
Let’s Make That FTP Server More Secure

CHROOT your users!

Previously, I showed you how to build a simple-but-functional FTP (File Transfer Protocol) server with OpenSuSE Linux (www.opensuse.org). You installed the Yast2-FTP configuration tool, then installed FileZilla to test it.

In that introduction to building your own FTP server, I finished with this warning: “Don’t expose this server to the Internet.” Perhaps you ignored me and Googled the info so that you could do it anyway. That was your choice, of course, but you should know that you may have exposed yourself to a world of hurt.

USERNAMES AND PASSWORDS

If your test FTP server isn’t running, start it. On your PC, start FileZilla and log in to the FTP server. Your home directory (“/home/your-name”) on that FTP server will appear in the right pane, same as usual. But now, click the “..” dots at the top of that listing to move up one directory at a time.

The first click puts you in /home. Most Linux distributions (including OpenSuSE) create a home directory from the user’s name. In Fig. 1, you can see my name, my wife’s name and an imaginary user whom I’ve named “Brick B Dumb” in honor of that special coworker we’ve all come to love.

Fig. 1: Without CHROOT: Viewing all of the normal user accounts in the /home directory.

Suppose you have a heavily-used FTP server. The program director and most of the air talent all have accounts. Keep this in mind: Many hacking attempts are made by a disgruntled former employee.

If Mr. Disgruntled has used your FTP server, he’s already seen the /home directory and knows that Brick has an account. Once Disgruntled is fired, you may change all important passwords and warn everyone else to do so … but Brick won’t see that email. (Even if he had, he would just have changed from “letmein123” to “letmein456.”)

Disgruntled can easily guess that password and log in to your FTP server as Brick. He can click the double dots “..” until he’s in the top level directory (“/”) and browse all over the system.

You might think, “What’s the big deal? It’s just an FTP server!” The problem is, many people use the same password for many different things. Suppose your program director uses the same password to remotely administer your audio system.

Unfortunately, in the top-level directory, there is a file named /etc/shadow that contains the names of every user on that server … with passwords. As our FTP server is currently configured, anyone can download that file. The passwords are encrypted, but Disgruntled might download some cracking software and figure out how to log in to your audio system. Next thing you know, your station is airing Carlin’s “Seven Dirty Words” and everyone is running around with their hair on fire.

For a whole host of reasons, we want each user to be limited to his or her /home directory. Even though this is “just an FTP server,” we don’t want them to see anything else. To do this, we will use CHROOT: “change (or limit) the root (top) directory available to a user.”

CHROOT EVERYONE

The name doesn’t refer to the root user (i.e., the administrator/superuser), but to the highest-level directory that a user is allowed to access.

The FTP server that we’re using, VSFTPD, makes it very easy to jail each user into his or her /home directory. If you look at the General settings in the Yast-FTP tool, you can even check “CHROOT users.”

Unfortunately, depending on the software versions, it might not work. VSFTPD has been changed recently and your version of Yast might not have caught up yet; I ran into that while writing this article.

The good news is that most configuration files for Linux are in plain text, and this one is no exception. The bad news is, we’ll have to edit it in …

THE EVIL TEXT TERMINAL

Well, you need to know how to use a terminal, anyway. If you go to the OpenSuSE forums for help (forums.opensuse.org), they’ll likely ask you to open a terminal and run some commands, then report the results back to them. If you Google for help and ideas, most of that will be “edit the config file” type stuff as well, which requires using the terminal.

There are several ways to do this; here’s one. On the FTP server, click the Start Lizard in the lower left corner of the screen. Hover over Applications, then click on “System.” When the System options appear, click “Terminal,” then click “Terminal — Super User Mode.” You’ll be prompted for the root password. This is simply your password, if you accepted the defaults when you installed OpenSuSE.

We want a good text editor for terminal use. My favorite is called “nano.” I showed you how to use Yast last time to install software, but there’s another way. If you know the exact name of the program, the command-line software tool is called “zypper.” Enter “zypper install nano.” If nano is already installed, zypper will say so. Otherwise, it’ll ask for confirmation (press “y”), then install it. It’s in the online OpenSuSE repositories, so as long as you have an Internet connection on your FTP server, it will be installed in a moment or two.

Fig. 2: With CHROOT: The user is “jailed” into his/her home directory.

EDIT THE CONFIG

Enter “nano /etc/vsftpd.conf.” Use the arrow keys to scroll through the file (see Fig. 2). The CTRL key is used for many common commands; these are listed at the bottom of the screen. One useful one is CTRL-W (for “where is”), which will let you search through the text. We want these lines, exactly as shown here:

write_enable=YES
local_enable=YES
local_umask=002
chroot_local_user=YES
allow_writeable_chroot=YES

Some may already be in there, but will be commented out with a “#” at the start of the line. Delete that “#” mark. Some will be set to “NO” instead of “YES;” change as needed. If CTRL-W reports “not found,” simply type in the needed line at the end of the file.

The “#comments” in the file explain most of these options, so I won’t cover them in depth here. Briefly, though, we are indeed “CHROOT’ing” our users and allowing them to upload or download.

By the way, the feature change in VSFTPD that I mentioned a moment ago requires that new line, “allow_writeable_chroot.” For security reasons, VSFTPD’s maintainers decided to strictly enforce access permissions when CHROOT is active. It’s so strict, though, you won’t even be able to browse into your /home directory unless this option is set to “YES.”

SAVE AND RESTART

When you’re done editing in nano, press CTRL-O (for “write out”). Press “y” to confirm that you want to write “vsftpd.conf.” Nano will write the file to /etc, overwriting the old vsftpd.conf, which is what we want. Press CTRL-X to get back to the terminal prompt. There’s a geeky way to restart a server without rebooting, but let’s do it the easy way: Start Lizard -> Leave -> Restart.

Once you’re back in the GUI desktop on the FTP server, return to your PC and use FileZilla to connect again. If you’ve done this properly, you can now click the double-dots (“..”) in that right pane as much as you wish, but you’ll never escape from your home directory. (Feel free to emit a satisfied, if evil, cackle.)

If you can still get into other directories, or have other problems (such as an inability to upload files), you’ve missed or have misspelled an option. Remember that there are no spaces. The words in these options are separated by underscores (“_”): it’s “write_enable=YES,” and not, “write enable=YES.” They’re case sensitive too: “yes” or “Yes” isn’t the same as “YES.”
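The editing steps above (uncomment, flip NO to YES, append what is missing) and the troubleshooting advice just given (underscores, no spaces, upper-case YES) can both be turned into a small script. This is an added example, not code from the article or from the vsftpd project; it assumes GNU sed, as shipped with OpenSuSE, and works on whatever file you hand it, so try it on a copy before pointing it at the real /etc/vsftpd.conf as root.

```shell
#!/bin/sh
# Added example, not code from the article or the vsftpd project: put the five
# options from the text into a vsftpd.conf, then check the result the way the
# article says to (underscores, no spaces, upper-case YES). The functions work
# on whatever file they are given; as root, pass /etc/vsftpd.conf to apply
# them for real.

# The required lines, exactly as they must appear in the file.
VSFTPD_WANTED="write_enable=YES
local_enable=YES
local_umask=002
chroot_local_user=YES
allow_writeable_chroot=YES"

# ensure_option FILE KEY VALUE
# A line "#key=..." or "key=..." (whatever its value) becomes "key=VALUE";
# if the file has no such line, "key=VALUE" is appended at the end.
ensure_option() {
    file=$1 key=$2 value=$3
    if grep -q "^[[:space:]]*#*[[:space:]]*${key}[[:space:]]*=" "$file"; then
        sed -i "s/^[[:space:]]*#*[[:space:]]*${key}[[:space:]]*=.*/${key}=${value}/" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# apply_wanted FILE: run ensure_option for each required line.
apply_wanted() {
    for want in $VSFTPD_WANTED; do
        ensure_option "$1" "${want%%=*}" "${want#*=}"
    done
}

# check_conf FILE: print one line per problem; return 0 only when clean.
# A problem is a required line that is missing (or present with another
# value or spelling), or any live line vsftpd would reject: a space inside
# the option name, spaces around '=', upper-case letters in the name, or no
# '=' at all.
check_conf() {
    file=$1 rc=0
    for want in $VSFTPD_WANTED; do
        if ! grep -qx "$want" "$file"; then
            echo "missing or wrong: $want"
            rc=1
        fi
    done
    bad=$(grep -v '^[[:space:]]*#' "$file" | grep -v '^[[:space:]]*$' \
          | grep -v '^[a-z_]*=[^[:space:]]*$' || true)
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad" | sed 's/^/malformed line: /'
        rc=1
    fi
    return $rc
}

# demo: repair a constructed sample (not a real vsftpd.conf) and check it.
# Returns 0 when the repaired sample passes check_conf.
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# constructed sample modelled on a stock vsftpd.conf
anonymous_enable=NO
#write_enable=YES
local_enable=no
local_umask=022
#chroot_local_user=YES
EOF
    apply_wanted "$tmp"
    if check_conf "$tmp"; then rc=0; else rc=1; fi
    rm -f "$tmp"
    return $rc
}

demo && echo "sample config is correct"
```

A typo such as “write enable=YES” is left alone by ensure_option (it is not the option being looked for), so the correct line gets appended and check_conf then flags the bad one, which is exactly the symptom the paragraph above describes. Once the file checks out, a systemd-based OpenSuSE can apply it without a reboot with “systemctl restart vsftpd” (older releases used “rcvsftpd restart”), assuming vsftpd runs as its own service rather than under xinetd.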

READY FOR THE NET

If you’re network-savvy, there are certainly other ways to do this. But I recommend a separate, dedicated Internet connection for any high-volume server. Get a provisioning sheet from your Internet Service Provider (ISP). It will specify the values that we need to make this work.

For this example, let’s assume that our ISP has assigned an Internet IP address of 11.12.13.14, a netmask of 255.255.255.248 and a gateway address of 11.12.13.17.

Open Yast (Start Lizard, hover over Applications, then click System, and then Control Center). You’ll see Network Devices to the left. Click that, then click “Network Settings” to the right. The window shown in Fig. 3 will appear.

Fig. 3: Where to enter the information from the ISP’s provisioning sheet.

In the “Overview” tab, you’ll see your Network card. Click on it, then click “Edit” at the bottom of the Window to change to a static IP connection. Use the IP address and netmask provided by your ISP.

The “Hostname/DNS” tab is where you enter your ISP’s DNS information. The “Routing” tab is where you enter your ISP’s default gateway — 11.12.13.17 in our example.

Click OK to save the changes. You may be asked to disable Network Manager; if so, click “yes” and continue. (That’s a user-friendly desktop network management tool that’s not very useful for a server.) When making major changes like this, I like to reboot to be safe. Start Lizard->Leave->Restart.
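The three Yast screens just described end up as a few lines in OpenSuSE’s ifcfg files. As an added example (not code from the article or from OpenSuSE), the script below takes the values from the provisioning sheet, converts the dotted netmask to a prefix length, checks that the gateway actually lies inside that subnet, and prints what would go into each file. The interface name eth0 and the DNS address 203.0.113.53 are assumptions, and nothing is written to /etc. Run with the article’s own numbers, the check stops: 255.255.255.248 is a /29, the block containing 11.12.13.14 runs from .8 to .15, and 11.12.13.17 is outside it, which is the kind of mismatch to clear up with the ISP before rebooting.

```shell
#!/bin/sh
# Added example, not code from the article or from OpenSuSE: sanity-check the
# provisioning-sheet values and print the contents of the files that the Yast
# network screens write. eth0 and the DNS address are assumptions; nothing
# here touches /etc.

# prefix_len NETMASK: print the CIDR prefix length of a dotted netmask
# (255.255.255.248 -> 29). Fails on a mask whose set bits are not contiguous.
prefix_len() {
    bits=0 ended=0
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            255) n=8 ;; 254) n=7 ;; 252) n=6 ;; 248) n=5 ;;
            240) n=4 ;; 224) n=3 ;; 192) n=2 ;; 128) n=1 ;;
            0)   n=0 ;; *) return 1 ;;
        esac
        # once an octet is not 255, every later octet must be 0
        if [ "$ended" -eq 1 ] && [ "$n" -ne 0 ]; then return 1; fi
        if [ "$n" -ne 8 ]; then ended=1; fi
        bits=$((bits + n))
    done
    echo "$bits"
}

# ip_to_int A.B.C.D: print the address as a single integer
ip_to_int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# same_subnet IP1 IP2 PREFIX: succeed when both addresses share the network
same_subnet() {
    mask=$(( (0xFFFFFFFF << (32 - $3)) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$2") & mask )) ]
}

# render_config IP NETMASK GATEWAY DNS [IFACE]: check the values, then print
# the three OpenSuSE network files (same content the Yast screens produce).
render_config() {
    ip=$1 mask=$2 gw=$3 dns=$4 iface=${5:-eth0}
    plen=$(prefix_len "$mask") || { echo "bad netmask: $mask" >&2; return 1; }
    if ! same_subnet "$ip" "$gw" "$plen"; then
        echo "gateway $gw is not inside $ip/$plen; check the provisioning sheet" >&2
        return 1
    fi
    cat <<EOF
# /etc/sysconfig/network/ifcfg-$iface
BOOTPROTO='static'
STARTMODE='auto'
IPADDR='$ip/$plen'

# /etc/sysconfig/network/routes
default $gw - -

# /etc/sysconfig/network/config (only the DNS line shown)
NETCONFIG_DNS_STATIC_SERVERS="$dns"
EOF
}

# The article's example values: the gateway is outside the /29, so this
# reports the mismatch instead of printing files.
render_config 11.12.13.14 255.255.255.248 11.12.13.17 203.0.113.53 || true
# A constructed gateway inside the same /29 (11.12.13.9) prints all three files.
render_config 11.12.13.14 255.255.255.248 11.12.13.9 203.0.113.53
```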

SUMMARY

To test your FTP server, use your PC, but this time, enter the public Internet IP address (11.12.13.14 in our example). You should be able to get into the server.

Wow, we’ve covered a lot of stuff here. Remember that you can Google to your heart’s content to learn more; you can also visit the OpenSuSE forums (forums.opensuse.org) and post a request for help.

But in this article, I showed you how to CHROOT your users so that they can’t go any “higher” in the directory tree. It’s important to prevent people from peeking and poking all over your server. Even though it’s “just an FTP server,” we don’t want that.

Finally, at present, our FTP server has only one user: you. You can certainly add others; click the Start Lizard, Applications, System->Yast, then choose “User and Group Management.” But since we’ve CHROOT’d our users into their home directories, no one can see any files but their own!

Next time, I’ll show you how to add a special FTP “super user,” with other users underneath that person’s /home directory. The super user can move, delete and copy files to his/her heart’s content. We’ll also enable ftps — the “s” stands for “secure” — using Transport Layer Security (TLS) for encrypted connections.

Until then!

Stephen Poole is market chief at Crawford Broadcasting in Birmingham, Ala. Send comments and questions to [email protected].
