Tuesday, 19 March 2013

Locking down FTP users in FreeBSD

I'll give you a quick rundown of what you need to do to get a chrooted FTP server, with links to useful documentation, so you don't have to go trawling the web for help on these tasks. For editing files I prefer the "ee" program; it's really easy to learn, and you don't need to memorise the pile of commands and shortcuts that vi expects you to know better than your own name.


  • Install the OS, using your favorite method.
  • Apply FreeBSD updates, either in binary form or the old, drawn-out way of recompiling from source. Which one depends on your requirements and on whether you run a custom kernel.
  • Create a group, call it ftpusers to make it clear what it's going to be used for.
  • Add users to that group when you create them, and consider giving them a separate home such as /usr/ftpusers so they stay apart from the normal users.
  • Add the group name you created above to /etc/ftpchroot. Don't forget the @ in front of the group name, e.g. @ftpusers, otherwise it won't work.
  • Enable the FTP daemon by adding the following line to /etc/rc.conf:


ftpd_enable="YES"

and type this at the command line to start the FTP daemon:

/etc/rc.d/ftpd start

Alternatively, in /etc/inetd.conf remove the comment from the ftpd line and type

killall -HUP inetd

at the command line after editing inetd.conf, so inetd re-reads its configuration and starts serving ftpd.

or reboot, your choice.

And that's pretty much it! Now test it with multiple accounts to make sure it's all good and as expected before deploying or letting your internet friends abuse it.
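As an added sanity check (example code, not part of the original post), the script below parses the ftpchroot(5) format and reports which accounts ftpd would actually confine, and which members of the group would be left out, for instance when the leading @ is forgotten. It runs against constructed copies of the files (the user names alice, bob and carol are made up), so it can be tried without touching a live system.

```shell
#!/bin/sh
# Added example, not from the original post: check an /etc/ftpchroot setup.
# ftpchroot(5) format: one entry per line, a user name or @group, optional
# second field naming the chroot directory; "#" starts a comment.

# members_of GROUPFILE GROUPNAME: print the group's members, one per line
members_of() {
    awk -F: -v g="$2" '$1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }' "$1"
}

# chrooted_users FTPCHROOT GROUPFILE: print every account ftpd would confine
chrooted_users() {
    sed -e 's/#.*//' "$1" | awk 'NF { print $1 }' | while read -r entry; do
        case $entry in
            @*) members_of "$2" "${entry#@}" ;;   # expand group to its members
            *)  echo "$entry" ;;                  # plain user name
        esac
    done | sort -u
}

# missing_chroot GROUPNAME FTPCHROOT GROUPFILE: members of the group that
# ftpchroot does NOT cover, e.g. because the leading @ was forgotten
missing_chroot() {
    d=$(mktemp -d)
    members_of "$3" "$1" | sort -u > "$d/members"
    chrooted_users "$2" "$3" > "$d/confined"
    comm -23 "$d/members" "$d/confined"
    rm -rf "$d"
}

# Constructed sample files (hypothetical names, not real system data)
tmp=$(mktemp -d)
cat > "$tmp/group" <<'EOF'
wheel:*:0:root
ftpusers:*:1001:alice,carol
EOF
cat > "$tmp/ftpchroot" <<'EOF'
@ftpusers            # correct: the whole group
bob /usr/ftpusers/bob
EOF
cat > "$tmp/ftpchroot.bad" <<'EOF'
ftpusers             # wrong: no @, so ftpd looks for a user called ftpusers
EOF

echo "confined:"; chrooted_users "$tmp/ftpchroot" "$tmp/group"
echo "left out by the bad file:"; missing_chroot ftpusers "$tmp/ftpchroot.bad" "$tmp/group"
```

Point it at the real /etc/ftpchroot and /etc/group once the accounts exist; an empty result from missing_chroot means every member of the group is covered.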

If you want to allow SSH access to some people but not others, give those who don't need SSH the nologin shell. Be aware that this method, or the shell itself, may have flaws that could be exploited if you open SSH to the world; the same applies to an "open" FTP daemon.
