Chroot VSFTPD user on a webserver and change port of VSFTPD

First of all make sure to change the name of your VSFTP configuration file:

 sudo mv /etc/vsftpd.conf /etc/vsftpd.conf_orig 
 sudo nano /etc/vsftpd.conf


Now paste below code in vsftpd.conf file:

listen_port=4021
listen=NO
listen_ipv6=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
connect_from_port_20=NO
chroot_local_user=YES
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
ssl_enable=NO
pasv_enable=Yes
pasv_min_port=10000
pasv_max_port=10100
allow_writeable_chroot=YES

Restart VSFTPD service and it will start to listen on port 4021

service vsftpd restart

Now create sftp group:

groupadd sftp

Modify /etc/ssh/sshd_config file to disable users that are part of sftp group to login by a ssh client.

nano /etc/ssh/sshd_config

Add the following line in the end of the file

Match group sftp
ChrootDirectory /home
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp

Restart the SSH server

service ssh restart

Now let’s create a user and give it a password

useradd myftpuser

passwd  myftpuser

Change a home folder of your “myftpuser” user:

usermod -d /var/www/myftpuser/www myftpuser

Root must be owner of the path /var/www/myftpuser/:

chown root:root /var/www/myftpuser/

Add user to sftp and www-data group:

usermod  myftpuser -G sftp, www-data

Check groups of your newly created user:

groups  myftpuser  

Groups www-data and sftp should be listed.

Make www-data owner of the web folder there all of your files will be stored:

chown www-data:www-data /var/www/myftpuser/www/ 

Last but not least try to ssh into your myftpuser account. You should not be able to login.

The next step is try login to your FTP but don’t forget to use port: 4021 that we specified above.

Also do not forget to allow port 4021 in your firewall. I use ufw firewall so the following command will allow port 4021:

 ufw allow 4021

Leave a Comment