Often SFTP is confused with FTPS.
Well, they are different:
SFTP - Part of SSH server
FTPS - Secure implementation of FTP server
(yes, both use SSL encryption on the transport)
WHAT IS JAILROOT/CHROOT?
Every process in *NIX systems has a Process Context. This context contains the "absolute path" of the command that led to the creation of the process.
e.g.
$ ls
The Process Context shall contain "/bin/ls".
Note that the process has visibility up to "/". A hacker may somehow access all directories below "/", since they are visible to the process. This is insecure.
We decrease the visibility of the process by creating a separate directory altogether, called the CHROOT or JAILROOT.
For example, if /dir1/dir2/chroot-dir is the JAILROOT directory in our configuration, then a process run from a login within this directory shall have no knowledge of anything above "/dir1/dir2/chroot-dir/". For this process, /dir1/dir2/chroot-dir/ is "/" in the process context.
CREATE USER WHO WILL BE ALLOWED TO LOGIN THROUGH SFTP
sage ~]# useradd sftp-user
Make sftp-server the login shell for that user.
sage ~]# usermod -s /bin/false sftp-user
CREATE JAILROOT DIRECTORY
sage ~]# mkdir /chroot-dir && chown root:sftp-user /chroot-dir && chmod 750 /chroot-dir
MODIFY SSH SERVER CONFIGURATION TO ENABLE SFTP IN CHROOT
sage ~]# vi /etc/ssh/sshd_config
#Subsystem sftp /usr/libexec/sftp-server
Subsystem sftp internal-sftp
ChrootDirectory /chroot-dir
ADD /usr/libexec/openssh/sftp-server AS A VALID LOGIN SHELL
sage ~]# echo '/usr/libexec/openssh/sftp-server' >> /etc/shells
sage ~]# /etc/init.d/sshd restart
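Before testing, it is worth confirming that the jail directory satisfies the rule sshd_config(5) documents for ChrootDirectory: every component of the path must be a root-owned directory that is not writable by any other user or group. The script below is an added example, not part of the original walkthrough; it assumes GNU stat, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original page). Assumes GNU stat (Linux).
# Function names are hypothetical, chosen for this illustration.

# component_ok UID MODE: succeed only if the owner is root (uid 0) and
# neither the group-write (020) nor the other-write (002) bit is set.
component_ok() {
    [ "$1" -eq 0 ] && [ $(( 0$2 & 022 )) -eq 0 ]
}

# check_chroot_path DIR: walk from DIR up to "/", printing one line per
# component that breaks the rule. Returns 0 = ok, 1 = violation, 2 = bad input.
check_chroot_path() {
    cc_dir=$1
    cc_rc=0
    case $cc_dir in
        /*) ;;
        *) echo "not an absolute path: $cc_dir"; return 2 ;;
    esac
    [ -d "$cc_dir" ] || { echo "not a directory: $cc_dir"; return 2; }
    while :; do
        # -L follows symlinks, so the directory itself is examined
        cc_st=$(stat -L -c '%u %a' "$cc_dir") || return 2
        # cc_st is "<uid> <octal mode>", e.g. "0 750"
        if ! component_ok ${cc_st% *} ${cc_st#* }; then
            echo "FAIL $cc_dir (uid ${cc_st% *}, mode ${cc_st#* })"
            cc_rc=1
        fi
        [ "$cc_dir" = / ] && break
        cc_dir=$(dirname "$cc_dir")
    done
    return $cc_rc
}

# Usage, as root on the server from this walkthrough:
#   check_chroot_path /chroot-dir && echo "layout acceptable to sshd"
```

A directory created as above (owner root, mode 750) passes; a mode such as 770, or a parent directory owned by the SFTP user, is reported as FAIL.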
TEST SFTP
bash~$ sftp sftp-user@hostname.domain
Connecting to hostname.domain...
sftp-user@hostname.domain's password:
sftp> ls
sftp>