Secure FTP Server in Chroot Jail Environment
Often SFTP is confused with FTPS Well, they are different SFTP – Part of SSH server FTPS – Secure implementation of FTP server (yes, both use SSL encryption on the transport) WHAT IS JAILROOT/CHROOT? Evey process in *NIX systems has Process Context. This context contains the “absolute path” of the command that lead to creation of the process. e. g. $ ls The Process Context shall contain “/bin/ls”. It must be noticed that process has visibility till “/”. The hacker may somhow access all directories below “/” as they are in visibility. This is insecure.
We decrease the visibility of process by creating altogether a separate directory called CHROOT or JAILROOT. For eg. if /dir1/dir2/chroot-dir is the JAILROOT directory in our configuration then the process run from login within this directory shall have no knowledge of anything above “/dir1/dir2/chroot-dir/”. For this process /dir1/dir2/chroot-dir/ is their “/” in the process context. CREATE USER WHO WILL BE ALLOWED TO LOGIN THROUGH SFTP sage ~]# useradd sftp-user Make sftp-server as login shell for that user. sage ~]# usermod -s /bin/false sftp-user CREATE JAILROOT DIRECTORY age ~]# mkdir /chroot-dir && chown root. sftp-user /chroot-dir && chmod 750 /chroot-dir
MODIFY SSH SERVER CONFIGURATION TO ENABLE SFTP IN CHROOT sage ~]# vi /etc/ssh/sshd_config #Subsystem sftp /usr/libexec/sftp-server Subsystem sftp internal-sftp ChrootDirectory /chroot-dir ADD /usr/libexec/openssh/sftp-server AS A VALID LOGIN SHELL sage ~]# echo ‘/usr/libexec/openssh/sftp-server’ >> /etc/shells sage ~]# /etc/init. d/sshd restart TEST SFTP bash~$ sftp [email protected] domain Connecting to hostname. domain… [email protected] domain’s password: sftp> ls sftp> quit