LinuxQuestions.org

Linux - Server: how to prevent root from being able to vsftpd (https://www.linuxquestions.org/questions/linux-server-73/how-to-prevent-root-from-being-able-to-vsftpd-4175521452/)

socalheel 10-08-2014 12:37 PM

how to prevent root from being able to vsftpd
 
I believe I have set up my conf file and user_list file correctly, but for some reason I am still able to connect to sftp using my root account after I restart vsftpd.

Here are the uncommented lines from /etc/vsftpd/vsftpd.conf:
Code:

anonymous_enable=YES
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=YES

pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES


Here is my /etc/vsftpd/user_list file:
Code:

# vsftpd userlist
# If userlist_deny=NO, only allow users in this file
# If userlist_deny=YES (default), never allow users in this file, and
# do not even prompt for a password.
# Note that the default vsftpd pam config also checks /etc/vsftpd/ftpusers
# for users that are denied.
root
bin
daemon
adm
lp
sync
shutdown
halt
mail
news
uucp
operator
games
nobody


What am I doing wrong?

jlinkels 10-08-2014 12:58 PM

You rely on the userlist to deny certain users. So if the file cannot be found, no users are denied. Can you include userlist_file=/etc/path/to/userlist explicitly in the vsftpd.conf? And also userlist_deny=yes. Make sure the userlist file is readable for the vsftpd process.

Furthermore, check your log files. Try to increase the logging verbosity level.

jlinkels

socalheel 10-08-2014 01:06 PM

Quote:

Originally Posted by jlinkels (Post 5250936)
You rely on the userlist to deny certain users. So if the file cannot be found, no users are denied. Can you include userlist_file=/etc/path/to/userlist explicitly in the vsftpd.conf? And also userlist_deny=yes. Make sure the userlist file is readable for the vsftpd process.

Furthermore, check your log files. Try to increase the logging verbosity level.

jlinkels

Thanks man ... I tried that too with no success.

I did not, however, check the log files. I'll do that. I'll check in with what I find.

eklavya 10-09-2014 12:39 AM

There should be a file /etc/vsftpd/ftpusers.
Add root to the list to prevent login and restart vsftpd.

bathory 10-09-2014 12:55 PM

@OP
Quote:

I believe I have set up my conf file and user_list file correctly, but for some reason I am still able to connect to sftp using my root account after I restart vsftpd.
Mind that sftp is different from the ftp/ftps that vsftpd provides.
It's based on ssh, so you have to disable ssh login for root if you don't want root to be able to sftp. See PermitRootLogin in /etc/ssh/sshd_config for details.

Regards

jlinkels 10-09-2014 01:07 PM

Darn, bathory might be right. So this is not the place to change that. Although vsftpd has almost the same name as sftp, they are completely different and independent.

You should edit /etc/ssh/sshd_config and set PermitRootLogin=no and optionally set AllowedUsers for the users that you want to have access.

Because sftp runs over ssh, all related services (ssh, sftp, scp, rsync) rely on the settings in sshd_config.

I am not sure sftp allows for more fine-grained control, so that sftp can deny root while ssh allows it. I don't think so.

jlinkels
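The point bathory and jlinkels make above (root's SFTP access is governed by sshd's PermitRootLogin, not by vsftpd's user_list or ftpusers) can be checked with a small script. This is an added example, not code from the thread; the sshd_config and user_list contents it reads are constructed samples, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): report whether root can still log in over
# SSH, and therefore SFTP, according to an sshd_config, and separately whether
# root is listed in a vsftpd deny file, which only affects FTP.

# Print the effective global PermitRootLogin value of an sshd_config file.
# Accepts "Key value" and "Key=value"; the first occurrence wins, and the
# scan stops at the first Match block (values inside it are conditional).
permit_root_login() {
    awk '
        NF == 0 || substr($1, 1, 1) == "#" { next }   # skip comments and blanks
        tolower($1) == "match" { exit }
        {
            l = tolower($0)
            if (match(l, /^[[:space:]]*permitrootlogin[[:space:]]*=?[[:space:]]*/)) {
                v = substr(l, RLENGTH + 1); sub(/[[:space:]].*$/, "", v)
                print v; found = 1; exit
            }
        }
        END { if (!found) print "prohibit-password" }   # OpenSSH default: root with keys still allowed
    ' "$1"
}

# Succeed if USER appears uncommented in a vsftpd deny file (ftpusers, or
# user_list with the default userlist_deny=YES). This only affects FTP logins.
user_listed_in() {
    grep -v '^[[:space:]]*#' "$2" | grep -qxE "[[:space:]]*$1[[:space:]]*"
}

# "yes" when root can still authenticate over SSH (and so SFTP) with that config.
root_sftp_reachable() {
    [ "$(permit_root_login "$1")" != "no" ] && echo yes || echo no
}

# Constructed sample files (assumed content, not taken from the poster's box).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/sshd_config.commented" <<'EOF'
#PermitRootLogin no
PasswordAuthentication yes
Match User backup
    PermitRootLogin no
EOF
printf 'PermitRootLogin=no\n' > "$SAMPLE_DIR/sshd_config.denied"
printf '# vsftpd userlist\nroot\nbin\n' > "$SAMPLE_DIR/user_list"

for f in commented denied; do
    printf '%s: PermitRootLogin=%s, root reachable over sftp: %s\n' "$f" \
        "$(permit_root_login "$SAMPLE_DIR/sshd_config.$f")" "$(root_sftp_reachable "$SAMPLE_DIR/sshd_config.$f")"
done
user_listed_in root "$SAMPLE_DIR/user_list" && echo "root is in user_list: denied for FTP only"
```

The commented-out sample shows the trap the thread runs into: with the directive commented out, the default applies and root can still authenticate with a key, so only an explicit PermitRootLogin no closes the SFTP path.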

