how to prevent root from being able to vsftpd

socalheel · 10-08-2014, 12:37 PM

i believe i have set up my conf file and user_list file correctly but for some reason, i am still able to connect to sftp using my root account after i restart vsftpd.

here are the uncommented lines from /etc/vsftpd/vsftpd.conf

Code:

anonymous_enable=YES
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=YES

pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES

here is my /etc/vsftpd/user_list file

Code:

# vsftpd userlist
# If userlist_deny=NO, only allow users in this file
# If userlist_deny=YES (default), never allow users in this file, and
# do not even prompt for a password.
# Note that the default vsftpd pam config also checks /etc/vsftpd/ftpusers
# for users that are denied.
root
bin
daemon
adm
lp
sync
shutdown
halt
mail
news
uucp
operator
games
nobody

what am i doing wrong?

jlinkels · 10-08-2014, 12:58 PM

You rely on the userlist do deny certain users. So if the file cannot be found no users are denied. Can you include userlist_file=/etc/path/to/userlist explicitely in the vsftp.conf. And also userlist_deny=yes. Make sure the userlist file is readable for the vsftp process.

Furthermore check your log files. Try to increase logging verbosity level.

jlinkels

socalheel · 10-08-2014, 01:06 PM

Quote:

Originally Posted by jlinkels

You rely on the userlist do deny certain users. So if the file cannot be found no users are denied. Can you include userlist_file=/etc/path/to/userlist explicitely in the vsftp.conf. And also userlist_deny=yes. Make sure the userlist file is readable for the vsftp process.

Furthermore check your log files. Try to increase logging verbosity level.

jlinkels

thanks man ... i tried that too with no success.

i did not, however, check the log files. i'll do that. i'll check-in with what i find.

eklavya · 10-09-2014, 12:39 AM

There should be a file /etc/vsftpd/ftpusers
Add root in the list to prevent log in and restart vsftpd.

bathory · 10-09-2014, 12:55 PM

@OP

Quote:

i believe i have set up my conf file and user_list file correctly but for some reason, i am still able to connect to sftp using my root account after i restart vsftpd.

Mind that sftp is different from ftp/ftps that vsftpd provides.
It's based on ssh, so you have to disable ssh login for root, if you don't want root to be able to sftp. See the PermitRootLogin in /etc/ssh/sshd_config for details

Regards

jlinkels · 10-09-2014, 01:07 PM

Darn, bathory might be right. So this is not the place to change that. Although vsftp has almost the same name as sftp, they are completely different and independent.

You should edit /etc/ssh/sshd_config and set PermitRootLogin=no and optionally set AllowedUsers for the users that you want to have access.

Because sftp runs over ssh, all related services, ssh, sftp, scp, rsync rely on the settings in the sshd_config.

I am not sure sftp allows for more fine grained control. So that sftp can deny root whil ssh allows. I don't think so.

jlinkels