Milter-Greylist & Sendmail (fix)

by RyanWagner on May.18, 2010, under Linux/Unix, SMB, Technical, Understanding Technology

If you are currently using milter-greylist with sendmail, you may see errors in your maillog.

The first error you may see is a {daemon_port} error.

The next error you may see is a "socket unsafe" error.

The final error you may see is an error indicating that milter-greylist has stopped working.

All 3 of these can be occurring without any noticeable issues for users. In my mind, if you can remove an error by updating the config then you should, and all 3 of these errors come from the milter-greylist documentation having a weak/broken example for the M4 file.

THE FIX:

Update your M4 milter-greylist entry to:

INPUT_MAIL_FILTER(`milter-graylist',`S=local:/var/run/milter-greylist/milter-greylist.sock, F=T,T=S:1m;R:2m;E:3m')dnl
define(`confMILTER_MACROS_CONNECT',confMILTER_MACROS_CONNECT`,{daemon_port}')dnl
define(`confMILTER_MACROS_HELO',confMILTER_MACROS_HELO`,{verify},{client_resolve}')dnl
define(`confMILTER_MACROS_ENVRCPT',confMILTER_MACROS_ENVRCPT`,{client_resolve}')dnl

Please note that this entry uses the default install location for the Yum/Fedora package. If you are using another Unix flavor, or installed milter-greylist to run from a different location, just update the socket path. Note also that the quotes in M4 must be a plain backtick to open and a plain apostrophe to close; curly quotes copied from a web page will break the macro.
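
As an added check (not part of the original post or of milter-greylist), here is a small shell script that verifies the sendmail.cf built from the entry above really carries the macros and socket it defines. The sendmail.cf excerpts in it are constructed samples, and the filter name milter-graylist is the one used in the entry.

```shell
#!/bin/sh
# Added example, not part of the original post or of milter-greylist: check
# that the sendmail.cf built from the M4 entry above really carries the milter
# macros and socket it defines. The define() lines become
# "O Milter.macros.connect=", ".helo=" and ".envrcpt=" option lines in
# sendmail.cf; the INPUT_MAIL_FILTER line becomes an "Xmilter-graylist" line.
# If a macro is missing there, the M4 quoting was wrong (the usual culprit is
# curly quotes pasted from a web page). File contents below are constructed.

# check_milter_macros CF_FILE
# Prints one line per macro missing from its stage; returns 1 if any are missing.
check_milter_macros() {
    missing=0
    for pair in "connect:{daemon_port}" "helo:{verify}" \
                "helo:{client_resolve}" "envrcpt:{client_resolve}"; do
        stage=${pair%%:*}
        macro=${pair#*:}
        # -F: braces are literal; the option line lists macros comma-separated
        if ! grep -F "O Milter.macros.$stage=" "$1" | grep -qF "$macro"; then
            echo "missing $macro in Milter.macros.$stage"
            missing=1
        fi
    done
    return $missing
}

# check_milter_socket CF_FILE FILTER_NAME
# Returns 0 if the X<name> line points at the Fedora default socket path.
check_milter_socket() {
    grep -q "^X$2,[[:space:]]*S=local:/var/run/milter-greylist/milter-greylist.sock" "$1"
}

# Constructed sendmail.cf excerpts: one built from the entry above, one from a
# build where the macro definitions were lost.
GOOD_CF=$(mktemp); BAD_CF=$(mktemp)
trap 'rm -f "$GOOD_CF" "$BAD_CF"' EXIT
cat > "$GOOD_CF" <<'EOF'
O Milter.macros.connect=j, _, {daemon_name}, {if_name}, {if_addr}, {daemon_port}
O Milter.macros.helo={tls_version}, {cipher}, {cipher_bits}, {cert_subject}, {cert_issuer}, {verify}, {client_resolve}
O Milter.macros.envrcpt={rcpt_mailer}, {rcpt_host}, {rcpt_addr}, {client_resolve}
Xmilter-graylist, S=local:/var/run/milter-greylist/milter-greylist.sock, F=T, T=S:1m;R:2m;E:3m
EOF
cat > "$BAD_CF" <<'EOF'
O Milter.macros.connect=j, _, {daemon_name}, {if_name}, {if_addr}
O Milter.macros.helo={tls_version}, {cipher}, {cipher_bits}, {cert_subject}, {cert_issuer}
O Milter.macros.envrcpt={rcpt_mailer}, {rcpt_host}, {rcpt_addr}
Xmilter-graylist, S=local:/var/run/milter-greylist/milter-greylist.sock, F=T, T=S:1m;R:2m;E:3m
EOF

# Usage on a live box, after rebuilding sendmail.cf:
# check_milter_macros /etc/mail/sendmail.cf && check_milter_socket /etc/mail/sendmail.cf milter-graylist
```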


Install ClamAV on Fedora via Yum for sendmail

by RyanWagner on May.12, 2010, under Linux/Unix, SMB, Technical, Understanding Technology

ClamAV installation on Fedora is not at all simple or straightforward. The ClamAV support channels and wiki do not properly document the process, so here are the steps you need to complete.

Packages to install:

clamav-server
clamav-update
clamav-milter
clamav-milter-sysvinit

Then you need to run the bash script found here:

http://github.com/csmart/naa/blob/master/configure-clamd.sh

In the event that link dies:

#!/bin/bash

# Copyright 2009 "Christopher Smart" <m...@christophersmart.com>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.

#This script is for installing and configuring clam-server (clamd) on Fedora

#Variables
VERSION=0.1
COUNTDOWN_TIMEOUT=5
FEDORA_RELEASE="`cat /etc/fedora-release 2>/dev/null`"
FRESHCLAM_CONF="/etc/freshclam.conf"

#These variables are set later, once we know the user
CLAMD_USER=""
CLAMD_CONFIG=""
CLAMD_SYSCONFIG=""
CLAMD_INIT=""
CLAMD_LOGROTATE=""
CLAMD_PID=""
CLAMD_LOG=""

#These variables are set later, once we know clamav-server version
CLAMD_VERSION=""
CLAMD_CONFIG_TEMPLATE=""
CLAMD_SYSCONFIG_TEMPLATE=""
CLAMD_INIT_TEMPLATE=""
CLAMD_LOGROTATE_TEMPLATE=""

#Functions
countdown() {
	i=$1
	echo "If you do NOT want to proceed, hit CTRL+C within $i seconds..."
	while [ $i -gt 0 ]
	do
		sleep 1
		echo -ne "$i.. "
		let i=i-1
	done
}

#Make this more pretty by adding an extra blank line at the beginning
echo ""

#Print help, if requested
if [ "$1" == "help" -o "$1" == "-help" -o "$1" == "--help" -o "$1" == "-h" -o "$1" == "--h" ]
then
	echo "This script configures clamav-server (clamd) on Fedora."
	echo "Version $VERSION"
	echo ""
	echo "Usage:"
	echo " $0 [option] [username] [port]"
	echo ""
	echo "Options:"
	echo " -c creates an instance, overwriting if already exists."
	echo " -r removes an instance."
	echo ""
	echo "Parameters (optional):"
	echo " [username] pass in the username you want clamd to run as, defaults to 'clamav'."
	echo " [port] pass in the port you want clamd to run on, defaults to '3310'."
	echo ""
	echo "Create example:"
	echo " $0 -c me 3311"
	echo ""
	echo "Remove example:"
	echo " $0 -r me 3311"
	echo ""
	echo "Report bugs to m...@christophersmart.com"
	echo ""
	exit 0
fi

#Check that we're running Fedora
if [ -z "$FEDORA_RELEASE" ]
then
	echo "You don't appear to be running Fedora, sorry!"
	echo "Exiting."
	echo ""
	exit 1
fi

#We're running Fedora, so make sure we're root
if [ $EUID -ne 0 ]
then
	echo "You must run this as root. Prepend sudo, or run:"
	echo "su -c '$0 [option] [username] [port]'"
	echo ""
	echo "Exiting."
	echo ""
	exit 1
else
	echo "You appear to be running `echo $FEDORA_RELEASE`, excellent."
	echo ""
fi

#Set clamd user and port
if [ "$1" != "-c" -a "$1" != "-r" ]
then
	CLAMD_USER="clamav"
	CLAMD_PORT="3310"
else
	if [ -z "$2" ]
	then
		CLAMD_USER="clamav"
	else
		CLAMD_USER="$2"
	fi

	if [ -z "$3" ]
	then
		CLAMD_PORT="3310"
	else
		CLAMD_PORT="$3"
	fi
fi

#Variables for config files, now that we know the user
CLAMD_CONFIG="/etc/clamd.d/$CLAMD_USER.conf"
CLAMD_INIT="/etc/init.d/clamd.$CLAMD_USER"
CLAMD_LOGROTATE="/etc/logrotate.d/clamd-$CLAMD_USER"
CLAMD_PID="/var/run/clamd.$CLAMD_USER"
CLAMD_LOG="/var/log/clamd.$CLAMD_USER"
CLAMD_SYSCONFIG="/etc/sysconfig/clamd.$CLAMD_USER"
CLAMD_CHKCONFIG="/sbin/chkconfig clamd.$CLAMD_USER"

#Removing existing instance of clamd for specified user, if told to do so
if [ "$1" == "-r" ]
then
	echo "**WARNING** Removing clamd instance for user '$CLAMD_USER'."
	countdown $COUNTDOWN_TIMEOUT
	echo ""
	echo "OK then, proceeding.."
	echo ""

	#Check to see if there's a configuration for that user already
	if [ ! -e $CLAMD_CONFIG ]
	then
		echo "No clamd instance found for user '$CLAMD_USER'."
		echo "Exiting."
		echo ""
		exit 1
	fi	

	#Stop and disable daemon
	$CLAMD_INIT stop &>/dev/null
	if [ $? -ne 0 ]
	then
		echo "Could not stop service, sorry."
		echo ""
		echo "Instance of clamd for user '$CLAMD_USER' NOT removed."
		echo "Exiting."
		echo ""
		exit 1
	fi

	#Turn off daemon
	$CLAMD_CHKCONFIG off &>/dev/null

	#Remove configs and logs, etc
	rm -f $CLAMD_CONFIG 2>/dev/null
	rm -f $CLAMD_INIT 2>/dev/null
	rm -f $CLAMD_LOGROTATE 2>/dev/null
	rm -rf $CLAMD_PID 2>/dev/null
	rm -f $CLAMD_LOG 2>/dev/null
	rm -f $CLAMD_SYSCONFIG 2>/dev/null
	unlink /usr/sbin/clamd.$CLAMD_USER 2>/dev/null

	#Remove user?
	if [ -n "`id $CLAMD_USER 2>/dev/null`" ]
	then
		#User exists, so ask if it should be removed
		echo -e "**WARNING** DO YOU WANT TO REMOVE THE USER FROM THE SYSTEM? (y/N): \c "
		read answer
		echo ""
		if [ "$answer" == "y" -o "$answer" == "Y" ]
		then
			#Remove user and confirm success
			echo "OK, removing user '$CLAMD_USER' from the system."
			userdel -r $CLAMD_USER 2>/dev/null
			if [ $? -eq 0 -o $? -eq 12 ]
			then
				echo "User removed successfully."
				echo ""
			else
				echo "**WARNING** Could not remove clamd user from the system. Perform manually."
				echo ""
			fi
		else
			echo "OK, user will NOT be removed."
			echo ""
		fi
	else
		echo "User does not exist in the system, not removing."
		echo ""
	fi
	echo "Instance of clamd for user '$CLAMD_USER' has been successfully removed."
	echo ""
	exit 0
fi

#Creating
echo "Configuring clamd to run as user '$CLAMD_USER' on port '$CLAMD_PORT'."
echo ""
countdown $COUNTDOWN_TIMEOUT
echo ""
echo "OK then, proceeding.."
echo ""

#Checking to see if required packages are installed or not
echo "Checking for required packages.."
if [ -n "`rpm -qa |grep clamav`" -a "`rpm -qa |grep clamav-update`" -a "`rpm -qa |grep clamav-server`" ]
then
	echo "Required packages already installed."
	echo ""
else

	#Install required packages
	echo "Installing required clamav packages.."
	echo ""
	yum -yq install clamav clamav-server clamav-update
	echo ""

	#Check that the install was successful (or already installed)
	if [ -n "`rpm -qa |grep clamav`" -a "`rpm -qa |grep clamav-update`" -a "`rpm -qa |grep clamav-server`" ]
	then
		echo "Packages successfully installed."
		echo ""
	else
		echo "Problem installing required packages, sorry."
		echo ""
		echo "Instance of clamd for user '$CLAMD_USER' NOT created successfully."
		echo "Exiting."
		echo ""
		exit 1
	fi
fi

#Get version of clamd, now that it's installed
CLAMD_VERSION="`rpm -qa |grep clamav-server |awk -F "-" {'print $3'} 2>/dev/null`"

#Variables for template files now that we know the version of clamav-server installed
CLAMD_CONFIG_TEMPLATE="/usr/share/doc/clamav-server-$CLAMD_VERSION/clamd.conf"
CLAMD_SYSCONFIG_TEMPLATE="/usr/share/doc/clamav-server-$CLAMD_VERSION/clamd.sysconfig"
CLAMD_INIT_TEMPLATE="/usr/share/doc/clamav-server-$CLAMD_VERSION/clamd.init"
CLAMD_LOGROTATE_TEMPLATE="/usr/share/doc/clamav-server-$CLAMD_VERSION/clamd.logrotate"

#Create clamav user if doesn't exist
#This should be the user who wants to talk to clamd, else user clamav must have read (and possibly write) access on the files.
echo "Checking for clamav user, '$CLAMD_USER'.."

if [ -z "`id $CLAMD_USER 2>/dev/null`" ]
then
	useradd $CLAMD_USER -r -c "User for clamd" -d /dev/null -M -s /sbin/nologin 2>/dev/null
	if [ $? -ne 0 ]
	then
		echo "Unable to create new clamd user, '$CLAMD_USER', sorry."
		echo ""
		echo "Instance of clamd for user '$CLAMD_USER' NOT created successfully."
		echo "Exiting."
		echo ""
		exit 1
	else
		echo "Created new user."
		echo ""
	fi
else
	echo "User already exists, not creating."
	echo ""
fi

#Copy and configure clamd configuration file
echo "Configuring clamd to do all the right things.."

#Check that ALL required template files exist before continuing
if [ ! -e "$CLAMD_CONFIG_TEMPLATE" -o  ! -e "$CLAMD_SYSCONFIG_TEMPLATE" -o ! -e "$CLAMD_INIT_TEMPLATE" -o ! -e "$CLAMD_LOGROTATE_TEMPLATE" ]
then
	echo "Could not find required template files under /usr/share/doc/clamav-server-$CLAMD_VERSION/, sorry."
	echo ""
	echo "Instance of clamd for user '$CLAMD_USER' NOT created successfully."
	echo "Exiting."
	echo ""
	exit 1
fi

#Check to see if an instance of clamd for user already exists
if [ -e $CLAMD_CONFIG ]
then
	echo "Instance of clamd already exists, clobbering.."
	#Stop existing daemon to enable new one
	/etc/init.d/clamd.$CLAMD_USER stop &>/dev/null
	#Remove existing config because 'cp' is aliased with -i and we don't want a prompt
	rm -f $CLAMD_CONFIG 2>/dev/null
fi

#Check to see if the port is already in use, if so, increment by one until we find something that's free
PORT_INUSE=0
while [ -n "`netstat -ltn |grep ":$CLAMD_PORT"`" ]
do
	CLAMD_PORT=$(($CLAMD_PORT+1))

	PORT_INUSE=1
done
if [ $PORT_INUSE == 1 ]
then
	echo "Port was already in use, using '$CLAMD_PORT' instead."
fi

#Make sure directory exists, which it should if clamav-server is installed (but you never know)
mkdir -p /etc/clamd.d 2>/dev/null

#Copy over the template file
cp -f $CLAMD_CONFIG_TEMPLATE $CLAMD_CONFIG 2>/dev/null
sed -i 's/clamd.<SERVICE>/clamd.'$CLAMD_USER'/' $CLAMD_CONFIG
sed -i 's/^Example/#Example/' $CLAMD_CONFIG
sed -i 's/^#LogFile/LogFile/' $CLAMD_CONFIG
sed -i 's/^#PidFile/PidFile/' $CLAMD_CONFIG
sed -i 's/^LocalSocket/#LocalSocket/' $CLAMD_CONFIG
sed -i 's/^#TCPSocket\ 3310/TCPSocket\ '$CLAMD_PORT'/' $CLAMD_CONFIG
sed -i 's/^#TCPAddr/TCPAddr/' $CLAMD_CONFIG
sed -i 's/<USER>/'$CLAMD_USER'/' $CLAMD_CONFIG
echo "Done."
echo ""

#Copy and configure clamd for log rotation
if [ -d /etc/logrotate.d ]
then
	echo "Configuring log rotation for clamd.."

	#Try to remove existing log rotate config, whether it exists or not because 'cp' is aliased with -i
	rm -f $CLAMD_LOGROTATE 2>/dev/null
	cp -f $CLAMD_LOGROTATE_TEMPLATE $CLAMD_LOGROTATE
	sed -i 's/clamd.<SERVICE>/clamd.'$CLAMD_USER'/' $CLAMD_LOGROTATE
fi
echo "Done."
echo ""

#Configuring clamd under sysconfig
echo "Configuring clamd under sysconfig.."

#Try to remove existing config, whether it exists or not because 'cp' is aliased with -i
rm -f $CLAMD_SYSCONFIG 2>/dev/null

#Copy over the template file
cp -f $CLAMD_SYSCONFIG_TEMPLATE $CLAMD_SYSCONFIG 2>/dev/null
sed -i 's/<SERVICE>/'$CLAMD_USER'/' $CLAMD_SYSCONFIG
sed -i 's/^#CLAMD/'CLAMD'/' $CLAMD_SYSCONFIG
echo "Done."
echo ""

#Configuring clamd init script
echo "Configuring clamd init script.."

#Try to remove existing config, whether it exists or not because 'cp' is aliased with -i
rm -f $CLAMD_INIT 2>/dev/null

#Copy over the init script
cp -f $CLAMD_INIT_TEMPLATE $CLAMD_INIT 2>/dev/null
sed -i 's/<SERVICE>/'$CLAMD_USER'/' $CLAMD_INIT
ln -s /usr/sbin/clamd /usr/sbin/clamd.$CLAMD_USER 2>/dev/null
$CLAMD_CHKCONFIG on
#Check that was successful
if [ $? -ne 0 ]
then
	echo "Could not turn service on, sorry."
	echo "Exiting."
	echo ""
	exit 1
fi
echo "Done."
echo ""

#Configure freshclam
echo "Enabling freshclam, the clamav updater.."
sed -i 's/^Example/#Example/' $FRESHCLAM_CONF

#Should we set the proxy too, if in env?
echo "Done."
echo ""

echo "Creating required directories and starting service.."
#Setup logs
touch $CLAMD_LOG
chown $CLAMD_USER:$CLAMD_USER $CLAMD_LOG
chmod 0620 $CLAMD_LOG

#Setup run socket
mkdir $CLAMD_PID 2>/dev/null
chown $CLAMD_USER:$CLAMD_USER $CLAMD_PID/

#Start services
/etc/init.d/clamd.$CLAMD_USER start &>/dev/null
if [ $? -ne 0 ]
then
	echo "Could not start service, sorry."
	echo "Continuing."
	echo ""
fi
echo "Done."
echo ""

#Print summary
echo "The clamd service has been successfully installed and configured with:"
echo "User '$CLAMD_USER' on port '$CLAMD_PORT'."
echo ""
echo 'Have fun!'
echo ""

Now open clamav-milter.conf (/etc/mail/clamav-milter.conf).

Comment out:
#Example

Add/Change:
MilterSocket /var/run/clamav-milter/clamav-milter.socket
ClamdSocket unix:/var/run/clamd.clamav/clamd.sock
ClamdSocket tcp:localhost

Now open clamd.conf (/etc/clamd.conf).

Comment out:
#User <USER>

Add/Change:
LocalSocket /var/run/clamd.clamav/clamd.sock

Your services are named as follows (this install = other distros):
clamd.clamav = clamd
clamav-milter = clamav-milter

In Sendmail you need to edit the m4 file and add/change (m4 macro names are case-sensitive, so the option is confINPUT_MAIL_FILTERS):
INPUT_MAIL_FILTER(`clamav-milter',`S=local:/var/run/clamav-milter/clamav-milter.socket,F=T, T=S:4m;R:4m')dnl
define(`confINPUT_MAIL_FILTERS', `clamav-milter')dnl

At this point you will need to restart all 3 services (clamd.clamav, clamav-milter, sendmail).

Keep in mind that this process will enable ClamAV, but by default ClamAV doesn't do anything. You will still need to configure ClamAV, but from here on the process is just like any other distro.
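
The three files edited above have to agree on two socket paths, and a typo in any one of them shows up only as the milter timing out. As an added example (not part of the original post or of ClamAV), this shell script cross-checks them; the config contents in it are constructed samples mirroring the settings above.

```shell
#!/bin/sh
# Added example, not part of the original post or of ClamAV: cross-check the
# three files the post edits so the socket chain lines up. clamd listens on
# LocalSocket (clamd.conf); clamav-milter talks to it through "ClamdSocket unix:"
# and itself listens on MilterSocket (clamav-milter.conf); sendmail reaches that
# through "S=local:" in the INPUT_MAIL_FILTER entry (sendmail.mc).

# value_of FILE KEY -> value of the first uncommented "KEY value" line
value_of() {
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}//p" "$1" | head -n 1
}

# check_clam_chain CLAMD_CONF MILTER_CONF SENDMAIL_MC
# Prints one line per problem found; returns 1 if there were any.
check_clam_chain() {
    rc=0
    for f in "$1" "$2"; do
        # an uncommented "Example" line makes clamd/clamav-milter refuse to start
        if grep -q '^[[:space:]]*Example' "$f"; then
            echo "$f: 'Example' line is still active"
            rc=1
        fi
    done
    clamd_sock=$(value_of "$1" LocalSocket)
    milter_target=$(sed -n 's/^[[:space:]]*ClamdSocket[[:space:]]*unix://p' "$2" | head -n 1)
    if [ -z "$clamd_sock" ]; then
        echo "$1: no LocalSocket set"
        rc=1
    elif [ "$milter_target" != "$clamd_sock" ]; then
        echo "$2: ClamdSocket unix:$milter_target does not match LocalSocket $clamd_sock"
        rc=1
    fi
    milter_sock=$(value_of "$2" MilterSocket)
    mc_sock=$(grep 'INPUT_MAIL_FILTER' "$3" | sed -n "s/.*S=local:\([^,']*\).*/\1/p" | head -n 1)
    if [ "$mc_sock" != "$milter_sock" ]; then
        echo "$3: S=local:$mc_sock does not match MilterSocket $milter_sock"
        rc=1
    fi
    return $rc
}

# Constructed sample files mirroring the post's settings (good) and a typical
# mistake (bad): Example left active and the milter pointed at the wrong socket.
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
cat > "$TMP/clamd.conf" <<'EOF'
#Example
LogFile /var/log/clamd.clamav
LocalSocket /var/run/clamd.clamav/clamd.sock
#User <USER>
EOF
cat > "$TMP/clamav-milter.conf" <<'EOF'
#Example
MilterSocket /var/run/clamav-milter/clamav-milter.socket
ClamdSocket unix:/var/run/clamd.clamav/clamd.sock
ClamdSocket tcp:localhost
EOF
cat > "$TMP/sendmail.mc" <<'EOF'
INPUT_MAIL_FILTER(`clamav-milter',`S=local:/var/run/clamav-milter/clamav-milter.socket,F=T, T=S:4m;R:4m')dnl
define(`confINPUT_MAIL_FILTERS', `clamav-milter')dnl
EOF
cat > "$TMP/clamav-milter.bad" <<'EOF'
Example
MilterSocket /var/run/clamav-milter/clamav-milter.socket
ClamdSocket unix:/var/run/clamd.sock
EOF

# Usage: check_clam_chain /etc/clamd.conf /etc/mail/clamav-milter.conf /etc/mail/sendmail.mc
```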

OpenSolaris is being discontinued.

by RyanWagner on Feb.24, 2010, under Linux/Unix, Non-Technical

Oracle, since acquiring Sun Systems, has been closing many of the open source projects that Sun once operated. This now includes OpenSolaris. You can see the end-of-life announcement here:

http://www.sun.com/service/eosl/eosl_opensolaris.html


OCS Inventory, The FREE asset management solution

by RyanWagner on Feb.19, 2010, under Linux/Unix, Mac, SMB, Windows

I am still shocked when an organization tells me that they do not have a complete asset management solution. Often the reason provided is cost, and while OCS lacks “fancy pants” it is my product of choice for organizations trying to reduce software cost.

OCS supports all the major Windows and Linux operating systems, as well as Mac OS X. The OCS Inventory NG server only runs on server operating systems, but the agent is compatible with both workstation and server OS. Windows agents can even be deployed through GPO.

OCS is released under the GNU General Public License, which means the product is 100% free to use.

You can find all of the information you need, and the download, here:

http://www.ocsinventory-ng.org


defragmentation

by RyanWagner on Jan.01, 2010, under Linux/Unix, SMB, Technical, Understanding Technology, Windows

How often have you told someone to defrag their system, or been told to defrag your system? How many times has anyone ever explained what it is or why we do it?

=- THE NON TECHNICAL ANSWER -=
Imagine having 4 buckets: a green one, a blue one, a red one, and a yellow one. All of these buckets are inside a brown cardboard box. This is a representation of your hard drive (the brown cardboard box) and 4 programs (the buckets) that you have installed.

Each bucket is filled with marbles, which represent the data associated with the 4 programs, and just like the buckets the marbles are colored green, blue, red, and yellow.

Over time marbles get into the wrong buckets. Defragmentation takes all the marbles and puts them back together in the matching colored buckets. This makes it faster for you to find all the data (the marbles) for a program.

In a real-world scenario you might have hundreds or thousands of buckets. The less organized they are, the longer it will take your computer to find all the pieces of a program so you can use it.

-= Light Technical Detail =-
Data is written to a drive in the order it is received. Your hard drive is receiving input from multiple sources at the same time during an installation, and in today's world a program can even be installed already fragmented. It is important to note that defragmentation is putting data in the order in which it will be called. System defragmentation is what is generally meant by "defragmentation", but it is not the only type of defragmentation.

GEEK NOTE: this does NOT mean that data has to be placed physically on the drive as 1, 2, 3, 4, 5, 6, 7, etc. as is commonly depicted in graphical representations of defragmentation. To be more accurate we would have to discuss drive formatting, speeds, etc. Some drives read every X space-distance, so while the pieces are in order based on drive read cycles they are not physically next to each other; there is other data between them.

Non-System Defragmentation?
Most people only think of system defragmentation when talking about defragmentation, but that is not the only defragmentation you can do. Most databases can and should be defragmented as part of a maintenance cycle. Exchange databases not being defragmented is one of the most common causes of Exchange problems.

GEEK NOTE: even though things like the swap file and system registry are part of the system, they are considered “immovable” by system defragmentation software. Thus they are not defragmented when you run most defrag programs. In order to defragment these you need to use additional tools. One of the most common tools used for Windows is PageDefrag. Sadly this tool is starting to become outdated, and unless it is updated it may not work with newer OS versions.

UPDATE: Jan 12, 2009
Someone asked me what doesn't get defragmented by the Windows Disk Defragmenter program. According to Wikipedia, the following:
http://en.wikipedia.org/wiki/Disk_Defragmenter_(Windows)

In Windows 2000 and later operating systems, Disk Defragmenter has the following limitations:

It does not defragment files residing in the Recycle Bin or files that are in use.[9] In particular, this includes the registry, page file and hibernation file.
Only one volume can be analyzed or defragmented at a time and only one instance can run.[10]
Only local volumes can be defragmented, network volumes are not supported.[10]
The GUI version prior to Windows Vista cannot be scheduled, however the command line utility since Windows XP and later can be scheduled.
Unlike previous versions, the GUI version in Windows Vista does not display a map of disk fragmentation, nor does it display progress during defragmentation.
In addition, the Windows 2000 version has the following limitations which were removed in Windows XP:[10]

Defragmenting NTFS volumes with cluster sizes larger than 4 kilobytes (KB) is not possible.
It is not possible to perform fine-grained movement of uncompressed NTFS file data in Windows 2000. Moving a single file cluster also moves the 4 KB part of the file that contains the cluster.
EFS encrypted files are not defragmented.
NTFS metadata, such as the Master File Table (MFT), or metadata that describes a directory’s contents is not defragmented.

For those who are looking for an alternative solution I recommend trying MyDefrag. This is open source software and used to be called JkDefrag.


Directory Harvest Attacks (DHA)

by RyanWagner on Dec.08, 2009, under Linux/Unix, SMB, Technical, Understanding Technology, Windows

Directory Harvest Attacks (DHA) are one of the most common methods used to obtain valid email addresses from companies. A DHA occurs in a couple of stages. The first stage is to identify the naming scheme used by the company. The second stage is to identify valid email addresses using that naming scheme. The entire time, the attackers are effectively spamming your server with requests and logging when your server tells them that a name does exist. The collected names are then sold to spammers, or used in the attackers' own future spamming efforts.

DHA = Future Spam

Today many IT professionals are still unaware of what DHA is, and when asked how spammers get email addresses they often blame users for poor security habits. I am sure that users' bad habits are not helping, but a user is probably only going to hurt themselves and not thousands. DHA is capable of affecting large chunks of an organization.

In my experience a company with 100-999 email addresses will average 200-400 thousand DHA attacks a month if left unchecked.

Many technologies exist today to combat DHA. Many email services, like Postini, and email security devices contain methods to combat DHA. In addition, software like milter-greylist is available.

DHA Prevention Methods:
1) Greylisting – temporarily blocking IP addresses

Greylisting is the process by which new email servers are asked to ‘try again later’. The downside is that inbound email will be delayed, but the upside is that greylisting can cut DHA by more than half. I would highly recommend Milter-Greylist for Unix and warn against software that is supposed to greylist Exchange directly. If someone reading this knows of working greylist software for Exchange, please post a comment. In my experience, setting up MTA delays for Exchange and using software plugins for Exchange has had problems.

2) Blacklisting – blocking IP addresses permanently

Blacklisting is preventing specific IP addresses from making connections. Blacklisting can be handled several ways: you can blacklist from your email server, from your firewall, or even by using additional software that would affect only one server's connections. Each of these methods has pros and cons.

A final way to blacklist is via a service. Most of these blacklist services are free and vary in the methods used. You can look through the thousands of these blacklist services, generally called RBLs (realtime black lists), and pick which ones suit your needs. I would recommend that people stay away from SORBS except while combating a serious problem. SORBS is one of the most aggressive blacklists and has entire blocks of valid IP addresses blacked out with no reasonable way for the owners of those IPs to get them off the list. This results in thousands of email servers being unable to legitimately send you email. On the plus side, using SORBS during a crisis means you can drastically cut down your spam, DHA, and other malicious issues, hopefully allowing you to catch up with your security issues.

I follow 2 rules for RBLs. The first is to use multiple sources. The second is to not rely on RBLs as my only blacklist source. You must still maintain your own blacklist so you are not waiting on RBLs to catch up to you.

3) Behavioral Identification – similar to anti-virus heuristics

Behavioral identification is almost exclusive to services and hardware. Some exceptions exist, but consider this an advantage of going with a service or hardware solution for email security. I highly recommend Postini as a service, and either the Cisco email security devices or the SonicWALL security devices as hardware. The SonicWALL security device comes with some very handy reporting for DHA, and by regularly updating your blacklist with DHA attackers who have done 10+ attacks in a day you will make a serious impact on the number of DHA you encounter every day.
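
If you run sendmail without an appliance, the same "10+ attempts in a day" signal can be pulled straight out of the maillog. As an added example (not part of the original post), this shell script counts "User unknown" rejections per connecting address and lists the ones over a threshold; the log lines and the addresses in it are constructed samples, not real data.

```shell
#!/bin/sh
# Added example, not from the original post: spot a directory harvest attack in
# a sendmail maillog. A DHA shows up as one client address collecting many
# "User unknown" rejections against different recipients in a short time, which
# is the "10+ attacks in a day" signal the post suggests feeding into your own
# blacklist. Log lines and addresses below are constructed samples.

# unknown_user_counts LOG -> "count ip" per relay address with User unknown rejections
unknown_user_counts() {
    grep 'User unknown' "$1" \
        | sed -n 's/.*relay=[^[]*\[\([0-9.][0-9.]*\)\].*/\1/p' \
        | sort | uniq -c \
        | awk '{ print $1, $2 }' | sort -rn
}

# dha_suspects LOG THRESHOLD -> only the addresses at or above THRESHOLD
dha_suspects() {
    unknown_user_counts "$1" | awk -v t="$2" '$1 >= t'
}

# probed_recipients LOG IP -> number of distinct addresses IP tried
probed_recipients() {
    grep 'User unknown' "$1" | grep -F "[$2]" \
        | sed -n 's/.*arg1=<\([^>]*\)>.*/\1/p' | sort -u | wc -l | tr -d ' '
}

LOG=$(mktemp); trap 'rm -f "$LOG"' EXIT
# 203.0.113.5 walks a first.last naming scheme; 198.51.100.7 is a single typo.
cat > "$LOG" <<'EOF'
Dec  8 10:01:02 mail sendmail[4121]: nB8F12ab004121: ruleset=check_rcpt, arg1=<john.smith@example.com>, relay=[203.0.113.5], reject=550 5.1.1 <john.smith@example.com>... User unknown
Dec  8 10:01:03 mail sendmail[4121]: nB8F12ab004121: ruleset=check_rcpt, arg1=<jane.smith@example.com>, relay=[203.0.113.5], reject=550 5.1.1 <jane.smith@example.com>... User unknown
Dec  8 10:01:03 mail sendmail[4121]: nB8F12ab004121: ruleset=check_rcpt, arg1=<john.doe@example.com>, relay=[203.0.113.5], reject=550 5.1.1 <john.doe@example.com>... User unknown
Dec  8 10:01:04 mail sendmail[4121]: nB8F12ab004121: ruleset=check_rcpt, arg1=<jane.doe@example.com>, relay=[203.0.113.5], reject=550 5.1.1 <jane.doe@example.com>... User unknown
Dec  8 10:01:04 mail sendmail[4121]: nB8F12ab004121: ruleset=check_rcpt, arg1=<bob.jones@example.com>, relay=[203.0.113.5], reject=550 5.1.1 <bob.jones@example.com>... User unknown
Dec  8 10:01:05 mail sendmail[4121]: nB8F12ab004121: ruleset=check_rcpt, arg1=<bob.jones@example.com>, relay=[203.0.113.5], reject=550 5.1.1 <bob.jones@example.com>... User unknown
Dec  8 10:03:17 mail sendmail[4130]: nB8F3Hcd004130: ruleset=check_rcpt, arg1=<alise@example.com>, relay=partner.example.net [198.51.100.7], reject=550 5.1.1 <alise@example.com>... User unknown
Dec  8 10:03:18 mail sendmail[4131]: nB8F3Ief004131: from=<alice@example.com>, size=812, class=0, nrcpts=1, relay=partner.example.net [198.51.100.7]
EOF

# Usage on a live box: dha_suspects /var/log/maillog 10
```

A lone typo from a partner's server never crosses the threshold, while the harvester does; pairing the count with probed_recipients separates one misaddressed sender from a name-scheme walk.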


vsftpd Folder Security

by RyanWagner on Dec.03, 2009, under Linux/Unix, SMB, Technical

vsftpd is one of the most common FTP server programs for Unix. Anyone who is thinking of using Unix will need an FTP program and, to its benefit, vsftpd is simple, effective, and free. Thus far I have not been able to configure vsftpd to select folders out of the hierarchy for user access. For example, if you wanted to create a new FTP user with folder access to the web root directory AND his home directory, then you might not want to choose vsftpd.

Another problem with vsftpd is that when it is initially installed, FTP users are able to navigate everywhere on the server, and while they may not have any access, even read, they can still download files to their desktops and then read the files. This is the problem we will be resolving today.

In most cases your vsftpd configuration will be in /etc/vsftpd, but note that you may have some vsftpd files in the /etc folder. Inside the vsftpd.conf file look for:
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd/chroot_list

Please note that even though it only shows 2 commented-out options, you actually have 3:

chroot_local_user
chroot_list_enable
chroot_list_file

Here is a working config entry.

# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
chroot_local_user=YES
chroot_list_enable=YES
# (default follows)
chroot_list_file=/etc/vsftpd/chroot_list

Don’t forget to restart vsftpd. Now your users will only be able to see their home folders and the subfolders within them. If you need to create an FTP user who has global access you can assign their home as the root directory, but that is not advisable. The proper way to configure this is to add their username to the chroot_list_file; in the above example it is “/etc/vsftpd/chroot_list”. Any account listed in this file will be excluded from the home folder lockdown.

website: http://vsftpd.beasts.org/
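
Because the meaning of chroot_list flips depending on chroot_local_user (an exemption list when it is YES, the list of confined users when it is NO), it is worth auditing the combination rather than eyeballing it. As an added example (not from the original post or the vsftpd project), this shell script works out which mode a vsftpd.conf is in and who is left able to browse the whole server; the config contents and the user name webadmin are constructed.

```shell
#!/bin/sh
# Added example, not from the original post or the vsftpd project: audit a
# vsftpd.conf the way the post reasons about it. The three chroot_* options
# together decide who is confined to their home directory, and in the post's
# setting (chroot_local_user=YES + chroot_list_enable=YES) the list file names
# the users who are NOT confined. Config contents and user names are constructed.

# conf_value CONF KEY -> value of the first uncommented "KEY=value" line, or nothing
conf_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | head -n 1
}

# chroot_mode CONF -> who gets chroot()ed:
#   all-but-list  chroot_local_user=YES + chroot_list_enable=YES (list = exemptions)
#   all           chroot_local_user=YES without a list
#   list-only     chroot_local_user=NO  + chroot_list_enable=YES (list = who IS confined)
#   none          the stock config from the post: nobody is confined
chroot_mode() {
    case "$(conf_value "$1" chroot_local_user)/$(conf_value "$1" chroot_list_enable)" in
        YES/YES) echo all-but-list ;;
        YES/*)   echo all ;;
        */YES)   echo list-only ;;
        *)       echo none ;;
    esac
}

# chroot_list_users CONF -> non-comment, non-empty entries of chroot_list_file
chroot_list_users() {
    list=$(conf_value "$1" chroot_list_file)
    [ -n "$list" ] || list=/etc/vsftpd/chroot_list   # the default shown in the post
    [ -r "$list" ] || { echo "chroot_list_file $list is missing or unreadable" >&2; return 0; }
    grep -v '^[[:space:]]*#' "$list" | grep -v '^[[:space:]]*$' || true
}

# audit_vsftpd CONF -> prints the mode and every user left able to browse the
# whole server; returns 1 when no local user is confined at all
audit_vsftpd() {
    mode=$(chroot_mode "$1")
    echo "mode: $mode"
    case $mode in
        all-but-list)
            for u in $(chroot_list_users "$1"); do
                echo "NOT confined (exempt via chroot_list): $u"
            done ;;
        list-only)
            echo "only the users in chroot_list are confined" ;;
        none)
            echo "no local user is confined"
            return 1 ;;
    esac
    return 0
}

TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
printf '# web admin needs the document root too\nwebadmin\n\n' > "$TMP/chroot_list"
cat > "$TMP/vsftpd.fixed" <<EOF
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=$TMP/chroot_list
EOF
cat > "$TMP/vsftpd.stock" <<'EOF'
#chroot_list_enable=YES
#chroot_list_file=/etc/vsftpd/chroot_list
EOF

# Usage on a live box: audit_vsftpd /etc/vsftpd/vsftpd.conf
```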

