The Geek Diary

How To Limit/Restrict FTP Commands On Vsftpd Services (CentOS/RHEL 6,7)

by admin

Learn how to restrict or limit which FTP commands a user can run on a vsftpd service. For example, how to deny a user the ability to create or remove a directory.

1. The vsftpd service is installed and configured with default options. Creating and removing directories works as expected.

# ftp localhost
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
220 (vsFTPd 3.0.2)
Name (localhost:root): test
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> mkdir test
257 "/home/test/test" created
ftp> rmdir test
250 Remove directory operation successful.
ftp>

2. Deny the user the ability to create or remove a directory. Add the lines below at the end of the file /etc/vsftpd/vsftpd.conf.

# tail /etc/vsftpd/vsftpd.conf
tcp_wrappers=YES

# Allowed commands
#cmds_allowed=ABOR,ACCT,ALLO,APPE,CDUP,CWD,DELE,EPRT,EPSV,FEAT,HELP,LIST,MDTM,MODE,NLST,NOOP,OPTS,PASS,PASV,PORT,PWD,QUIT,REIN,REST,RETR,RMD,RNFR,RNTO,SITE,SIZE,SMNT,STAT,STOR,STOU,STRU,SYST,TYPE,USER,XCUP,XCWD,XPWD,XRMD

# Explicitly denied commands
cmds_denied=RMD,RMDIR,XRMD,MKD,MKDIR,XMKD

3. Restart the vsftpd service:

# systemctl restart vsftpd

Note: For Oracle Linux 6, use:

# service vsftpd restart

4. The user can no longer create or remove a directory:

# ftp localhost
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
220 (vsFTPd 3.0.2)
Name (localhost:root): test
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
ftp> mkdir test2
550 Permission denied.   
ftp>
ftp> rmdir test
550 Permission denied.   
ftp>

Refer to the man page for more information:

# man vsftpd.conf

cmds_allowed
This option specifies a comma-separated list of allowed FTP commands (post login. USER, PASS and QUIT and
others are always allowed pre-login). Other commands are rejected. This is a powerful method of really
locking down an FTP server. Example: cmds_allowed=PASV,RETR,QUIT

Default: (none)

cmds_denied
This option specifies a comma-separated list of denied FTP commands (post login. USER, PASS, QUIT and
others are always allowed pre-login). If a command appears on both this and cmds_allowed then the denial
takes precedence. (Added in v2.1.0).
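
The precedence rule quoted above can be checked against a configuration file before restarting the service. The script below is an added example, not part of the original article or of vsftpd; the function names are hypothetical, the sample configuration is constructed from step 2, and it assumes command names are written in upper case and that a repeated option takes its last value.

```shell
#!/bin/sh
# Added example (not from the original page): evaluate cmds_allowed / cmds_denied.

# Constructed sample: the settings from step 2, with a shortened commented-out allow list.
sample_conf() {
    cat <<'EOF'
tcp_wrappers=YES
# Allowed commands
#cmds_allowed=ABOR,CWD,LIST,PASV,RETR,QUIT
# Explicitly denied commands
cmds_denied=RMD,RMDIR,XRMD,MKD,MKDIR,XMKD
EOF
}

# get_opt FILE NAME: value of the last uncommented NAME=value line.
# Assumption: if an option is repeated, the last occurrence is the one in effect.
get_opt() { sed -n "s/^$2=//p" "$1" | tail -n 1; }

# in_list CMD LIST: true if CMD is an exact member of the comma-separated LIST.
in_list() {
    case ",$2," in *",$1,"*) return 0 ;; esac
    return 1
}

# cmd_status FILE CMD: print "allowed" or "denied" for a post-login command.
cmd_status() {
    cs_allowed=$(get_opt "$1" cmds_allowed)
    cs_denied=$(get_opt "$1" cmds_denied)
    if in_list "$2" "$cs_denied"; then
        echo denied      # on the deny list: denial takes precedence
    elif [ -n "$cs_allowed" ] && ! in_list "$2" "$cs_allowed"; then
        echo denied      # an allow list is set and the command is not on it
    else
        echo allowed
    fi
}

# audit FILE CMD...: one "CMD status" line per command.
audit() {
    au_file=$1; shift
    for au_cmd in "$@"; do
        printf '%s %s\n' "$au_cmd" "$(cmd_status "$au_file" "$au_cmd")"
    done
}

# Demo on the constructed sample; pass /etc/vsftpd/vsftpd.conf to audit on a real host.
demo_conf=$(mktemp)
sample_conf > "$demo_conf"
audit "$demo_conf" MKD XMKD RMD XRMD DELE STOR RETR
rm -f "$demo_conf"
```

On the settings from step 2 it reports the four directory commands as denied while DELE, STOR and RETR stay allowed, so file deletion and upload are not affected by this deny list.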

© 2022 · The Geek Diary
