How to Configure vsftpd for Root FTP Access on SLES 10.1: Secure Setup Guide


Enabling root FTP access requires careful configuration due to vsftpd's default security restrictions. The key configuration parameters needed are:

# /etc/vsftpd.conf
local_enable=YES
write_enable=YES
chroot_local_user=NO
userlist_enable=YES
userlist_deny=NO
userlist_file=/etc/vsftpd.users
allow_writeable_chroot=YES

Before proceeding, implement these security measures:

  1. Configure firewall rules to restrict FTP access to trusted IPs
  2. Enable TLS encryption (highly recommended)
  3. Set up fail2ban for brute force protection

1. Edit the vsftpd configuration file:

sudo vi /etc/vsftpd.conf

2. Add root to the allowed users file:

echo "root" | sudo tee -a /etc/vsftpd.users

3. Modify PAM configuration (if needed):

# /etc/pam.d/vsftpd
# Comment out or modify the following line:
# auth    required        pam_shells.so

After making changes, test the setup:

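# SLES 10 uses SysV init scripts, not systemd.
# If vsftpd is started from xinetd, restart xinetd instead.
sudo /etc/init.d/vsftpd restart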
ftp localhost
# Try logging in with root credentials

If you encounter "Connection closed by remote host":

  • Verify SELinux/AppArmor permissions
  • Check /var/log/vsftpd.log for detailed errors
  • Ensure root's shell is listed in /etc/shells

For better security, consider using sudo instead of direct root access:

# /etc/sudoers (edit with visudo)
ftpuser ALL=(root) /usr/sbin/vsftpd



While enabling root FTP access is generally discouraged for security reasons, there are legitimate use cases in controlled environments where this configuration might be necessary. When implementing this setup, it's crucial to:

  • Restrict access to specific IP addresses
  • Use strong authentication methods
  • Monitor FTP logs regularly
  • Consider alternative secure file transfer methods first

To properly enable root logins in vsftpd on SLES 10.1, you'll need to modify several configuration parameters. Here's the complete setup:

# /etc/vsftpd.conf
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
chroot_local_user=NO
allow_writeable_chroot=YES
userlist_enable=YES
userlist_deny=NO
userlist_file=/etc/vsftpd.users
seccomp_sandbox=NO

The userlist_file directive specifies which users are allowed FTP access. Create or edit this file:

# /etc/vsftpd.users
root
other_allowed_user

On SLES systems, you'll likely need to modify PAM settings to permit root FTP access. Edit the PAM configuration file:

# /etc/pam.d/vsftpd
# Comment out or modify these lines:
# auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth required pam_shells.so
auth include common-auth
account include common-account
session include common-session

If you're still experiencing connection drops after applying these changes, check:

# Verify SELinux status (if applicable)
getenforce
# Check vsftpd logs
tail -f /var/log/vsftpd.log
# Test basic FTP functionality
ftp localhost
# Verify file permissions
ls -la /home
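The login blockers this guide names (membership of the userlist_file allow-list, the pam_listfile check against /etc/ftpusers, the pam_shells check against /etc/shells) and the TLS recommendation can be checked in one pass. The script below is an added example, not part of the original guide; its function names and the root-prefix argument are hypothetical, and it assumes pam_listfile uses file=/etc/ftpusers with sense=deny as in the PAM line shown above.

```sh
#!/bin/sh
# Added example (not from the guide): report what blocks root FTP logins
# and whether TLS is on. Function names and ROOT_PREFIX are hypothetical.

# Last uncommented KEY=value in a vsftpd.conf-style file, else DEFAULT.
conf_get() {  # conf_get FILE KEY DEFAULT
    v=$(sed -n "s/^$2=//p" "$1" 2>/dev/null | tail -n 1)
    echo "${v:-$3}"
}

# True if NAME is an exact line of FILE.
listed() {  # listed FILE NAME
    grep -qxF -- "$2" "$1" 2>/dev/null
}

# True if an uncommented line of PAM_FILE references MODULE.
pam_active() {  # pam_active PAM_FILE MODULE
    grep -v '^[[:space:]]*#' "$1" 2>/dev/null | grep -qF -- "$2"
}

# ROOT_PREFIX is "" for the live system or the top of a copied /etc tree.
check_root_ftp() {  # check_root_ftp ROOT_PREFIX
    r=$1; conf=$r/etc/vsftpd.conf; pam=$r/etc/pam.d/vsftpd
    if [ "$(conf_get "$conf" userlist_enable NO)" = YES ]; then
        list=$r$(conf_get "$conf" userlist_file /etc/vsftpd.user_list)
        if [ "$(conf_get "$conf" userlist_deny YES)" = NO ]; then
            listed "$list" root || echo "BLOCK: root is not in allow-list $list"
        else
            listed "$list" root && echo "BLOCK: root is in deny-list $list"
        fi
    fi
    # Assumes pam_listfile uses file=/etc/ftpusers sense=deny, as shown above.
    if pam_active "$pam" pam_listfile.so && listed "$r/etc/ftpusers" root; then
        echo "BLOCK: pam_listfile is active and root is in /etc/ftpusers"
    fi
    sh=$(awk -F: '$1 == "root" { print $7 }' "$r/etc/passwd" 2>/dev/null || true)
    if pam_active "$pam" pam_shells.so && ! listed "$r/etc/shells" "$sh"; then
        echo "BLOCK: pam_shells is active and root's shell '$sh' is not in /etc/shells"
    fi
    [ "$(conf_get "$conf" ssl_enable NO)" = YES ] ||
        echo "WARN: ssl_enable is not YES; credentials are sent in cleartext"
    return 0
}

# Usage on a live host: check_root_ftp ""
```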

For production environments, consider these more secure alternatives:

# SFTP setup (uses SSH)
Subsystem sftp internal-sftp
# Restrict root to SFTP only in sshd_config:
Match User root
    ForceCommand internal-sftp
    PasswordAuthentication yes
    ChrootDirectory /secure/root/directory
    PermitTunnel no
    AllowAgentForwarding no
    AllowTcpForwarding no
    X11Forwarding no