Prerequisites
Before restricting FTP access, make sure you have:
- SSH access to your VPS
- vsftpd installed and configured
- Root or sudo privileges
Step 1: Enable Chroot in vsftpd
Connect to your VPS:
ssh hxroot@YOUR_SERVER_IP -p 22
Open the vsftpd configuration file:
sudo nano /etc/vsftpd.conf
Ensure these lines are present:
chroot_local_user=YES
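allow_writeable_chroot=YES
Note: by default vsftpd refuses to log a user into a chroot whose root directory is writable by that user. allow_writeable_chroot=YES turns that safety check off, so leave it out if the jail root itself does not need to be writable.
Restart vsftpd: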
sudo systemctl restart vsftpd
Step 2: User Jail Already Configured
With chroot_local_user=YES, each FTP user is jailed into their home directory automatically.
You can also create a separate chroot directory:
sudo mkdir -p /var/ftp/restricted
sudo useradd -d /var/ftp/restricted -s /usr/sbin/nologin restricteduser
sudo passwd restricteduser
sudo chown -R restricteduser:restricteduser /var/ftp/restricted
sudo chmod 755 /var/ftp/restricted
Step 3: Prevent User from Escaping via Symbolic Links
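Inside a chroot, symlink targets are resolved relative to the jail root, so a symlink cannot lead outside it. The settings below pin the jail root, fix the passive port range, and filter file names. hide_file only hides names from directory listings, and deny_file is a simple name filter, so rely on filesystem permissions for real access control.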
sudo nano /etc/vsftpd.conf
Add:
local_root=/var/ftp/restricted
pasv_enable=YES
pasv_min_port=30000
pasv_max_port=30010
hide_file=.*
deny_file={*.sh,*.bin,*.exe}
Step 4: Create User-Specific Config File (Per-User Restrictions)
Enable user config directory:
sudo mkdir -p /etc/vsftpd/user_conf
sudo nano /etc/vsftpd/user_conf/restricteduser
Add:
local_root=/var/www/mysite
write_enable=YES
In main vsftpd.conf, ensure:
user_config_dir=/etc/vsftpd/user_conf
Restart vsftpd.
Step 5: Test the Restriction
Connect via FTP and try to navigate up:
cd ..
You should stay in the same directory or get an error.
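A configuration check to run alongside the manual test above. This is an added example, not part of the original guide. It also checks chroot_list_enable, a vsftpd option the guide does not use, and it assumes that the last assignment of a repeated option is the effective one; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the guide): audit vsftpd.conf chroot settings.

# Print the value of option $2 in config file $1. vsftpd directives are
# "option=value" with no spaces around "="; lines starting with "#" are comments.
# Assumption: if an option is repeated, the last assignment is the effective one.
vsftpd_opt() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# Print one finding per line; return 1 when local users are not reliably jailed.
audit_vsftpd_chroot() {
    conf=$1
    rc=0
    if [ "$(vsftpd_opt "$conf" chroot_local_user)" = "YES" ]; then
        echo "OK chroot_local_user=YES"
        # With chroot_local_user=YES, chroot_list_file lists users who are NOT jailed.
        if [ "$(vsftpd_opt "$conf" chroot_list_enable)" = "YES" ]; then
            echo "FAIL chroot_list_enable=YES exempts listed users from the jail"
            rc=1
        fi
    else
        echo "FAIL chroot_local_user is not YES"
        rc=1
    fi
    if [ "$(vsftpd_opt "$conf" allow_writeable_chroot)" = "YES" ]; then
        echo "WARN allow_writeable_chroot=YES: jail root may be user-writable"
    fi
    dir=$(vsftpd_opt "$conf" user_config_dir)
    if [ -n "$dir" ]; then echo "INFO per-user overrides read from $dir"; fi
    return $rc
}

# Constructed sample mirroring the settings from Steps 1 and 4.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample, not a real server config
chroot_local_user=YES
allow_writeable_chroot=YES
user_config_dir=/etc/vsftpd/user_conf
EOF
audit_vsftpd_chroot "$sample" || true
rm -f "$sample"
```

On a server, call audit_vsftpd_chroot /etc/vsftpd.conf and treat a non-zero exit status as a failed jail configuration.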
Alternative: Use SFTP Chroot (for SSH File Transfer)
If using SFTP instead of FTP, edit /etc/ssh/sshd_config:
Subsystem sftp internal-sftp
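Match User restricteduser
    ChrootDirectory /var/www/mysite
    ForceCommand internal-sftp
    X11Forwarding no
    AllowTcpForwarding no
    PermitTTY no
sshd requires the ChrootDirectory and every directory above it to be owned by root and not writable by any other user or group; otherwise the login is rejected. Give the user a writable subdirectory inside the jail for uploads.
Check the file with sudo sshd -t, then restart SSH.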
✅ FTP access restricted. Users cannot leave their assigned directories.