Archive for the tag 'Restrict'

Restrict users to their home directory in VSFTP

Sometimes you may want to confine users to their home directory when they log in over FTP. You can achieve this in VSFTP with the following steps.

1. Open the VSFTPD configuration file "/etc/vsftpd.conf" and uncomment the following lines.

chroot_local_user=YES
chroot_list_file=/etc/vsftpd.chroot_list

2. Create the file "/etc/vsftpd.chroot_list" and place in it the user names (one per line) that you want to restrict.

3. Restart VSFTPD for the change to take effect.

/etc/init.d/vsftpd restart

After this, users listed in the file "/etc/vsftpd.chroot_list" will be confined to their home directory.

Restrict the number of parallel connections to a server

connlimit

Allows you to restrict the number of parallel connections to a server per client IP address (or client address block).

[!] --connlimit-above n
Match if the number of existing connections is (not) above n.

--connlimit-mask prefix_length
Group hosts by the given prefix length. For IPv4 this must be a number between 0 and 32 inclusive; for IPv6, between 0 and 128 inclusive.

Examples:

# allow at most 2 telnet connections per client host
iptables -A INPUT -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT

# you can also match the other way around:
iptables -A INPUT -p tcp --syn --dport 23 -m connlimit ! --connlimit-above 2 -j ACCEPT

# limit the number of parallel HTTP requests to 16 per class C sized network (24 bit netmask)
iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 16 --connlimit-mask 24 -j REJECT

# limit the number of parallel HTTP requests to 16 for the link local network (ipv6)
ip6tables -A INPUT -p tcp --syn --dport 80 -s fe80::/64 -m connlimit --connlimit-above 16 --connlimit-mask 64 -j REJECT
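As an added illustration of how --connlimit-mask groups clients (this script is not from the original post or the iptables man page), the POSIX sh functions below mask a constructed list of client addresses to a prefix length and report the groups whose connection count is above the limit, which is the same test --connlimit-above n applies; CONNS is a made-up sample, not real connection data.

```shell
# Constructed sample of client addresses holding connections to port 80 (not real data).
CONNS="198.51.100.7
198.51.100.9
198.51.100.23
203.0.113.5
203.0.113.77
198.51.100.200"

# ip4_to_int DOTTED_QUAD -> 32-bit integer
ip4_to_int() {
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# net_of IP PREFIX -> network address of IP under PREFIX, as --connlimit-mask would group it
net_of() {
  n=$(ip4_to_int "$1")
  p=$2
  if [ "$p" -eq 0 ]; then
    mask=0
  else
    mask=$(( (4294967295 << (32 - p)) & 4294967295 ))
  fi
  n=$(( n & mask ))
  echo "$(( (n >> 24) & 255 )).$(( (n >> 16) & 255 )).$(( (n >> 8) & 255 )).$(( n & 255 ))"
}

# over_limit LIMIT PREFIX: read client IPs on stdin, group them by PREFIX, and print
# "network count" for every group whose count is above LIMIT (the --connlimit-above match)
over_limit() {
  limit=$1
  prefix=$2
  while read -r ip; do
    [ -n "$ip" ] && net_of "$ip" "$prefix"
  done | sort | uniq -c | while read -r count net; do
    if [ "$count" -gt "$limit" ]; then
      echo "$net $count"
    fi
  done
}

# With --connlimit-mask 24 the four 198.51.100.x clients count as one group and exceed a limit of 2;
# with --connlimit-mask 32 every client is its own group and nothing is above the limit.
printf '%s\n' "$CONNS" | over_limit 2 24
printf '%s\n' "$CONNS" | over_limit 2 32
```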
