25.5.1 Running DNS and FTP Services in a Chroot Jail

If the DNS name service daemon (named) runs in a chroot jail, any attacker who enters your system via a BIND exploit is confined to the files under the chroot jail directory. Installing the bind-chroot package creates the /var/named/chroot directory, which becomes the chroot jail for all BIND files.

You can configure the vsftpd FTP server to automatically start chroot jails for clients. By default, anonymous users are placed in a chroot jail. However, local users who access a vsftpd FTP server are placed in their home directory. Specify the chroot_local_user=YES option in the /etc/vsftpd/vsftpd.conf file to place local users in a chroot jail based on their home directory.
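The following check is an added example, not part of the original documentation: it reports whether a vsftpd configuration file jails local users. The function names and the sample file are hypothetical. It assumes that a later assignment overrides an earlier one and that only the literal value YES enables an option. It also reads chroot_list_enable, an option described in vsftpd.conf(5) rather than on this page, because enabling it changes which local users are jailed.

```shell
#!/bin/sh
# Print the effective value of OPTION in FILE, or DEFAULT when it is unset.
# Assumptions: "option=value" with no spaces around "=", "#" comment lines,
# and a later assignment overriding an earlier one.
vsftpd_option() {
    file=$1 option=$2 default=$3
    value=$(awk -F= -v opt="$option" '
        /^#/ { next }
        $1 == opt { sub(/^[^=]*=/, ""); sub(/[ \t\r]+$/, ""); v = $0 }
        END { print v }' "$file")
    printf '%s\n' "${value:-$default}"
}

# Classify how FILE treats local users:
#   jailed                  chroot_local_user=YES, no exception list
#   jailed-with-exceptions  chroot_local_user=YES and chroot_list_enable=YES
#                           (per vsftpd.conf(5), listed users are then NOT jailed)
#   only-listed-jailed      chroot_local_user off, chroot_list_enable=YES
#   not-jailed              neither option enabled (the default)
vsftpd_chroot_status() {
    local_user=$(vsftpd_option "$1" chroot_local_user NO)
    list_enable=$(vsftpd_option "$1" chroot_list_enable NO)
    if [ "$local_user" = YES ] && [ "$list_enable" = YES ]; then
        echo jailed-with-exceptions
    elif [ "$local_user" = YES ]; then
        echo jailed
    elif [ "$list_enable" = YES ]; then
        echo only-listed-jailed
    else
        echo not-jailed
    fi
}

# Constructed sample configuration (not taken from a real system).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# local users are not jailed unless chroot_local_user=YES is set
anonymous_enable=YES
local_enable=YES
#chroot_local_user=YES
chroot_local_user=NO
chroot_local_user=YES
EOF
echo "local users: $(vsftpd_chroot_status "$sample")"
rm -f "$sample"
```

To audit a live server, call vsftpd_chroot_status with /etc/vsftpd/vsftpd.conf as its argument.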