Last updated on December 1, 2020 by Dan Nanni
SFTP service provides secure file access and transfer mechanisms over SSH tunnels. If you are setting up an SFTP server accessed by multiple users, you need to enforce security protection, not only in terms of protecting SFTP users from external intruders, but also in terms of protecting the SFTP server from (potentially malicious) SFTP users, and providing isolation among individual SFTP users.
In this tutorial, I will describe how to set up a secure SFTP server in Linux by properly protecting the SFTP server from SFTP users and isolating individual SFTP users from one another. There are many ways to achieve this goal, but I will describe a MySecureShell based approach here.
MySecureShell is an OpenSSH based SFTP server, featuring a number of security features.
MySecureShell on Linux
To use MySecureShell on Linux, you first need to install the following prerequisites.
To install prerequisites on Ubuntu or Debian:
$ sudo apt-get install libssl0.9.8 ssh openssh-server gcc make
To install prerequisites on CentOS, RHEL or Fedora:
$ sudo yum install openssl-devel openssh-server gcc make
Once all prerequisites are installed, you can build and install MySecureShell on Linux as follows.
$ wget http://mysecureshell.free.fr/repository/index.php/source/mysecureshell_1.31.tar.gz
$ tar xvfvz mysecureshell_1.31.tar.gz
$ cd mysecureshell_1.31
$ ./configure
$ make
$ sudo ./install.sh en
#########################################
#             MySecureShell             #
#########################################
Welcome to the MySecureShell installation script !

Detecting needed files for installation:
Existing file MySecureShell [ OK ]
Existing file sftp_config [ OK ]

Do you want to test MySecureShell (check libraries requirement) ? (Y/n)
Test MySecureShell...
Test ending

This script will made a few operations:
- Install MySecureShell in /bin
- Make a configuration file in /etc/ssh/sftp_config
- Introduce if which MySecureShell as a valid shell
- Install utilities in /usr/bin
WARNING: The server will shutdown and all sftp connected clients will be killed !
- Do you want to continue installation ? (Y/n)

MySecureShell Installation
MySecureShell file created [ OK ]
MySecureShell file created [ OK ]
Do you want MySecureShell shell to be add like valid shell on your system ? (Y/n)
MySecureShell shell added like a valid shell [ OK ]
Installation of tool sftp-who [ OK ]
Installation of tool sftp-kill [ OK ]
Installation of tool sftp-state [ OK ]
Installation of tool sftp-admin [ OK ]
Installation of tool sftp-verif [ OK ]
Installation of tool sftp-user [ OK ]
Do you want to automatically rotate MySecureShell logs ? (Y/n)
Initialisation of MySecureShell rotation logs [ OK ]
cp: target `/share/man/fr/man8' is not a directory
Installation of Manuals [ OK ]
Installation Finished !
MySecureShell
After installation, verify where MySecureShell is installed.
$ whereis MySecureShell
/usr/bin/MySecureShell
In order to manage SFTP users with MySecureShell, first create a Linux group that SFTP users will belong to. Let's say the group is called sftp.
$ sudo groupadd sftp
Then configure an existing SFTP user (e.g., alice) so that the user belongs to the sftp group and uses the MySecureShell shell upon login.
$ sudo usermod -s /usr/bin/MySecureShell -g sftp alice
If you are creating a new SFTP user from scratch, then run the following command instead.
$ sudo useradd -m -s /usr/bin/MySecureShell -g sftp bob
To customize the default settings of MySecureShell, edit its configuration file located at /etc/ssh/sftp_config. In the configuration file, you can define various per-group security settings. For example, for Linux group sftp:
$ sudo vi /etc/ssh/sftp_config
<Group sftp>
    Download 50k             # limit download speed for each connection
    Upload 0                 # unlimit upload speed for each connection
    StayAtHome true          # limit user to his/her home directory
    VirtualChroot true       # fake a chroot to the home account
    LimitConnectionByUser 1  # max connection for each account
    LimitConnectionByIP 1    # max connection by IP for each account
    IdleTimeOut 300          # disconnect user if idle too long time (in sec)
    HideNoAccess true        # hide file/directory which user has no access
</Group>
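Because the isolation of SFTP users rests entirely on these per-group settings, it is worth checking sftp_config before restarting sshd. The following is an added example (not part of MySecureShell or this article) that parses the <Group> blocks and flags any group where StayAtHome, VirtualChroot or the connection and idle limits are missing or switched off; the second "upload" group in the sample is hypothetical, constructed only to show a weak configuration being caught.

```python
import re
# Constructed sample of /etc/ssh/sftp_config: the <Group sftp> block from the
# article plus a hypothetical "upload" group that leaves isolation switched off.
SAMPLE_CONFIG = """
<Group sftp>
    Download 50k             # limit download speed for each connection
    StayAtHome true          # limit user to his/her home directory
    VirtualChroot true       # fake a chroot to the home account
    LimitConnectionByUser 1  # max connection for each account
    LimitConnectionByIP 1    # max connection by IP for each account
    IdleTimeOut 300          # disconnect user if idle too long time (in sec)
    HideNoAccess true        # hide file/directory which user has no access
</Group>
<Group upload>
    StayAtHome false
    LimitConnectionByUser 0
</Group>
"""
# Matches <Group name> ... </Group> blocks (and unnamed blocks such as <Default>).
BLOCK_RE = re.compile(r"<(\w+)(?:\s+(\S+))?>(.*?)</\1>", re.DOTALL)

def parse_sftp_config(text):
    # Returns {section: {key: value}}; trailing '#' comments are stripped.
    sections = {}
    for kind, name, body in BLOCK_RE.findall(text):
        settings = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()
            if line:
                key, *rest = line.split(None, 1)
                settings[key] = rest[0].strip().lower() if rest else ""
        sections[name or kind] = settings
    return sections

# Settings a multi-user server should enforce, with the predicate a safe value meets.
CHECKS = {
    "StayAtHome": lambda v: v == "true",
    "VirtualChroot": lambda v: v == "true",
    "HideNoAccess": lambda v: v == "true",
    "LimitConnectionByUser": lambda v: v.isdigit() and int(v) > 0,
    "LimitConnectionByIP": lambda v: v.isdigit() and int(v) > 0,
    "IdleTimeOut": lambda v: v.isdigit() and int(v) > 0,
}

def audit_group(sections, group):
    # Lists settings of one group that are missing or weaker than CHECKS requires.
    findings = []
    for key, ok in CHECKS.items():
        value = sections.get(group, {}).get(key)
        if value is None:
            findings.append(f"{key}: not set")
        elif not ok(value):
            findings.append(f"{key}: weak value '{value}'")
    return findings
```

To audit a real server, read /etc/ssh/sftp_config into parse_sftp_config() and call audit_group() for each group you manage; an empty list means every checked setting is present and enforced.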
Once the configuration file has been edited, make sure to restart sshd as follows.
To restart sshd on Ubuntu or Debian:
$ sudo service ssh restart
To restart sshd on CentOS, RHEL or Fedora:
$ sudo service sshd restart
On the client side, you can log in to the SFTP server as follows. The user is chrooted to his own home directory, so no other directory on the server is visible to the user.
$ sftp bob@sftp_host.com
bob@sftp_host.com's password:
Connected to 192.168.233.141.
sftp> pwd
Remote working directory: /
sftp>
On the SFTP server side, you can manage the SFTP server and its users as follows.
To monitor the SFTP users who are currently connected:
$ sftp-who
--- 1 / 10 clients ---
Global used bandwith : 0 bytes/s / 0 bytes/s
PID: 24377   Name: bob   IP: 192.168.10.55
    Home: /home/bob
    Status: idle   Path: /
    File:
    Connected: 2013/05/28 20:57:42 [since 01mins 05s]
    Speed: Download: 0 bytes/s [50.00 kbytes/s]   Upload: 0 bytes/s [unlimited]
    Total: Download: 1002 bytes   Upload: 82 bytes
To disconnect a particular SFTP user forcefully:
$ sudo sftp-kill bob
Please note that this article is published by Xmodulo.com under a Creative Commons Attribution-ShareAlike 3.0 Unported License. If you would like to use the whole or any part of this article, you need to cite this web page at Xmodulo.com as the original source.