How to set up a secure SFTP server in Linux

SFTP service provides secure file access and transfer mechanisms over SSH tunnels. If you are setting up an SFTP server accessed by multiple users, you need to enforce security protection, not only in terms of protecting SFTP users from external intruders, but also in terms of protecting the SFTP server from (potentially malicious) SFTP users, and providing isolation among individual SFTP users.

In this tutorial, I will describe how to set up a secure SFTP server in Linux by properly protecting the SFTP server from SFTP users and isolating individual SFTP users from one another. There are many ways to achieve this goal; here I will describe a MySecureShell-based approach.

MySecureShell is an OpenSSH-based SFTP server that offers a number of security features:

  • Limit per-connection download/upload bandwidth
  • Limit the number of concurrent connections per account
  • Hide file and directory owner/group/rights
  • Hide files and directories that the user has no access to
  • Limit the lifetime of a connection
  • Chroot SFTP user into his/her home directory
  • Deny upload of files and directories that match regular expressions

Install MySecureShell on Linux

To use MySecureShell on Linux, you first need to install the following prerequisites.

To install prerequisites on Ubuntu or Debian:

$ sudo apt-get install libssl0.9.8 ssh openssh-server gcc make

To install prerequisites on CentOS, RHEL or Fedora:

$ sudo yum install openssl-devel openssh-server gcc make

Once all prerequisites are installed, you can build and install MySecureShell on Linux as follows.

$ wget http://mysecureshell.free.fr/repository/index.php/source/mysecureshell_1.31.tar.gz
$ tar xvfz mysecureshell_1.31.tar.gz
$ cd mysecureshell_1.31
$ ./configure
$ make
$ sudo ./install.sh en
#########################################
#		MySecureShell		#
#########################################

Welcome to the MySecureShell installation script !

Detecting needed files for installation:
Existing file MySecureShell			[ OK ]
Existing file sftp_config			[ OK ]

Do you want to test MySecureShell (check libraries requirement) ? (Y/n)
Test MySecureShell...
Test ending

This script will made a few operations:
- Install MySecureShell in /bin
- Make a configuration file in /etc/ssh/sftp_config
- Introduce if which MySecureShell as a valid shell
- Install utilities in /usr/bin

WARNING: The server will shutdown and all sftp connected clients will be killed !
- Do you want to continue installation ? (Y/n)

MySecureShell Installation

MySecureShell file created				[ OK ]
MySecureShell file created				[ OK ]

Do you want MySecureShell shell to be add like valid shell on your system ? (Y/n)
MySecureShell shell added like a valid shell		[ OK ]

Installation of tool sftp-who			[ OK ]
Installation of tool sftp-kill			[ OK ]
Installation of tool sftp-state			[ OK ]
Installation of tool sftp-admin			[ OK ]
Installation of tool sftp-verif			[ OK ]
Installation of tool sftp-user			[ OK ]

Do you want to automatically rotate MySecureShell logs ? (Y/n)
Initialisation of MySecureShell rotation logs	[ OK ]
cp: target `/share/man/fr/man8' is not a directory
Installation of Manuals				[ OK ]

Installation Finished !

Configure MySecureShell

After installation, verify where MySecureShell is installed.

$ whereis MySecureShell
/usr/bin/MySecureShell

In order to manage SFTP users with MySecureShell, first create a Linux group that SFTP users will belong to. Let's say the group is called "sftp".

$ sudo groupadd sftp

Then configure an existing user (e.g., alice) so that the user belongs to the "sftp" group and uses the MySecureShell shell as the login shell.

$ sudo usermod -s /usr/bin/MySecureShell -g sftp alice

If you are creating a new SFTP user from scratch, then run the following command instead.

$ sudo useradd -m -s /usr/bin/MySecureShell -g sftp bob

To customize the default settings of MySecureShell, edit its configuration file at /etc/ssh/sftp_config. There you can define various per-group security settings, for example for the Linux group "sftp":

$ sudo vi /etc/ssh/sftp_config
<Group sftp>
        Download                50k     # limit download speed for each connection
        Upload                  0       # unlimit upload speed for each connection
        StayAtHome              true    # limit user to his/her home directory
        VirtualChroot           true    # fake a chroot to the home account
        LimitConnectionByUser   1       # max connection for each account
        LimitConnectionByIP     1       # max connection by IP for each account
        IdleTimeOut             300     # disconnect user if idle too long time (in sec)
        HideNoAccess            true    # hide file/directory which user has no access
</Group>
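As an added example (not part of the tutorial or the MySecureShell project), the following POSIX shell script audits the result of the user-creation and configuration steps above: it parses per-group settings in the sftp_config format shown, flags a group whose settings do not confine members to their home directory, and checks that an account really has /usr/bin/MySecureShell as a registered login shell. The sftp_config, passwd and shells files it reads are constructed sample data; on a real host the same functions would be pointed at /etc/ssh/sftp_config, /etc/passwd and /etc/shells.

```shell
# Added example (not from the tutorial or MySecureShell): audit a setup by
# parsing the per-group settings in sftp_config and checking an account's
# login shell. The three input files are constructed sample data.
TMP=$(mktemp -d)
CFG="$TMP/sftp_config"; PASSWD="$TMP/passwd"; SHELLS="$TMP/shells"
# Constructed sftp_config: the tutorial's "sftp" group plus a weak "backup" group.
cat > "$CFG" <<'EOF'
<Group sftp>
        Download                50k     # limit download speed for each connection
        StayAtHome              true    # limit user to his/her home directory
        VirtualChroot           true    # fake a chroot to the home account
        LimitConnectionByUser   1       # max connection for each account
        IdleTimeOut             300     # disconnect user if idle too long time (in sec)
</Group>
<Group backup>
        StayAtHome              false
        VirtualChroot           false
</Group>
EOF
printf '%s\n' 'bob:x:1001:1001::/home/bob:/usr/bin/MySecureShell' \
              'carol:x:1002:1001::/home/carol:/bin/bash' > "$PASSWD"
printf '%s\n' /bin/sh /bin/bash /usr/bin/MySecureShell > "$SHELLS"

# sftp_setting FILE GROUP KEY: print KEY's value inside <Group GROUP>
# (a trailing "# ..." comment is ignored because only field 2 is printed).
sftp_setting() {
    awk -v g="$2" -v k="$3" '
        $1 == "<Group" && $2 == (g ">") { in_g = 1; next }
        $1 == "</Group>"                { in_g = 0 }
        in_g && $1 == k                 { print $2; exit }' "$1"
}

# audit_group FILE GROUP: succeed only if StayAtHome and VirtualChroot are
# both true, i.e. members are confined to their home directory.
audit_group() {
    [ "$(sftp_setting "$1" "$2" StayAtHome)" = true ] &&
    [ "$(sftp_setting "$1" "$2" VirtualChroot)" = true ]
}

# user_uses_mss PASSWD SHELLS USER: succeed only if USER's login shell is
# MySecureShell and that shell is listed in SHELLS (the installer's
# "valid shell" step adds it to /etc/shells).
user_uses_mss() {
    login_shell=$(awk -F: -v u="$3" '$1 == u { print $NF }' "$1")
    [ "$login_shell" = /usr/bin/MySecureShell ] && grep -qx "$login_shell" "$2"
}
for g in sftp backup; do
    audit_group "$CFG" "$g" && echo "group $g: confined" || echo "group $g: NOT confined"
done
```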

Once the configuration file has been edited, restart sshd as follows.

To restart sshd on Ubuntu or Debian:

$ sudo service ssh restart

To restart sshd on CentOS, RHEL or Fedora:

$ sudo service sshd restart

Access and Manage SFTP server

On the client side, you can log in to the SFTP server as follows. The user is chrooted to their own home directory, and no other directory on the server is visible to them.

$ sftp bob@sftp_host.com
bob@192.168.233.141's password: 
Connected to 192.168.233.141.
sftp> pwd
Remote working directory: /
sftp> 

On the server side, you can manage the SFTP server and its users as follows.

To monitor SFTP users who are currently connected:

$ sftp-who
--- 1 / 10 clients ---
Global used bandwith : 0 bytes/s / 0 bytes/s
PID: 24377   Name: bob   IP: 192.168.10.55
	Home: /home/bob
	Status: idle    Path: /
	File: 
	Connected: 2013/05/28 20:57:42 [since 01mins 05s]
	Speed: Download: 0 bytes/s [50.00 kbytes/s]  Upload: 0 bytes/s [unlimited]
	Total: Download: 1002 bytes   Upload: 82 bytes

To disconnect a particular SFTP user forcefully:

$ sudo sftp-kill bob


7 thoughts on “How to set up a secure SFTP server in Linux”

  1. All the mirrors for the target seem to be down.

    --
    Error Downloading Packages:
    libsepol-devel-2.0.41-4.el6.x86_64: failure: Packages/libsepol-devel-2.0.41-4.el6.x86_64.rpm from base: [Errno 256] No more mirrors to try.
    keyutils-libs-devel-1.4-4.el6.x86_64: failure: Packages/keyutils-libs-devel-1.4-4.el6.x86_64.rpm from base: [Errno 256] No more mirrors to try.
    krb5-devel-1.10.3-10.el6_4.6.x86_64: failure: Packages/krb5-devel-1.10.3-10.el6_4.6.x86_64.rpm from updates: [Errno 256] No more mirrors to try.
    krb5-libs-1.10.3-10.el6_4.6.x86_64: failure: Packages/krb5-libs-1.10.3-10.el6_4.6.x86_64.rpm from updates: [Errno 256] No more mirrors to try.
    openssl-devel-1.0.0-27.el6_4.2.x86_64: failure: Packages/openssl-devel-1.0.0-27.el6_4.2.x86_64.rpm from updates: [Errno 256] No more mirrors to try.
    libcom_err-devel-1.41.12-14.el6_4.2.x86_64: failure: Packages/libcom_err-devel-1.41.12-14.el6_4.2.x86_64.rpm from updates: [Errno 256] No more mirrors to try.
    zlib-devel-1.2.3-29.el6.x86_64: failure: Packages/zlib-devel-1.2.3-29.el6.x86_64.rpm from base: [Errno 256] No more mirrors to try.
    libselinux-devel-2.0.94-5.3.el6_4.1.x86_64: failure: Packages/libselinux-devel-2.0.94-5.3.el6_4.1.x86_64.rpm from updates: [Errno 256] No more mirrors to try.

    • When you create an account with useradd command, there is no default password associated with it, meaning that the account is disabled for login. You need to set its password explicitly after that:

      $ sudo passwd bob
  2. I've been looking for a guide to turn an old 100 Mb/s server into a place to store automated cPanel backups. Would this work for remote cPanel backups? If I created this on a spare server and set my cPanel server to backup selected accounts using the cPanel function to this new server.

    Sorry English is not my first language.

    Thank you for the guide!

  3. After configuring MySecureShell, FTP function failure, user login failure via FTP.

    My question is: MySecureShell conflicts with FTP, is that right?
