How to set up a secure SFTP server in Linux

Last updated on December 1, 2020 by Dan Nanni

SFTP service provides secure file access and transfer mechanisms over SSH tunnels. If you are setting up an SFTP server accessed by multiple users, you need to enforce security protection, not only in terms of protecting SFTP users from external intruders, but also in terms of protecting the SFTP server from (potentially malicious) SFTP users, and providing isolation among individual SFTP users.

In this tutorial, I will describe how to set up a secure SFTP server in Linux, by properly protecting the SFTP server from SFTP users, and isolating individual SFTP users from one another. There can be many different ways to achieve this goal, but I will describe MySecureShell based approach here.

MySecureShell is an OpenSSH-based SFTP server that provides a number of security features.

Install MySecureShell on Linux

To use MySecureShell on Linux, you first need to install the following prerequisites.

To install prerequisites on Ubuntu or Debian:

$ sudo apt-get install libssl0.9.8 ssh openssh-server gcc make

To install prerequisites on CentOS, RHEL or Fedora:

$ sudo yum install openssl-devel openssh-server gcc make

Once all prerequisites are installed, you can build and install MySecureShell on Linux as follows.

$ wget http://mysecureshell.free.fr/repository/index.php/source/mysecureshell_1.31.tar.gz
$ tar xvfz mysecureshell_1.31.tar.gz
$ cd mysecureshell_1.31
$ ./configure
$ make
$ sudo ./install.sh en
#########################################
#       MySecureShell       #
#########################################

Welcome to the MySecureShell installation script !

Detecting needed files for installation:
Existing file MySecureShell         [ OK ]
Existing file sftp_config         [ OK ]

Do you want to test MySecureShell (check libraries requirement) ? (Y/n)
Test MySecureShell...
Test ending

This script will made a few operations:
- Install MySecureShell in /bin
- Make a configuration file in /etc/ssh/sftp_config
- Introduce if which MySecureShell as a valid shell
- Install utilities in /usr/bin

WARNING: The server will shutdown and all sftp connected clients will be killed !
- Do you want to continue installation ? (Y/n)

MySecureShell Installation

MySecureShell file created             [ OK ]
MySecureShell file created                [ OK ]

Do you want MySecureShell shell to be add like valid shell on your system ? (Y/n)
MySecureShell shell added like a valid shell     [ OK ]

Installation of tool sftp-who         [ OK ]
Installation of tool sftp-kill            [ OK ]
Installation of tool sftp-state           [ OK ]
Installation of tool sftp-admin           [ OK ]
Installation of tool sftp-verif           [ OK ]
Installation of tool sftp-user            [ OK ]

Do you want to automatically rotate MySecureShell logs ? (Y/n)
Initialisation of MySecureShell rotation logs   [ OK ]
cp: target `/share/man/fr/man8' is not a directory
Installation of Manuals                [ OK ]

Installation Finished !

Configure MySecureShell

After installation, verify where MySecureShell is installed.

$ whereis MySecureShell
/usr/bin/MySecureShell

In order to manage SFTP users with MySecureShell, first create a Linux group that SFTP users will belong to. Let's say the group is called sftp.

$ sudo groupadd sftp

Then configure an existing SFTP user (e.g., alice) so that the user belongs to the sftp group and uses the MySecureShell shell upon login.

$ sudo usermod -s /usr/bin/MySecureShell -g sftp alice

If you are creating a new SFTP user from scratch, then run the following command instead.

$ sudo useradd -m -s /usr/bin/MySecureShell -g sftp bob
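Both commands above only take effect as intended if every account in the sftp group really ends up with MySecureShell as its login shell; a member who keeps /bin/bash can still open an ordinary SSH session and is not bound by any of the sftp_config restrictions. The following audit script is an added example, not part of the original article or of MySecureShell; it reads passwd- and group-format files (constructed sample data here, /etc/passwd and /etc/group on a real host) and reports group members whose shell is something else. It also checks that the shell is registered in a shells file, which the install script above does for you, since sshd refuses logins for shells missing from /etc/shells.

```shell
#!/bin/sh
# Added audit helper (not from the article or MySecureShell). Assumes the
# standard 7-field passwd and 4-field group formats.

# audit_sftp_shells PASSWD GROUP GROUPNAME SHELL
# Prints "user:shell" for each member of GROUPNAME (primary or supplementary)
# whose login shell is not SHELL. Returns 0 if none, 1 if at least one was
# found, 2 if GROUPNAME does not exist.
audit_sftp_shells() {
    _passwd=$1 _group=$2 _gname=$3 _shell=$4
    _gid=$(awk -F: -v g="$_gname" '$1 == g { print $3 }' "$_group")
    [ -n "$_gid" ] || return 2
    # Supplementary members live in the 4th group field, comma separated.
    _members=$(awk -F: -v g="$_gname" '$1 == g { print $4 }' "$_group")
    _bad=$(awk -F: -v gid="$_gid" -v sh="$_shell" -v m=",$_members," '
        ($4 == gid || index(m, "," $1 ",") > 0) && $7 != sh { print $1 ":" $7 }
    ' "$_passwd")
    [ -z "$_bad" ] && return 0
    printf '%s\n' "$_bad"
    return 1
}

# shell_registered SHELLS_FILE SHELL -> 0 if SHELL is listed verbatim
shell_registered() {
    grep -Fqx -- "$2" "$1"
}

# Constructed sample files so the check runs offline (not a real host):
# alice and bob were set up as above; carol was added to sftp as a
# supplementary group but kept her interactive shell.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:alice:/home/alice:/usr/bin/MySecureShell
bob:x:1002:1001:bob:/home/bob:/usr/bin/MySecureShell
carol:x:1003:1003:carol:/home/carol:/bin/bash
EOF
cat > "$SAMPLE_DIR/group" <<'EOF'
root:x:0:
sftp:x:1001:carol
carol:x:1003:
EOF
cat > "$SAMPLE_DIR/shells" <<'EOF'
/bin/sh
/bin/bash
/usr/bin/MySecureShell
EOF

# Run the audit on the sample; carol is expected to be reported.
if audit_sftp_shells "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/group" sftp /usr/bin/MySecureShell; then
    echo "every member of group sftp uses MySecureShell"
else
    echo "accounts above are in group sftp but keep an interactive shell"
fi
if shell_registered "$SAMPLE_DIR/shells" /usr/bin/MySecureShell; then
    echo "/usr/bin/MySecureShell is listed as a valid shell"
fi
```

On a production server replace the sample paths with /etc/passwd, /etc/group and /etc/shells; a non-zero exit from audit_sftp_shells is the condition to act on, for example by re-running the usermod command from above for each reported account.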

To customize the default settings of MySecureShell, edit its configuration file located at /etc/ssh/sftp_config. In the configuration file, you can define various per-group security settings. For example, for Linux group sftp:

$ sudo vi /etc/ssh/sftp_config
<Group sftp>
        Download                50k     # limit download speed for each connection
        Upload                  0       # no limit on upload speed for each connection
        StayAtHome              true    # limit user to his/her home directory
        VirtualChroot           true    # fake a chroot to the home account
        LimitConnectionByUser   1       # max connections for each account
        LimitConnectionByIP     1       # max connections per IP for each account
        IdleTimeOut             300     # disconnect user if idle for too long (in sec)
        HideNoAccess            true    # hide files/directories the user has no access to
</Group>
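StayAtHome and VirtualChroot are the two settings in that block that actually confine users to their home directories; the others are rate and connection limits. Because sftp_config is a hand-edited file, it is easy to leave one of them at a non-true value. The script below is an added example, not part of the article or of MySecureShell: it parses a `<Group NAME> ... </Group>` block in the format shown above (one "Key Value" pair per line, `#` starting a comment) and fails when either isolation setting is missing or not "true". It checks the article's own block and a constructed weakened copy.

```shell
#!/bin/sh
# Added configuration check (not from the article or MySecureShell).
# Assumes one "Key Value" pair per line inside <Group NAME> ... </Group>.

# sftp_group_setting CONFIG GROUPNAME KEY -> prints KEY's value, or nothing
sftp_group_setting() {
    awk -v g="$2" -v k="$3" '
        $0 ~ "^[[:space:]]*<Group[[:space:]]+" g "[[:space:]]*>" { inblk = 1; next }
        /^[[:space:]]*<\/Group>/                                 { inblk = 0 }
        inblk { sub(/#.*/, ""); if ($1 == k) { print $2; exit } }
    ' "$1"
}

# check_sftp_group CONFIG GROUPNAME
# Returns 0 when StayAtHome and VirtualChroot are both "true", 1 otherwise
# (one line printed per weak setting), 2 when the group block is absent.
check_sftp_group() {
    grep -Eq "^[[:space:]]*<Group[[:space:]]+$2[[:space:]]*>" "$1" || return 2
    _rc=0
    for _key in StayAtHome VirtualChroot; do
        _val=$(sftp_group_setting "$1" "$2" "$_key")
        if [ "$_val" != "true" ]; then
            echo "group $2: $_key is '${_val:-unset}', expected true"
            _rc=1
        fi
    done
    return $_rc
}

# Constructed sample configurations so the check runs offline.
CFG_DIR=$(mktemp -d)
# The article's own <Group sftp> block.
cat > "$CFG_DIR/sftp_config.good" <<'EOF'
<Group sftp>
        Download                50k     # limit download speed for each connection
        Upload                  0       # no limit on upload speed
        StayAtHome              true    # limit user to his/her home directory
        VirtualChroot           true    # fake a chroot to the home account
        LimitConnectionByUser   1
        LimitConnectionByIP     1
        IdleTimeOut             300
        HideNoAccess            true
</Group>
EOF
# Weakened copy: StayAtHome switched off and VirtualChroot commented out.
cat > "$CFG_DIR/sftp_config.weak" <<'EOF'
<Group sftp>
        Download                50k
        StayAtHome              false   # users may browse outside their home
        #VirtualChroot          true
        IdleTimeOut             300
</Group>
EOF

for _f in good weak; do
    if check_sftp_group "$CFG_DIR/sftp_config.$_f" sftp; then
        echo "$_f: group sftp is confined to home directories"
    fi
done
```

Run it as `check_sftp_group /etc/ssh/sftp_config sftp` before restarting sshd; the weakened sample prints two lines and exits 1, the article's block exits 0.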

Once the configuration file has been edited, make sure to restart sshd as follows.

To restart sshd on Ubuntu or Debian:

$ sudo service ssh restart

To restart sshd on CentOS, RHEL or Fedora:

$ sudo service sshd restart

Access and Manage SFTP server

On the client side, you can log in to the SFTP server as follows. The user is chrooted to his or her own home directory, and no other directory on the server is visible to the user.

$ sftp bob@sftp_host.com
bob@sftp_host.com's password: 
Connected to 192.168.233.141.
sftp> pwd
Remote working directory: /
sftp> 

On the SFTP server side, you can manage the SFTP server and its users as follows.

To monitor SFTP users who are connected currently:

$ sftp-who
--- 1 / 10 clients ---
Global used bandwith : 0 bytes/s / 0 bytes/s
PID: 24377   Name: bob   IP: 192.168.10.55
    Home: /home/bob
 Status: idle    Path: /
 File: 
  Connected: 2013/05/28 20:57:42 [since 01mins 05s]
   Speed: Download: 0 bytes/s [50.00 kbytes/s]  Upload: 0 bytes/s [unlimited]
  Total: Download: 1002 bytes   Upload: 82 bytes

To disconnect a particular SFTP user forcefully:

$ sudo sftp-kill bob


Please note that this article is published by Xmodulo.com under a Creative Commons Attribution-ShareAlike 3.0 Unported License. If you would like to use the whole or any part of this article, you need to cite this web page at Xmodulo.com as the original source.
