SFTP (SSH File Transfer Protocol) transfers and stores data on a server over the SSH protocol. It protects both the commands and the files with encryption, so they cannot be read or altered in transit by a man-in-the-middle. The major advantage of SFTP over FTP is that SFTP
transmits data over an encrypted channel, whereas FTP sends everything in plain text over the internet, which lets an attacker on the path read the data and leak it. With SFTP, an attacker cannot see sensitive data such as file contents, user passwords or the commands executed. In this session we will set up an SFTP server on Linux, log in from both the CLI and a GUI client, and restrict each user's directory traversal on the system.
How to configure SFTP?
Requirements:
- A Linux server (Any Flavour).
- OPENSSH service in active state.
- Lots of space (a dedicated partition is recommended).
Steps to configure SFTP:
Install or update openssh-server and openssh-client.
For RHEL servers:
yum install openssh-server openssh-client -y
For Debian or Ubuntu:
apt install openssh-server openssh-client -y
Use sudo before each command if you don't have direct root login.
Create sftp user:
Create the user with the useradd command:
useradd sftpuser
passwd sftpuser
Set a password for the user using passwd.
Create the home directory for the user:
We can configure a custom path (a chroot) for any SFTP user by adding a Match block to the /etc/ssh/sshd_config file.
Add this at the end of /etc/ssh/sshd_config. Everything after a Match line belongs to that block until the next Match, so it must come after the global settings:
Match User sftpuser
ChrootDirectory /sftp/sftpuser
ForceCommand internal-sftp
Create home directory.
mkdir -p /sftp/sftpuser
Add the working directories inside the home folder:
mkdir -p /sftp/sftpuser/{uploads,downloads}
Add the required permissions and ownership:
The recommended permissions and ownership are:
chown root:root /sftp/sftpuser
The ChrootDirectory must be owned by root and must not be writable by group or others (mode 755 is typical); otherwise sshd rejects the login with "bad ownership or modes for chroot directory". Then:
chown sftpuser:sftpuser /sftp/sftpuser/{uploads,downloads} -R
The home directory is owned by root, which restricts access and prevents sftpuser from escaping the chroot, while the subdirectories are owned by sftpuser so the user can read and write files only within their allowed area.
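To confirm the directory layout and the sshd_config block above before restarting sshd, here is an added check script (not from the original post). It assumes GNU stat (Linux) and takes the chroot directory, the user's numeric uid and the config path as arguments, so it checks any SFTP user, not only sftpuser.

```shell
#!/bin/sh
# Added example: verify the chroot layout and Match block described above.
# Assumes GNU coreutils stat. On the server you would run, for instance:
#   check_chroot_dir /sftp/sftpuser
#   check_user_subdirs "$(id -u sftpuser)" /sftp/sftpuser/uploads /sftp/sftpuser/downloads
#   check_sshd_match /etc/ssh/sshd_config sftpuser

# 0 if DIR exists and is owned by uid 0 (root), as ChrootDirectory requires.
dir_root_owned() {
    [ -d "$1" ] && [ "$(stat -c '%u' "$1")" -eq 0 ]
}

# 0 if DIR has no group or other write bit. sshd refuses a chroot that is
# writable by anyone but root. In "drwxr-xr-x" the group write bit is the
# 6th character and the other write bit the 9th.
dir_not_group_world_writable() {
    perm=$(stat -c '%A' "$1") || return 1
    case $perm in
        ?????w*|????????w*) return 1 ;;
    esac
    return 0
}

# Combined chroot check: root-owned and not group/world writable.
check_chroot_dir() {
    dir_root_owned "$1" && dir_not_group_world_writable "$1"
}

# 0 if every listed directory exists and is owned by numeric uid UID
# (the user's writable upload/download area).
check_user_subdirs() {
    uid=$1; shift
    for d in "$@"; do
        [ -d "$d" ] && [ "$(stat -c '%u' "$d")" -eq "$uid" ] || return 1
    done
}

# 0 if CONFIG has a "Match User USER" block that carries both ChrootDirectory
# and "ForceCommand internal-sftp". sshd keywords are case-insensitive, so
# "Match user" is accepted. A later Match line ends the block, which is why
# the block has to sit after the global settings in sshd_config.
check_sshd_match() {
    awk -v u="$2" '
        tolower($1) == "match" { inb = (tolower($2) == "user" && $3 == u); next }
        inb && tolower($1) == "chrootdirectory" { chroot = 1 }
        inb && tolower($1) == "forcecommand" && $2 == "internal-sftp" { force = 1 }
        END { exit !(chroot && force) }' "$1"
}
```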
Now restart the sshd service and try to log in as sftpuser.
sftp sftpuser@192.168.48.57
Provide the password and you land at the sftp> prompt.
[root@client ~]# sftp sftpuser@192.168.48.57
sftpuser@192.168.48.57's password:
Connected to 192.168.48.57.
sftp> ls
downloads uploads
sftp> pwd
Remote working directory: /
sftp>
For FileZilla, follow these steps:
Download the SFTP client FileZilla and install it on your system.
Open FileZilla and fill in the required details:
- Host: sftp://Your-Host-IP.
- Username: sftpuser.
- Password: Your-user-password (In my case it's qwerasdf).
- Port: 22 (Optional: If using custom port instead of default port).
Additional security layer:
Since sftpuser is only used to transfer files, restrict shell login for such users:
usermod -s /sbin/nologin sftpuser
Or you can change it directly in the /etc/passwd file (not recommended).
vi /etc/passwd
...
systemuser1:x:1000:1000::/home/systemuser1:/bin/bash
systemuser2:x:1001:1001::/home/systemuser2:/bin/bash
sftpuser:x:1002:1002::/home/sftpuser:/sbin/nologin
Save the /etc/passwd file and the change is applied.
NOTE: No error is shown if your syntax is wrong, so take a backup of /etc/passwd first. A mistake there affects the whole system and other users trying to log in to the server, which is why direct edits to /etc/passwd are not recommended.
Setting up an SFTP server on Linux is a more secure way to transfer data to a server than FTP. We will soon provide the commands used in the SFTP shell with real-life examples. As mentioned above, don't edit /etc/passwd directly
unless usermod fails to apply your change.