SFTP (SSH File Transfer Protocol) allows for secure file transfer to and from the server. Despite its name, SFTP isn't based on FTP, which, unlike SFTP, doesn't allow for encrypted file transfer. FTPS is an extension of FTP that allows encrypting only the login and password. Those are the basics of the security of the protocol itself.
Additional steps to secure our server are disallowing password authentication and replacing it with SSH key-based authentication. The goal is also to limit the user to uploads in a dedicated directory, without any further access to the server's shell.
First of all, you should have a server with sudo-level access. I'm going to use Debian with the default VM configuration in Google Compute Engine, although you should be fine following this tutorial on any Debian-based distro, including Ubuntu, whether it's a cloud or on-premise installation. Your server is already SFTP-enabled, so you don't have to install any additional software.
Create user and copy SSH key
We start by creating a new testsftp user on the server. You're going to get asked a few questions, but the most important right now is to set a password.
$ sudo adduser testsftp
Locally generate a new SSH key and save it.
$ ssh-keygen -t rsa -b 4096 -C "<YOUR_EMAIL>"
You can now try to copy the SSH public key from your local machine to the server.
$ ssh-copy-id -i /path/to/key_rsa testsftp@<SERVER_IP>
If it fails with Permission denied (publickey). without asking for a password, then your server doesn't allow password authentication.
To temporarily allow password authentication, edit the SSH daemon config.
$ sudo nano /etc/ssh/sshd_config
Find the PasswordAuthentication no line, replace it with PasswordAuthentication yes, and apply the change by restarting the SSH daemon.
$ sudo systemctl restart sshd
Try again to copy the SSH key.
$ ssh-copy-id -i /path/to/key_rsa testsftp@<SERVER_IP>
Test connection via SSH.
$ ssh -i /path/to/key_rsa testsftp@<SERVER_IP>
Bring back the previous SSH config and disallow password authentication again by replacing PasswordAuthentication yes with PasswordAuthentication no.
Set up a safe SFTP space
Currently, the user can not only use SFTP but also access the server's shell. To restrict access to SFTP uploads into a particular directory, follow the next steps.
Create a directory dedicated to file uploads.
$ sudo mkdir -p /var/sftp/uploads
$ sudo chown root:root /var/sftp
$ sudo chmod 755 /var/sftp
$ sudo chown testsftp:testsftp /var/sftp/uploads
Limit the testsftp user to using only SFTP.
$ sudo nano /etc/ssh/sshd_config
Add the following configuration at the end of the SSH daemon configuration file.
Match User testsftp
ForceCommand internal-sftp
PasswordAuthentication no
ChrootDirectory /var/sftp
PermitTunnel no
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
If you do want to allow password authentication for this user, you can set PasswordAuthentication yes instead.
Apply changes by restarting the SSH daemon.
$ sudo systemctl restart sshd
Make sure access via SSH is now disabled.
$ ssh -i /path/to/key_rsa testsftp@<SERVER_IP>
You can now make sure SFTP uploads work using software like FileZilla.
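To confirm the restrictions really took effect, here is an added example that is not part of the original tutorial: a function that compares the effective settings `sshd -T` reports for testsftp against the Match block above. The function name, the /usr/sbin/sshd path in the usage comment and the sample input are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit the effective sshd settings for the SFTP-only user.
# Real use on the server (Debian path assumed):
#   sudo /usr/sbin/sshd -t    # syntax check before restarting the daemon
#   sudo /usr/sbin/sshd -T -C user=testsftp,host=localhost,addr=127.0.0.1 | check_sftp_lockdown

# Expected keyword=value pairs, taken from the Match block in this tutorial.
# sshd -T prints keywords in lowercase.
EXPECTED='forcecommand=internal-sftp chrootdirectory=/var/sftp passwordauthentication=no'
EXPECTED="$EXPECTED permittunnel=no allowagentforwarding=no allowtcpforwarding=no x11forwarding=no"

# Reads "keyword value" lines on stdin, prints one line per deviation,
# returns 0 when every expected setting matches and 1 otherwise.
check_sftp_lockdown() {
    awk -v expected="$EXPECTED" '
        BEGIN {
            n = split(expected, pairs, " ")
            for (i = 1; i <= n; i++) { split(pairs[i], kv, "="); want[kv[1]] = kv[2] }
        }
        {
            key = tolower($1)                        # keyword, case-insensitive
            val = $0; sub(/^[^ \t]+[ \t]+/, "", val) # rest of the line is the value
            if (key in want) got[key] = val
        }
        END {
            bad = 0
            for (key in want) {
                if (!(key in got)) { printf "MISSING %s (want %s)\n", key, want[key]; bad = 1 }
                else if (got[key] != want[key]) { printf "WEAK %s = %s (want %s)\n", key, got[key], want[key]; bad = 1 }
            }
            exit bad
        }'
}

# Constructed sample in the format of `sshd -T` output: the chroot is not set
# and TCP forwarding is still allowed.
SAMPLE_WEAK='forcecommand internal-sftp
chrootdirectory none
passwordauthentication no
permittunnel no
allowagentforwarding no
allowtcpforwarding yes
x11forwarding no'

printf '%s\n' "$SAMPLE_WEAK" | check_sftp_lockdown || echo "lockdown incomplete"
```

Running the syntax check before the restart matters because a broken sshd_config can stop the daemon from starting and lock you out of the server.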