SFTP, also known as the SSH File Transfer Protocol, enables secure data transfer between an SFTP server and a client machine. SFTP encrypts both data and commands, so passwords and other sensitive information are never sent in the clear over the network. It is a very helpful solution for anyone who has concerns about their data security and is looking for secure data transfer between their system and the server.
Let us see how we can setup the SFTP server on Amazon EC2 using Ubuntu.
First of all, we need to launch an EC2 instance with the Ubuntu (16.04) OS. Once we have the EC2 instance, follow these steps to set up the SFTP server.
Log in to the machine using its public/elastic IP. ‘ubuntu’ is the default username for Ubuntu:
login as: ubuntu
Then promote yourself to the root user so that you have all privileges!
sudo -i
Update all the packages available
apt-get update -y
Install the vsftpd package. Note that vsftpd is a separate, plaintext FTP daemon that listens on port 21; the SFTP service configured in the rest of this guide is provided by OpenSSH’s sshd, which Ubuntu already ships, so vsftpd is not needed for SFTP itself.
apt-get install vsftpd
Add a user and set its password
adduser atidke
Here atidke is the desired username.
Create a .ssh directory in the user’s home directory. This directory will hold the public key that lets us log in to the server with a private key.
mkdir /home/atidke/.ssh
Create a private and public key pair for the user. You can use ssh-keygen, or PuTTYgen on Windows; whichever tool you use, the private key should end up only on the client machine.
Let us create the key pair using ssh-keygen. First go to the .ssh directory we have just created.
cd /home/atidke/.ssh
Generate the key pair. Because we are logged in as root, ssh-keygen would default to /root/.ssh/id_rsa, so give it the user’s path explicitly:
ssh-keygen -t rsa -f /home/atidke/.ssh/id_rsa
Copy the content of the public key (the file with the .pub extension) into authorized_keys, which must be located inside the .ssh directory:
cat id_rsa.pub
Copy the content displayed on the shell
vim authorized_keys
Paste the copied content into authorized_keys.
Save and close the file.
Now restrict the file permissions and fix the ownership. With the default StrictModes, sshd ignores authorized_keys when the .ssh directory or the file is writable by anyone other than the owner:
chmod 700 /home/atidke/.ssh
chmod 600 /home/atidke/.ssh/authorized_keys
chown -R atidke:atidke /home/atidke/.ssh
Copy the private key (id_rsa) to the machine from which you want to access the SFTP server, then delete it from the server; the server only needs the public key in authorized_keys. If you want to access the SFTP server from Windows, convert the key to PuTTY’s .ppk format with PuTTYgen.
Now we have the user and its private key. Test the connection to the server; you can use PuTTY if you are on Windows.
You should be able to access the server, but that’s not all, the real thing is coming up next!
Now we have to jail the user to a specific directory and restrict its shell access so that the user can’t reach the command shell of the server.
First of all, create a group for SFTP users
groupadd sftpusers
Then add our user to that group:
adduser atidke sftpusers
Now atidke is a member of the sftpusers group.
Create an SFTP directory and set its permissions. sshd requires the ChrootDirectory, and every directory above it, to be owned by root and not writable by group or others, which is exactly what root ownership with mode 755 provides:
mkdir /sftp
chmod 755 /sftp
chown root:sftpusers /sftp
Create a directory inside ‘sftp’; for example, we are going to create the directory ‘shared’ to share data among several users:
mkdir /sftp/shared
chown root:sftpusers /sftp/shared
Change the permissions of the ‘shared’ directory so that only members of the sftpusers group can see and modify the data inside it, that is, read, write and traverse access for the group and no access at all for others (mode 770).
We have to modify sshd_config to specify the SFTP directory and jail the user into it:
vi /etc/ssh/sshd_config
We have to replace the Subsystem line. Comment out the following line:
Subsystem sftp /usr/lib/openssh/sftp-server
so that it looks like
#Subsystem sftp /usr/lib/openssh/sftp-server
and add the following line, which uses the SFTP server built into sshd itself. This is what makes the jail work: the external sftp-server binary is not available inside the chroot, whereas internal-sftp needs no files there:
Subsystem sftp internal-sftp
Add the following lines at the bottom of the file, below ‘UsePAM yes’. A Match block must come last, because every directive after it, up to the next Match, applies only to the matched sessions:
Match group sftpusers
ChrootDirectory /sftp/
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
Save and close the file.
Change the ownership of the user’s home directory to root, without changing the ownership of the .ssh directory, which sshd uses to verify the key:
chown root:root /home/atidke
chown -R atidke:atidke /home/atidke/.ssh
Restart SSH so the new configuration takes effect. Keep your current session open until you have confirmed that you can still log in, in case the configuration has an error:
/etc/init.d/ssh restart
Mission accomplished! Test your SFTP connection using an SFTP tool like WinSCP. Check that you have jailed the user and blocked its shell access: the user should not be able to reach the shell of the server, and an interactive ssh login should be refused by the ForceCommand.
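To confirm the two things sshd is strict about before restarting it, here is an added check script (not part of the original post) that verifies the ownership and modes of every directory from / down to the ChrootDirectory, and that sshd_config carries the internal-sftp Subsystem line and the full Match block described above. It assumes GNU or busybox stat as found on Ubuntu and is run as root with the chroot path (here /sftp) as its first argument; pair it with sshd -t, which validates the configuration syntax.

```shell
#!/bin/sh
# Added check for the SFTP jail configured above (not from the original post).
# sshd refuses a chrooted login with "bad ownership or modes for chroot
# directory" unless every directory from / down to the ChrootDirectory is
# owned by root and writable only by root. Assumes GNU/busybox stat (Ubuntu).

dir_owner_ok() {
    # 0 when directory $1 is owned by uid 0 (root)
    [ "$(stat -c '%u' "$1" 2>/dev/null)" = 0 ]
}

dir_mode_ok() {
    # 0 when directory $1 has neither the group- nor the world-write bit set
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    [ $(( 0$mode & 022 )) -eq 0 ]
}

check_chroot_path() {
    # walk from the chroot up to / and fail on the first unsafe component
    dir=$1
    while :; do
        dir_owner_ok "$dir" || { echo "not root-owned: $dir"; return 1; }
        dir_mode_ok "$dir"  || { echo "group/world writable: $dir"; return 1; }
        [ "$dir" = / ] && return 0
        dir=$(dirname "$dir")
    done
}

sshd_config_ok() {
    # $1 is an sshd_config; require the in-process SFTP subsystem and a
    # Match block for sftpusers carrying all four jail directives
    grep -Eq '^[[:space:]]*Subsystem[[:space:]]+sftp[[:space:]]+internal-sftp' "$1" || return 1
    block=$(sed -n '/^[[:space:]]*[Mm]atch[[:space:]][[:space:]]*[Gg]roup[[:space:]][[:space:]]*sftpusers/,$p' "$1")
    for d in 'ChrootDirectory' 'ForceCommand internal-sftp' \
             'AllowTcpForwarding no' 'X11Forwarding no'; do
        printf '%s\n' "$block" | grep -q "^[[:space:]]*$d" \
            || { echo "missing in Match block: $d"; return 1; }
    done
}

# Stand-alone use: sh this_script.sh /sftp [/etc/ssh/sshd_config]
if [ "$#" -gt 0 ]; then
    check_chroot_path "$1" && echo "chroot path OK: $1"
    sshd_config_ok "${2:-/etc/ssh/sshd_config}" && echo "sshd_config OK"
fi
```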
Go ahead and create more SFTP users and jail them too; in the end you are the boss of the server!