
Setting up SFTP Server on Amazon EC2

Written by Amit Tidke | Apr 5, 2017 1:18:56 PM

SFTP, also known as the SSH File Transfer Protocol, moves files over an SSH connection, so both the data and the commands are encrypted and passwords and other sensitive information are never sent in the clear. Despite the name it is unrelated to FTP and FTPS; it needs nothing but an SSH server. It is a good fit for anyone who needs secure file transfer between a client and a server.

Let us see how to set up an SFTP server on an Amazon EC2 instance running Ubuntu.

First, launch an EC2 instance with Ubuntu 16.04. Because SFTP runs over SSH, the instance’s security group only needs TCP port 22 open. Once the instance is running, follow these steps to set up the SFTP server.

Log in to the machine using its public or Elastic IP and the key pair chosen at launch. ‘ubuntu’ is the default username on the Ubuntu AMI.

login as: ubuntu

Then switch to the root user so that the remaining commands run with full privileges:

sudo -i

Refresh the package index (this only downloads the package lists; it does not upgrade anything):

apt-get update

The SFTP subsystem is part of OpenSSH, which the Ubuntu AMI already ships and which you are logged in through right now; just make sure openssh-server is installed. Do not install vsftpd: it is a plain-FTP daemon that SFTP does not use, and it would only add a second, unencrypted file-transfer service listening on the instance.

apt-get install openssh-server

Add a user and set a password when prompted (adduser also creates the home directory):

adduser atidke

Here atidke is the desired username; substitute your own. The password is only there because adduser asks for one; login will be by key.

Create a .ssh directory in the user’s home directory. The public key placed there is what lets the user log in to the server with a private key.

mkdir /home/atidke/.ssh

Create a key pair for the user. You can use ssh-keygen on the server, as below, or PuTTYgen on Windows. A better habit is to generate the pair on the client and copy only the public key to the server, so the private key never exists on the host it unlocks; the steps below generate it on the server for convenience.

Go to the .ssh directory created above:

cd /home/atidke/.ssh

Generate the key pair. Pass -f: without it, ssh-keygen running as root writes the key to /root/.ssh/id_rsa regardless of the current directory.

ssh-keygen -t rsa -b 4096 -f id_rsa

Append the public key (the file with the .pub extension) to authorized_keys in the same directory; sshd reads this file to decide which keys may log in as atidke:

cat id_rsa.pub >> authorized_keys

Now set the file permissions and ownership. sshd runs with StrictModes on by default and silently ignores authorized_keys if the .ssh directory or the file itself is writable by anyone other than its owner:

chmod 700 /home/atidke/.ssh

chmod 600 /home/atidke/.ssh/authorized_keys

chown -R atidke:atidke /home/atidke/.ssh

Copy the private key (id_rsa) to the machine you will connect from, and then delete it from the server; the server only needs the public half. On Windows, load the key into PuTTYgen and save it in PuTTY’s .ppk format.

You now have the user and its private key. Test the connection (PuTTY on Windows, ssh elsewhere).

The login works, but so far the user also gets a full shell on the server. Removing that is the real work, which comes next.

Now jail the user to a specific directory and take away its shell access, so that it cannot run commands on the server.

First of all, create a group for SFTP users

groupadd sftpusers

then, add our user into that group

adduser atidke sftpusers

Now atidke is a member of the sftpusers group.

Create the SFTP root directory and set its permissions. sshd refuses a ChrootDirectory unless it and every directory above it are owned by root and writable by nobody else, which is why /sftp gets mode 755 and root ownership:

mkdir /sftp

chmod 755 /sftp

chown root:sftpusers /sftp

Create a directory inside ‘sftp’. As an example, we create ‘shared’ to share data among several users:

mkdir /sftp/shared

chown root:sftpusers /sftp/shared

Change the permissions of ‘shared’ so that only members of the sftpusers group can list and modify its contents. The chroot root /sftp itself stays read-only for the users, so ‘shared’ is the only place they can write:

chmod 770 /sftp/shared

Now edit sshd_config to point the SFTP subsystem at the in-process server and jail the group:

vi /etc/ssh/sshd_config

Replace the Subsystem line. Comment out:

Subsystem sftp /usr/lib/openssh/sftp-server

so it reads:

#Subsystem sftp /usr/lib/openssh/sftp-server

and add:

Subsystem sftp internal-sftp

internal-sftp runs inside sshd itself, so no binary, libraries or device nodes have to exist under the chroot for file transfer to work.

Then add the following block at the very end of the file, below ‘UsePAM yes’. A Match block must be last: every directive after a Match line belongs to it until the next Match, so anything appended after it would only apply to the group.

Match group sftpusers
ChrootDirectory /sftp/
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp

ChrootDirectory makes /sftp the user’s root, so the user sees /shared rather than /sftp/shared. ForceCommand discards whatever command the client asks for and runs the SFTP server instead; that is what blocks shell access. The two forwarding directives stop the account from being used as a tunnel endpoint. Leave the AMI’s global PasswordAuthentication no setting in place, otherwise the password set by adduser becomes a second way into the account.

Save and close the file.

Hand the user’s home directory to root, but leave the .ssh directory owned by the user: sshd still reads authorized_keys from there before the chroot takes effect (the jail is /sftp, so the home directory itself is never visible to the user).

chown root:root /home/atidke

chown -R atidke:atidke /home/atidke/.ssh

Validate the configuration with sshd -t before restarting: if sshd_config has a syntax error and sshd fails to come back, you lose SSH access to the instance. Then restart SSH (on 16.04, systemctl restart ssh does the same):

/etc/init.d/ssh restart

Mission accomplished! Test the SFTP connection with a client such as WinSCP or the sftp command line, and confirm the jail works: an ssh login as the user must be refused (ForceCommand routes every session to internal-sftp), and within sftp the user should see only /shared under the root and be unable to write anywhere else.

Go ahead and create more SFTP users the same way; each new user only needs to be added to sftpusers to be jailed. At last, you are the boss of the server!