How to set up a secure SFTP server in Linux

This tutorial will briefly describe how to set up a secure SFTP server in Linux using MySecureShell.

MySecureShell, an SFTP server built on top of OpenSSH, has a number of security features:

  • Limit per-connection download/upload bandwidth
  • Limit the number of concurrent connections per account
  • Hide file and directory owner/group/rights
  • Hide files and directories the user has no access to
  • Limit the life time of a connection
  • Chroot SFTP users into their home directory
  • Deny upload of files and directories that match regular expressions

To use MySecureShell on Linux, you first need to install the following prerequisite packages.

On Ubuntu or Debian:

$ sudo apt-get install libssl0.9.8 ssh openssh-server gcc make 

On CentOS, RHEL or Fedora:

$ sudo yum install openssl-devel openssh-server gcc make 

Once all prerequisites are installed, you can build and install MySecureShell on Linux as follows.

$ wget http://mysecureshell.free.fr/repository/index.php/source/mysecureshell_1.31.tar.gz
$ tar xvfz mysecureshell_1.31.tar.gz
$ cd mysecureshell_1.31
$ ./configure
$ make
$ sudo ./install.sh en
#########################################
#            MySecureShell              #
#########################################
Welcome to the MySecureShell installation script !
Detecting needed files for installation:
Existing file MySecureShell                                 [ OK ]
Existing file sftp_config                                       [ OK ]
Do you want to test MySecureShell (check libraries requirement) ? (Y/n)
Test MySecureShell...
Test ending 
This script will made a few operations:
- Install MySecureShell in /bin
- Make a configuration file in /etc/ssh/sftp_config
- Introduce if which MySecureShell as a valid shell
- Install utilities in /usr/bin
WARNING: The server will shutdown and all sftp connected clients will be killed !
- Do you want to continue installation ? (Y/n)
MySecureShell Installation 
MySecureShell file created                                  [ OK ]
MySecureShell file created                                  [ OK ] 
Do you want MySecureShell shell to be add like valid shell on your system ? (Y/n)
MySecureShell shell added like a valid shell        [ OK ]
Installation of tool sftp-who                                 [ OK ]
Installation of tool sftp-kill                                  [ OK ]
Installation of tool sftp-state                               [ OK ]
Installation of tool sftp-admin                             [ OK ]
Installation of tool sftp-verif                                [ OK ]
Installation of tool sftp-user                                [ OK ]
Do you want to automatically rotate MySecureShell logs ? (Y/n)
Initialisation of MySecureShell rotation logs        [ OK ]
cp: target `/share/man/fr/man8' is not a directory
Installation of Manuals                                         [ OK ]
Installation Finished !

Configure MySecureShell

The following command verifies that MySecureShell was actually installed.

$ whereis MySecureShell 
/usr/bin/MySecureShell

To manage users with MySecureShell, first create a group that all SFTP users will belong to.

$ sudo groupadd sftp

Then add an existing user (e.g., alice) to the “sftp” group and make MySecureShell the user's login shell:

$ sudo usermod -s /usr/bin/MySecureShell -g sftp alice 

If you are setting up a new SFTP user (e.g., bob) from scratch, create the account with the following command instead.

$ sudo useradd -m -s /usr/bin/MySecureShell -g sftp bob 

Next, edit the configuration file located at /etc/ssh/sftp_config to customize MySecureShell for your users. This is where you configure the security settings you require for the “sftp” group:

$ sudo vi /etc/ssh/sftp_config 
<Group sftp>
        Download                50k     # limit download speed for each connection
        Upload                  0       # unlimited upload speed for each connection
        StayAtHome              true    # limit user to his/her home directory
        VirtualChroot           true    # fake a chroot to the home account
        LimitConnectionByUser   1       # max connections for each account
        LimitConnectionByIP     1       # max connections per IP for each account
        IdleTimeOut             300     # disconnect user after this idle time (in sec)
        HideNoAccess            true    # hide files/directories the user has no access to
</Group>
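As an added check (not part of the original tutorial or of MySecureShell itself), the script below reads a Group block out of an sftp_config file and reports whether the hardening keys shown above (StayAtHome, VirtualChroot, HideNoAccess, LimitConnectionByUser) are set as expected; the config it audits is a constructed sample written to a temporary file, so point it at /etc/ssh/sftp_config to audit a real server.

```shell
# Added example: audit a MySecureShell sftp_config <Group> block for the
# hardening settings enabled above. Assumes the Apache-style
# <Group name> ... </Group> layout; the config below is constructed sample input.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
<Default>
        StayAtHome              false
</Default>
<Group sftp>
        Download                50k     # limit download speed
        Upload                  0       # unlimited upload
        StayAtHome              true
        VirtualChroot           true
        LimitConnectionByUser   1
        IdleTimeOut             300
        HideNoAccess            true
</Group>
<Group admins>
        StayAtHome              false
</Group>
EOF

# sftp_config_get FILE GROUP KEY: print KEY's value inside <Group GROUP>,
# with any trailing "# comment" stripped; print nothing if it is not set there.
sftp_config_get() {
    awk -v grp="$2" -v key="$3" '
        $1 == "<Group"   { ingrp = ($2 == (grp ">")); next }
        $1 == "</Group>" { ingrp = 0; next }
        ingrp && $1 == key { sub(/#.*/, ""); print $2; exit }
    ' "$1"
}

# sftp_config_check FILE GROUP: return 0 when every required hardening key has
# the expected value, 1 otherwise, naming each weak or missing key on stderr.
sftp_config_check() {
    rc=0
    for pair in StayAtHome=true VirtualChroot=true HideNoAccess=true LimitConnectionByUser=1; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(sftp_config_get "$1" "$2" "$key")
        if [ "$got" != "$want" ]; then
            echo "group $2: $key is '${got:-unset}', expected '$want'" >&2
            rc=1
        fi
    done
    return $rc
}

sftp_config_check "$SAMPLE" sftp   && echo "group sftp: hardened"
sftp_config_check "$SAMPLE" admins || echo "group admins: NOT hardened"
```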

Restart sshd once the configuration is complete.

On Ubuntu or Debian:

$ sudo service ssh restart 

On CentOS, RHEL or Fedora:

$ sudo service sshd restart 

Management of SFTP server

You can now log in to the SFTP server with the following command. After login you will notice that each SFTP user is chrooted into their own home directory; no other directory on the server is visible to them.

$ sftp bob@sftp_host.com 
bob@192.168.233.141's password: 
Connected to 192.168.233.141.
sftp> pwd
Remote working directory: /
sftp> 

MySecureShell also ships with tools (sftp-who, sftp-kill, sftp-state, sftp-admin, sftp-user) for managing the server and its users.

To view the currently connected SFTP users, run:

$ sftp-who 
--- 1 / 10 clients ---
Global used bandwith : 0 bytes/s / 0 bytes/s
PID: 24377   Name: bob   IP: 192.168.10.55