Setup simple SFTP server in minutes

rynaro

Henrique A. Lavezzo

Posted on December 12, 2019

Context

One of the most common ways to share files between companies is still an FTP server. And sometimes you need to set up FTP in-house, whether for compliance control, security, cost, or because it's simple enough to do it yourself.

I run one FTP server at the company I work for. It's a simple FTP server, developed in Python with the pyftpdlib package and AWS S3 integration. We have a hook action that sends each file into a bucket mirroring the folder name, to keep the files safe, and after 15 days we clean the server filesystem to keep disk space at a healthy level.

But recently we got a specific requirement from a new partner: we need to expose an SFTP server. A quick search showed that pyftpdlib does not support the SFTP protocol. After that, I went to AWS to see how much AWS Transfer would cost. It's an easy-to-use service, but expensive for a small startup, and I don't think we need an entire service for this. Besides, our monthly invoice would be affected by a third-party factor: one mistake made by our partner could increase the invoice numbers.

Given the above factors, I decided to build a simple SFTP server from scratch.

DIY Setup

First of all, you'll need a server instance. In this case, I used a DigitalOcean Droplet. My decision was driven by low cost.

I like Ubuntu server instances, and this "paper" assumes the server is an Ubuntu server.

Packages

Make sure your instance is updated.

# apt update && apt upgrade

Install vim, or use nano.

# apt install vim

Create user

You'll need to create a user for your third party. We'll call our friend partner here. Say hello to Partner.

# adduser --shell /bin/false partner

You can let Linux create the home folder for you. But actually, I like to stay in control of the situation.

Create user folder

If you let adduser create the home folder, you don't need to create a separate permitted folder.

# mkdir -p /var/sftp/partner/files

Remember to give Partner write permission inside the new home. sshd only accepts a ChrootDirectory that is owned by root and not writable by anyone else (otherwise the SFTP login fails with "bad ownership or modes for chroot directory"), so the chroot itself stays root's and Partner owns the files folder inside it:

# chown root:root /var/sftp/partner
# chmod 755 /var/sftp/partner
# chown partner:partner /var/sftp/partner/files
# chmod 755 /var/sftp/partner/files
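As an added check that is not part of the original post: sshd requires the ChrootDirectory and every parent component up to / to be owned by root and not writable by group or others, so the script below walks the path and reports any component that breaks the rule. The rule itself sits in component_ok so it can be checked on its own; the script assumes GNU coreutils stat (as on Ubuntu) and the directory names are those used in this post.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Checks whether a directory meets
# sshd's ChrootDirectory requirements: the directory and every parent up to /
# must be owned by root and must not be writable by group or others.
# Assumes GNU coreutils `stat -c` (Ubuntu); the rest is POSIX sh syntax.

# component_ok UID MODE: the rule for a single path component.
# UID is numeric; MODE is the octal string printed by `stat -c %a` (e.g. 755).
component_ok() {
  local uid="$1" mode="$2" oth rest grp
  [ "$uid" = 0 ] || return 1                  # must be owned by root
  oth=${mode#"${mode%?}"}                     # last octal digit: others
  rest=${mode%?}
  grp=${rest#"${rest%?}"}                     # second-to-last digit: group
  grp=${grp:-0}
  # bit 2 of a permission digit is the write bit
  [ $(( grp & 2 )) -eq 0 ] && [ $(( oth & 2 )) -eq 0 ]
}

# check_chroot_path DIR: walk DIR and all its parents up to /, print each
# offending component, and return non-zero if any was found.
check_chroot_path() {
  local cur="$1" bad=0 owner mode
  while :; do
    owner=$(stat -c '%u' "$cur") || return 2
    mode=$(stat -c '%a' "$cur") || return 2
    if ! component_ok "$owner" "$mode"; then
      echo "$cur: uid $owner mode $mode (must be root-owned, not group/world-writable)"
      bad=1
    fi
    [ "$cur" = / ] && break
    cur=$(dirname "$cur")
  done
  return $bad
}

# Usage on the server (uncomment):
# check_chroot_path /var/sftp/partner && echo "chroot path OK"
```

Run it before restarting sshd: a chroot that fails this check does not produce an error at restart time, only a rejected login later.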

SFTP access restrictions

Partner is an ordinary user on our server. Without further (recommended) security rules, Partner would be able to open an SSH shell session, and we don't want that.

We'll add a rule at the end of sshd_config that restricts Partner to SFTP only.

# vim /etc/ssh/sshd_config

The content:

Match User partner
    ForceCommand internal-sftp
    PasswordAuthentication yes
    ChrootDirectory /var/sftp/partner
    PermitTunnel no
    AllowAgentForwarding no
    AllowTcpForwarding no
    X11Forwarding no

Restart SSH Service

After configuring Partner's restriction, you'll need to restart the SSH service so the changes take effect on the server.

You may be disconnected after this. Just reconnect.

# systemctl restart ssh
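As an added example (not from the original post), the same Match block can be installed and verified from a script instead of by hand. install_match_block appends the stanza only when no Match User entry for that user exists yet, effective_value asks sshd itself what it will apply to the user (sshd -T prints the effective configuration and -C user=... makes it evaluate the Match blocks for that user), and validate_and_restart refuses to restart unless sshd -t accepts the file, which is what keeps a typo in sshd_config from locking you out. The config path, user name and chroot directory are parameters; the function names are this example's own. Run it as root, like the other commands in the post.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Installs the sftp-only Match
# block for a user idempotently, validates sshd_config before restarting, and
# shows the settings sshd will actually apply to that user. Run as root.

# render_match_block USER CHROOT: print the Match block from the post.
render_match_block() {
  cat <<EOF
Match User $1
    ForceCommand internal-sftp
    PasswordAuthentication yes
    ChrootDirectory $2
    PermitTunnel no
    AllowAgentForwarding no
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

# install_match_block FILE USER CHROOT: append the block to FILE unless a
# "Match User USER" line is already present. Match blocks belong at the end
# of sshd_config, which appending preserves.
install_match_block() {
  local file="$1" user="$2" chroot="$3"
  if grep -qE "^[[:space:]]*Match[[:space:]]+User[[:space:]]+$user([[:space:]]|\$)" "$file"; then
    echo "Match block for $user already present in $file" >&2
    return 0
  fi
  { printf '\n'; render_match_block "$user" "$chroot"; } >> "$file"
}

# effective_value FILE USER KEY: the value sshd applies to USER for KEY.
# `sshd -T` prints keywords lowercased, so the lookup key is lowercased too.
effective_value() {
  local key
  key=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
  sshd -T -f "$1" -C "user=$2" | awk -v k="$key" '$1 == k { print $2 }'
}

# validate_and_restart FILE: restart sshd only if FILE parses cleanly.
validate_and_restart() {
  if sshd -t -f "$1"; then
    systemctl restart ssh
  else
    echo "sshd_config did not validate; not restarting" >&2
    return 1
  fi
}

# Usage on the server (uncomment):
# install_match_block /etc/ssh/sshd_config partner /var/sftp/partner
# effective_value /etc/ssh/sshd_config partner ForceCommand     # expect: internal-sftp
# effective_value /etc/ssh/sshd_config partner ChrootDirectory  # expect: /var/sftp/partner
# validate_and_restart /etc/ssh/sshd_config
```

Checking effective_value for ForceCommand and ChrootDirectory before the restart is the quickest way to see that the Match block is really being applied to partner and not, for example, shadowed by an earlier Match stanza.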

Create password

Create a password for partner if you didn't create one yet.

# passwd partner

Testing sftp server

SFTP Connection

For the SFTP connection, try to connect to your server with the partner credentials.

$ sftp partner@your-sftp-server

Type the password, and if everything is all right, you'll land in partner's SFTP home folder.

SSH Connection

Partner should have access only to SFTP; no SSH shell connections should be allowed. The test is simple: just try to connect with SSH.

$ ssh partner@your-sftp-server

Type the password and hit enter. You should receive this message:

This service allows sftp connections only.
Connection to your-sftp-server closed.

After this, you can send the partner credentials to Partner. 😂

The purpose of this "tutorial" is to show a simple way to build an SFTP server using only Linux resources. As you can see, it doesn't go deep into major security efforts. But you can easily strengthen your security using Linux resources too, or the tools of your service provider (AWS, DigitalOcean, etc.).
