Thursday, December 2, 2021

How to create SFTP only Server on Centos/RHEL/UBUNTU | SFTP Jailed Server on Centos/RHEL/UBUNTU

 How to create SFTP only server in chroot jailed environment 

 Step 1 - Install ssh packages 

# yum update 
# yum install openssh-server 
or 
#apt-get update 
# apt-get install openssh-server 

 Step 2 - Create user and group 

   

     * Create new group for sftp 

groupadd sftp_users 

   * Create user for sftp and set password 

# useradd -g sftp_users -s /bin/false -M -d /opt/SFTP/nirmal  nirmal      
# passwd  nirmal 

  • The -g sftp_users option will add nirmal user to the sftp_users group.
  • The -s /bin/false will disable user ssh shell because we want only sftp only user so shell not required .
  • The -M -d /opt/SFTP/nirmal  options will ignore to create nirmal user with defined  home directory but will assign home Directory in profile . 


 Step 3 - Create SFTP Directory and change owner and permission 


mkdir -p /opt/SFTP/nirmal
mkdir /opt/SFTP/nirmal/DATA  
# chown root:sftp_users /opt/SFTP/nirmal
# chown nirmal:sftp_users /opt/SFTP/nirmal/DATA 
# chmod 755 /opt/SFTP/nirmal
# chmod 770 /opt/SFTP/nirmal/DATA
  

Step 4 - Change sshd_config configuration file accordingly 


# vi /etc/ssh/sshd_config

#Subsystem      sftp    /usr/lib/openssh/sftp-server  # comment this line 

Subsystem sftp internal-sftp     # add this line

#add below entry for every user as required

Match User nirmal  
        ForceCommand internal-sftp 
        PasswordAuthentication yes
        ChrootDirectory /opt/SFTP/nirmal
        PermitTunnel no
        AllowAgentForwarding no
        AllowTcpForwarding no
        X11Forwarding no



# now save file and exit 



OR 


# vim /etc/ssh/sshd_config

#Subsystem      sftp    /usr/lib/openssh/sftp-server  # comment this line 

Subsystem sftp internal-sftp 

#add below entry for every user as required

Match group  sftp_users  
        ForceCommand internal-sftp 
        PasswordAuthentication yes
        ChrootDirectory %h
        PermitTunnel no
        AllowAgentForwarding no
        AllowTcpForwarding no
        X11Forwarding no



# now save file and exit 



Note: if you want user landing in a folder inside Home Directory you can use like
           ForceCommand internal-sftp -d /DATA



Step 5 - Restart SSHD Service 

    # systemctl   restart sshd



Step 6 - Check from client 

    # sftp  nirmal@192.168.1.2













Enjoy :)






























 

at 1 comment:
Subscribe to: Posts (Atom)

Linux server hardening | Secure Linux Servers

 Linux server hardening is the process of securing a Linux server by reducing its attack surface and mitigating security risks. The goal is ...