Thursday, December 2, 2021

How to create SFTP only Server on Centos/RHEL/UBUNTU | SFTP Jailed Server on Centos/RHEL/UBUNTU

 How to create an SFTP-only server in a chroot jailed environment 

 Step 1 - Install ssh packages 

CentOS/RHEL:

# yum update 

# yum install openssh-server 

Ubuntu/Debian:

# apt-get update 

# apt-get install openssh-server 

 Step 2 - Create user and group 

   * Create a new group for SFTP users 

# groupadd sftp_users 

   * Create the SFTP user and set a password 

# useradd -g sftp_users -s /bin/false -M -d /opt/SFTP/nirmal  nirmal      

# passwd  nirmal 


  • -g sftp_users adds the user nirmal to the sftp_users group.
  • -s /bin/false gives the user no login shell: this is an SFTP-only account, so no shell is required (on RHEL /sbin/nologin works equally well).
  • -M -d /opt/SFTP/nirmal records /opt/SFTP/nirmal as the home directory in /etc/passwd without creating it. The directory is created by hand in Step 3, because the chroot directory must be owned by root, not by the user.


 Step 3 - Create SFTP Directory and change owner and permission 


# mkdir -p /opt/SFTP/nirmal

# mkdir /opt/SFTP/nirmal/DATA  

# chown root:sftp_users /opt/SFTP/nirmal

# chown nirmal:sftp_users /opt/SFTP/nirmal/DATA 

# chmod 755 /opt/SFTP/nirmal

# chmod 770 /opt/SFTP/nirmal/DATA

The ownership is not cosmetic: sshd only accepts a ChrootDirectory if that directory and every parent of it (/opt, /opt/SFTP) is owned by root and is not group- or world-writable. Otherwise the login fails and the sshd log shows "bad ownership or modes for chroot directory". That is why the user's home is root-owned with mode 755 and the user only gets write access inside DATA.

  

Step 4 - Change sshd_config configuration file accordingly 


# vi /etc/ssh/sshd_config


#Subsystem      sftp    /usr/lib/openssh/sftp-server  # comment out the existing Subsystem line (on CentOS/RHEL the path is /usr/libexec/openssh/sftp-server)


Subsystem sftp internal-sftp     # add this line


# add the block below for every user as required. Match blocks must go at the end of the file:
# every option after a Match line belongs to that block until the next Match line.


Match User nirmal  
        ForceCommand internal-sftp 
        PasswordAuthentication yes
        ChrootDirectory /opt/SFTP/nirmal
        PermitTunnel no
        AllowAgentForwarding no
        AllowTcpForwarding no
        X11Forwarding no


# now save file and exit 




OR, with one block for the whole group instead of one per user:


# vim /etc/ssh/sshd_config


#Subsystem      sftp    /usr/lib/openssh/sftp-server  # comment out the existing Subsystem line (on CentOS/RHEL the path is /usr/libexec/openssh/sftp-server)


Subsystem sftp internal-sftp 


# one block covers every member of sftp_users; %h expands to each user's home directory
# (set with useradd -d above), which must be root-owned as in Step 3. Keep it at the end of the file.


Match Group sftp_users  
        ForceCommand internal-sftp 
        PasswordAuthentication yes
        ChrootDirectory %h
        PermitTunnel no
        AllowAgentForwarding no
        AllowTcpForwarding no
        X11Forwarding no


# now save file and exit 




Note: if you want the user to land in a folder inside the home directory (here DATA, the only directory they can write to), give internal-sftp a start directory. The path is relative to the chroot:
           ForceCommand internal-sftp -d /DATA



Step 5 - Restart SSHD Service 

    # sshd -t    # check the configuration first: a syntax error would stop sshd from starting and lock you out

    # systemctl   restart sshd




Step 6 - Check from client 

    # sftp  nirmal@192.168.1.2

After login, "pwd" should show / (or /DATA if the -d option was used) and uploads should only succeed inside DATA. A shell login must be refused:

    # ssh  nirmal@192.168.1.2
    This service allows sftp connections only.

Enjoy :)