Create Your Own SFTP Server

In the digital age, the security of data during transfer is paramount. One of the most reliable methods to ensure data is securely transferred over the internet is through the use of Secure File Transfer Protocol (SFTP). This protocol provides a secure channel in a client-server architecture, encrypting data to prevent unauthorized access during transmission. This blog post will guide you through setting up your own SFTP server, ensuring your data transfers remain secure.

Understanding SFTP

SFTP stands for Secure File Transfer Protocol. Unlike plain FTP, which it replaces, SFTP encrypts both data and commands, so sensitive information is not exposed on the network. This level of security is crucial for businesses and individuals who regularly handle confidential data.


Why Set Up an SFTP Server?

Setting up an SFTP server allows you to manage how data is securely transferred in or out of your organization or home network. It provides you with control over user access, the security of data in transit, and audit trails of who transferred what and when. This control is vital in maintaining the integrity and confidentiality of sensitive information.

Setting Up an AWS EC2 Instance

1. AWS Management Console: Navigate and log in to the AWS Management Console, and access the EC2 Dashboard.

2. Launch Instance: Click on "Launch Instance" and choose an Amazon Machine Image (AMI). For this project, the Amazon Linux 2 AMI is recommended.

3. Instance Type: Select a suitable instance type. For small to medium-sized backup needs, t2.micro offers a cost-effective solution that falls within the AWS Free Tier.

4. Instance Details: Configure your instance. The default settings are generally adequate for basic projects.

5. Add Storage: Adjust the storage settings based on the volume of data you plan to back up (default will work for testing).

6. Security Group: Configure the security group to allow SSH access (port 22) from your IP address, ensuring secure SFTP connections.

7. Launch: Review your settings, then launch the instance. You'll be prompted to select or create a new key pair. Download and securely store this key pair; it's essential for SSH access.

8. Connect to your EC2 Instance: Using the private key you downloaded earlier, connect to your EC2 instance with the command,

ssh -i /path_to_key.pem ec2-user@<your_public_ip_address>

Installation

  1. Update your package repository.

     sudo yum update -y
    
  2. Install OpenSSH Server if it's not already installed.

     sudo yum install openssh-server -y
    
  3. Start and enable the SSH service.

     sudo systemctl start sshd
     sudo systemctl enable sshd
    
  4. Check the status of the SSH service to ensure it's running.

     sudo systemctl status sshd
    
  5. Open the SSH configuration file in a text editor such as nano or vi.

     sudo nano /etc/ssh/sshd_config
    
  6. To configure SFTP, ensure the following line is present and not commented out:

     Subsystem sftp internal-sftp
    

    The line Subsystem sftp internal-sftp in the SSH daemon configuration file (sshd_config) tells sshd to serve SFTP with the SFTP server built into OpenSSH itself, rather than spawning the external sftp-server binary. The built-in server is what makes a chroot possible, because no binary needs to exist inside the chroot.

  7. Add a block at the end of the file to create a chroot environment for SFTP users. Replace sftponly with your desired group name:

     Match Group sftponly
     ChrootDirectory %h
     AllowTCPForwarding no
     X11Forwarding no
     ForceCommand internal-sftp
    
    • Match Group sftponly: This line starts a conditional block that applies the following directives only to users who are members of the group sftponly. It's a way to apply special restrictions or settings to a specific subset of users based on group membership. The configuration directives that follow this line will only affect users in the sftponly group until the end of the block or until another Match line is encountered.

    • ChrootDirectory %h: This directive confines the user to their home directory, effectively preventing them from accessing any files or directories outside of it. %h is a variable that represents the user's home directory. This is a security measure that limits the potential damage a user can do or the data they can access if their account is compromised.

    • AllowTCPForwarding no: This line disables TCP forwarding for users in the sftponly group. TCP forwarding is a feature that allows users to create secure SSH tunnels for other TCP connections, which can be used for various purposes, including securely accessing remote services or bypassing network restrictions. Disabling it increases security by limiting the capabilities of the SFTP users, ensuring they can only use the connection for file transfers.

    • X11Forwarding no: This directive disables X11 forwarding, which is a mechanism to securely run graphical applications over SSH. Since users in the sftponly group should only have access to file transfer capabilities, disabling X11 forwarding ensures they cannot run graphical applications, adhering to the principle of least privilege and enhancing security.

    • ForceCommand internal-sftp: This command forces the execution of the internal SFTP server for users in the sftponly group, regardless of what command or request is made by the user's SSH client. It ensures that these users can only use SFTP for file transfers and cannot execute shell commands or access other SSH features. The internal-sftp server is a secure, lightweight SFTP server built into OpenSSH.

  8. Save and exit the file.

  9. Apply the changes by restarting the SSH service.

     sudo systemctl restart sshd
    
  10. Create a new group for SFTP users.

    sudo groupadd sftponly
    
  11. Add a new user to this group. Set the home directory as desired.

    sudo useradd -m -g sftponly -s /sbin/nologin username
    sudo passwd username
    

    username : Change this accordingly.

  12. Change the ownership and permissions of the home directory to work with the chroot environment.

    sudo chown root:root /home/username
    sudo chmod 755 /home/username
    

    username : Change this accordingly.

  13. Create a directory for files within the user's home directory and set appropriate ownership.

    sudo mkdir /home/username/files
    sudo chown username:sftponly /home/username/files
    

    username : Change this accordingly.
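The sshd_config block from step 7 and the ownership rules from steps 12 and 13 are easy to get subtly wrong (sshd silently refuses the chroot if any parent directory is group- or world-writable). The following audit script is an added example, not part of the original post; it assumes GNU coreutils (stat -c), as on Amazon Linux 2, and takes the config file, group, user and home directory as arguments so it can also be tried against constructed copies.

```shell
#!/bin/sh
# Audit helpers for the chrooted-SFTP setup above. Added example, not part of
# the original post. Assumes GNU coreutils (stat -c), as on Amazon Linux 2.

# 0 when an octal mode (e.g. 755) has no group or other write bit. sshd
# refuses the chroot if any path component is group- or world-writable.
perms_ok() {
    case "$1" in
        *[2367]?) return 1 ;;   # group write bit set
        *[2367])  return 1 ;;   # other write bit set
    esac
    return 0
}

# 0 when $1 and every parent directory are root-owned with safe permissions,
# which is why the guide runs chown root:root and chmod 755 on the home dir.
chroot_dir_ok() {
    d=$1
    while [ "$d" != "/" ]; do
        out=$(stat -c '%u %a' "$d" 2>/dev/null) || return 1
        set -- $out
        [ "$1" = 0 ] && perms_ok "$2" || return 1
        d=$(dirname "$d")
    done
}

# 0 when sshd config $1 has a "Match Group $2" block that both chroots the
# user and forces internal-sftp; commented-out lines do not count, and a
# later Match line ends the block just as sshd treats it.
match_block_ok() {
    awk -v g="$2" '
        /^[ \t]*Match[ \t]/ { inblk = ($2 == "Group" && $3 == g); next }
        inblk && $1 == "ChrootDirectory"                       { chroot = 1 }
        inblk && $1 == "ForceCommand" && $2 == "internal-sftp" { force = 1 }
        END { exit !(chroot && force) }
    ' "$1"
}

# Full check for one user: config block, locked-down chroot, and an upload
# directory owned by the user (the only place they should be able to write).
audit_sftp_user() {
    cfg=$1 group=$2 user=$3 home=${4:-/home/$3}
    match_block_ok "$cfg" "$group" || { echo "no Match Group $group sftp block in $cfg"; return 1; }
    chroot_dir_ok "$home" || { echo "$home (or a parent) is not root-owned and non-writable"; return 1; }
    [ "$(stat -c '%U' "$home/files" 2>/dev/null)" = "$user" ] || { echo "$home/files not owned by $user"; return 1; }
    echo "ok: $user is correctly chrooted"
}

# On the server (as root): audit_sftp_user /etc/ssh/sshd_config sftponly username
```

Run sudo sshd -t before restarting sshd to catch syntax errors in the Match block. The audit does not cover authentication: Amazon Linux 2 ships with PasswordAuthentication no, so the password set in step 11 is only accepted if that directive is enabled (it may be set inside the Match block) or the user is given an authorized key instead.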

Testing your Server

From your local machine, use an SFTP client or command-line tool to connect to the SFTP server using the new user's credentials.

sftp username@<public_ip_address>

You should be logged in as the new user, with the files directory available for uploading and downloading files securely. Some common commands that you can use in the sftp shell:

  1. ls: Lists the files and directories in the current remote directory.

  2. lcd: Changes the current local directory.

  3. get: Downloads a file from the remote system to the local system.

  4. mget: Downloads multiple files from the remote system to the local system.

  5. put: Uploads a file from the local system to the remote system.

  6. mput: Uploads multiple files from the local system to the remote system.

Start something big with this as the template

Building upon the foundation of an SFTP server, there are numerous project ideas that can cater to various interests and needs, spanning from data management and automation to enhancing security and developing new functionalities.

1. Secure Data Exchange Platform: Develop a platform that facilitates secure data exchange between different stakeholders, such as businesses, clients, and suppliers.

2. Automated Data Backup and Sync System: Create a system that automatically backs up critical data from various sources (servers, workstations, cloud services) to your SFTP server.

3. Secure Document Management System: Build a document management system that leverages the SFTP server for secure storage and transfer of documents. Incorporate features like version control, document sharing permissions, and automated workflows for document approval processes.

4. Remote Software Deployment Tool: Develop a tool that uses SFTP to securely deploy software updates or configurations to remote servers or workstations. This could include scheduling deployment tasks, monitoring deployment status, and rollback functionalities in case of errors.

5. Secure File Transfer API: Develop an API that enables other applications to securely transfer files using your SFTP server. This API could be used to integrate secure file transfer capabilities into custom applications or services.

Conclusion

Setting up an SFTP server is a straightforward process that significantly enhances the security of your file transfers. By following these steps, you can ensure that your data is protected from unauthorized access while in transit. As you become more comfortable with these configurations, you can explore more advanced settings, such as key-based authentication, to further secure your SFTP server.