Setting Up Sftp On Ubuntu 16.04

Setting Up SFTP on Ubuntu 16.04
by Janeth Kent Date: 12-03-2018 ftp sftp ssh ubuntu linux


I recently had a request to setup SFTP for a customer so they could manage a set of files in their environment through an FTP GUI. Being an avid user of command line tools like SCP I haven’t needed to set up FTP or SFTP in many years. So I dusted off some guides and fired it up.

While setting everything up it seems as though many guides were missing a critical step in some form or fashion. So I have taken it upon myself to write a guide to detail my entire process from start to finish.

The Guide

Step 1 – Create a New User

Personally once I am logged into my server I switch to the root user:

$ sudo -s

Let us add a new user

$ adduser [your username]

You will be prompted to add a password. For testing purposes I usually make the password something simple to start and go back and change it to be something secure later on. All other user information is optional so you can simply hit ENTER to move through it if you would like.

Step 2 – Creating a Directory to Put Files In

We do not want our new SFTP user to have access to our whole file system as this would be a huge security flaw. So in this guide we are going to restrict the user down to a single directory to add and remove files from.

This is where I found my first hang up. When using SFTP we have to have the directory that the user is going to be forced into owned by root. All directories above that must also be owned by root without any group write permissions. Failing to create this structure properly will result in you not being able to login.

Example Structure:

/var/www/html/ The directory HTML is where our website resides so this is the directory we want to have our SFTP user to be able to write to.

To accomplish this we will actually force our user to the directory /var/www/ this way the WWW and VAR directories can be owned by root while the HTML directory can be owned by www-data which we will then add our new user to.

To accomplish this:

$ chmod 755 /var/www

This changes our permissions to only allow writing by the user who owns the directory while read and execute to everyone else.

$ chown root:root /var/www

This changes our directory to be owned by the user root and group root which satisfies our directory structure requirements.

$ chown -R www-data:www-data /var/www/html/

This gives ownership to the user www-data and group www-data which is the standard Apache user.

Step 3 – Locking Down our User

$ nano /etc/ssh/sshd_config

Note: You can use whatever text editor you like here to edit the file.

Find the section Subsystem sftp /var/lib/openssh/sftp-server Comment it out so it looks like #Subsystem sftp /var/lib/openssh/sftp-server

Add the line Subsystem sftp internal-sftp right below it.

Add the following lines to the very bottom of the file:


Match User [Your New Username] ChrootDirectory /var/www
X11Forwarding no
AllowTcpForwarding no
AllowAgentForwarding no
ForceCommand internal-sftp
PasswordAuthentication yes

Save the file and exit.

Match User: Tells the SSH server to only apply the following settings to the one user
ChrootDirectory: This tells the server what directory our user is allowed to ONLY work within this directory
X11Forwading, AllowTCPForwarding, AllowAgentForwarding: Prohibits the user from port forwarding, tunneling and X11 forwarding fot the user. These are all security things.
ForceCommand internal-sftp: Forces the SSH server to the run the SFTP program upon access which disables shell access.
PasswordAuthentication: Allows for the user to login with a typed password. You can remove this is you would rather use a security key which is by far safer.

Restart the SSH Server

$ /etc/init.d/ssh restart

With the SSH server restarted your SFTP user should be able to login and view files. It won’t be able to modify any files yet as we did not give the user access to do so.

$ usermod -a -G www-data [Your User]
This adds the user that you specify to the www-data group. Completing this will allow your user to be able to modify files within the directory /var/www/html

Errors

I've created a user 'www' and added it to the 'www-data' group. I've set the home directory of 'www' to /var/www/ also. I would like to use 'www' to transfer files in and out of my web server by FTP

The problem is when I run the command:

sudo chown -R www-data:www-data /var/www/

..I don't have permission to write files via FTP

However when I run:

sudo chown -R www:www /var/www

..I have full FTP access but get a 'Forbidden' message in my browser.

Any advice on how to get full FTP access including all subfolders would be really appreciated.

That means that you already have a www-data user which Apache uses that should have the necessary permissions in /var/www.

The simplest solution would be to use that same user, but you could also assign the www-data group to your new user and make sure the /var/www directory structure allows the group to write to it:

chown -R www-data:www-data /var/www
chmod -R ug+rw /var/www

Conclusion

There are so many other complex SSH server configurations. This setup allows for a very specific use case which many people have implemented. While SFTP is secure allowing access to any remote server allows for the possibility of attack. This guide should only be used if you understand the security risks involved with allowing SFTP.

This guide showed you how to create a new user and limit that user to SFTP access only. We also limited that user to our website directory and prevented it from access any other critical system files.

If this guide has been helpful for you and your team please share it with others!

 
by Janeth Kent Date: 12-03-2018 ftp sftp ssh ubuntu linux hits : 4945  
 
Janeth Kent

Janeth Kent

Licenciada en Bellas Artes y programadora por pasión. Cuando tengo un rato retoco fotos, edito vídeos y diseño cosas. El resto del tiempo escribo en MA-NO WEB DESIGN END DEVELOPMENT.

 
 
 

Related Posts

Linux For Dummies: Permissions

In the previous articles I made a short introduction to the Unix world and in the following article I have dealt with the basic commands for the file system management. Today we are…

Linux for Dummies: Ubuntu Terminal

I introduced in the previous article, available here, the basic concepts concerning the Linux world. Today we are going to have a look to some basic operations that we can perform…

The Best RSS Readers for Ubuntu

Even if most of the tech experts actively claim that RSS (Rich Site Summary) is dead especially after Google Reader was discontinued 5 years ago but it isn’t yet as…

How to install Letsencrypt Certificates with Certbot in Ubuntu

In this article we will explain how to install, manage and configure the SSL Security certificate, Let's Encypt in NGINX server used as proxy. This certificate is free but does…

How to Set up a Fully Functional Mail Server on Ubuntu 16.04 with iRedMail

Setting up your own mail server from scratch on Linux is complex and tedious, until you meet iRedMail. This tutorial is going to show you how you can easily and…

GIMP 2.10 released: Features 32-bit support, new UI and A Ton Of Improvements

It's been over a half-decade since the GIMP 2.8 stable debut and today marks the long-awaited release of GIMP 2.10, its first major update in six years. And among other…

Install Java in Ubuntu 16.04

Java and the JVM (Java's virtual machine) are widely used and required for many kinds of software. This article will guide you through the process of installing and managing different…

ArangoDB, install and configure the popular Database in ubuntu 16.04

Introduction to ArangoDb, open source, NoSQL, multi-model database BigData seems to be getting stronger every day and more and more NoSQL databases are coming out to the market, all trying to position…

How to Choose a Laptop for Web Design and Development

Efficiency is important at work, no matter the type of job you do. The better the tools that you use, the more productive you are. So if you’re a web…

The Best Lightweight Linux Distributions For Older PC's

What do you do with your old computers? The one which once had good hardware configuration but now those are considered outdated. Why not revive your old computer with Linux?…

How to write real client IP address in error Log with Varnish 4 and Apache 2.4 in Ubuntu 16.04

In order to have Varnish 4 pass on the real client IP to your Apache 2.4 error log in Ubuntu 16.04 , you'll need to edit your Varnish configuration (/etc/varnish/default.vcl…

How to Configure the Mod_Security Core Ruleset in Ubuntu

ModSecurity is a Web Application Firewall, a program that can be used to inspect information as it passes through your web server, intercepting malicious requests before they are processed by your…

We use our own and third-party cookies to improve our services, compile statistical information and analyze your browsing habits. This allows us to personalize the content we offer and to show you advertisements related to your preferences. By clicking "Accept all" you agree to the storage of cookies on your device to improve website navigation, analyse traffic and assist our marketing activities. You can also select "System Cookies Only" to accept only the cookies required for the website to function, or you can select the cookies you wish to activate by clicking on "settings".

Accept All Only sistem cookies Configuration