Ultimate Guide: Creating a Secure SFTP Server with Chroot on Ubuntu 22.04


Welcome to our comprehensive tutorial on setting up a highly secure SFTP server with chroot on Ubuntu 22.04. In this step-by-step guide, we’ll walk you through the entire process, ensuring that you can securely transfer files while restricting user access to their designated directories.

🔐 What You’ll Learn in This Tutorial 🔐

  • Step-by-step preparation of an Ubuntu 22.04 host as your SFTP server.
  • Configuring OpenSSH for secure SFTP connections.
  • Implementing chroot to confine users to their own directories.
  • Fine-tuning permissions and user access for maximum security.

By the end of this tutorial, you’ll have a robust SFTP server that ensures data integrity and confidentiality, making it ideal for personal use, small businesses, or even enterprise-level applications.

Create the root directory for SFTP users

You can change the directory name to anything you like. This directory becomes the ChrootDirectory later on, so it (and every directory above it) must be owned by root and must not be writable by group or others; sshd refuses the login otherwise.

mkdir /sftpusers
chmod 701 /sftpusers

Create the SFTP user group

Change the group name to anything you like.

groupadd sftpgroup

Create the SFTP user

Change mysftpuser to the username you like. The nologin shell prevents interactive SSH sessions; the user can only use SFTP.

useradd -g sftpgroup -s /sbin/nologin mysftpuser
passwd mysftpuser

Create the SFTP user directory

This is the only directory inside the chroot that the user owns and can write to.

mkdir /sftpusers/mysftpuser
chown mysftpuser:sftpgroup /sftpusers/mysftpuser
chmod 700 /sftpusers/mysftpuser

Edit the SSH config file

The SSH daemon configuration is located at /etc/ssh/sshd_config; edit it with nano or any other text editor. Make sure the following line is present and uncommented:

/etc/ssh/sshd_config
Subsystem sftp /usr/lib/openssh/sftp-server

Add the following text at the end of the SSH config file. The Match block applies only to members of sftpgroup: it confines them to /sftpusers, forces the built-in SFTP server (so no shell is ever spawned) with the user's own directory as the starting point, and disables forwarding and tunnelling so the connection cannot be used as a pivot.

/etc/ssh/sshd_config
Match Group sftpgroup
ChrootDirectory /sftpusers/
ForceCommand internal-sftp -d /%u
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
PermitTunnel no
PasswordAuthentication yes

Save and restart SSH

systemctl restart sshd

Set up SFTP authentication with an SSH key

Create a directory for SSH keys

The keys are kept under /etc/ssh, outside the chroot and owned by root, so an SFTP user cannot add or alter authorized keys. Replace PUBLIC_KEY with the user's public key and username with the SFTP username (mysftpuser in this guide).

mkdir /etc/ssh/authorized_keys
chown root:root /etc/ssh/authorized_keys
chmod 755 /etc/ssh/authorized_keys
echo 'PUBLIC_KEY' >> /etc/ssh/authorized_keys/username
chmod 644 /etc/ssh/authorized_keys/username

Edit the SSH config file

Open /etc/ssh/sshd_config with nano or any other text editor and change the Match block from this

/etc/ssh/sshd_config
Match Group sftpgroup
ChrootDirectory /sftpusers/
ForceCommand internal-sftp -d /%u
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
PermitTunnel no
PasswordAuthentication yes

to this. AuthorizedKeysFile lists the root-owned location first and the user's own .ssh/authorized_keys second, so the key file you created above is the one that takes effect.

/etc/ssh/sshd_config
Match Group sftpgroup
ChrootDirectory /sftpusers/
ForceCommand internal-sftp -d /%u
AuthorizedKeysFile /etc/ssh/authorized_keys/%u .ssh/authorized_keys
PermitRootLogin no
PermitEmptyPasswords no
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
PermitTunnel no
PasswordAuthentication yes

Save and restart SSH

systemctl restart sshd

Disable SFTP password authentication

Once you have confirmed that key-based login works, edit /etc/ssh/sshd_config and change PasswordAuthentication yes to PasswordAuthentication no in the Match Group sftpgroup block, so that SFTP users can authenticate only with their SSH key.