Ultimate Guide: Creating a Secure SFTP Server with Chroot on Ubuntu 22.04


Welcome to our comprehensive tutorial on setting up a highly secure SFTP server with chroot on Ubuntu 22.04. In this step-by-step guide, we’ll walk you through the entire process, ensuring that you can securely transfer files while restricting user access to their designated directories.

🔐 What You’ll Learn in This Tutorial 🔐

  • Step-by-step installation of Ubuntu 22.04 for your SFTP server.
  • Configure OpenSSH for secure SFTP connections.
  • Implement chroot to confine users to their home directories.
  • Fine-tune permissions and user access for maximum security.

By the end of this tutorial, you’ll have a robust SFTP server that ensures data integrity and confidentiality, making it ideal for personal use, small businesses, or even enterprise-level applications.

Create root directory for sftp users

You can change the directory name to anything you like.

Terminal window
mkdir /sftpusers
chmod 701 /sftpusers

Create sftp user group

Change the group name to anything you like

Terminal window
groupadd sftpgroup

Create sftp user

Change mysftpuser to any username you like.

Terminal window
useradd -g sftpgroup -s /sbin/nologin mysftpuser
passwd mysftpuser

Create sftp user directory

Terminal window
mkdir /sftpusers/mysftpuser
chown mysftpuser:sftpgroup /sftpusers/mysftpuser
chmod 700 /sftpusers/mysftpuser

Edit ssh config file

The SSH config file is located at /etc/ssh/sshd_config; edit it with nano or any other text editor and uncomment the following line:

/etc/ssh/sshd_config
Subsystem sftp /usr/lib/openssh/sftp-server

Add the following block at the end of the SSH config file:

/etc/ssh/sshd_config
Match Group sftpgroup
ChrootDirectory /sftpusers/
ForceCommand internal-sftp -d /%u
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
PermitTunnel no
PasswordAuthentication yes

Save and restart SSH

Terminal window
systemctl restart sshd

Setup SFTP authentication with SSH key

Create directory for ssh keys

Terminal window
mkdir /etc/ssh/authorized_keys
chown root:root /etc/ssh/authorized_keys
chmod 755 /etc/ssh/authorized_keys
echo 'PUBLIC_KEY' >> /etc/ssh/authorized_keys/username
chmod 644 /etc/ssh/authorized_keys/username

Edit ssh config file

Open the /etc/ssh/sshd_config file with nano or any other text editor and change the following block from this:

/etc/ssh/sshd_config
Match Group sftpgroup
ChrootDirectory /sftpusers/
ForceCommand internal-sftp -d /%u
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
PermitTunnel no
PasswordAuthentication yes

To this:

/etc/ssh/sshd_config
Match Group sftpgroup
ChrootDirectory /sftpusers/
ForceCommand internal-sftp -d /%u
AuthorizedKeysFile /etc/ssh/authorized_keys/%u .ssh/authorized_keys
PermitRootLogin no
PermitEmptyPasswords no
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
PermitTunnel no
PasswordAuthentication yes

Save and restart SSH

Terminal window
systemctl restart sshd

Disable SFTP password authentication

Edit /etc/ssh/sshd_config and, in the Match Group sftpgroup block, change PasswordAuthentication yes to PasswordAuthentication no, then restart SSH as before so that only key-based logins are accepted for the SFTP users.
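As an added check that is not part of the original guide: sshd refuses a chroot login with "bad ownership or modes for chroot directory component" when any component of the ChrootDirectory path, from / down, is not owned by root or is group- or world-writable. The POSIX shell script below verifies those rules for a directory such as /sftpusers before you restart sshd; it assumes GNU stat (coreutils, as on Ubuntu).

```shell
#!/bin/sh
# Print "path uid mode" for each component of an absolute path,
# starting at / and ending at the path itself (GNU stat assumed).
chroot_components() {
    path=${1%/}            # drop a trailing slash, e.g. /sftpusers/
    rest=${path#/}
    cur=""
    printf '/ %s %s\n' "$(stat -c '%u' /)" "$(stat -c '%a' /)"
    while [ -n "$rest" ]; do
        part=${rest%%/*}
        cur="$cur/$part"
        printf '%s %s %s\n' "$cur" "$(stat -c '%u' "$cur")" "$(stat -c '%a' "$cur")"
        case $rest in
            */*) rest=${rest#*/} ;;
            *)   rest="" ;;
        esac
    done
}

# Read "path uid mode" lines on stdin and apply sshd's two rules:
# every component must be owned by root (uid 0) and must not be
# group- or world-writable. Returns 0 only if all components pass.
check_chroot_components() {
    rc=0
    while read -r path uid mode; do
        [ -n "$path" ] || continue
        if [ "$uid" != 0 ]; then
            echo "FAIL $path: owned by uid $uid, sshd requires root (uid 0)"
            rc=1
        fi
        # 022 (octal) masks the group-write and other-write bits;
        # a leading 0 makes the shell parse the stat mode as octal.
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "FAIL $path: mode $mode is group- or world-writable"
            rc=1
        fi
    done
    return $rc
}

# Check a real directory: check_chroot_dir /sftpusers && sshd -t
check_chroot_dir() {
    chroot_components "$1" | check_chroot_components
}
```

Run `check_chroot_dir /sftpusers` as root after creating the directory; a clean exit followed by `sshd -t` means the chroot layout and the config file are both acceptable to sshd.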