Welcome to our comprehensive tutorial on setting up a highly secure SFTP server with chroot on Ubuntu 22.04. In this step-by-step guide, we’ll walk you through the entire process, ensuring that you can securely transfer files while restricting user access to their designated directories.

🔐 What You’ll Learn in This Tutorial 🔐

  • Step-by-step installation of Ubuntu 22.04 for your SFTP server.
  • Configure OpenSSH for secure SFTP connections.
  • Implement chroot to confine users to their home directories.
  • Fine-tune permissions and user access for maximum security.

By the end of this tutorial, you’ll have a robust SFTP server that ensures data integrity and confidentiality, making it ideal for personal use, small businesses, or even enterprise-level applications.

Create root directory for sftp users

You can change the directory name to anything you like. Keep it owned by root and not writable by group or others (which is what mode 701 gives you): sshd refuses to chroot a user if any component of the ChrootDirectory path fails that rule.


mkdir /sftpusers
chmod 701 /sftpusers

Create sftp user group

Change the group name to anything you like.


groupadd sftpgroup

Create sftp user

Change mysftpuser to a username you like. The user gets /sbin/nologin as its shell, so the account can only be used for SFTP, never for an interactive login.


useradd -g sftpgroup -s /sbin/nologin mysftpuser
passwd mysftpuser

Create sftp user directory


mkdir /sftpusers/mysftpuser
chown mysftpuser:sftpgroup /sftpusers/mysftpuser
chmod 700 /sftpusers/mysftpuser

Edit ssh config file

The SSH server config file is /etc/ssh/sshd_config; edit it with nano or any other text editor. Make sure the following line is present and uncommented:


Subsystem       sftp    /usr/lib/openssh/sftp-server

Add the following block at the end of the SSH config file (Match blocks must come after all global settings):


Match Group sftpgroup
        ChrootDirectory /sftpusers/
        ForceCommand internal-sftp -d /%u
        AllowAgentForwarding no
        AllowTcpForwarding no
        X11Forwarding no
        PermitTunnel no
        PasswordAuthentication yes
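The ChrootDirectory above is /sftpusers/ rather than the user's own directory because sshd only chroots into a path whose every component, from / downwards, is owned by root and not group/other writable; the user-owned directory is entered afterwards via -d /%u. The following check, added here as an example and not part of the original tutorial, reproduces that rule so a broken layout is caught before sshd is restarted. The TOP argument and the CHROOT_OWNER_UID variable are hypothetical conveniences for running it in a scratch tree; sshd itself always requires root ownership all the way up to /.

```shell
#!/bin/sh
# Added example, not part of the original tutorial.
# sshd applies ChrootDirectory only if every path component, from / down to the
# chroot itself, is owned by root and not writable by group or others; otherwise
# the login fails with "bad ownership or modes for chroot directory component".
#
#   chroot_path_ok PATH [TOP]
# PATH is the ChrootDirectory (e.g. /sftpusers). TOP (default /) is the highest
# component inspected; CHROOT_OWNER_UID (default 0 = root) is the required owner.
# Both knobs are hypothetical additions for self-testing without root privileges.

chroot_path_ok() {
    path=$1
    top=${2:-/}
    owner=${CHROOT_OWNER_UID:-0}
    # Strip a trailing slash (the tutorial writes /sftpusers/) so dirname works.
    [ "$path" != "/" ] && path=${path%/}
    while :; do
        # GNU stat: %u = owner uid, %A = symbolic mode such as drwx-----x
        info=$(stat -c '%u %A' "$path") || return 1
        uid=${info% *}
        perm=${info#* }
        if [ "$uid" != "$owner" ]; then
            echo "chroot component $path is owned by uid $uid, not $owner" >&2
            return 1
        fi
        # 6th character of %A is the group write bit, 9th the other write bit
        case $perm in
            ?????w*|????????w*)
                echo "chroot component $path ($perm) is group/other writable" >&2
                return 1 ;;
        esac
        [ "$path" = "$top" ] && break
        [ "$path" = "/" ] && break
        path=$(dirname "$path")
    done
    return 0
}
```

On the server itself, run `chroot_path_ok /sftpusers` as root; it should succeed silently, while `chroot_path_ok /sftpusers/mysftpuser` fails because that directory is owned by the user, which is exactly why it is not used as the ChrootDirectory.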

Save and restart SSH


systemctl restart sshd

Set up SFTP authentication with an SSH key

Create a directory for the SSH public keys. Because sshd reads authorized keys before the chroot is applied, the keys can live outside /sftpusers; replace username with the SFTP user's login name (mysftpuser in this guide) so that it matches the %u token in the config below, and replace PUBLIC_KEY with the user's public key.


mkdir /etc/ssh/authorized_keys
chown root:root /etc/ssh/authorized_keys
chmod 755 /etc/ssh/authorized_keys
echo 'PUBLIC_KEY' >> /etc/ssh/authorized_keys/username
chmod 644 /etc/ssh/authorized_keys/username

Edit ssh config file

Open the /etc/ssh/sshd_config file with nano or any other text editor and change the following block from this


Match Group sftpgroup
        ChrootDirectory /sftpusers/
        ForceCommand internal-sftp -d /%u
        AllowAgentForwarding no
        AllowTcpForwarding no
        X11Forwarding no
        PermitTunnel no
        PasswordAuthentication yes

To this


Match Group sftpgroup
        ChrootDirectory /sftpusers/
        ForceCommand internal-sftp -d /%u
        AuthorizedKeysFile /etc/ssh/authorized_keys/%u .ssh/authorized_keys
        PermitRootLogin no
        PermitEmptyPasswords no
        AllowAgentForwarding no
        AllowTcpForwarding no
        X11Forwarding no
        PermitTunnel no
        PasswordAuthentication yes

Save and restart SSH


systemctl restart sshd

Disable SFTP password authentication

Confirm that key-based login works for the user first, otherwise you will lock them out. Then edit /etc/ssh/sshd_config and, in the Match Group sftpgroup block, change PasswordAuthentication yes to PasswordAuthentication no, save, and restart SSH as before. From then on, sftpgroup users can only authenticate with their SSH keys.