Creating SFTP Server on Amazon EC2

Antônio Malheiros
Jun 2, 2018


Disclaimer: the title says Amazon EC2, but this will work on any other VM (your own VM, EC2, GCP Compute Engine, Azure VM).

For this I'll assume that you have already launched your EC2 instance (for this tutorial I'm using a CentOS 7.0 image, but you can use Ubuntu or another distro; I use CentOS because it is more stable and secure for enterprise environments). If you haven't launched your instance yet, you can follow these instructions.

What is SFTP?

SFTP uses Secure Shell (SSH) technology to authenticate and maintain a secure connection between machines.

SSH is a cryptographic network protocol that provides a secure connection for data exchange and is commonly used for remote logins to computer systems.

With SFTP, data is not sent over separate data channels as with plain FTP; it is carried inside the SSH connection. Users can also configure key pairs to further protect the session while data is exchanged with the server.

Installing VSFTPD

vsftpd is a GPL-licensed FTP server for UNIX systems, including Linux. It is secure, extremely fast and stable.

1. Log into your server

2. Change to the root account

sudo -i

3. Check for updates & Install vsftpd

yum check-update
yum -y install vsftpd
yum -y install openssh-server

4. Change the vsftpd configuration file

After installing vsftpd you have to change the main configuration to make it suitable for a production environment.

Access the configuration file:

vi /etc/vsftpd/vsftpd.conf

To disable anonymous access, find the line anonymous_enable=YES and change it to

anonymous_enable=NO

Then uncomment the line

chroot_local_user=YES

And add

allow_writeable_chroot=YES
pasv_enable=YES
pasv_min_port=40000
pasv_max_port=40100

After all that, restart the service

systemctl restart vsftpd.service

and set the ftp_home_dir SELinux boolean on to allow FTP access to the users' home directories.

If you are using CentOs 7

setsebool -P tftp_home_dir on

CentOS 6

setsebool -P ftp_home_dir on

Configure sshd

After installing vsftpd we have to change the main SSH configuration file.

1. Open the configuration file

vi /etc/ssh/sshd_config

2. Uncomment this line so you can log in with a login/password

PasswordAuthentication yes

3. Comment the line

#Subsystem sftp /usr/libexec/openssh/sftp-server

4. And add the following at the end of the file (every line after a Match line belongs to that block, so it must come last)

Subsystem sftp internal-sftp
Match group sftp
ChrootDirectory /home/%u
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp

In ChrootDirectory you can use %r instead of %u; both expand to the user name.

5. Restart SSH

systemctl restart sshd

Create User/Group

Create a group named sftp (if you change this name, remember to change the Match group line in the SSH configuration file).

groupadd sftp

Create the user and set the password

useradd -m test -s /sbin/nologin -g sftp
passwd test

After that you have to change the owner of the home folder (sshd requires the chroot directory to be owned by root and not writable by anyone else) and create a subfolder where the user can write content (in this case I'm also giving permission to delete).

sudo chown root /home/test
sudo chmod go-w /home/test
sudo mkdir /home/test/writable
sudo chown test:sftp /home/test/writable
sudo chmod ug+rwX /home/test/writable

Test

Open a new terminal and connect to your SFTP server

sftp test@xx.xx.xx

Next steps: how can I scale with more storage, cheaply?

In the next story I'll explain how to mount a partition in your EC2 instance backed by an S3 bucket using S3FS, so you can save money by using S3 instead of EBS.
