Creating SFTP Server on Amazon EC2
Disclaimer. I say Amazon EC2 in the title, but this will work on any other VM (your own VM, EC2, GCP Compute Engine, Azure VM).
For this I'll assume that you have already launched your EC2 instance (I'm using a CentOS 7.0 image for this tutorial, but you can use Ubuntu or another distro; I use CentOS because it is more stable and secure for an enterprise environment). If you haven't launched your instance yet, you can follow these instructions.
What is SFTP?
SFTP uses Secure Shell (SSH) technology to authenticate and maintain a secure connection between machines.
SSH is a cryptographic network protocol that provides a secure connection for data exchange and is used for remote logins to computer systems.
When SFTP transfers data, the information is not sent over separate streaming channels but is packaged inside the SSH connection. The user can also configure private keys to further protect the data sent to the server.
Installing VSFTPD
vsftpd is a GPL-licensed FTP server for UNIX systems, including Linux. It is secure, extremely fast and stable.
1. Log into your server
2. Change to the root account
sudo -i
3. Check for updates and install vsftpd
yum check-update
yum -y install vsftpd
yum -y install openssh-server
4. Change the vsftpd configuration file
After installing vsftpd you have to change the main configuration to make it suitable for a production environment.
Access the configuration file:
vi /etc/vsftpd/vsftpd.conf
To disable anonymous access, find the line with anonymous_enable=YES and change it to
anonymous_enable=NO
Then uncomment the line
chroot_local_user=YES
And add
allow_writeable_chroot=YES
pasv_enable=YES
pasv_min_port=40000
pasv_max_port=40100
After that, restart the service
systemctl restart vsftpd.service
and set the ftp_home_dir SELinux boolean on to allow FTP access to the users' home directories.
If you are using CentOS 7
setsebool -P tftp_home_dir on
CentOS 6
setsebool -P ftp_home_dir on
Configure sshd
After installing vsftpd we have to change the main SSH configuration file.
1. Enter the configuration file
vi /etc/ssh/sshd_config
2. Uncomment the line so you can log in via login/password
PasswordAuthentication yes
3. Comment out the line
#Subsystem sftp /usr/libexec/openssh/sftp-server
4. And add
Subsystem sftp internal-sftp
Match group sftp
    ChrootDirectory /home/%u
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp
In the ChrootDirectory line you can also use %r; the result is the same.
5. Restart SSH
systemctl restart sshd
Create User/Group
Create a group named sftp (if you change this name, remember to change the Match group line in the SSH configuration file as well).
groupadd sftp
Create the user and set its password
useradd -m test -s /sbin/nologin -g sftp
passwd test
After that you have to change the owner of the user's home folder and create a subfolder where the user can write their content (in this case I'm giving delete permission too).
sudo chown root /home/test
sudo chmod go-w /home/test
sudo mkdir /home/test/writable
sudo chown test:sftp /home/test/writable
sudo chmod ug+rwX /home/test/writable
Test
Open a new terminal and connect to your SFTP server
sftp test@xx.xx.xx
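Besides the interactive login, it helps to check the configuration from the previous sections before a user reports a failed connection. The following POSIX shell script is an added example, not part of the original tutorial: it verifies the vsftpd settings, the sshd Match block (including the common mistake of leaving the old Subsystem line uncommented, which makes sshd reject the config as a duplicate) and the ownership and mode of the chroot directory, since sshd only accepts a ChrootDirectory that is owned by root and not group- or world-writable, which is exactly why the home folder is chowned to root above and the user gets a separate writable subfolder. The file name sftp_checks.sh, the default paths, the group name sftp and the directory /home/test are taken from the tutorial or assumed; the sample config files in the usage section are constructed.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: post-setup checks for the
# vsftpd and sshd configuration described above. Each check is a function that
# takes its inputs as arguments, so it runs against a temporary copy of a config
# file as well as the live one. Default paths are the files the tutorial edits;
# the group name "sftp" and the directory /home/test follow the tutorial.

# Print the effective value of KEY in a vsftpd-style "key=value" file:
# comment lines are ignored and the last assignment wins.
conf_value() {
    grep -v '^[[:space:]]*#' "$1" | grep "^[[:space:]]*$2=" \
        | tail -n 1 | cut -d= -f2- | tr -d ' \t\r'
}

# Upper-case a boolean value so "Yes" and "YES" compare equal.
upper() { printf '%s' "$1" | tr 'a-z' 'A-Z'; }

# 0 when vsftpd.conf matches the tutorial: anonymous logins off, local users
# jailed, passive mode on with a sane port range.
vsftpd_conf_ok() {
    f="${1:-/etc/vsftpd/vsftpd.conf}"
    [ "$(upper "$(conf_value "$f" anonymous_enable)")" = "NO" ] || return 1
    [ "$(upper "$(conf_value "$f" chroot_local_user)")" = "YES" ] || return 1
    [ "$(upper "$(conf_value "$f" pasv_enable)")" = "YES" ] || return 1
    min=$(conf_value "$f" pasv_min_port); max=$(conf_value "$f" pasv_max_port)
    [ -n "$min" ] && [ -n "$max" ] && [ "$min" -le "$max" ]
}

# Print the lines of the "Match group GROUP" block of an sshd_config file
# (everything after that Match line up to the next Match line or end of file).
sshd_match_block() {
    awk -v g="$2" '
        tolower($1) == "match" { inblock = (tolower($2) == "group" && $3 == g); next }
        inblock && $1 !~ /^#/ { print }
    ' "$1"
}

# 0 when sshd_config jails members of GROUP the way the tutorial does: exactly
# one active "Subsystem sftp" line pointing at internal-sftp, and a Match block
# with ChrootDirectory, forwarding off and ForceCommand internal-sftp.
sshd_conf_ok() {
    f="${1:-/etc/ssh/sshd_config}"; group="${2:-sftp}"
    [ "$(grep -Eic '^[[:space:]]*Subsystem[[:space:]]+sftp' "$f")" -eq 1 ] || return 1
    grep -Eiq '^[[:space:]]*Subsystem[[:space:]]+sftp[[:space:]]+internal-sftp' "$f" || return 1
    block=$(sshd_match_block "$f" "$group")
    [ -n "$block" ] || return 1
    printf '%s\n' "$block" | grep -Eiq '^[[:space:]]*ChrootDirectory[[:space:]]+' || return 1
    printf '%s\n' "$block" | grep -Eiq '^[[:space:]]*ForceCommand[[:space:]]+internal-sftp' || return 1
    printf '%s\n' "$block" | grep -Eiq '^[[:space:]]*AllowTcpForwarding[[:space:]]+no' || return 1
    printf '%s\n' "$block" | grep -Eiq '^[[:space:]]*X11Forwarding[[:space:]]+no' || return 1
}

# sshd only honours ChrootDirectory when the directory and every parent are
# owned by root and not writable by group or others; otherwise the login fails
# with "bad ownership or modes for chroot directory". Pure check on an owner
# uid and an octal mode string as printed by stat, e.g. "0 755".
chroot_mode_ok() {
    [ "$1" = "0" ] || return 1
    # the last two octal digits hold the group and other permission bits
    grp=$(printf '%s' "$2" | tail -c 2 | head -c 1)
    oth=$(printf '%s' "$2" | tail -c 1)
    [ $(( grp & 2 )) -eq 0 ] && [ $(( oth & 2 )) -eq 0 ]
}

# Walk from DIR up to / and apply chroot_mode_ok to every component (GNU stat).
chroot_path_ok() {
    d="$1"
    while :; do
        chroot_mode_ok "$(stat -c '%u' "$d")" "$(stat -c '%a' "$d")" || return 1
        [ "$d" = "/" ] && return 0
        d=$(dirname "$d")
    done
}

# Run every check against the live system:  sh sftp_checks.sh --check
if [ "${1:-}" = "--check" ]; then
    vsftpd_conf_ok && echo "vsftpd.conf: ok" || echo "vsftpd.conf: FIX"
    sshd_conf_ok /etc/ssh/sshd_config sftp && echo "sshd_config: ok" || echo "sshd_config: FIX"
    chroot_path_ok /home/test && echo "chroot /home/test: ok" || echo "chroot /home/test: FIX"
    sshd -t && echo "sshd -t: ok"   # syntax check of the live sshd config
fi
```

Run it with --check as root after the restart of sshd; a FIX line points at the file or directory to revisit, and sshd -t reports syntax errors that would otherwise only appear in the journal when the service fails to start. Because each check takes a path, you can also point it at a copy of the config files before putting them in place.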
Next steps: how can I scale to more storage cheaply?
In the next story I'll tell you how to mount a partition in your EC2 instance linked to your S3 bucket using S3FS, so you can save money by using S3 instead of EBS.