How to Set Up an SFTP Server in Google Cloud Platform and Restrict Access

Rubens Zimbres
4 min read · Jul 19, 2022


In this short article I’ll show the steps needed to properly set up an SFTP server on Google Cloud’s Compute Engine, so that a user can upload files but only has access to one specific folder.

This procedure won’t take more than 12 minutes, and the user will authenticate with a username and password. SFTP also supports key-based authentication (an SSH key pair instead of a password); in that case you add the public key to the Compute Engine instance metadata and load the private key in your SFTP client.

First, go to Google Cloud Platform — Compute Engine and click Create Instance. Give it a name and choose the machine type; GCP shows the estimated cost automatically.

[Screenshot: Create Instance on GCP]

In Boot Disk, click Change, choose CentOS and the disk size. Leave the rest at the defaults and click Create.

At this point, you probably already have a firewall rule allowing incoming TCP connections on port 22 (SSH). If not, go to Console / VPC Network and create a firewall rule that allows incoming TCP on port 22; keep its source IP ranges as narrow as you can (ideally only the addresses your SFTP users connect from). While in VPC Network, reserve a static external IP address for the newly created instance.

Now SSH into the new instance; we will do some configuration there.

First, add a user:

sudo adduser USERNAME

Now assign a password to this user:

sudo passwd USERNAME

Then, create a group restricted for this user:

sudo groupadd restricted

And make it the user’s primary group (the Match rule below keys on group membership):

sudo usermod -g restricted USERNAME

Now create the upload folder inside the user’s home directory (which sits inside the /home chroot configured below) and give the user write access to it. The folder must be created with an absolute path, otherwise it lands in your own home directory, and it is owned by the user rather than made world-writable:

sudo mkdir -p /home/USERNAME/upload
sudo chown USERNAME:restricted /home/USERNAME/upload
sudo chmod 770 /home/USERNAME/upload

Now open the SSH daemon configuration file with:

sudo vi /etc/ssh/sshd_config

Press i to enter insert mode, then replace the existing Subsystem line, which on CentOS reads (on Debian/Ubuntu the path is /usr/lib/openssh/sftp-server):

Subsystem sftp /usr/libexec/openssh/sftp-server

with:

Subsystem sftp internal-sftp

At the end of the file, add the following block. It must stay last, because every directive after a Match line applies only to the sessions that match it:

Match group restricted
ChrootDirectory /home/
ForceCommand internal-sftp
AllowTcpForwarding no
X11Forwarding no

And three more settings, which go in the global section of the file, above the Match block (ListenAddress is not permitted inside Match, and sshd refuses to start if it finds it there):

ListenAddress XXX.XXX.XXX.XXX
PasswordAuthentication yes
PermitRootLogin no

Note that this SFTP server listens on IPv4 only. ListenAddress selects the local address sshd binds to, so on a Compute Engine VM it has to be the instance’s internal (VPC) address, not the reserved external IP: the external address is translated by Google’s network and is not configured on the VM’s interface, so sshd cannot bind to it. Listening on every address (ListenAddress 0.0.0.0) with password authentication enabled is risky because of brute-force password attacks. So bind to a specific IP, and restrict who can reach port 22 with the VPC firewall rule’s source ranges or with iptables on the instance, rather than relying on sshd_config alone. Also, be sure this block of the file is set up as follows:

# GSSAPIAuthentication yes
GSSAPICleanupCredentials no

Allowing GSSAPI authentication through SSH exposes the system’s GSSAPI to remote hosts, increasing the attack surface of the system.

Press Esc, then type :wq! to save and exit. If you made a mistake and want to start again, type :q! to quit without saving. Now you may restart the instance (restarting only the sshd service is also enough). If you want a script to automatically upload the received files to Google Cloud Storage, click Edit on the instance and add it as a startup script before restarting:
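The server-side steps above, scripted end to end, as an added example that is not part of the original article. It assumes CentOS on Compute Engine with an OpenSSH that supports internal-sftp and Match, uses USERNAME and restricted as placeholders, and reads the internal VPC address from the GCE metadata server. The render and check functions run anywhere; the account setup and config rewrite run only when the script is invoked as root with the argument apply, and the configuration is syntax-checked with sshd -t before it replaces the live file.

```shell
#!/usr/bin/env bash
# Added example, not from the article: scripts the server-side steps above.
# Assumptions: CentOS on Compute Engine, OpenSSH with internal-sftp and Match,
# USERNAME/restricted as placeholders, GCE metadata server reachable.
# render_* and check_order are pure; setup_account and apply_config only run
# when invoked as root with the argument "apply".
set -eu

SFTP_USER="${SFTP_USER:-USERNAME}"          # placeholder
SFTP_GROUP="${SFTP_GROUP:-restricted}"
SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"

# Global directives. They must precede any Match block: ListenAddress and
# Subsystem are not permitted inside Match, and every directive after a Match
# line applies only to the matched sessions.
render_global() {
  printf 'ListenAddress %s\n' "$1"
  printf 'PasswordAuthentication yes\nPermitRootLogin no\n'
  printf 'GSSAPIAuthentication no\nGSSAPICleanupCredentials no\n'
  printf 'Subsystem sftp internal-sftp\n'
}

# Chroot block for the restricted group, as in the article.
render_match() {
  printf 'Match group %s\n' "$1"
  printf '    ChrootDirectory /home/\n    ForceCommand internal-sftp\n'
  printf '    AllowTcpForwarding no\n    X11Forwarding no\n'
}

# Exit 0 when no Match-incompatible directive follows the first Match line.
check_order() {
  awk '
    /^[ \t]*Match[ \t]/ { in_match = 1 }
    in_match && /^[ \t]*(ListenAddress|Subsystem)[ \t]/ { bad = 1 }
    END { if (bad) exit 1; exit 0 }
  ' "$1"
}

# Create group, user and a writable upload directory inside the chroot.
# /home itself must stay root-owned and not group/world-writable, or sshd
# refuses the chroot; the user gets a 0770 subdirectory instead of 777.
setup_account() {
  getent group "$SFTP_GROUP" >/dev/null || groupadd "$SFTP_GROUP"
  id "$SFTP_USER" >/dev/null 2>&1 || adduser "$SFTP_USER"
  usermod -g "$SFTP_GROUP" "$SFTP_USER"
  passwd "$SFTP_USER"                       # interactive, as in the article
  install -d -o "$SFTP_USER" -g "$SFTP_GROUP" -m 0770 "/home/$SFTP_USER/upload"
}

# Rewrite sshd_config: drop the directives we manage, append them in the
# right order, syntax-check with sshd -t, then install and restart sshd.
apply_config() {
  if grep -Eq '^[[:space:]]*Match[[:space:]]' "$SSHD_CONFIG"; then
    echo "sshd_config already contains a Match block; edit it by hand" >&2
    return 1
  fi
  tmp=$(mktemp)
  grep -Ev '^[[:space:]]*(Subsystem[[:space:]]+sftp|ListenAddress|PasswordAuthentication|PermitRootLogin|GSSAPI(Authentication|CleanupCredentials))[[:space:]]' \
    "$SSHD_CONFIG" > "$tmp" || true         # grep -v exits 1 when nothing is left
  render_global "$1" >> "$tmp"
  render_match "$SFTP_GROUP" >> "$tmp"
  check_order "$tmp"
  /usr/sbin/sshd -t -f "$tmp"               # refuse to install a broken config
  cp -a "$SSHD_CONFIG" "$SSHD_CONFIG.bak"
  install -m 0600 -o root -g root "$tmp" "$SSHD_CONFIG"
  rm -f "$tmp"
  systemctl restart sshd                    # no reboot needed
}

if [ "${1:-}" = "apply" ] && [ "$(id -u)" -eq 0 ]; then
  # Internal VPC address of NIC 0 from the metadata server: the reserved
  # external IP is NAT-translated and cannot be bound by sshd.
  ip=$(curl -sf -H 'Metadata-Flavor: Google' \
    http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/ip)
  setup_account
  apply_config "$ip"
fi
```

Run it as sudo ./sftp-setup.sh apply on the instance; it refuses to touch a file that already has a Match block, so a second run after a manual edit does not stack a second chroot section below the first.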

[Screenshot: Startup script]

Note that you will still be able to SSH into the instance with your own account; only members of the restricted group are limited to SFTP:

[Screenshot: SSH]

Now open FileZilla and connect with:

Host: sftp://EXTERNAL_IP_OF_INSTANCE, Username: USERNAME, Password: the one you set, Port: 22

[Screenshot: Add host key]
[Screenshot: SFTP success]

Done! You can also use SFTP from the command line; lftp is a client you install on your own machine (the apt line is for a Debian/Ubuntu client):

sudo apt install lftp
lftp sftp://USERNAME:PASSWORD@EXTERNAL_IP

put file.txt

Putting the password in the URL leaves it in your shell history and visible in the process list; if you omit it (lftp sftp://USERNAME@EXTERNAL_IP), lftp prompts for it when it connects.


Rubens Zimbres

I’m a Senior Data Scientist and Google Developer Expert in ML and GCP. I love studying NLP algos and Cloud Infra. CompTIA Security +. PhD. www.rubenszimbres.phd