
Creating an SFTP Server on Ubuntu 22.04

Carl Hayes
Published in Geek Culture
7 min read, Mar 2, 2023

Our engineers at our various sites need a way to get data center system information from workstations that are locked down from the internet into their daily reports, which live in SharePoint. We’ve hardened security so that the USB ports on the facility workstations are disabled, so thumb drives won’t work. There were also networking concerns about providing direct access to SharePoint, because the SharePoint servers use a range of IPs that we would need to allow in our Network ACLs (NACLs).

Since this is a one-off situation, we need an alternative solution, and we need it quickly. So we will create an SFTP server and make all the configuration changes needed for a safe connection. This will allow engineers to transmit data reports from the workstation to the server.

There will be some networking involved to make this happen, but we won’t be getting into that during this demonstration.

Terminology

SSH
The acronym SSH stands for “Secure Shell.” The SSH protocol was designed as a secure alternative to unsecured remote shell protocols. It utilizes a client-server paradigm, in which clients and servers communicate via a secure channel.

The SSH protocol has three layers:

  • The transport layer. Ensures secure communication between the server and the client, monitors data encryption/decryption, and protects the integrity of the connection. It also performs data caching and compression.
  • The authentication layer. Conducts the client authentication procedure.
  • The connection layer. Manages communication channels after the authentication.

SFTP
SFTP (Secure File Transfer Protocol) is a file transfer protocol that uses SSH encryption to transfer files between systems securely. It comes as a standard part of SSH version 2.0.

It allows users to choose the level of authentication they want to use when transferring files. Files can be transferred using SFTP with no added authentication, using a combination of user ID and password, or using a pair of SSH keys. SFTP is used whenever there is a need to transfer files between systems while maintaining a high level of security.

Getting to Business

Creating our AWS EC2 Instance

For the sake of simplicity: if you are familiar with the inner workings of the AWS platform, feel free to launch your server in whichever VPC you see fit. I don’t plan on reinventing the wheel, so I will use a few defaults.

Provided below are the instance configurations:

  • VPC: Default
  • Subnet: any public subnet
  • AMI: Ubuntu 22.04 LTS
  • Instance Type: t2.micro
  • Security Group: allow SSH from your IP; allow all traffic from 0.0.0.0/0

** Don’t worry about allowing all traffic to your instance for now; once you have finished the initial configuration of the server, you can go back and tighten the security group rules.

Create a new .pem key pair, name it, and download it to your local PC. After that it’s time to launch the instance.

Making the Connection

Prior to establishing a connection, we want to change the permissions of our .pem file. It’s important that our private key is readable only by us (and not writable), or else ssh will refuse to use it and won’t connect to our instance. Let’s go to the directory where the file is kept and issue the following command:

chmod 400 path/to/key.pem

Now, we should be able to successfully access our host as needed. For that, we can run the ssh command below:

ssh -i path/to/key.pem ubuntu@<public-ip>

Updating the host

Before we get into the thick of things, let’s update and upgrade our server to ensure we have the latest package versions and any needed upgrades.

sudo apt update && sudo apt upgrade -y

Installing Openssh-server

There are many SFTP tools we could use, depending on our needs. For the use case in question, we are going to use openssh-server.

sudo apt install openssh-server

It should already be present by default, but we can never be too sure. Running the install also upgrades the package to the latest version if it is already installed.

Creating our Group

sudo groupadd sftpusers

Creating Users

We will now create the users with the useradd command and set their home directory (-d option). A nice little addition to mention: I am going to block shell access (-s option) by giving each account a non-interactive shell, which will not allow SSH logins, only SFTP to the server.

# /usr/sbin/nologin refuses interactive logins; SFTP then only works when sshd serves the session with internal-sftp rather than running sftp-server through the login shell
sudo useradd -m -d /home/<user> -s /usr/sbin/nologin <user>

Assigning users to the Group

Now, let’s assign our users to the sftpusers group. We can do so with “usermod” together with the -a and -G options, which append the user to the specified group.

sudo usermod -aG sftpusers <user>

Modify permissions for each user’s home directory

After adding users to the group, we can set the permissions on each user’s home directory with chmod, and then set its user and group ownership with chown.

sudo chmod 755 /home/user1
sudo chown user1:sftpusers /home/user1

Creating a ssh key on your client machine

Although the user has a password, I would like to use an SSH key as an additional means of authentication. The key pair is generated and kept on the client machine.

ssh-keygen -t rsa -b 4096 -f /path/to/key

Copy key to the remote server

Once generated, locate the key pair, open the .pub file in Vim, and copy its contents. Then paste it into the /home/<user>/.ssh/authorized_keys file on the remote host.

You may find that the “authorized_keys” file doesn’t exist yet, so you might need to create it first.
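The user-creation, group, permission and key-copy steps above can be done in one pass. The script below is an added example and is not from the original article; it assumes Ubuntu 22.04 paths (/usr/sbin/nologin), the group name sftpusers from this article, and that sshd serves the sftpusers group with internal-sftp (so the nologin shell is never executed). The file name provision_sftp_users.sh and the DRY_RUN switch are my own choices.

```shell
#!/bin/sh
# Added example, not from the original article: provision SFTP-only users in
# one pass (group, account with a non-interactive shell, home-directory
# permissions, password, and the client's public key in authorized_keys).
# Assumptions: Ubuntu 22.04 paths (/usr/sbin/nologin), the group name
# "sftpusers" from the article, and an sshd whose SFTP subsystem for these
# users is internal-sftp, so the nologin shell is never executed.
set -eu

SFTP_GROUP="sftpusers"
# Set DRY_RUN=1 to print the commands instead of executing them.
DRY_RUN="${DRY_RUN:-0}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

ensure_group() {
    # groupadd fails if the group already exists, so check first.
    if ! getent group "$SFTP_GROUP" >/dev/null 2>&1; then
        run sudo groupadd "$SFTP_GROUP"
    fi
}

# create_sftp_user <username> <path-to-public-key.pub>
create_sftp_user() {
    user="$1"
    pubkey_file="$2"
    home="/home/$user"

    # -m creates the home directory; /usr/sbin/nologin rejects interactive
    # logins, so the account can only be used through the SFTP subsystem.
    run sudo useradd -m -d "$home" -s /usr/sbin/nologin -G "$SFTP_GROUP" "$user"

    # Owned by the user, readable by the group, not writable by anyone else.
    run sudo chmod 755 "$home"
    run sudo chown "$user:$SFTP_GROUP" "$home"

    # sshd ignores authorized_keys unless ~/.ssh is 700 and the file is 600
    # and both belong to the user (StrictModes, on by default).
    run sudo install -d -m 700 -o "$user" -g "$SFTP_GROUP" "$home/.ssh"
    run sudo install -m 600 -o "$user" -g "$SFTP_GROUP" "$pubkey_file" "$home/.ssh/authorized_keys"

    # The password is the second factor next to the key (interactive prompt).
    run sudo passwd "$user"
}

# Usage: ./provision_sftp_users.sh alice:/tmp/alice.pub bob:/tmp/bob.pub
main() {
    ensure_group
    for spec in "$@"; do
        create_sftp_user "${spec%%:*}" "${spec#*:}"
    done
}

if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it once with DRY_RUN=1 to review the exact commands before they touch /etc/passwd; the install commands replace the manual Vim copy-and-paste and get the directory and file modes right the first time.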

Modifying the sshd_config file

Although users have an SSH key, I still wanted them to enter their password as an extra security measure. So I modified the sshd_config file to enable password authentication.

To get there, we need to navigate to the directory where the file is held. Since I know where it’s located, I am going to cut straight to the chase and use Vim to open the file.

sudo vim /etc/ssh/sshd_config

Inside the configuration file, we want to enable PubkeyAuthentication and PasswordAuthentication (set both to yes). Once finished, press Esc, type “:wq”, and your changes are saved and you exit the editor. Lastly, we need to restart the ssh service for the changes to take effect.

sudo service ssh restart
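Setting PasswordAuthentication yes globally lets a client log in with either a key or a password; to require both, sshd needs AuthenticationMethods, and it is safest to scope that to the sftpusers group so the admin account (which only has the instance .pem key) is not locked out. The script below is an added example, not the article’s own configuration. It assumes Ubuntu 22.04’s stock sshd_config, which begins with "Include /etc/ssh/sshd_config.d/*.conf", the group name sftpusers from this article, and a drop-in file name (60-sftp.conf) that is my choice. ChrootDirectory is deliberately left out, because it requires a root-owned home directory, which the chown step above does not set up.

```shell
#!/bin/sh
# Added example, not the article's own configuration: an sshd drop-in that
# requires key AND password for the sftpusers group and confines the group
# to SFTP. Assumptions: Ubuntu 22.04's stock sshd_config, which starts with
# "Include /etc/ssh/sshd_config.d/*.conf"; the file name 60-sftp.conf is my
# choice and the group name sftpusers comes from this article's setup.
set -eu

DROPIN="${DROPIN:-/etc/ssh/sshd_config.d/60-sftp.conf}"

# write_sftp_dropin <path>: write the drop-in file.
write_sftp_dropin() {
    cat > "$1" <<'EOF'
# Keys stay enabled globally; the admin account still logs in with the
# instance .pem key alone.
PubkeyAuthentication yes

# sftpusers members must present a valid key AND then a password
# ("PasswordAuthentication yes" on its own would accept either one).
# internal-sftp serves SFTP inside sshd, so the account's /usr/sbin/nologin
# shell is never run (the default sftp-server subsystem goes through the
# login shell and would fail for nologin users).
Match Group sftpusers
    PasswordAuthentication yes
    AuthenticationMethods publickey,password
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
EOF
}

# check_sftp_dropin <path>: return 0 only if every directive the setup relies
# on is present, with the per-group ones inside the Match block.
check_sftp_dropin() {
    f="$1"
    grep -Eq '^PubkeyAuthentication[[:space:]]+yes' "$f" || return 1
    # Everything from the Match line onward is the group section.
    section=$(awk '/^Match[[:space:]]+Group[[:space:]]+sftpusers/ {inside=1} inside' "$f")
    [ -n "$section" ] || return 1
    for directive in 'PasswordAuthentication yes' \
                     'AuthenticationMethods publickey,password' \
                     'ForceCommand internal-sftp'; do
        printf '%s\n' "$section" | grep -Eq "^[[:space:]]*$directive" || return 1
    done
    return 0
}

# apply_sftp_dropin: install the file, syntax-check it, then restart sshd.
apply_sftp_dropin() {
    write_sftp_dropin "$DROPIN"
    sshd -t                 # a broken config aborts here instead of after the restart
    systemctl restart ssh
}

# Run as: sudo sh sftp_dropin.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_sftp_dropin
fi
```

Keep the SSH session you used to edit the file open until a second sftp login succeeds; if sshd -t passes but the Match block is wrong, the open session is your way back in.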

Testing the connection

Lastly, we want to test our connection to confirm all of the previously made changes were done properly.

sftp -i path/to/privatekey user@ip

If you’ve made it to the end of this demonstration, then congratulations: you have successfully launched an SFTP server and confirmed access.

However, if you’re wanting to dive a little deeper and make some configuration changes (and potentially break stuff), then let’s keep going!

Optional

Hardening the server

When bringing new systems into the fold, it’s important to follow security best practices. We didn’t make many modifications to the server or to the configuration file, so if we want to move away from the system’s defaults, we should use an SSH configuration audit tool.

For the demonstration, we are going to use ssh-audit. You can simply visit the ssh-audit website, or take the road less traveled and install it on your host.

sudo apt install ssh-audit

Once installed, let’s examine our existing SSH security posture by running the command below:

ssh-audit -v ip-address

Also, if we visit the website, we can conduct a client audit. Select the button to scan, and then choose “copy OpenSSH client command”. Once selected, paste the command into your terminal. After 15 seconds or so, you will receive a grade of your SSH posture, and all of the recommended changes that need to take place.


If you select the “SSH Hardening Guides” tab, there are recommended hardening steps you can take (with commands), but they may not result in a perfect audit score, because not all packaged SSH server versions support the required options.


My best advice is to look at each issue individually, weigh the recommendation against its potential risk, and decide on the best action from there.
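Two of the changes the hardening guides recommend are restricting sshd to modern algorithms and removing short Diffie-Hellman moduli. The script below is an added example and is not the article’s own code; the algorithm lists follow the ssh-audit hardening guide for Ubuntu 22.04 (OpenSSH 8.9) as I know it, so confirm them against the current guide before use, and the drop-in file name 70-crypto.conf is my choice. The sample moduli lines used to exercise the filter are constructed, not copied from a real /etc/ssh/moduli.

```shell
#!/bin/sh
# Added example, not the article's own code: apply two of the changes the
# ssh-audit hardening guides recommend, then re-run the audit. Assumptions:
# the algorithm lists follow the ssh-audit guide for Ubuntu 22.04 (OpenSSH
# 8.9) as I know it, so check them against the current guide; the drop-in
# file name 70-crypto.conf is my choice.
set -eu

# write_crypto_dropin <path>: restrict sshd to the algorithms the audit rates
# as safe; everything not listed (SHA-1 key exchange, CBC ciphers, plain
# hmac-sha1) is thereby disabled.
write_crypto_dropin() {
    cat > "$1" <<'EOF'
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com
HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com
EOF
}

# filter_weak_moduli <in> <out>: drop Diffie-Hellman group-exchange moduli
# shorter than 3072 bits. /etc/ssh/moduli columns are
# "time type tests trials size generator modulus"; "size" (field 5) is the
# bit length minus one, so a 3072-bit modulus is listed as 3071.
filter_weak_moduli() {
    awk '/^#/ || $5 >= 3071' "$1" > "$2"
}

# count_moduli <file>: number of non-comment lines, for a before/after check.
count_moduli() {
    awk '!/^#/ && NF > 0 { n++ } END { print n + 0 }' "$1"
}

# harden_sshd: run as root, then re-audit with "ssh-audit -v <ip>".
harden_sshd() {
    write_crypto_dropin /etc/ssh/sshd_config.d/70-crypto.conf
    filter_weak_moduli /etc/ssh/moduli /etc/ssh/moduli.tmp
    mv /etc/ssh/moduli.tmp /etc/ssh/moduli
    sshd -t
    systemctl restart ssh
}

# Run as: sudo sh harden_sshd.sh apply
if [ "${1:-}" = "apply" ]; then
    harden_sshd
fi
```

Before restarting, make sure the client you will connect from supports at least one algorithm in each list (ssh -Q kex, ssh -Q cipher and ssh -Q mac show what it offers); a list with no overlap locks every client out, which is exactly the kind of trade-off the advice above asks you to weigh per item.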

If you’ve stuck it through until the end of this article, you’re the real MVP! If you’ve run into any issue while following this demo, feel free to comment and let me know.

Sincerely,

Carlintheclouds


An avid techie, hip-hop music enthusiast and photo taker. If it involves a terminal, there is a high chance you will find me in it.