How do I securely configure SFTP for data transfer?

Kelly Kirkham
THG Hosting
Jan 10, 2020

Read as we ask the THG Hosting Solution Architect about FTP, or File Transfer Protocol. Learn more as we discuss how SFTP or SSH File Transfer Protocol can help create additional efficiency on your Linux system…

FTP is a very popular method for transferring data across two servers. However, most users prefer SFTP due to the added security features and abilities built into the SSH service. This solution is most effective on any basic Linux system. Although this can be set up on a Windows system, it is typically more straightforward in Linux.

File Transfer Protocol (FTP) has been a popular method for copying files since the 1970s. It’s the preferred method for copying files to and from a dedicated server or VPS within web hosting environments. However, the security limitations of FTP resulted in many users looking for a new method of copying files. For example, in the default configuration, commands and user credentials are sent in plain text, which means that anyone who intercepts them can read them.

A MORE SECURE SOLUTION: SSH FILE TRANSFER PROTOCOL (SFTP)

Since FTP transfers are easily intercepted and spied upon, SSH File Transfer Protocol (SFTP) is a better route to take when copying sensitive information because it runs over the Secure Shell protocol. If you have SSH installed on your server, then you are most likely ready to use SFTP. Also, most FTP clients you would use to transfer files support connecting to servers using SFTP. This means that using SFTP is a time-saving choice since there is usually no additional configuration time necessary. You can quickly and easily enjoy the additional security provided by SFTP.

CONFIGURING USER ACCESS WITH SFTP

Since SFTP uses SSH to communicate between two platforms, the settings of your SSH server determine how users connect to the SFTP server. This means that keys can be used to connect rather than passwords. However, the default configuration means that all users automatically get both SFTP and SSH access.

If you want to limit users to SFTP only, you can change the settings in the /etc/ssh/sshd_config file.

sudo nano /etc/ssh/sshd_config

Note: This example will use nano to edit the file. In your own configurations, use whichever text editor you feel most comfortable with.

The first step is to configure the sftp subsystem to use the internal-sftp version. Search for sftp to see if there is an existing line in the config file. Be sure that the line reads:

Subsystem sftp internal-sftp

Next, you will need to scroll to the end of the config file and add the lines below:

Match group sftpusers
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp

Save and exit the file. Restart the SSH service for the changes you’ve made to take effect:

sudo service sshd restart

Next, create the sftpusers group, which will hold the users that you would like to only have access to the server via SFTP:

sudo groupadd sftpusers

Add the SFTP users to the sftpusers group with the usermod command. Remember to swap out “username” for the actual username you would like to only have SFTP access:

sudo usermod -a -G sftpusers username

The next step is to make sure that the user can’t log in with a shell by changing their default shell:

sudo usermod -s /bin/false username

Now that you have changed the user’s shell to /bin/false, you have prevented them from logging in to a terminal shell.

Try to log in via SSH as that user to check that the changes you’ve made are working. You should see a restriction message (i.e. “This service allows sftp connections only.”) after you enter the correct password. Your last task is to test that SFTP connections work, and then you have completed the setup.
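As an added example (not part of the original article), the shell function below checks an sshd_config file for the settings described above and reports any that do not apply to the group. The function name check_sftp_only and the sample config are constructed for illustration; it assumes plain "Keyword value" lines and a Match line naming a single group.

```shell
#!/bin/sh
# Added example, not from the original article.
# check_sftp_only FILE GROUP: print each SFTP-only setting from this page that
# is missing for GROUP in FILE; exit status is 0 only when nothing is missing.
check_sftp_only() {
    awk -v group="$2" '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        { key = tolower($1) }                   # sshd keywords are case-insensitive
        key == "match" {                        # every Match line ends the previous block
            in_match = 1
            in_group = (NF == 3 && tolower($2) == "group" && $3 == group)
            if (in_group) found = 1
            next
        }
        !in_match && key == "subsystem" && $2 == "sftp" { subsystem = $3 }
        in_group && !(key in first) { first[key] = $2 }   # first value wins
        END {
            if (subsystem != "internal-sftp") miss[++n] = "Subsystem sftp internal-sftp"
            if (!found) miss[++n] = "Match Group " group
            if (first["forcecommand"] != "internal-sftp") miss[++n] = "ForceCommand internal-sftp"
            if (first["x11forwarding"] != "no") miss[++n] = "X11Forwarding no"
            if (first["allowtcpforwarding"] != "no") miss[++n] = "AllowTcpForwarding no"
            for (i = 1; i <= n; i++) print "missing: " miss[i]
            exit (n > 0)
        }
    ' "$1"
}

# Constructed sample: the forwarding lines were appended after a later Match
# block, so they apply to user "backup" and not to the sftpusers group.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Subsystem sftp internal-sftp
Match Group sftpusers
    ForceCommand internal-sftp
Match User backup
    X11Forwarding no
    AllowTcpForwarding no
EOF
check_sftp_only "$sample" sftpusers || echo "config is not SFTP-only for sftpusers"
rm -f "$sample"
```

Run it against /etc/ssh/sshd_config before restarting the SSH service. sshd’s own test mode (sudo sshd -t) catches syntax errors but not directives that ended up under the wrong Match block.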
