Let us see how we can set up an SFTP server on Amazon EC2 using Ubuntu.
First of all, we need to launch an EC2 instance with the Ubuntu (16.04) OS. Once we have the EC2 instance, follow the steps below to set up the SFTP server.
Log into the machine using its public or elastic IP. ‘ubuntu’ is the default username for Ubuntu:
login as: ubuntu
Then promote yourself to the root user so that you have all privileges!
Update all available packages:
apt-get update -y
Install the vsftpd package:
apt-get install vsftpd
Add a user and set its password. ‘salim’ is the desired username.
Make a .ssh directory in the user’s home directory. This directory will let us log into the server using a private key.
Create a private and public key for the user. You can use either ssh-keygen or PuTTYgen (for Windows).
Let us create the key pair using ssh-keygen. First go to the .ssh directory we just created.
Generate the key pair:
ssh-keygen -t rsa
Copy the content of the public key (the file with the .pub extension) into authorized_keys, which should be located inside the .ssh directory.
Copy the content displayed on the shell.
Paste the copied content into authorized_keys.
Save and Close the file.
Now change the file permissions and the ownership:
chmod 700 /home/salim/.ssh
chmod 600 /home/salim/.ssh/authorized_keys
chown -R salim:salim /home/salim/.ssh
Copy the private key to the machine from which you want to access the SFTP server. You will need to convert the key to .ppk format if you want to access the SFTP server from Windows.
Now we have the user and its private key. Test the connection to the server. You can use PuTTY if you are using Windows.
Next, you should be able to access the server, but that’s not all; the real thing is coming up next!
Now we have to jail the user to a specific directory and restrict its shell access so that the user can’t access the command shell of the server.
First of all, create a group for SFTP users.
Then add our user to that group:
adduser salim sftpusers
Now salim is a member of the sftpusers group.
Create an SFTP directory and change its permissions:
chmod 755 /sftp
chown root:sftpusers /sftp
Create a directory inside ‘sftp’; for example, we are going to create a directory ‘shared’ to share data among several users:
chown root:sftpusers /sftp/shared
Change the permissions of the ‘shared’ directory so that only users in the sftpusers group can see and modify the data inside it.
We have to modify sshd_config to specify the SFTP directory and jail the user into that directory.
We have to replace the Subsystem line. Comment out the following line:
Subsystem sftp /usr/lib/openssh/sftp-server
So it should look like
#Subsystem sftp /usr/lib/openssh/sftp-server
And add the following line:
Subsystem sftp internal-sftp
Add the following lines at the bottom of the file. They should be below ‘UsePAM yes’:
Match group sftpusers
Save and Close the file.
Switch the ownership of the user’s home directory to root without changing the ownership of the .ssh directory, which is used to verify the key:
chown root:root /home/salim
chown -R salim:salim /home/salim/.ssh
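The two ownership steps above (the .ssh directory that must stay the user’s, and the SFTP directory that must belong to root) are exactly what sshd checks before it lets a jailed user in. The script below is an added example, not part of the original post: it renders the Match block for sshd_config and checks a directory tree against the rules sshd applies. The original post shows only the ‘Match group sftpusers’ line; the directives rendered after it (ChrootDirectory, ForceCommand internal-sftp, and the forwarding switches) are the usual OpenSSH settings for an SFTP-only jail and are my assumption, as are the /sftp path and the scratch directories the demo constructs.

```shell
#!/bin/sh
# Added example, not from the original post. Renders the sshd_config Match
# block for the sftpusers jail and checks the ownership/mode rules that
# sshd enforces on a ChrootDirectory and that key-based login needs on
# ~/.ssh. Group name, chroot path and home path are parameters (assumed).

# Print the Match block to append to sshd_config after 'UsePAM yes'.
# The directives after 'Match group' are standard OpenSSH settings for an
# SFTP-only jail (assumed; the original post does not list them).
render_sftp_match() {
    group="$1"; chroot="$2"
    cat <<EOF
Match group $group
    ChrootDirectory $chroot
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

# Octal mode and numeric owner of a path (GNU stat, as on Ubuntu).
mode_of() { stat -c '%a' "$1"; }
uid_of()  { stat -c '%u' "$1"; }

# check_chroot_dir DIR [OWNER_UID]
# sshd rejects the login ("bad ownership or modes for chroot directory")
# unless DIR, and every parent up to /, is owned by root and not writable
# by group or others. Only DIR itself is inspected here. OWNER_UID defaults
# to 0 (root); it is a parameter only so the check can run unprivileged
# against a scratch directory.
check_chroot_dir() {
    dir="$1"; want_uid="${2:-0}"
    [ -d "$dir" ] || { echo "FAIL: $dir is not a directory"; return 1; }
    uid=$(uid_of "$dir"); mode=$(mode_of "$dir")
    [ "$uid" = "$want_uid" ] || { echo "FAIL: $dir owned by uid $uid, expected $want_uid"; return 1; }
    # last digit = others, second-to-last = group; 2,3,6,7 carry the write bit
    case "$mode" in
        *[2367][0-7]|*[2367]) echo "FAIL: $dir mode $mode is group- or world-writable"; return 1 ;;
    esac
    echo "OK: $dir (uid $uid, mode $mode) is an acceptable chroot"
}

# check_ssh_dir HOME_DIR OWNER_UID
# The jailed user's home is handed to root, but .ssh must stay the user's:
# .ssh mode 700 and authorized_keys mode 600, both owned by OWNER_UID.
check_ssh_dir() {
    home="$1"; want_uid="$2"; rc=0
    for entry in ".ssh:700" ".ssh/authorized_keys:600"; do
        path="$home/${entry%%:*}"; want="${entry##*:}"
        if [ ! -e "$path" ]; then echo "FAIL: $path is missing"; rc=1; continue; fi
        have=$(mode_of "$path")
        [ "$have" = "$want" ] || { echo "FAIL: $path mode $have, expected $want"; rc=1; }
        [ "$(uid_of "$path")" = "$want_uid" ] || { echo "FAIL: $path not owned by uid $want_uid"; rc=1; }
    done
    [ "$rc" -eq 0 ] && echo "OK: $home/.ssh is usable for key login"
    return "$rc"
}

# Demo on a constructed scratch tree (never touches /sftp or /home).
demo=$(mktemp -d)
mkdir -p "$demo/sftp/shared" "$demo/home/.ssh"
chmod 755 "$demo/sftp"; chmod 770 "$demo/sftp/shared"
touch "$demo/home/.ssh/authorized_keys"
chmod 700 "$demo/home/.ssh"; chmod 600 "$demo/home/.ssh/authorized_keys"
render_sftp_match sftpusers /sftp
check_chroot_dir "$demo/sftp" "$(id -u)"          # OK: root-style ownership, mode 755
check_chroot_dir "$demo/sftp/shared" "$(id -u)"   # FAIL: group-writable, so it cannot be the chroot itself
check_ssh_dir "$demo/home" "$(id -u)"             # OK
rm -rf "$demo"
```

The demo shows why the jail root is /sftp and the writable ‘shared’ directory sits inside it: a group-writable directory is exactly what sshd refuses as a ChrootDirectory. On the real server, run check_chroot_dir with the default root uid, validate the edited configuration with `sshd -t` before restarting the service, and remember that internal-sftp is served by sshd itself (port 22 by default), separate from the vsftpd daemon installed earlier.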
Mission accomplished! Test your SFTP connection using an SFTP tool like WinSCP. Check that you have jailed the user and blocked its shell access. The user should not be able to access the shell of the server.
Now, before connecting, check which port FTP is listening on with the command below:
sudo netstat -tulpn | grep ftp