How to set up a secure SFTP server in Linux

The SFTP service provides secure file access and transfer over SSH. If you are setting up a server accessed by multiple users, you need to enforce security protection, not only in terms of protecting users from external intruders, but also in terms of protecting the server from (potentially malicious) users, and providing isolation between individual users.

MySecureShell is an OpenSSH-based SFTP server with a number of security features:

  • Limit per-connection download/upload bandwidth
  • Limit the number of concurrent connections per account
  • Hide file and directory owner/group/rights
  • Hide files and directories to which the user has no access
  • Limit the life time of a connection
  • Chroot SFTP user into his/her home directory
  • Deny upload of files and directories that match regular expressions

Install MySecureShell on Linux

To use MySecureShell on Linux, you first need to install the following prerequisites.

To install prerequisites on Ubuntu or Debian:

$ sudo apt-get install libssl0.9.8 ssh openssh-server gcc make

Once all prerequisites are installed, you can build and install MySecureShell on Linux as follows.

$ wget http://mysecureshell.free.fr/repository/index.php/source/mysecureshell_1.31.tar.gz
$ tar xzvf mysecureshell_1.31.tar.gz
$ cd mysecureshell_1.31
$ ./configure
$ make
$ sudo ./install.sh en
#########################################
#      MySecureShell       #
#########################################

Welcome to the MySecureShell installation script !

Detecting needed files for installation:
Existing file MySecureShell         [ OK ]
Existing file sftp_config           [ OK ]

Do you want to test MySecureShell (check libraries requirement) ? (Y/n)
Test MySecureShell...
Test ending

This script will made a few operations:
- Install MySecureShell in /bin
- Make a configuration file in /etc/ssh/sftp_config
- Introduce if which MySecureShell as a valid shell
- Install utilities in /usr/bin

WARNING: The server will shutdown and all sftp connected clients will be killed !
- Do you want to continue installation ? (Y/n)

MySecureShell Installation

MySecureShell file created              [ OK ]
MySecureShell file created              [ OK ]

Do you want MySecureShell shell to be add like valid shell on your system ? (Y/n)
MySecureShell shell added like a valid shell        [ OK ]

Installation of tool sftp-who           [ OK ]
Installation of tool sftp-kill          [ OK ]
Installation of tool sftp-state         [ OK ]
Installation of tool sftp-admin         [ OK ]
Installation of tool sftp-verif         [ OK ]
Installation of tool sftp-user          [ OK ]

Do you want to automatically rotate MySecureShell logs ? (Y/n)
Initialisation of MySecureShell rotation logs   [ OK ]
cp: target `/share/man/fr/man8' is not a directory
Installation of Manuals             [ OK ]

Installation Finished !

Configure MySecureShell

After installation, verify where MySecureShell is installed.

$ whereis MySecureShell
/usr/bin/MySecureShell

In order to manage users with MySecureShell, first create a Linux group that SFTP users will belong to. Let’s say the group is called “sftp”.

$ sudo groupadd sftp

Then configure an existing SFTP user (e.g., alice) so that the user belongs to the “sftp” group and uses the MySecureShell shell upon login.

$ sudo usermod -s /usr/bin/MySecureShell -g sftp alice

If you are creating a new SFTP user from scratch, then run the following command instead.

$ sudo useradd -m -s /usr/bin/MySecureShell -g sftp bob

To customize the default settings of MySecureShell, edit its configuration file located at /etc/ssh/sftp_config. In the configuration file, you can define various per-group security settings. For example, for Linux group “sftp”:

$ sudo vi /etc/ssh/sftp_config
<Group sftp>
Download 50k # limit download speed for each connection
Upload 0 # no limit on upload speed for each connection
StayAtHome true # confine the user to his/her home directory
VirtualChroot true # fake a chroot to the home directory
LimitConnectionByUser 1 # max concurrent connections per account
LimitConnectionByIP 1 # max concurrent connections per IP for each account
IdleTimeOut 300 # disconnect a user idle for longer than this many seconds
HideNoAccess true # hide files/directories the user has no access to
</Group>

Once the configuration file has been edited, make sure to restart sshd as follows.

$ sudo service ssh restart
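The confinement described above depends on two things being consistent: every account in the sftp group must actually have MySecureShell as its login shell (an account left on /bin/bash gets an ordinary shell and none of the <Group> restrictions apply to it), and the <Group sftp> block must carry the confining directives. The following POSIX shell script is an added example, not code from the original post or from the MySecureShell project; it audits both, taking the file paths as parameters so that it runs here against constructed sample passwd, group and sftp_config files and on a real server against /etc/passwd, /etc/group and /etc/ssh/sftp_config. It assumes, by analogy with "Upload 0" meaning unlimited above, that a value of 0 for LimitConnectionByUser or IdleTimeOut disables that limit.

```shell
#!/bin/sh
# Added example, not code from the original post or the MySecureShell project.
# Two audit functions for the MySecureShell setup; file paths are parameters.

MSS_SHELL="/usr/bin/MySecureShell"   # path reported by "whereis MySecureShell" above

# audit_sftp_accounts PASSWD_FILE GROUP_FILE SFTP_GROUP
# Every member of SFTP_GROUP (primary gid or supplementary member) must use
# the MySecureShell login shell. Prints offenders, returns 1 if any exist.
audit_sftp_accounts() {
    awk -F: -v shell="$MSS_SHELL" -v grp="$3" '
        BEGIN { gid = -1; bad = 0 }
        FNR == NR {                      # first file: the group database
            if ($1 == grp) {
                gid = $3
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) if (m[i] != "") member[m[i]] = 1
            }
            next
        }
        {                                # second file: the passwd database
            in_group = ($4 == gid) || ($1 in member)
            if (in_group && $7 != shell) {
                printf "%s: in group %s but shell is %s\n", $1, grp, $7
                bad = 1
            }
        }
        END { exit bad }
    ' "$2" "$1"
}

# audit_sftp_config CONFIG_FILE SFTP_GROUP
# Checks the <Group SFTP_GROUP> block for the directives that confine a user
# and cap connections. Assumption: 0 for LimitConnectionByUser or IdleTimeOut
# means "no limit" (as "Upload 0" does), so 0 is reported as weak.
audit_sftp_config() {
    awk -v grp="$2" '
        BEGIN { inblk = 0; seen = 0; bad = 0 }
        { sub(/[ \t]*#.*$/, "") }                    # drop trailing comments
        $0 ~ ("^<Group[ \t]+" grp ">") { inblk = 1; seen = 1; next }
        /^<\/Group>/ { inblk = 0; next }
        inblk && NF >= 2 { val[tolower($1)] = $2 }
        END {
            if (!seen) { print "no <Group " grp "> block"; exit 1 }
            if (val["stayathome"] != "true")    { print "StayAtHome is not true"; bad = 1 }
            if (val["virtualchroot"] != "true") { print "VirtualChroot is not true"; bad = 1 }
            if (val["limitconnectionbyuser"] + 0 < 1) { print "LimitConnectionByUser missing or 0"; bad = 1 }
            if (val["idletimeout"] + 0 < 1) { print "IdleTimeOut missing or 0"; bad = 1 }
            exit bad
        }
    ' "$1"
}

# ---- constructed sample files (stand-ins for the real /etc files) ----
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1003:alice:/home/alice:/usr/bin/MySecureShell
bob:x:1002:1003:bob:/home/bob:/usr/bin/MySecureShell
carol:x:1003:1004:carol:/home/carol:/bin/bash
EOF
cat > "$SAMPLE_DIR/group" <<'EOF'
root:x:0:
sftp:x:1003:carol
users:x:1004:
EOF
cat > "$SAMPLE_DIR/group_ok" <<'EOF'
root:x:0:
sftp:x:1003:
users:x:1004:
EOF
cat > "$SAMPLE_DIR/sftp_config_good" <<'EOF'
<Group sftp>
Download 50k # limit download speed for each connection
Upload 0 # no limit on upload speed for each connection
StayAtHome true
VirtualChroot true
LimitConnectionByUser 1
LimitConnectionByIP 1
IdleTimeOut 300
HideNoAccess true
</Group>
EOF
cat > "$SAMPLE_DIR/sftp_config_weak" <<'EOF'
<Group sftp>
Download 50k
VirtualChroot true
LimitConnectionByUser 0
IdleTimeOut 300
</Group>
EOF

echo "== accounts (carol is a member of sftp but keeps /bin/bash) =="
audit_sftp_accounts "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/group" sftp || echo "-> run usermod -s $MSS_SHELL on the accounts above"
echo "== weak config =="
audit_sftp_config "$SAMPLE_DIR/sftp_config_weak" sftp || echo "-> fix /etc/ssh/sftp_config and restart ssh"
```

On a real server run it as root so the functions can read the files, e.g. audit_sftp_accounts /etc/passwd /etc/group sftp; a non-zero return from either function is a finding to fix before exposing the server.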

Access and Manage SFTP server

On the client side, you can log in to the SFTP server as follows. The user is chrooted into his own home directory, and no other directory on the server is visible to the user.

$ sftp bob@sftp_host.com
bob@192.168.233.141's password: 
Connected to 192.168.233.141.
sftp> pwd
Remote working directory: /
sftp> 

On the server side, you can manage the SFTP server and its users as follows.

To monitor SFTP users who are connected currently:

$ sftp-who
--- 1 / 10 clients ---
Global used bandwith : 0 bytes/s / 0 bytes/s
PID: 24377   Name: bob   IP: 192.168.10.55
    Home: /home/bob
    Status: idle    Path: /
    File: 
    Connected: 2013/05/28 20:57:42 [since 01mins 05s]
    Speed: Download: 0 bytes/s [50.00 kbytes/s]  Upload: 0 bytes/s [unlimited]
    Total: Download: 1002 bytes   Upload: 82 bytes

To disconnect a particular SFTP user forcefully:

$ sudo sftp-kill bob

Download the program at: http://mysecureshell.sourceforge.net/en/download.html
