SFTP is Secure FTP, which works on SSH protocol.
It is one of the way to secure your SFTP server.
Advantages of SFTP ->
1. Encrypted connection with OpenSSH
2. Work on SSH 1 & 2 protocol
3. OpenSSH is free & secured
4. Need to keep one common port in firewall.
Issue with SFTP ->
1. Need to restrict user from Login access by keeping login shell /bin/nologin or /bin/false
2. Before 4.5 setting up Chroot Jail* was difficult.
3. If you setup Chroot with SFTP then it may create security issue as normal user become root in background. Because sftp-server runs as root user.
*Chroot Jail -> Where User cant access outside of chroot directory. It is always required for security reason.
Prerequisite: OpenSSH_5.1p1 and linux with 2.6.2x kernel.
Steps to Set up plain SFTP server:
1. Download tarball of OpenSSH5.1p1
2. Extract it and compile it.
$ tar -zxvf openssh-5.1p1.tar.gz
$ cd openssh-5.1
$ ./configure -prefix=/opt
$ make install
It will compile and install OpenSSH5.1p1 under /opt
3. Configuring SFTP server:
Configuration files will be stored /opt/openssh5.1/etc
Configuration file name is -> /opt/openssh5.1/etc/sshd_config
No need to change anything for default setting, just start the server.
Start OpenSSH server by giving below command:
Now you can connect to SFTP server using Filezilla
Setting Up Chroot Jail with SFT:
4. Add below 3 lines to /opt/openssh5.1/etc/sshd_config
Match user <username>
This will chroot that user to his home directory. He wont be able to get into of his Home directory.
5. Change ownership of Home directory or chroot directory to root:root
$ chown root:root/home/username
$ chmod 755 /home/username
6. As user wont be able to create any files under root. Just create one directory under home directory. And change ownership of it to the user. So that user can download and upload files in it.
7. Reload sshd by below command
$ kill -HUP <pid of /opt/openssh5.1/sbin/sshd
a. For security reasons disable shell access to the only SFTP user by changing login shell to /bin/nologin or /bin/false.
$ usermod -s /bin/fase <username>
For bulk change open /etc/passwd and change login shell from /bin/bash to /bin/false
b. It is always advisable to use FTPS (FTP with SSL/TLS encryption than SFTP.) It is faster also more secured for MitM attack as you can update certificate after specific time.