SFTP is a protocol allowing for secure file transfers over SSH. This guide describes how to set up SFTP-only accounts on an SSH server.

This howto is tested on:

  • Debian 10.0 Buster

Settings

Set the name of the system group of users restricted to SFTP only:

sftpOnlyGroup='sftp-only'

Requirements

This howto requires:

  • a working OpenSSH server.

Configuration

Detect if sudo is available (“command” is used if not):

cmdProxy='command'
command type -f 'sudo' &>'/dev/null' && cmdProxy='sudo'

Create the “${sftpOnlyGroup}” group:

command grep --quiet --regexp="^${sftpOnlyGroup}:" '/etc/group' \
  || ${cmdProxy} addgroup --system "${sftpOnlyGroup}"

Set internal-sftp as the sftp subsystem (no external sftp-server binary is then needed, which also keeps a later ChrootDirectory setup simple):

# [[:blank:]] matches a space or a tab in both grep and sed; a bare "\t" inside
# brackets is not portable and would miss tab-separated directives.
if ! command grep --quiet --regexp='^Subsystem[[:blank:]]*sftp[[:blank:]]*internal-sftp' '/etc/ssh/sshd_config'; then
  # Comment out any existing sftp subsystem setting.
  ${cmdProxy} sed -i -e 's/^Subsystem[[:blank:]]*sftp[[:blank:]]/# &/' '/etc/ssh/sshd_config'
  ${cmdProxy} tee -a '/etc/ssh/sshd_config' <<< '
# Set internal-sftp as sftp subsystem.
# Allow for simpler use of ChrootDirectory directive.
Subsystem sftp internal-sftp'
fi

Restrict users in the “${sftpOnlyGroup}” group to the internal SFTP server (the block is appended at the end of the file because a Match block applies until the next Match line or the end of the file):

command grep --quiet --regexp="^Match group ${sftpOnlyGroup}" '/etc/ssh/sshd_config' \
    || ${cmdProxy} tee -a '/etc/ssh/sshd_config' <<< "
# Restrict to SFTP only for users in group '${sftpOnlyGroup}'
Match group ${sftpOnlyGroup}
    ForceCommand internal-sftp
    X11Forwarding no
    AllowTcpForwarding no
    PermitTTY no"

If a group-based access restriction (AllowGroups) is already set, add ‘${sftpOnlyGroup}’ to the allowed groups:

# Nothing to do when AllowGroups is absent (sed then finds no line to edit) or
# when it already lists the group; otherwise append the group to the first
# entry of the existing AllowGroups line.
command grep --quiet --regexp='^AllowGroups[[:blank:]]' '/etc/ssh/sshd_config' \
  && command grep --quiet --regexp="^AllowGroups[[:blank:]].*${sftpOnlyGroup}" '/etc/ssh/sshd_config' \
  || ${cmdProxy} sed -i \
      -e "s/^AllowGroups[[:blank:]]*[^[:blank:]]*/&,${sftpOnlyGroup}/" \
      '/etc/ssh/sshd_config'

Reload the SSH server configuration:

${cmdProxy} systemctl 'reload' 'ssh'
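Before trusting the reload, it is worth checking what sshd will actually apply. The script below is an added example, not part of the original howto: it reads an sshd_config file (a constructed sample, not the live one) and reports the effective value of each directive the howto sets for a member of the group, following sshd's rules that a Match block runs until the next Match line or the end of the file and that a Match value overrides the global one. The function and file names are this example's own.

```shell
# Added example, not from the original howto: audit an sshd_config for the
# SFTP-only restriction. Two sshd rules matter: a Match block runs until the
# next Match line (or end of file), and a Match value overrides the global one.

# Print the effective value of directive $3 in config $1 for a user whose group
# matches "Match group $2" (the only Match criterion this example understands).
sshd_effective() {
  awk -v grp="$2" -v key="$3" '
    /^[ \t]*#/ || /^[ \t]*$/ { next }            # comments and blank lines
    tolower($1) == "match" {                     # any Match line ends a block
      in_match = 1; matched = (tolower($2) == "group" && $3 == grp); next
    }
    tolower($1) == tolower(key) {
      v = $0; sub(/^[ \t]*[^ \t]+[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
      if (!in_match && global == "") global = v  # first global value wins
      else if (matched && block == "") block = v # first Match value wins
    }
    END { print (block != "" ? block : global) }
  ' "$1"
}

# Succeed only when every restriction the howto sets is in effect for group $2.
sftp_only_enforced() {
  [ "$(sshd_effective "$1" "$2" ForceCommand)" = 'internal-sftp' ] &&
  [ "$(sshd_effective "$1" "$2" AllowTcpForwarding)" = 'no' ] &&
  [ "$(sshd_effective "$1" "$2" X11Forwarding)" = 'no' ] &&
  [ "$(sshd_effective "$1" "$2" PermitTTY)" = 'no' ]
}

# Succeed when AllowGroups is unset or lists group $2 (space or comma separated).
group_allowed() {
  local allow; allow=$(sshd_effective "$1" "$2" AllowGroups)
  [ -z "$allow" ] || printf '%s\n' "$allow" | tr ' ,' '\n\n' | grep -qx -- "$2"
}
# Constructed sample: the group block is complete and the later Match block does
# not leak into it, but AllowGroups was never extended to include the group.
sample=$(mktemp); trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
AllowGroups admins
PermitTTY yes
Match group sftp-only
    ForceCommand internal-sftp
    X11Forwarding no
    AllowTcpForwarding no
    PermitTTY no
Match User backup
    PermitTTY yes
EOF
sftp_only_enforced "$sample" sftp-only && echo 'SFTP-only restriction in effect'
group_allowed "$sample" sftp-only || echo 'group is missing from AllowGroups'
```

On a live host the same checks can be run against '/etc/ssh/sshd_config', or compared with the output of `sshd -T -C user=<name>`, which prints the effective configuration for that user.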

Usage

Add users that should only have access to the SFTP server to the “${sftpOnlyGroup}” group:

# sudo adduser 'username' "${sftpOnlyGroup}"

Warning! Users in the “${sftpOnlyGroup}” group won't be able to log in using SSH.

Next steps

For further security, SFTP-only users can be confined to a chroot environment. See the ‘ChrootDirectory’ directive in the sshd_config man page; note that the chroot target and every directory above it must be owned by root and not writable by any other user, or sshd will refuse the login.

Thanks

Categories: Security
