
Setting Up SFTP on Alibaba Cloud ECS Ubuntu 18.04

In this tutorial, we will explore how to set up SFTP for secure file transfers on your Alibaba Cloud ECS instance running Ubuntu 18.04.

By Alex Mungai Muchiri, Alibaba Cloud Tech Share Author. Tech Share is Alibaba Cloud's incentive program to encourage the sharing of technical knowledge and best practices within the cloud community.

Many developers want a secure way to manage the files hosted on their servers from a standard Graphical User Interface (GUI) client. In this tutorial, we are going to explore how to set that up with SFTP on your Alibaba Cloud Elastic Compute Service (ECS) instance running Ubuntu 18.04.

Introduction

So, why would you want to set up an SFTP server on your ECS instance? The most obvious reason is a secure protocol for transferring files between servers and clients. SFTP stands for SSH File Transfer Protocol. Despite the name, it is not FTP tunnelled over SSH but a separate file transfer protocol that runs as a subsystem of an SSH connection, so it inherits SSH's authentication and encryption. If your server has SSH access, then SFTP is normally available in the default OpenSSH configuration.

However, the default settings give every account on the system both a shell and unrestricted file transfer over the whole filesystem. For a dedicated transfer account you should enable a chroot: the SSH server then confines that user's session to one directory tree, so nothing outside it is visible or reachable. In this tutorial, we are going to restrict a user's access to a single directory in exactly that way.

Prerequisites

You will need the following to follow this tutorial:

  1. An Alibaba Cloud ECS instance running Ubuntu 18.04
  2. A non-root user with sudo privileges on the server
  3. A firewall (or ECS security group) that is enabled and allows SSH on port 22

If you need more information about this initial setup, please follow the corresponding tutorial from the Alibaba community.

Installing Open SSH

In this step, you will need to install Open SSH Server on your ECS instance:

sudo apt update
sudo apt install openssh-server

Once the installation finishes, run the commands below to restart the SSH service and make sure it starts at boot:

sudo systemctl stop ssh.service
sudo systemctl start ssh.service
sudo systemctl enable ssh.service

Create a New System User

In this step, we will create a new user on our server whose only purpose is transferring files. We will be using the username aliuser for the purposes of this tutorial.

sudo adduser aliuser

Create a password for the new user following the system prompt from your Alibaba ECS instance. You can provide further information about the new user or just press Enter to leave it blank.

After this step, we will create a file transfer directory with the required permissions.

I like to use the root user for this step. It is not mandatory, but if you want to do the same, switch to the root user like so:

sudo -s

As root, the same user is added without sudo:

adduser aliuser

As before, you will be prompted for a password. Run only one of the two adduser commands; the account already exists after the first one. We will now proceed with creating the directory for file transfers.

Create a File Transfer Directory

In this step, we will create a directory that satisfies the SSH server's requirements for a chroot. OpenSSH is explicit about them: the chroot directory and every component of its path, all the way up to /, must be owned by root and must not be writable by group or others. If any component fails this check, sshd refuses the login rather than silently weakening the jail.

For purposes of this tutorial, we will create our target directory to be /var/sftp/alibaba, which will be the target directory for uploads.

You will need to create the requisite directories:

sudo mkdir -p /var/sftp/alibaba

Make root the owner of the /var/sftp tree:

sudo chown root:root /var/sftp

Now, give root write permission on the directory we created and only read and execute rights to everyone else:

sudo chmod 755 /var/sftp

Next, we will assign to aliuser the exclusive ownership of the alibaba directory that we just created like so:

sudo chown aliuser:aliuser /var/sftp/alibaba

Let us now restrict aliuser to SFTP and remove terminal access. We will do that by modifying /etc/ssh/sshd_config, the configuration file of the SSH server running on Alibaba Cloud.

sudo nano /etc/ssh/sshd_config

Scroll to the bottom of the configuration file and append the following lines. The block must stay at the end of the file: every directive that follows a Match line applies only to that match, so anything placed below it would stop being global.

Match User aliuser
ForceCommand internal-sftp
PasswordAuthentication yes
ChrootDirectory /var/sftp
PermitTunnel no
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no

Save the changes in your file and close the editor. The PasswordAuthentication yes line keeps password logins for this user even if you have disabled them globally. If you prefer key-based authentication for aliuser, put the public key in /home/aliuser/.ssh/authorized_keys (sshd reads it during authentication, before the chroot is applied) and set the directive to no.

Before restarting, it is worth validating the file with sshd -t, because a syntax error in sshd_config stops the service from starting. Then run the command below to restart the SSH service so the saved configuration takes effect. On Ubuntu the unit is ssh.service; sshd is an alias, so either name works:

sudo systemctl restart sshd

With the Match block above, aliuser can only transfer files and cannot open a shell, forward ports or tunnel through the server. In the next step, we need to test that the configuration works as intended.
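The directory and sshd_config steps above are easy to get subtly wrong, and sshd then rejects the login with a terse log line. The script below is an added example, not part of the original tutorial: it checks every path component the way sshd does, prints the Match block, and can apply the whole procedure. It assumes Ubuntu with GNU coreutils (stat -c is not available on BSD/macOS), and the file name setup-sftp.sh is hypothetical.

```shell
#!/bin/sh
# Added example (not from the original article): helpers that check the
# chroot path the way sshd does, emit the Match block, and optionally apply
# the whole procedure above.  Assumes Ubuntu/GNU coreutils: "stat -c" is
# not available on BSD/macOS.  The script name setup-sftp.sh is hypothetical.

# One path component must be owned by uid $2 (default 0 = root) and must
# not carry the group or other write bit.  sshd checks exactly this for
# every component of a ChrootDirectory and otherwise logs
# "bad ownership or modes for chroot directory component".
check_chroot_component() {
    comp=$1
    want_uid=${2:-0}
    info=$(stat -c '%u %a' "$comp" 2>/dev/null) || { echo "missing: $comp"; return 2; }
    uid=${info%% *}
    mode=${info##* }                   # e.g. 755 or 1777, no leading zero
    other=${mode#"${mode%?}"}          # last octal digit: others
    grp=${mode%?}
    grp=${grp#"${grp%?}"}              # second-to-last octal digit: group
    comp_rc=0
    if [ "$uid" -ne "$want_uid" ]; then
        echo "bad owner: $comp is uid $uid, expected $want_uid"
        comp_rc=1
    fi
    if [ $(( other & 2 )) -ne 0 ] || [ $(( grp & 2 )) -ne 0 ]; then
        echo "group/world writable: $comp has mode $mode"
        comp_rc=1
    fi
    return $comp_rc
}

# Walk from the chroot directory up to / and check every component.
check_chroot_path() {
    cur=$1
    owner=${2:-0}
    case $cur in /*) ;; *) echo "chroot path must be absolute: $cur"; return 2 ;; esac
    path_rc=0
    while :; do
        check_chroot_component "$cur" "$owner" || path_rc=1
        if [ "$cur" = / ]; then break; fi
        cur=$(dirname "$cur")
    done
    return $path_rc
}

# Print the sshd_config Match block used above.  Password authentication
# is off unless the third argument is "yes", so keys are the default.
sftp_match_block() {
    printf '%s\n' \
        "Match User $1" \
        "    ForceCommand internal-sftp" \
        "    ChrootDirectory $2" \
        "    PasswordAuthentication ${3:-no}" \
        "    PermitTunnel no" \
        "    AllowAgentForwarding no" \
        "    AllowTcpForwarding no" \
        "    X11Forwarding no"
}

# Apply everything (run as root): sh setup-sftp.sh --apply aliuser /var/sftp alibaba
if [ "${1:-}" = "--apply" ]; then
    [ $# -eq 4 ] || { echo "usage: $0 --apply USER CHROOT_DIR UPLOAD_SUBDIR"; exit 2; }
    user=$2; chroot=$3; upload=$4
    id "$user" >/dev/null 2>&1 || adduser "$user"
    mkdir -p "$chroot/$upload"
    chown root:root "$chroot" && chmod 755 "$chroot"
    chown "$user:$user" "$chroot/$upload" && chmod 755 "$chroot/$upload"
    check_chroot_path "$chroot" 0 || exit 1
    # "yes" keeps password logins as in the article; pass "no" once a key is installed.
    sftp_match_block "$user" "$chroot" yes >> /etc/ssh/sshd_config
    # Validate before reloading: a broken sshd_config would otherwise leave
    # you without a working SSH daemon on the next restart.
    /usr/sbin/sshd -t && systemctl reload ssh
fi
```

The path walk is the part worth keeping around: a chroot placed under /tmp or under a group-writable deployment directory fails sshd's check even though the chroot directory itself looks right, and check_chroot_path reports which component is at fault.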

Testing the Configurations

In this test, we will check that aliuser can transfer files only within the restricted directory. Testing is straightforward and consists of two steps:

  1. Making sure access is limited to SFTP only
  2. Making sure the user cannot change to any directory above the chroot

The first step is to log into our Alibaba ECS server over plain SSH. Because shell access is disabled, the command below is refused: after authentication, sshd prints "This service allows sftp connections only." and closes the connection.

ssh aliuser@localhost

Now let us test SFTP file transfer and confirm that the connection is successful. Run the command below for this operation:

sftp aliuser@localhost

Once connected, we can perform the second test using only the cd and ls commands. First, run ls to see all files available in this directory; it should return only alibaba.

Now, let us check that aliuser cannot reach anything above this directory. Run the command below to try to move to the parent directory:

cd ..

Expect no error, but also no change when you list the directory content with ls as we did above. Inside the chroot, /var/sftp is the root directory /, and the parent of / is / itself, so cd .. succeeds without moving the user anywhere.
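The two manual checks above can be scripted so the setup is re-verified after every change to sshd_config. This is an added example, not part of the original tutorial: it assumes the OpenSSH ssh and sftp clients and a host name such as ecs.example.com (hypothetical). With password authentication you are prompted for the password; with a key in the user's authorized_keys it runs unattended. transcript_stays_in_chroot judges a captured sftp session offline; probe_sftp_user runs both checks against a live host.

```shell
#!/bin/sh
# Added example (not from the original article): the two manual checks
# above, shell refused and "cd .." unable to leave the chroot, as a script.
# Assumes the OpenSSH ssh/sftp clients; the host name in the usage line is
# hypothetical.

# Judge a captured sftp transcript: return 0 when every directory that
# "pwd" reported is "/" (the chroot root), 1 when any other directory
# appears or no "pwd" output is present (e.g. the login itself failed).
transcript_stays_in_chroot() {
    dirs=$(printf '%s\n' "$1" | sed -n 's/^Remote working directory: //p')
    [ -n "$dirs" ] || return 1
    if printf '%s\n' "$dirs" | grep -qv '^/$'; then
        return 1
    fi
    return 0
}

# Probe a live host.  usage: probe_sftp_user aliuser ecs.example.com
probe_sftp_user() {
    user=$1
    host=$2
    # 1. An interactive login must be refused.  -tt forces a pty, which is
    #    what makes sshd answer a ForceCommand internal-sftp user with
    #    "This service allows sftp connections only." and exit status 1.
    if ssh -tt -o ConnectTimeout=10 "$user@$host" </dev/null >/dev/null 2>&1; then
        echo "FAIL: $user@$host was given a shell"
        return 1
    fi
    # 2. SFTP must work, and neither "cd .." nor "cd /.." may leave "/".
    #    sftp reads the commands from stdin and echoes each answer.
    transcript=$(printf 'pwd\ncd ..\npwd\ncd /..\npwd\n' \
        | sftp -o ConnectTimeout=10 "$user@$host" 2>&1) \
        || { echo "FAIL: sftp session failed:"; echo "$transcript"; return 1; }
    if transcript_stays_in_chroot "$transcript"; then
        echo "OK: $user is confined to SFTP inside the chroot"
    else
        echo "FAIL: working directory escaped the chroot:"
        echo "$transcript"
        return 1
    fi
}
```

Call probe_sftp_user aliuser YOUR_HOST after each configuration change; a transcript that reports any working directory other than / means the chroot is not in effect, typically because the Match block was not applied or sshd was not restarted.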

Conclusion

In this tutorial, we have configured SFTP access restricted to a single directory for a test user on an Alibaba Cloud Elastic Compute Service (ECS) instance. The setup also disables shell access, port forwarding and tunnelling for that user. It extends to multiple users and directories: either repeat the steps with another Match User block, or put the accounts in a group, use Match Group, and give each user a writable subdirectory of their own under a root-owned chroot. The setup is considered secure because such users never see anything outside the chroot and therefore have no access to sensitive system files.
