Many developers want to set up secure FTP to manage files hosted on their servers using a standard Graphical User Interface (GUI). In this tutorial, we are going to explore how you can do this on your Alibaba Cloud Elastic Compute Service (ECS) instance running Ubuntu 18.04.
So, why would you want to set up an SFTP server on your ECS instance? The most obvious reason is the secure protocol that enables you to transfer files between servers and clients. SFTP is an acronym for SSH File Transfer Protocol and is a secure implementation of the FTP protocol. If your server has SSH access, then SFTP will normally be available as a default configuration.
However, you will need to reconfigure the default settings, as they enable unlimited shell access and file transfer for all users on the system. You should enable chroot for more robust security, essentially isolating an application running on your SFTP server from the rest of the operations. In this tutorial, we are going to explore a similar implementation to restrict a user’s access to a single directory.
You will need the following to follow through this tutorial:
- Alibaba Cloud ECS instance running Ubuntu 18.04
- A non-root sudo user running on your server
- Enabled firewall
If you need more information about this setup, please follow this tutorial from the Alibaba community.
Installing OpenSSH
In this step, you will need to install the OpenSSH server on your ECS instance:
sudo apt install openssh-server
Allow some time for the command to finish, then run the commands below to restart the SSH service and enable it to start when the server boots:
sudo systemctl stop ssh.service
sudo systemctl start ssh.service
sudo systemctl enable ssh.service
Create a New System User
In this step, we will create a new user on our server with permission to transfer files. We will be using the username aliuser for the purposes of this tutorial.
sudo adduser aliuser
Create a password for the new user following the system prompt from your Alibaba ECS instance. You can provide further information about the new user or just press Enter to leave it blank.
After this step, we will create a file transfers directory with all the required permissions.
In my case, I like to use the root user for this step. It is not mandatory, but if you, like me, would also want to use it, switch to the root user like so:
To add a new user from the root user, run the command below:
As was expected in the method we have explored above, you will be required to add a password. We will now proceed with the directory creation for transferring files.
Create a File Transfer Directory
In this step, we will create a directory that complies with our SSH server's permission requirements. The requirements are explicit: the directory and every directory above it in the tree must be owned by root and must not be writable by any other user.
For purposes of this tutorial, we will use /var/sftp/alibaba as the target directory for uploads.
You will need to create the requisite directories:
sudo mkdir -p /var/sftp/alibaba
Make root the owner of the /var/sftp directory:
sudo chown root:root /var/sftp
Now, we need to issue root with the write permissions for the directory we created and only read and execute rights to all other users:
sudo chmod 755 /var/sftp
Next, we will assign to aliuser the exclusive ownership of the alibaba directory that we just created like so:
sudo chown aliuser:aliuser /var/sftp/alibaba
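The ownership and mode rules stated at the start of this section can be verified before the SSH server is pointed at the directory. The script below is an added example, not part of the original tutorial; the function names component_ok and check_chroot are hypothetical, and it assumes GNU stat as shipped with Ubuntu.

```shell
#!/bin/sh
# Added example, not from the tutorial: verify the ownership and mode rules
# for a chroot path before pointing sshd at it. Assumes GNU stat (Ubuntu).

# Succeed if DIR is a directory owned by WANT_UID (default 0, i.e. root)
# and carries no group or other write bit.
component_ok() {   # usage: component_ok DIR [WANT_UID]
    dir=$1
    want_uid=${2:-0}
    [ -d "$dir" ] || { echo "$dir: not a directory"; return 1; }
    uid=$(stat -c %u "$dir")
    mode=$(stat -c %a "$dir")
    if [ "$uid" -ne "$want_uid" ]; then
        echo "$dir: owned by uid $uid, expected $want_uid"; return 1
    fi
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "$dir: mode $mode is writable by group or others"; return 1
    fi
    return 0
}

# Check PATH and every parent up to / for root ownership and safe modes.
check_chroot() {   # usage: check_chroot /var/sftp
    p=$1
    rc=0
    while :; do
        component_ok "$p" 0 || rc=1
        case $p in /|.) break ;; esac
        p=$(dirname "$p")
    done
    return $rc
}

# /var/sftp/alibaba is deliberately not checked: it sits inside the chroot
# and is owned by aliuser so that uploads can be written there.
check_chroot /var/sftp || echo "fix the components listed above"
```
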
Let us now restrict terminal access for the aliuser. We will do that by modifying the /etc/ssh/sshd_config file of our SSH server running on Alibaba Cloud.
sudo nano /etc/ssh/sshd_config
You will then scroll to the bottom of the configuration file and append the following lines.
Match User aliuser
Save the changes in your file and close the editor.
Run the command below to restart the SSH server and apply the configuration changes that we have saved in the configuration file:
sudo systemctl restart sshd
Through the SSH server configuration above, we have restricted aliuser to file transfer only. In the next step, we need to test and ensure that the configuration works as intended.
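Before testing by hand, the Match block can be audited for the directives that produce the restrictions described above (SFTP only, confined to /var/sftp). The script below is an added example, not the tutorial's own configuration: the sample block is constructed, the set of expected directives is an assumption, and match_block and audit_sftp_user are hypothetical helper names.

```shell
#!/bin/sh
# Added example, not the tutorial's own config: audit one user's Match block.
# The expected directive set is an assumption for an SFTP-only chrooted account.

# Constructed sample of lines that could follow the global sshd_config settings.
sample_config() {
cat <<'EOF'
# global settings above this line
Match User aliuser
    ForceCommand internal-sftp
    ChrootDirectory /var/sftp
    PasswordAuthentication yes
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

# Print "keyword value" (keyword lower-cased) for each line in USER's block.
# Handles only the plain "Match User <name>" form, not pattern lists.
match_block() {   # usage: match_block CONFIG USER
    awk -v user="$2" '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" {
            inblk = (NF == 3 && tolower($2) == "user" && $3 == user); next
        }
        inblk { k = tolower($1); $1 = ""; sub(/^[ \t]+/, ""); print k " " $0 }
    ' "$1"
}

# Print each expected directive that is missing; return 1 if any is missing.
audit_sftp_user() {   # usage: audit_sftp_user CONFIG USER CHROOT_DIR
    blk=$(match_block "$1" "$2")
    rc=0
    for want in "forcecommand internal-sftp" "chrootdirectory $3" \
                "allowtcpforwarding no" "x11forwarding no"; do
        if ! printf '%s\n' "$blk" | grep -qxF -- "$want"; then
            echo "missing: $want"
            rc=1
        fi
    done
    return $rc
}

cfg=$(mktemp)
sample_config > "$cfg"
audit_sftp_user "$cfg" aliuser /var/sftp && echo "aliuser: block looks complete"
rm -f "$cfg"
```

On the server itself, run the audit against /etc/ssh/sshd_config with sudo, and validate syntax with sudo sshd -t before restarting the service.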
Testing the Configurations
In this test, we will check to see that aliuser can transfer files from the restricted directory. Testing is straightforward and consists of two steps:
- Making sure access is limited to SFTP only
- Making sure that the user is unable to change to a directory with higher privileges
The first step is to log into our Alibaba ECS server. Because we disabled shell access, you should see an error message when executing the command below:
Now let us test SFTP file transfer and confirm that the connection is successful. Run the command below for this operation:
Once connected, we can perform the second test. The test is pretty simple: we will be using the ls commands. First, run ls to see all available files under this directory, which should only return alibaba.
Now, let us check to ensure that aliuser can only access this directory and not any above it in the tree. Run the command below to attempt to change to the directory above it:
You should not expect any errors, but you should also not see any changes when you list the directory content with ls as we did above. This is because the user cannot switch to the parent directory.
In this tutorial, we have configured restricted SFTP access to a single directory by our test user on an Alibaba Cloud Elastic Compute Service (ECS) instance. The setup also disables shell access. It is possible to set up multiple users and multiple directories. The setup is considered secure because such users do not have access to sensitive system files.