SFTP (Secure File Transfer Protocol) is a secure way to transfer files between systems using an encrypted connection. It’s a great way to ensure your files are secure while transferring them from one location to another. If you’re using Ubuntu 22, you can easily set up an SFTP server to transfer files securely.
In this article, we show you how to install, configure and secure an SFTP server on Ubuntu 22 in a few simple steps.
Step 1: Install SSH Server
To set up an SFTP server, you need an SSH server installed. To install the SSH server, open your terminal and type the following commands:
sudo apt update
sudo apt install ssh
Step 2: Create SFTP Group and User
It’s always a good practice to create a new user for SFTP transfers. This way, you can limit the access and permissions of the user to only the files and directories that you want to share.
To create a new user group called sftp, run the following command:
sudo addgroup sftp
To create a new user called sftpuser and add it to the sftp group, run the following command:
sudo useradd -m sftpuser -g sftp
To set a password for the sftpuser, run the following command:
sudo passwd sftpuser
Step 3: Configure SSH Server
Next, we need to configure the SSH server to allow SFTP access for the sftp group and user. To do this, we need to edit the SSHD configuration file. Use nano or your favorite text editor to open it with root privileges:
sudo nano /etc/ssh/sshd_config
Scroll to the bottom of the file and add the following lines at the very end:
Match group sftp
ChrootDirectory /home
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
These lines allow users in the sftp group to reach their home directories via SFTP only: the session is confined (chrooted) to /home, X11 and TCP forwarding are disabled, and internal-sftp replaces the login shell, so they never get normal SSH shell access.
After adding these lines, save and close the configuration file.
To apply the changes, restart the SSH service with the following command:
sudo systemctl restart ssh
Step 4: Test SFTP Server
Now that we have set up our SFTP server, we can test it by connecting to it from another machine. You can use any SFTP client software such as FileZilla, WinSCP or Cyberduck.
To connect to your SFTP server, you need to provide the following information:
- Host: The IP address or hostname of your Ubuntu 22 machine running the SFTP server.
- Port: The port number of your SSH service, usually 22 by default.
- Username: The username of your SFTP user, in our case sftpuser.
- Password: The password of your SFTP user, in our case whatever you set in step 2.
Once you connect, you should be able to see the home directory of your SFTP user and transfer files securely.
Step 5: Secure Your SFTP Server
To make your SFTP server more secure, you can do some additional steps such as:
- Change the default port of your SSH service to something other than 22. This makes your SSH service less visible to automated scanners that only probe port 22 and reduces the brute-force attempts it receives.
- Disable password authentication and use public key authentication instead. Password guessing then no longer works against your SFTP server; access requires the private key.
- Use strong passwords or passphrases for your SFTP user and SSH key. This makes it harder for attackers to crack your credentials and access your SFTP server.
- Use firewall rules to restrict access to your SSH service only from trusted IP addresses or networks. This will prevent unauthorized access attempts from unknown sources.
You can find more details on how to do these steps below.
Changing the Default Port of SSH Service
To change the default port of your SSH service, you need to edit the SSHD configuration file again. Open it with root privileges:
sudo nano /etc/ssh/sshd_config
Find the line that says:
#Port 22
Uncomment it by removing the # sign and change 22 to any port number you want. For example:
Port 2222
Save and close the file.
Restart the SSH service to apply the changes:
sudo systemctl restart ssh
Now, your SSH service will listen on the new port number. To connect to your SFTP server, you need to specify the new port number in your SFTP client software.
Disabling Password Authentication and Using Public Key Authentication
To disable password authentication and use public key authentication, you need to generate a pair of SSH keys on your local machine and copy the public key to your server.
On your local machine, open a terminal and run the following command:
ssh-keygen
You will be asked to enter a file name and a passphrase for your key pair. You can accept the default file name by pressing ENTER, but it is recommended to enter a strong passphrase for security reasons.
This will generate two files: a private key (id_rsa) and a public key (id_rsa.pub) in your ~/.ssh directory.
Next, you need to copy the public key to your server. You can do this by using the ssh-copy-id command:
ssh-copy-id -i ~/.ssh/id_rsa.pub -p 2222 sftpuser@your_server_ip
Replace 2222 with the port number of your SSH service, sftpuser with the username of your SFTP user, and your_server_ip with the IP address or hostname of your server.
You will be asked to enter the password of your SFTP user. After that, your public key will be appended to the ~/.ssh/authorized_keys file on your server.
Now, you need to disable password authentication on your server. Open the SSHD configuration file with root privileges:
sudo nano /etc/ssh/sshd_config
Find the line that says:
#PasswordAuthentication yes
Uncomment it by removing the # sign and change yes to no. For example:
PasswordAuthentication no
Save and close the file.
Restart the SSH service to apply the changes:
sudo systemctl restart ssh
Now, password authentication is disabled and only public key authentication is allowed. To connect to your SFTP server, you need to provide the private key file and the passphrase in your SFTP client software.
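A helper for the two edits above, added here as an example and not taken from the article: it rewrites a global sshd_config option without touching the Match block, and checks that the user's authorized_keys file is usable before you disable passwords, since a missing or wrongly-permissioned key file locks you out at the restart. It assumes Linux coreutils (stat -c, awk) and takes the config path and the user's home directory as arguments so it can be rehearsed on copies.

```shell
#!/bin/sh
# Added example, not part of the original article. Assumes Linux coreutils
# (stat -c, awk) and takes the sshd_config path as an argument so the edit
# can be rehearsed on a copy before touching /etc/ssh/sshd_config.

# Set "Key Value" in the global section of sshd_config $1. A matching line
# (commented out or not) is rewritten in place; a key that is absent is put
# at the top of the file, because anything written after "Match group sftp"
# would apply to the sftp group only. Lines inside a Match block are untouched.
set_sshd_option() {
    cfg="$1"; key="$2"; val="$3"; tmp="$cfg.tmp"
    awk -v k="$key" -v v="$val" '
        /^[ \t]*[Mm]atch[ \t]/ { inmatch = 1 }
        !done && !inmatch {
            line = $0; sub(/^[ \t]*#?[ \t]*/, "", line)
            split(line, f, /[ \t]+/)
            if (tolower(f[1]) == tolower(k)) { print k " " v; done = 1; next }
        }
        { print }
        END { exit done ? 0 : 1 }
    ' "$cfg" >"$tmp" || { echo "$key $val"; cat "$cfg"; } >"$tmp"
    mv "$tmp" "$cfg"
}

# Before disabling passwords, make sure the key login can actually succeed:
# $1/.ssh/authorized_keys must exist, be non-empty and not be writable by
# group or others, or sshd (StrictModes yes, the default) ignores it and the
# restart locks the user out. Keep a second session open while you test.
authorized_keys_ok() {
    ak="$1/.ssh/authorized_keys"
    [ -s "$ak" ] || return 1
    mode=$(stat -c '%a' "$ak" 2>/dev/null) || return 1
    [ $(( (mode / 10 % 10) & 2 )) -eq 0 ] && [ $(( (mode % 10) & 2 )) -eq 0 ]
}
```

Run `sudo sshd -t` on the real server after the edit and only then restart the service.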
Using Strong Passwords or Passphrases for Your SFTP User and SSH Key
To use strong passwords or passphrases for your SFTP user and SSH key, you need to change them periodically and make sure they are not easy to guess or crack.
To change the password of your SFTP user, run the following command on your server:
sudo passwd sftpuser
You will be asked to enter a new password and confirm it.
To change the passphrase of your SSH key, run the following command on your local machine:
ssh-keygen -p -f ~/.ssh/id_rsa
You will be asked to enter the old passphrase and then a new passphrase.
A strong password or passphrase should be at least 12 characters long and contain a mix of upper and lower case letters, numbers and symbols. You can use a password generator tool such as https://passwordsgenerator.net/ to create a random and secure password or passphrase.
Using Firewall Rules to Restrict Access to Your SSH Service
To use firewall rules to restrict access to your SSH service, you need to enable a firewall on your server and allow only certain IP addresses or networks to access your SSH service.
On Ubuntu 22, you can use UFW (Uncomplicated Firewall) as a simple and easy-to-use firewall tool. To enable UFW, run the following command:
sudo ufw enable
To allow access to your SSH service from a specific IP address, run the following command:
sudo ufw allow from ip_address to any port 2222 proto tcp
Replace ip_address with the IP address you want to allow. For example:
sudo ufw allow from 192.168.0.10 to any port 2222 proto tcp
To allow access from a specific network, run the following command:
sudo ufw allow from network_address/netmask to any port 2222 proto tcp
Replace network_address/netmask with the network address and netmask you want to allow. For example:
sudo ufw allow from 192.168.0.0/24 to any port 2222 proto tcp
To check the status of UFW and see the active rules, run the following command:
sudo ufw status verbose
You should see something like this:
Status: active

To                         Action      From
--                         ------      ----
2222/tcp                   ALLOW IN    192.168.0.10
2222/tcp                   ALLOW IN    192.168.0.0/24
Now, only the IP addresses or networks that you have allowed can access your SSH service.
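An audit helper for the rules above, added here as an example and not taken from the article: it parses `ufw status` output and confirms that the SSH port has no ALLOW IN rule from Anywhere, which a leftover `ufw allow 22/tcp` or `ufw allow OpenSSH` rule would otherwise grant and silently undo the per-source restriction. The status text is a constructed sample in the same layout as the output shown above; if you administer the server over SSH, add the allow rule for your address before `sudo ufw enable`, since the default policy denies incoming connections.

```shell
#!/bin/sh
# Added example, not part of the original article. Parses `ufw status` output
# (passed in as text) to confirm that the SSH port is reachable only from the
# sources you intended; a leftover rule such as "ufw allow 22/tcp" permits
# "Anywhere" and quietly defeats the per-source rules.

# Print the From column of every "ALLOW IN" rule for port $2/tcp in status $1.
# IPv6 rows ("22/tcp (v6)") are included; their "(v6)" suffix is dropped.
allowed_sources() {
    printf '%s\n' "$1" | awk -v p="$2/tcp" '
        $1 == p {
            for (i = 2; i <= NF - 2; i++)
                if ($i == "ALLOW" && $(i + 1) == "IN") print $(i + 2)
        }'
}

# Return 0 only if no ALLOW IN rule for port $2 accepts connections from Anywhere.
# A stale rule is removed on the server with: sudo ufw delete allow 22/tcp
no_open_rule() {
    ! allowed_sources "$1" "$2" | grep -qx 'Anywhere'
}

# Constructed sample output in the layout of `sudo ufw status verbose`, with
# the two rules from the article plus two stale rules an audit should catch.
SAMPLE_STATUS='Status: active

To                         Action      From
--                         ------      ----
2222/tcp                   ALLOW IN    192.168.0.10
2222/tcp                   ALLOW IN    192.168.0.0/24
22/tcp                     ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)'
```

On a live server, replace the sample with `sudo ufw status verbose` output: `no_open_rule "$(sudo ufw status verbose)" 2222`.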