How to Install, Configure and Secure an SFTP Server on Ubuntu 22

SFTP (Secure File Transfer Protocol) is a secure way to transfer files between systems using an encrypted connection. It’s a great way to ensure your files are secure while transferring them from one location to another. If you’re using Ubuntu 22, you can easily set up an SFTP server to transfer files securely.

In this article, we will show you how to install, configure and secure an SFTP server on Ubuntu 22 in a few simple steps.

Step 1: Install SSH Server

To set up an SFTP server, you need an SSH server installed. To install it, open your terminal and run the following commands:

sudo apt update
sudo apt install ssh

Step 2: Create SFTP Group and User

It’s always a good practice to create a new user for SFTP transfers. This way, you can limit the access and permissions of the user to only the files and directories that you want to share.

To create a new user group called sftp, run the following command:

sudo addgroup sftp

To create a new user called sftpuser and add it to the sftp group, run the following command:

sudo useradd -m sftpuser -g sftp

To set a password for the sftpuser, run the following command:

sudo passwd sftpuser

Step 3: Configure SSH Server

Next, we need to configure the SSH server to allow SFTP access for the sftp group and user. To do this, we need to edit the SSHD configuration file. Use nano or your favorite text editor to open it with root privileges:

sudo nano /etc/ssh/sshd_config

Scroll to the bottom of the file and add the following lines at the very end:

Match group sftp
ChrootDirectory /home
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp

These lines allow users in the sftp group to reach their home directories over SFTP, but deny them a normal SSH login, so they never get a shell.

After adding these lines, save and close the configuration file.

To apply the changes, restart the SSH service with the following command:

sudo systemctl restart ssh

Step 4: Test SFTP Server

Now that we have set up our SFTP server, we can test it by connecting to it from another machine. You can use any SFTP client software such as FileZilla, WinSCP or Cyberduck.

To connect to your SFTP server, you need to provide the following information:

  • Host: The IP address or hostname of your Ubuntu 22 machine running the SFTP server.
  • Port: The port number of your SSH service, usually 22 by default.
  • Username: The username of your SFTP user, in our case sftpuser.
  • Password: The password of your SFTP user, in our case whatever you set in step 2.

Once you connect, you should be able to see the home directory of your SFTP user and transfer files securely.

Step 5: Secure Your SFTP Server

To make your SFTP server more secure, you can do some additional steps such as:

  • Change the default port of your SSH service to something other than 22. This does not hide the service from a determined attacker, but it cuts down the automated scans and brute-force attempts that target port 22.
  • Disable password authentication and use public key authentication instead. With passwords disabled, guessing your SFTP user's password no longer gets an attacker into your SFTP server.
  • Use strong passwords or passphrases for your SFTP user and SSH key. This will make it harder for attackers to crack your credentials and access your SFTP server.
  • Use firewall rules to restrict access to your SSH service only from trusted IP addresses or networks. This will prevent unauthorized access attempts from unknown sources.

You can find more details on how to do these steps below.

Changing the Default Port of SSH Service

To change the default port of your SSH service, you need to edit the SSHD configuration file again. Open it with root privileges:

sudo nano /etc/ssh/sshd_config

Find the line that says:

#Port 22

Uncomment it by removing the # sign and change 22 to any port number you want. For example:

Port 2222

Save and close the file.

Restart the SSH service to apply the changes:

sudo systemctl restart ssh

Now, your SSH service will listen on the new port number. To connect to your SFTP server, you need to specify the new port number in your SFTP client software.

Disabling Password Authentication and Using Public Key Authentication

To disable password authentication and use public key authentication, you need to generate a pair of SSH keys on your local machine and copy the public key to your server.

On your local machine, open a terminal and run the following command:

ssh-keygen

You will be asked to enter a file name and a passphrase for your key pair. You can accept the default file name by pressing ENTER, but it is recommended to enter a strong passphrase for security reasons.

This will generate two files: a private key (id_rsa) and a public key (id_rsa.pub) in your ~/.ssh directory.

Next, you need to copy the public key to your server. You can do this by using the ssh-copy-id command:

ssh-copy-id -i ~/.ssh/id_rsa.pub -p 2222 sftpuser@your_server_ip

Replace 2222 with the port number of your SSH service, sftpuser with the username of your SFTP user, and your_server_ip with the IP address or hostname of your server.

You will be asked to enter the password of your SFTP user. After that, your public key will be appended to the ~/.ssh/authorized_keys file on your server. Note that ssh-copy-id installs the key by running a small shell command on the server; if the Match block from step 3 is already in place, ForceCommand internal-sftp replaces that command and ssh-copy-id fails. In that case copy the public key into /home/sftpuser/.ssh/authorized_keys yourself, for example by uploading it over SFTP or as root on the server, keeping the .ssh directory and the file owned by sftpuser and not writable by anyone else.

Now, you need to disable password authentication on your server. Open the SSHD configuration file with root privileges:

sudo nano /etc/ssh/sshd_config

Find the line that says:

#PasswordAuthentication yes

Uncomment it by removing the # sign and change yes to no. For example:

PasswordAuthentication no

Save and close the file.

Restart the SSH service to apply the changes:

sudo systemctl restart ssh

Now, password authentication is disabled and only public key authentication is allowed. To connect to your SFTP server, you need to provide the private key file and the passphrase in your SFTP client software.
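
To confirm that the port change and the password authentication change actually took effect in the file sshd reads, and that the Match block from step 3 is still present, the following audit can be run against /etc/ssh/sshd_config. It is an added example, not code from the original article; it assumes the plain "Keyword value" line form (the rarer "Keyword=value" form is not handled) and the awk, tr and sh found on Ubuntu, and the script file name in the usage comment is hypothetical.

```shell
#!/bin/sh
# Added example, not from the original article: audit an sshd_config for the
# settings changed above (Port, PasswordAuthentication) and for the sftp
# Match block from step 3. Assumes the plain "Keyword value" line form.

# sshd_effective KEYWORD FILE -> the value sshd uses for a global keyword.
# Comments are dropped, keywords are case-insensitive, the FIRST occurrence
# wins, and lines after a Match directive are skipped because they apply
# only to the sessions that Match selects (e.g. "Match Group sftp").
sshd_effective() {
  awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
    { sub(/#.*/, "") }                  # strip comments, re-split fields
    NF == 0 { next }                    # blank or comment-only line
    tolower($1) == "match" { inmatch = 1 }
    inmatch { next }
    tolower($1) == key && !found { found = 1; print $2 }
  ' "$2"
}

# sftp_match_ok FILE -> 0 if some "Match Group ..." block sets
# "ForceCommand internal-sftp", the line that keeps sftp users out of a shell.
sftp_match_ok() {
  awk '
    { sub(/#.*/, "") }
    NF == 0 { next }
    tolower($1) == "match" { ingroup = (tolower($2) == "group") }
    ingroup && tolower($1) == "forcecommand" && $2 == "internal-sftp" { ok = 1 }
    END { exit ok ? 0 : 1 }
  ' "$1"
}

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# audit_sshd_config FILE -> prints each finding, returns the number found
# (0 means the file matches the hardening steps above).
audit_sshd_config() {
  local f="$1" n=0 port pw pk
  port=$(sshd_effective Port "$f");                 port=${port:-22}    # sshd default
  pw=$(sshd_effective PasswordAuthentication "$f"); pw=${pw:-yes}      # sshd default
  pk=$(sshd_effective PubkeyAuthentication "$f");   pk=${pk:-yes}      # sshd default
  echo "sshd listens on port $port"
  [ "$(lower "$pw")" = no ]  || { echo "FINDING: PasswordAuthentication is '$pw', expected no"; n=$((n+1)); }
  [ "$(lower "$pk")" = yes ] || { echo "FINDING: PubkeyAuthentication is '$pk', expected yes"; n=$((n+1)); }
  sftp_match_ok "$f" || { echo "FINDING: no Match Group block with ForceCommand internal-sftp"; n=$((n+1)); }
  return $n
}

# Usage (hypothetical file name): sh audit_sshd.sh /etc/ssh/sshd_config
case ${1:-} in "") ;; *) audit_sshd_config "$1" ;; esac
```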

Using Strong Passwords or Passphrases for Your SFTP User and SSH Key

To use strong passwords or passphrases for your SFTP user and SSH key, you need to change them periodically and make sure they are not easy to guess or crack.

To change the password of your SFTP user, run the following command on your server:

sudo passwd sftpuser

You will be asked to enter a new password and confirm it.

To change the passphrase of your SSH key, run the following command on your local machine:

ssh-keygen -p -f ~/.ssh/id_rsa

You will be asked to enter the old passphrase and then a new passphrase.

A strong password or passphrase should be at least 12 characters long and contain a mix of upper and lower case letters, numbers and symbols. You can use a password generator tool such as https://passwordsgenerator.net/ to create a random and secure password or passphrase.

Using Firewall Rules to Restrict Access to Your SSH Service

To use firewall rules to restrict access to your SSH service, you need to enable a firewall on your server and allow only certain IP addresses or networks to access your SSH service.

On Ubuntu 22, you can use UFW (Uncomplicated Firewall) as a simple and easy-to-use firewall tool. UFW denies incoming connections by default, so if you are administering the server over SSH, add the allow rule for your SSH port (shown below) before enabling it, or you can lock yourself out. To enable UFW, run the following command:

sudo ufw enable

To allow access to your SSH service from a specific IP address, run the following command:

sudo ufw allow from ip_address to any port 2222 proto tcp

Replace ip_address with the IP address you want to allow. For example:

sudo ufw allow from 192.168.0.10 to any port 2222 proto tcp

To allow access from a specific network, run the following command:

sudo ufw allow from network_address/netmask to any port 2222 proto tcp

Replace network_address/netmask with the network address and netmask you want to allow. For example:

sudo ufw allow from 192.168.0.0/24 to any port 2222 proto tcp

To check the status of UFW and see the active rules, run the following command:

sudo ufw status verbose

You should see something like this:

Status: active

To                         Action      From
--                         ------      ----
2222/tcp                   ALLOW IN    192.168.0.10              
2222/tcp                   ALLOW IN    192.168.0.0/24            

Now, only the IP addresses or networks that you have allowed can access your SSH service.