How to setup an SFTP server on

CentOS

This tutorial explains how to setup and use an SFTP server on CentOS.
Before I start, let me explain what actually SFTP represents and what it is
used for. Currently, most people know that we can use normal FTP for
transferring, downloading or uploading data from a server to client or client
to server. But this protocol is getting hacked easily (if TLS is not used) by
anonymous intruders as it the ports are wide open to anyone. Therefore,
SFTP has been introduced to as another alternative to meet the main
purpose to strengthen the security level.

SFTP stands for SSH File Transfer Protocol or Secure File Transfer
Protocol. It uses a separate protocol packaged with SSH to provide
a secure connection.

1. Preliminary Note

For this tutorial, I am using CentOS 7 in the 64bit version. The same steps
will work on CentOS 6 as well. The tutorial result will show how a client can
be provided with access to the SFTP server but unable to login to the server
itself by SSH.

2. SFTP Installation

Unlike normal FTP, there's no need to install additional packages in order to

use SFTP. We just require the prebuild SSHd package that got already
installed during installation on the server. Therefore, just check to confirm if
you already have the required SSH package. Below are the steps:

Run:

rpm -qa|grep ssh

The output should be similar to this:

[root@localhost ~]# rpm -qa|grep ssh

libssh2-1.4.3-10.el7_2.1.x86_64
openssh-7.4p1-13.el7_4.x86_64
openssh-server-7.4p1-13.el7_4.x86_64
openssh-clients-7.4p1-13.el7_4.x86_64

That's all, now we'll go on how to make the SFTP configuration.

3. SFTP Configuration

Once all prerequisites of installation are done, we'll step over to

configuration phase. For best practice, we need to create a group and user
so that we can manage all user that shall get SFTP access. But first, let's
create an additional folder called data. Below are the steps:

mkdir -p /data/sftp
chmod 701 /data

Basically what I'm trying to do with the above step is to get a separate folder
as main directory for the SFTP access. All user directories for the SFTP
users will be subdirectories of this data folder.

Let's create a group for the SFTP user, below are the steps:

groupadd sftpusers

Then create a user 'howtoforge' and assign it to the SFTPUSERS group.

Below are the steps:

useradd -g sftpusers -d /upload -s /sbin/nologin mysftpuser

passwd mysftpuser

Changing password for user mysftpuser.

New password:
Retype new password:
passwd: all authentication tokens updated successfully.

Below is the explanation of the above commands:

1. I create a user and include the user into sftpusers group using -g
command.
2. I assign the main directory for the user to be in the /upload directory by
setting the -d /upload command. This means that later the /upload
folder will be under /data/mysftpuser/upload.
3. I limit the access to the /sbin/nologin shell to ensure the user is only
able to use the SFTP protocol, not SSH.
4. I name the user "mysftpuser".
5. Set password for user "mysftpuser".
Now let's create the /upload folder under /data/mysftpuser, then assign
appropriate ownership to the folder.

mkdir -p /data/mysftpuser/upload
chown -R root:sftpusers /data/mysftpuser
chown -R mysftpuser:sftpusers /data/mysftpuser/upload

Once done, verify that the new folder under the directory /data exists and
that we made the configuration correct.

[root@localhost ~]# ls -ld /data/

drwx-----x. 5 root root 54 Mar 22 14:29 /data/

[root@localhost ~]# ls -ld /data/mysftpuser

drwxr-xr-x. 3 root sftpusers 20 Mar 22 14:29 /data/mysftpuser

[root@localhost ~]# ls -ld /data/mysftpuser/upload

drwxr-xr-x. 2 mysftpuser sftpusers 6 Mar 22 14:29 /data/mysftpuser/upload

[root@localhost ~]# cat /etc/passwd|grep mysftpuser

mysftpuser:x:1001:1001::/upload:/sbin/nologin

Now configure the SSH protocol to create an SFTP process. This can be
done by editing the configuration file under /etc/ssh/sshd_config. Below are
the steps:

nano /etc/ssh/sshd_config

Add the following lines at the end of the file.

Match Group sftpusers

ChrootDirectory /data/%u
ForceCommand internal-sftp

Once done restart the SSH services, below are the steps:

service sshd status

Redirecting to /bin/systemctl status sshd.service

? sshd.service - OpenSSH server daemon
Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor
preset: enabled)
Active: active (running) since Thu 2018-03-22 14:21:38 CET; 16min ago
Docs: man:sshd(8)
man:sshd_config(5)
Main PID: 942 (sshd)
CGroup: /system.slice/sshd.service
??942 /usr/sbin/sshd -D

Mar 22 14:21:37 localhost.localdomain systemd[1]: Starting OpenSSH

server daemon...
Mar 22 14:21:38 localhost.localdomain sshd[942]: Server listening on
0.0.0.0 port 22.
Mar 22 14:21:38 localhost.localdomain sshd[942]: Server listening on :: port
22.
Mar 22 14:21:38 localhost.localdomain systemd[1]: Started OpenSSH
server daemon.
Mar 22 14:21:49 localhost.localdomain sshd[1375]: Accepted password for
root from 192.168.1.9 port 59465 ssh2

service sshd restart

[root@localhost ~]# service sshd restart

Redirecting to /bin/systemctl restart sshd.service

4. Testing SFTP

Now everything has been configured, so let's make a test to ensure the
setup meets our purpose.
I'll access SFTP by using another server called TEST01. First, I'll verify the
Port of the SFTP server . To do that I'll use the nmap function. If your client
server didn't have it you may download and install it with yum as shown
below:

yum list nmap

Loaded plugins: fastestmirror

Loading mirror speeds from cached hostfile
* base: centos.copahost.com
* epel: mirror.imt-systems.com
* extras: mirror.imt-systems.com
* remi-php72: remi.mirror.wearetriple.com
* remi-safe: remi.mirror.wearetriple.com
* updates: ftp.rz.uni-frankfurt.de
Available Packages
nmap.x86_64 2:6.40-7.el7

yum install nmap -y

Loaded plugins: fastestmirror

Loading mirror speeds from cached hostfile
* base: centos.copahost.com
* epel: mirror.imt-systems.com
* extras: mirror.imt-systems.com
* remi-php72: remi.mirror.wearetriple.com
* remi-safe: remi.mirror.wearetriple.com
* updates: ftp.rz.uni-frankfurt.de
Resolving Dependencies
--> Running transaction check
---> Package nmap.x86_64 2:6.40-7.el7 will be installed
--> Processing Dependency: nmap-ncat = 2:6.40-7.el7 for package:
2:nmap-6.40-7.el7.x86_64
--> Running transaction check
---> Package nmap-ncat.x86_64 2:6.40-7.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

===========================================================================
Package Arch Version Repository Size
===========================================================================
Installing:
nmap x86_64 2:6.40-7.el7 base 4.0 M
Installing for dependencies:
nmap-ncat x86_64 2:6.40-7.el7 base 201 k

Transaction Summary
===========================================================================
Install 1 Package (+1 Dependent package)

Total download size: 4.2 M

Installed size: 17 M
Downloading packages:
(1/2): nmap-ncat-6.40-7.el7.x86_64.rpm | 201 kB 00:00:01
(2/2): nmap-6.40-7.el7.x86_64.rpm | 4.0 MB 00:00:14
-----------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------
Total 300 kB/s | 4.2 MB 00:00:14
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : 2:nmap-ncat-6.40-7.el7.x86_64 1/2
Installing : 2:nmap-6.40-7.el7.x86_64 2/2
Verifying : 2:nmap-ncat-6.40-7.el7.x86_64 1/2
Verifying : 2:nmap-6.40-7.el7.x86_64 2/2
Installed:
nmap.x86_64 2:6.40-7.el7

Dependency Installed:
nmap-ncat.x86_64 2:6.40-7.el7

Complete!

[root@localhost ~]# nmap -n 192.168.1.100

Starting Nmap 6.40 ( http://nmap.org ) at 2018-03-22 14:51 CET

Nmap scan report for 192.168.1.100
Host is up (0.000016s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh

Nmap done: 1 IP address (1 host up) scanned in 0.12 seconds

You'll notice that currently on our SFTP server, the only open port is SSH
22. Now, let's try to access the SFTP server (IP: 192.168.1.100 in my case)
from TEST01 client. Below are the steps:

[root@TEST01 /]# sftp mysftpuser@192.168.1.100

mysftpuser@192.168.1.100's password:
Connected to 192.168.1.100.
sftp> pwd
Remote working directory: /upload
sftp>

Great! Now our SFTP server is accessible from outside. Notice that the
default directory is /upload . This means that SFTP will only show the
default path as /upload even though our previous configuration made in the
SFTP server directory is /data/mysftpuser/upload.
Now let's try to get a file from the SFTP server directory into our testing
client. First, let's create a test file under /data/mysftpuser/upload. Below are
the steps:

cd /data/mysftpuser/upload
touch testing_file.txt

Then go back to our testing site TEST01 and see if we able to get and
download the created file.

[root@TEST01 /]# sftp mysftpuser@192.168.1.100

mysftpuser@192.168.1.100's password:
Connected to 192.168.1.100.
sftp> pwd
Remote working directory: /upload
sftp> ls
testing_file.txt
sftp> get testing_file.txt
Fetching /upload/testing_file.txt to testing_file.txt
sftp> quit

Excellent! Our SFTP test has been successful, let's try to access SSH using
the user mysftpuser. As previously, we've set configuration as /sbin/nologin,
therefore the user won't be able to use SSH services:

[root@TEST01 ~]# ssh mysftpuser@192.168.1.100

mysftpuser@192.168.1.100's password:
This service allows sftp connections only.
Connection to 192.168.1.100 closed.

Nice! Now we have a secured SFTP server up and running.