FTP is very helpful for businesses as it allows them to perform important functions such as the transfer of large and bulky files on a routine basis. These activities cannot be done over email or through other basic file-sharing programs. It is also used to upload and manage website files to the server.

The FTP is still a very popular way for transferring files but due to the security regions, many peoples prefer SFTP. Use this article to create SFTP only users without shell access.

In this write-up, we will be focusing on how to set up an FTP server with VSFTPD on Ubuntu 20.04.

Installing vsftpd on Ubuntu

VSFTPD is the default FTP server for most Linux distributions. We will start off by installing it on our system. Use the command given below to install VSFTPD.:

sudo apt update 
sudo apt install vsftpd 

Now verify the successful installation of VSFTPD by executing the following command:

sudo systemctl status vsftpd 

How to Configure vsftpd on Ubuntu

Now we will configure the newly installed vsftpd. The configuration rules of vsftpd are stored in /etc/vsftpd.conf. Open the configuration file in any text editor. Here we will use nano to open the configuration file:

sudo nano /etc/vsftpd.conf 

Update the following configuration settings:

1. FTP access

   To only allow local users to access FTP server, make sure your configuration file matches the one given below:

   anonymous_enable=NO
   local_enable=YES
   

2. FTP Passive connections

   VSFTPD works on the active mode by default. To allow VSFTPD to work on passive mode copy the below-given lines into your configuration file:

   pasv_min_port=40000
   pasv_max_port=45000
   

   You can give any range of ports to the configuration file. The system will connect a random port from the range you’ve chosen.

   The connection is established by the server in active mode whereas in the passive mode the connection is established by the client’s side.

3. Enable Uploads

   To allow the FTP user to modify the filesystem, search for the following line in the configuration file and uncomment it by removing the ‘#’ (hash) symbol from the beginning of the line:

   write_enable=YES
   

4. Restrict FTP access

   To allow only certain users to access VSFTPD, copy the below given lines at the end of the configuration file:

   userlist_enable=YES
   userlist_file=/etc/vsftpd.user_list
   userlist_deny=NO
   

These configuration settings are very basic. You can set the configuration rules according to your own needs.

Press Ctrl + X and then hit Enter to save and exit the text file. Now run the following command to restart the VSFTPD service:

sudo systemctl restart vsftpd 

How to Configure the Firewall For FTP on Ubuntu

Now we will configure the firewall to allow FTP traffic. We will open ports 20 and 21, the default/recommended ports for FTP, and ports 40000:45000 for passive FTP. But first, let’s allow SSH by using the command given below otherwise we may get locked out of our server:

sudo ufw allow OpenSSH 

If you get an error “ERROR: Could not find a profile matching ‘OpenSSH’” then you first need to install OpenSSH before running the above command. Use the following command to install OpenSSH on your system:

sudo apt install ssh

Once everything is set up, open the default ports 20 and 21 for FTP:

sudo ufw allow 20:21/tcp

Open the ports 40000:45000 for passive FTP as well:

sudo ufw allow 40000:45000/tcp

Now run the firewall by using the following command. Ignore, if it gives a warning about the disruption of SSH connection. Press y and hit Enter:

sudo ufw enable

The firewall is already active and enabled on my system.

You may run the following command to verify the firewall rules that were just added:

sudo ufw status

How to Create a user for FTP on Ubuntu

Use the “adduser” command to create a new user. We will use this user to login into FTP.

sudo adduser test_user 

The terminal will ask you to set the password of the new user. It will also ask for a few other details. Just press Enter if you do not want to provide these details.

You can restrict this user’s SSH access if you only want them to log in through FTP. Use the nano editor to open the SSH configuration files:

sudo nano /etc/ssh/sshd_config 

Now copy the following line and paste it into the configuration file to restrict the users access:

DenyUsers test_user

(Do remember to replace “test_user” with the actual name of your user)

Save and exit the configuration file and reboot the SSH service using the below-given command to let the changes take effect:

sudo systemctl restart ssh

Now add the user to the list of FTP users by running the following command:

echo "test_user" | sudo tee -a /etc/vsftpd.user_list

Next make a new directory for the user to use for uploading the files:

sudo mkdir -p /home/test_user/ftp/test_dir 

Now give permissions to the new user according to your requirements. Here we are giving the following permission to the test_user:

sudo chmod 550 /home/test_user/ftp 
sudo chmod 750 /home/test_user/ftp/test_dir 
sudo chown -R test_user: /home/test_user/ftp 

Here 550 gives the “read” and “execute” permission in the following way:

While 750 gives the “write” permission as well to the owner in the following way:

That’s it. Your FTP server has been fully set up.

Conclusion

FTP is used to transfer files between computers on a network. It is a protocol that dictates (instructs) how data is transferred between computers on the network. People still use FTB but it is not as secure as SCP or SFTP.

In this write-up, we focused on how to install, set up, and configure VSFTPD. Moreover, we comprehended how to configure firewalls and create a new user for FTP.

You may also like another tutorial, how to download and upload files using ftp command line.

The post How To Setup FTP Server with VSFTPD on Ubuntu 20.04 appeared first on TecAdmin.

Files are transferred through a single control channel in SFTP. It requires authentication and runs on port 22. In SFTP, the SSH shell provides encryption that helps protect usernames, passwords, and other personal data transferred through SFTP.

In this how-to guide, we will learn to create SFTP users for web server document root.

Step 1 – Installing SSH (Secure Shell)

SFTP is a very secure file transfer protocol because of the encryption that SSH provides for the data as it is transferred over the network. SSH is mainly installed on Linux distributions by default, but if it is not pre-installed in your system, then you can use the below-given command to install it:

sudo apt install ssh 

If already installed, the command will upgrade OpenSSH packages.

Step 2 – Configuring SSH to use the SFTP Server Code

Now open the configuration file of SSH in a text editor to modify it for SFTP server code. Here we will use the nano editor to edit the configuration file.

sudo nano /etc/ssh/sshd_config 

Locate the line starting from “Subsystem sftp”.

Comment the line by adding # at the start of the line and write the following line after this line as shown in the screenshot given below:

Subsystem sftp internal-sftp

The SSHD will use the SFTP server code instead of running the SFTP server by changing the above line.

Once you have changed the configuration file, save the file and exit from it using the keyboard shortcut keys CTRL+S and CTRL+X.

After changes, we need to restart the SSHD daemon to let the changes work.

sudo systemctl restart sshd 

Step 3 – Creating a User(SFTP User)

It is an excellent practice to create a new user that only has SFTP access to the document root. It is not recommended to add a user with Sudo privileges to the webserver document root. Create a new user using the adduser command:

sudo adduser sftpuser 

The terminal will ask for a couple of things like setting the password, and user information. It will also ask for a few other details, so either leave them empty or provide the proper information.

A new user with the name of sftpuser is successfully created.

Step 4 – Creating Match User Directive in the SSH configuration file

Now we will restrict this user to the document root and we will also disable the user’s access to SSH so that the user will log in through SFTP.

To restrict the user’s access, open up the configuration file of SSH in any text editor:

sudo nano /etc/ssh/sshd_config 

Now go to the end of the file and add the following content in the “sshd_config” configuration file:

Match User sftpuser
        ForceCommand internal-sftp 
        ChrootDirectory /var/www/
        PasswordAuthentication yes
        X11Forwarding no 
        AllowTcpForwarding no 

Make sure to replace the “sftpuser” username with the username you set.

Once the above content is added to the SSH configuration file, save and exit using CTRL+S and CTRL+X shortcut keys.

To check the syntax and verify if everything went well, you can execute the command:

sudo sshd -t 

If no error occurred, we could reload the SSH service for the changes to work.

sudo systemctl restart sshd 

Step 5 – Adding SFTP User to www-data Group

Now we will add the user to the www-data group by executing the following command:

sudo usermod -a -G www-data sftpuser 

On a successful run, no output will be displayed.

Step 6 – Setting Document Root Directory Permission

Please follow the subsequent instructions very carefully as SFTP is very strict regarding chroot directory permissions.

1. We will start by checking the current permissions and ownership of var:

   sudo ls -ld /var/ 
   

2. The permissions should be 755 and the owner should be root by default. If not, then execute the command given below to set the proper permissions:

   sudo chmod 755 /var/ 
   

3. Now use this command to set the correct ownership:

   sudo chown root:root /var/ 
   

Similarly, apply the same permissions to the chroot:

sudo chmod 755 /var/www/ 

4. Since we have set “/var/www/” to the chroot directory. Now set the right ownership of the chroot directory:

   sudo chown root:root /var/www/ 
   

5. To allow a group to write to the document root directory, set its permission to 755:

   sudo chmod 755 /var/www/html/ 
   

6. To grant the ownership of the “/var/www/html” document root and its further directories and files to the www-data group, use the below-given command:

   sudo chown -R www-data:www-data /var/www/html* 
   

7. Now give 755 permissions to the content placed in the “/var/www/html” document root using the command:

   sudo find /var/www/html/ -type d -exec chmod 775 {} \; 
   

8. The above command will grant the SFTP user read, write, and executable permissions of the directories.

   We also need to give 664 permissions to all the files that are present in the document root to allow the owner and the SFTP users’ group to read and write the files:

   sudo find /var/www/html/ -type f -exec chmod 664 {} \; 
   

9. Now for the last step, make certain that all the new files and directories acquire the www-data group that are created the newly created SFTP user:

   sudo find /var/www/html -type d -exec chmod g+s {} \; 
   

Congratulations! your new SFTP user has been created and added to the webserver document root. You can now log in to SFTP.

Conclusion

In this how-to guide, we have learned how to install and configure SSH for using the SFTP server code. After that, we created a new user, restricted them to document root, and disabled their SSH access. Then we added the user to the webserver document root to allow the user to read, write and execute files in the document root.

The post How To Create SFTP User for a Web Server Document Root appeared first on TecAdmin.

This blog post describes you create SFTP-only users without shell access on Ubuntu and Debian systems.

Step 1- Creating a New User

First of all, create a user account in your system to use as an SFTP user. The following command will create a new account named sftpuser with no shell access. You can change the username of your choice

sudo adduser --shell /bin/false sftpuser 

The command will prompt for the password to be set for a new account.

Step 2 – Create Directory for SFTP

Now, create the directory structure to be accessible by the SFTP user.

sudo mkdir -p /var/sftp/files 

Here we will allow users to access the “files” directory only.

Now, change the ownership of the files directory to the sftpuser. So that SFTP users can read and write on this directory only. No files outside of this directory will be accessible.

sudo chown sftpuser:sftpuser /var/sftp/files 

And set the owner and group owner of the /var/sftp to root. The root user has read/write access on this access. Group members and other accounts have only read and execute permissions.

sudo chown root:root /var/sftp 
sudo chmod 755 /var/sftp 

It will restrict SFTP users from writing files under /var/sftp directory.

Step 3 – Configure sshd for SFTP Only

/etc/ssh/sshd_config is the main configuration file of the OpenSSH server. Be careful with changing this configuration file, because any mistake can lead to connection loss.

Edit the SSH configuration file in a text editor:

sudo vim /etc/ssh/sshd_config 

then add the following settings at end of the file.

Match User sftpuser
	ForceCommand internal-sftp
	PasswordAuthentication yes
	ChrootDirectory /var/sftp
	PermitTunnel no
	AllowAgentForwarding no
	AllowTcpForwarding no
	X11Forwarding no

Save the file and close.

The directives are:

• Match User Defines the username, on which the SFTP only configurations applied. In our case it is: sftpuser
• ForceCommand internal-sftp enforce the SFTP only access to user and restrict for the shell access.
• PasswordAuthentication yes allows password authentication for the user.
• ChrootDirectory /var/sftp Restrict user to access directories under this directory only. Here /var/sftp is act as the root directory of the user.
• AllowAgentForwarding no Specifies whether ssh-agent forwarding is permitted. The default is yes.
• AllowTcpForwarding no Specifies whether TCP forwarding is permitted. The default is yes.
• X11Forwarding no Specified where the graphical application is permitted for not

Restart SSH service to apply new settings:

sudo systemctl restart ssh 

That’s it. You have successfully completed the instructions to create an SFTP-only user on Debian-based systems.

Step 4 – Security Tips (Options)

Here are some basic but important security tips for SFTP accounts in a production environment.

1. Run SSH server on a non-standard port
2. Disallow the password authentication and configure key-based authentication
3. Make sure the firewall is restricted to specific IP addresses only
4. And keep the OpenSSH package up to date

Conclusion

This tutorial describes you create SFTP-only users in the Ubuntu system. It will disabled shell access for the same users to restrict to a specified directory only.

The post How to Create SFTP Only User in Ubuntu & Debian appeared first on TecAdmin.

This tutorial will help you to create SFTP only user (without ssh shell access) on Ubuntu systems. And restrict (chroot) the SFT user account to specific directory only. Also disable the shell access to user.

Prerequisites

• A running Ubuntu 20.04 LTS system
• You must have sudo privileged account with shell access

Step 1 – Create User

First of all, create a user account in your system to use as sftp user. The following command will create a new account named sftpuser with no shell access. You can change the username of your choice

sudo adduser --shell /bin/false sftpuser 

Step 2 – Create Directory for SFTP

Now, create the directory structure to be accessible by the sftp user.

sudo mkdir -p /var/sftp/files 

Here we will allow user to access “files” directory only.

Now, change the ownership of the files directory to the sftpuser. So that sftpuser can read and write on this directory only.

sudo chown sftpuser:sftpuser /var/sftp/files 

And set the owner and group owner of the /var/sftp to root. The root user has read/write access on this access. Group member and other account have only read and execute permissions.

sudo chown root:root /var/sftp 
sudo chmod 755 /var/sftp 

Step 3 – Configure sshd for SFTP Only

Now edit the SSH configuration file in a text editor

sudo vim /etc/ssh/sshd_config 

and add the following settings at end of file.

Match User sftpuser
	ForceCommand internal-sftp
	PasswordAuthentication yes
	ChrootDirectory /var/sftp
	PermitTunnel no
	AllowAgentForwarding no
	AllowTcpForwarding no
	X11Forwarding no

Save the configuration and restart SSH service to apply changes.

sudo systemctl restart ssh 

All done, SFTP only use is successfully created on your Ubuntu system. Now try logging into the remote system with the new user’s credentials, and check if everything is working correctly.

Step 4 – Connect to SFTP User

Once can connect to remote SFTP server using command line or graphical applications like Filezilla or WinSCP. In this tutorial, I will show you both ways to connect sftp only account on Ubuntu system.

Linux users can use sftp command line utility to connect to remote sftp instance.

sftp sftpuser@sftp.tecadmin.net 

sftpuser@sftp.tecadmin.net's password:
sftp>

GUI interface or Windows users can use graphical sftp clients. For example, use filezilla client to connect remote sftp only account on remote system.

Verify no shell access:

As this account is configured for SFTP only connection. So if any user tried to connect via SSH will be disconnected immediately after successful authentication. User will get below message:

ssh sftpuser@sftp.tecadmin.net 

sftpuser@sftp.tecadmin.net's password:
This service allows sftp connections only.
Connection to sftp.tecadmin.net closed.

Conclusion

This tutorial describes you to create a sftp only user account on Ubuntu system. Disabled shell access for the same account to restrict user to sftp access only.

The post How to Create SFTP Only User in Ubuntu 20.04 appeared first on TecAdmin.

Step 1 – Create Account

First of all, create a user account for the sftp access. For this tutorial, we are creating a user named sftpuser with no shell access. Also, set a strong password for the user.

sudo adduser --shell /bin/false sftpuser
sudo passwd sftpuser

Changing password for user sftpuser.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.

Step 2 – Create Directory

Now, create the directory structure to be accessible by sftp user. we will restrict the new user to this directory only. So the user can’t access files to other directories.

sudo mkdir -p /var/sftp/files

Change the ownership of the directory to newly created sftp users. So that sftpuser can read and write on this directory.

sudo chown sftpuser:sftpuser /var/sftp/files

You must set the owner and group owner of the /var/sftp to root. The root user has read/write access on this access. Group members and other accounts have only read and execute permissions.

sudo chown root:root /var/sftp
sudo chmod 755 /var/sftp

Step 3 – Configure SSH for SFTP

As we know the SFTP runs over the SSH protocol, So we need to configure this in the configuration file. Edit the SSH configuration file in a text editor.

sudo vim /etc/ssh/sshd_config

And add the following settings at end of the file.

Match User sftpuser
	ForceCommand internal-sftp
	PasswordAuthentication yes
	ChrootDirectory /var/sftp
	PermitTunnel no
	AllowAgentForwarding no
	AllowTcpForwarding no
	X11Forwarding no

Save the configuration and restart SSH service to apply changes.

sudo systemctl restart sshd.service

All done, Your system is ready to accept sftp only connection for the created account. Let’s test the sftp connection and also make sure that the user is not authorized to SSH.

Step 4 – Test SFTP Connection

I am using FileZilla for the connection to the SFTP instance from my Windows systems. Linux desktop users can also use Filezilla for connection.

For the Linux server, users can use sftp command-line utility to connect to remote sftp instance.

sftp sftpuser@sftp.tecadmin.net

Connecting to sftp.tecadmin.net...
sftpuser@sftp.tecadmin.net's password:
sftp>

Connect with FileZilla:

This account is configured for SFTP only connection. So if any user tried to connect via SSH will be disconnected immediately after successful authentication. User will get below message:

ssh sftpuser@sftp.tecadmin.net

sftpuser@sftp.tecadmin.net's password:
This service allows sftp connections only.
Connection to sftp.tecadmin.net closed.

The above message (This service allows sftp connections only.) shows that the user has sftp access only. Users can’t connect server over SSH.

The post How to Create SFTP User without Shell Access on CentOS/RHEL 8 appeared first on TecAdmin.

You can also use this or this tutorial to configure sftp only user on your Linux system without SSH access.

In this tutorial you will learn:

1. Connect to remote sftp server
2. Navigation in file system
3. Upload files to SFTP server
4. Download files from SFTP server
5. Close SFTP connection

Connect to Remote SFTP Server

Use sftp command-line utility to connect remote sftp system. You need the sftp user and hostname or IP address of the remote host.

sftp sftpuser@sftp.tecadmin.net 

Enter sftpuser account password to connect:

sftpuser@sftp.tecadmin.net's password:
sftp>

Navigate and View Files

Navigation in directories on SFTP is as simple as the local system. Use ‘pwd’ command to check the current working directory.

 pwd 

Remote working directory: /

Then use the ‘ls’ command to list all files and directories in the current directory.

 ls 

To navigate to other directories use ‘cd’ command followed by destination directory.

 cd uploads 

Use ‘cd ..’ to navigate to the parent directory.

 cd .. 

Upload files to SFTP

Now, I need to upload some files under uploads directory. Use the ‘put’ command to upload README.md from the local system to the remote sftp directory.

put README.md 

You can also provide the absolute path of the local file and remote directory without navigating directories.

put /var/www/README.md /uploads/20191115/ 

Download Files from SFTP

To download files from the remote sftp directory use the ‘get’ command. For example to download REMOTE_FILE.md from the remote system to the current local directory.

get REMOTE_FILE.md

Similarly, you can provide an absolute path to download files.

get /uploads/REMOTE_FILE.md /var/www/

Quit the SFTP Connection

Simply say bye to your remote SFTP server. This will disconnect the SFTP connection and return to your local shell.

bye 

Alternatively, you can also use quit or exit commands to close the SFTP session.

Conclusion

In this tutorial, you have learned to how to download and upload files using sftp command line.

The post How to Download and Upload files with SFTP Command appeared first on TecAdmin.

Step 1 – Create Account

First of all, create a user account to use for sftp access. Below command will create user named sftpuser with no shell access.

sudo adduser --shell /bin/false sftpuser
sudo passwd sftpuser

Step 2 – Create Directory

Now, create the directory structure to be accessible by sftp user.

sudo mkdir -p /var/sftp/files

Change the ownership of the files directory to sftp user. So that the sftpuser can read and write on this directory.

sudo chown sftpuser:sftpuser /var/sftp/files

And set the owner and group owner of the /var/sftp to root. The root user has read/write access on this access. Group members and other accounts have only read and execute permissions.

sudo chown root:root /var/sftp
sudo chmod 755 /var/sftp

Step 3 – Configure SSH for SFTP

Now edit the SSH configuration file in a text editor

sudo vim /etc/ssh/sshd_config

and add the following settings at end of file.

Match User sftpuser
	ForceCommand internal-sftp
	PasswordAuthentication yes
	ChrootDirectory /var/sftp
	PermitTunnel no
	AllowAgentForwarding no
	AllowTcpForwarding no
	X11Forwarding no

Save the configuration and restart SSH service to apply changes.

sudo systemctl restart sshd.service

Step 4 – Test SFTP Connection

I am using FileZilla for the connection to the SFTP instance from my Windows systems. Linux desktop users can also use Filezilla for connection.

For the Linux server, users can use sftp command-line utility to connect to remote sftp instance.

sftp sftpuser@sftp.tecadmin.net

Connecting to sftp.tecadmin.net...
sftpuser@sftp.tecadmin.net's password:
sftp>

Connect with FileZilla:

As this account is configured for SFTP only connection. So if any user tried to connect via SSH will be disconnected immediately after successful authentication. User will get below message:

ssh sftpuser@sftp.tecadmin.net

sftpuser@sftp.tecadmin.net's password:
This service allows sftp connections only.
Connection to sftp.tecadmin.net closed.

The post How to Create SFTP User without Shell Access on CentOS/RHEL 7 appeared first on TecAdmin.