August 19, 2022 08:39 am GMT

How to set up an SFTP server on Ubuntu (AWS EC2)

Introduction to SFTP

SFTP stands for SSH File Transfer Protocol. As its name suggests, it's a secure way to transfer files between machines over an encrypted SSH connection. Despite the name, it's a completely different protocol from FTP (File Transfer Protocol), though it's widely supported by modern FTP clients.


In some cases, you might want certain users to be allowed file transfers only, with no SSH shell access. In this tutorial, we'll configure the SSH daemon to limit SFTP access to a single directory and deny SSH shell access, on a per-user basis.

So, let's start the SFTP setup.

Step 1: Install openssh-server and ssh
If you have not done so yet, install OpenSSH on the server with the following command:

$ sudo apt install openssh-server

You also need an SSH client on the system from which you are going to access the SFTP server.

$ sudo apt install ssh

Step 2: Create the SFTP user account
First, create a new user who will be granted file transfer access only.

$ sudo adduser sftp_user

You'll be prompted to create a password for the account, followed by some information about the user. The user information is optional, so you can press ENTER to leave those fields blank.

Enter new UNIX password:
Retype new UNIX password:
.....
passwd: password updated successfully

You have now created a new user who will be granted access to the restricted directory.
In the next step, we will create the directory for file transfers and set up the necessary permissions.

Step 3: Create a directory for file transfers
In order to restrict SFTP access to one directory, we first have to make sure the directory complies with the SSH server's permission requirements, which are very particular.

Specifically, the directory itself and all directories above it in the filesystem tree must be owned by root and not writable by anyone else. Consequently, it's not possible to simply give restricted access to a user's home directory, because home directories are owned by the user, not root.

Here, we'll create and use /var/sftp/myfolder/data/ as the target upload directory. /var/sftp/myfolder will be owned by root and will not be writable by other users.
The subdirectory /var/sftp/myfolder/data/ will be owned by sftp_user (which we created earlier) so that the user will be able to upload files to it.

First, create the directories.

$ sudo mkdir -p /var/sftp/myfolder/data/

Set the owner of /var/sftp/myfolder to root.

$ sudo chown root:root /var/sftp/myfolder

Give root write permissions to the same directory, and give other users only read and execute rights.

$ sudo chmod 755 /var/sftp/myfolder

Change the ownership on the uploads directory to sftp_user.

$ sudo chown sftp_user:sftp_user /var/sftp/myfolder/data/

The directory restriction is now in place.
Our sftp_user will only ever use the data/ subdirectory of the path below and cannot leave it.
/var/sftp/myfolder/data/

Step 4: sshd_config settings
In this step, we'll modify the SSH server configuration to disallow terminal access for sftp_user while still allowing file transfer access.

Open the SSH server configuration file by using the below command.

$ sudo nano /etc/ssh/sshd_config

or, if you prefer vi:

$ sudo vi /etc/ssh/sshd_config

Scroll to the very bottom of the file and append the following configuration snippet:

/etc/ssh/sshd_config

Port <your_port_number>
Match User sftp_user
    ForceCommand internal-sftp
    PasswordAuthentication yes
    ChrootDirectory /var/sftp/myfolder
    PermitTunnel no
    AllowAgentForwarding no
    AllowTcpForwarding no
    X11Forwarding no

Then save and close the file (in vi, type :wq and press Enter).

Here's what each of those directives does:
Match User tells the SSH server to apply the following directives only to the specified user. Here, we specify sftp_user.
ForceCommand internal-sftp forces the SSH server to run the SFTP subsystem upon login, disallowing shell access.
PasswordAuthentication yes allows password authentication for this user.
ChrootDirectory /var/sftp/myfolder ensures that the user will not be allowed access to anything beyond the /var/sftp/myfolder directory.
AllowAgentForwarding no, AllowTcpForwarding no, and X11Forwarding no disable port forwarding, tunneling, and X11 forwarding for this user.

Instead of Match User [user_name], you can also match a whole group with the line below.
Match Group [sftp_group]
NOTE: You need to create the group called sftp_group first.
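As an added example (not code from the original post), the following script automates the two checks behind Steps 3 and 4: that every directory from the ChrootDirectory up to / is owned by root and not group- or world-writable, and that the Match block is generated exactly as shown above. It assumes GNU coreutils stat (as on Ubuntu); the optional OWNER_UID argument of chroot_dir_ok is an assumption added only so the check can be exercised without root.

```shell
#!/bin/sh
# Added example, not part of the original post.

# chroot_dir_ok DIR [OWNER_UID]: succeed if DIR is owned by OWNER_UID
# (default 0 = root; the parameter is a hook so the check can run unprivileged)
# and carries no write bit for group or others. Uses GNU `stat`.
chroot_dir_ok() {
    local dir=$1 want_uid=${2:-0} uid perms
    uid=$(stat -c '%u' "$dir") || return 1
    perms=$(stat -c '%A' "$dir") || return 1     # e.g. drwxr-xr-x
    if [ "$uid" != "$want_uid" ]; then
        echo "bad owner (uid $uid, want $want_uid): $dir"; return 1
    fi
    case $perms in
        # position 6 = group write bit, position 9 = other write bit
        ?????w*|????????w*)
            echo "group/other writable ($perms): $dir"; return 1 ;;
    esac
    return 0
}

# check_chroot_path DIR: walk from DIR up to / and apply chroot_dir_ok
# (owner root) to every directory; sshd refuses the chroot if any fails.
check_chroot_path() {
    local cur rc=0
    cur=$(cd "$1" 2>/dev/null && pwd -P) || { echo "missing: $1"; return 1; }
    while :; do
        chroot_dir_ok "$cur" 0 || rc=1
        if [ "$cur" = / ]; then break; fi
        cur=$(dirname "$cur")
    done
    return $rc
}

# sftp_match_block USER CHROOT: print the Match block from Step 4,
# ready to append to /etc/ssh/sshd_config.
sftp_match_block() {
    printf '%s\n' "Match User $1" \
        "    ForceCommand internal-sftp" \
        "    PasswordAuthentication yes" \
        "    ChrootDirectory $2" \
        "    PermitTunnel no" \
        "    AllowAgentForwarding no" \
        "    AllowTcpForwarding no" \
        "    X11Forwarding no"
}

# Usage on the server (as root):
#   check_chroot_path /var/sftp/myfolder && sftp_match_block sftp_user /var/sftp/myfolder
```

Run check_chroot_path before restarting sshd; a failure on any ancestor directory is the usual cause of "bad ownership or modes for chroot directory" login errors.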

Step 5: Restart the service
To apply the configuration changes, restart the SSH service.

$ sudo systemctl restart sshd

or

$ sudo /etc/init.d/ssh restart

You have now configured the SSH server to restrict access to file transfer only for sftp_user.

Step 6: Open your SFTP port in the AWS EC2 security group
If you are using an AWS EC2 instance, you also need to open the port in its security group.
Log in to your AWS account.

Go to the services and then click on the EC2 menu -> Running Instances.

Go to your instance.

Open the Security groups.

Under Inbound rules, click Edit inbound rules.

Use the following settings:
1. Type = Custom TCP
2. Protocol = TCP
3. Port range = your_port (the same port set in the sshd_config file)
4. Source = the IP address(es) you want to allow; if you do not want to restrict the source, set it to Anywhere.
5. Description (optional) = any useful information about the rule.

The last step is testing the configuration to make sure it works as intended.

Step 7: Verify the configuration
You can verify it from your terminal as well as with third-party software, such as WinSCP.

Troubleshooting
If you encounter the error below, do the following.

"no supported authentication methods available server sent: public keyAuthentication Failed"

Run the command below and check the connection again.

sudo service sshd restart

(This command may only work on Ubuntu 20.)

Conclusion
You've restricted a user to SFTP-only access to a single directory on a server, without full shell access. While this tutorial uses only one directory and one user, you can extend this example to multiple users and multiple directories as well. The SSH server allows more complex configuration schemes, including limiting access to groups or multiple users at once, or even limiting access to certain IP addresses.

I hope this article helped you set up an SFTP server on Ubuntu.
If you run into any errors, please share them with me.

If this guide has been helpful to you and your team please share it with others!


Original Link: https://dev.to/kanani_nirav/how-to-set-up-sftp-server-on-ubuntuaws-ec2-1dml
