When dealing with private information, it's good to use a secure transfer method.
SFTP is a secure method of data transfer over an SSH channel.
At 1 onlyhost, we help server owners set up restricted SFTP access on their Vultr instances as part of our Managed Cloud Services.
Today, we'll discuss how we set up SFTP access with proper security restrictions on a Vultr Cloud Compute instance.
Why do you need SFTP on a Vultr instance?
At times, you need to transfer private and critical information such as passwords, confidential documents, etc. Although there are many methods to transfer files, SFTP is the preferred one.
Traditional FTP doesn't encrypt data, which is unsafe for critical files: anyone who can capture the network packets can read the confidential data. SFTP (Secure File Transfer Protocol), on the other hand, encrypts everything you send to and receive from the remote system, so an eavesdropper on the network cannot read the transferred data. That's why it's one of the top choices for file transfers.
Linux systems provide an SFTP client by default. Windows doesn't ship one, so a separate client such as FileZilla must be installed.
How to setup SFTP on a Vultr instance?
Now that we know the importance of using SFTP for file transfer, the next point is how we set it up. Most importantly, we restrict the user accounts to managing only their own files via SFTP, and disable login to the system by any other means. Otherwise, these users would have access to the whole file system.
Now, let’s see how our Dedicated Engineers enable restricted SFTP access on a Vultr instance.
1) Create SFTP group and SFTP user
Firstly, our Support Experts create a dedicated SFTP user and assign it to a dedicated SFTP group. For instance, we use the useradd command to create a user on CentOS servers, while on Ubuntu servers we use the adduser command. Further, we create the dedicated SFTP group using the groupadd command and assign the user to this group.
groupadd sftp
useradd -g sftp -s /sbin/nologin user1
passwd user1
Here the name of the dedicated SFTP group is sftp and the dedicated SFTP user is user1. Because the login shell is set to nologin, this user isn't permitted to log in via SSH.
Once done, the user can connect to the Vultr instance via SFTP. However, an attempt to log in to the Vultr instance via SSH throws an error.
2) Modify Vultr SSH configuration
Secondly, our Support Experts modify the SSH configuration file to restrict these users to SFTP only. For example, we comment out the following line on CentOS servers.
Subsystem sftp /usr/libexec/openssh/sftp-server
Further, we add the following entries to the SSH configuration file to enable a chrooted (restricted) environment for the SFTP group.
Subsystem sftp internal-sftp
Match Group sftp
X11Forwarding no
AllowTcpForwarding no
ChrootDirectory /home
ForceCommand internal-sftp
This restricts all users in the group sftp to the /home directory. Most importantly, we restart the SSH service to bring the changes into effect. For example, we use the following command to restart the SSH service on Ubuntu servers.
service ssh restart
3) Create default directory for SFTP user
Next, we create a dedicated directory for this SFTP user and restrict the user to it. As a result, the user sees only this directory after logging in.
chown -R root /home/user1
chmod -R 755 /home/user1
mkdir /home/user1/test
chown user1. /home/user1/test
In this way, our Support Engineers ensure that user1 can upload and download files only in the directory /home/user1/test and can't manipulate any other files.
4) Firewall modifications
Finally, our Dedicated Engineers ensure that the firewall settings on the Vultr instance accept SSH connections, since SFTP runs over the SSH port. We make the necessary modifications to allow connections to that port.
If we want to create multiple SFTP users, our Support Experts combine the above steps into a single function, so creating users is as easy as calling this function.
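As an added example (not the original post's own script), the following shell helpers wrap steps 1 to 3: one emits the Match block from step 2, one checks that a chroot directory satisfies sshd's ownership and permission rules, and one provisions a user. The group name sftp, the writable subdirectory name test and the nologin path lookup are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes group "sftp" and a
# writable subdirectory named "test" inside each user's chroot.

# Emit the sshd_config block from step 2 for the given group and chroot.
# Note: the post uses "/home", which lets every sftp user list all home
# directories; "/home/%u" confines each user to their own directory instead.
sftp_match_block() {
    grp="$1"; chroot="${2:-/home}"
    printf 'Subsystem sftp internal-sftp\n'
    printf 'Match Group %s\n' "$grp"
    printf '    X11Forwarding no\n    AllowTcpForwarding no\n'
    printf '    ChrootDirectory %s\n    ForceCommand internal-sftp\n' "$chroot"
}

# sshd refuses a chroot whose directory is group- or world-writable
# (it must also be root-owned; see chroot_owner_is_root below).
dir_perms_ok() {
    dir="$1"
    [ -d "$dir" ] || return 1
    set -- $(ls -ld "$dir")          # $1 = mode string, e.g. drwxr-xr-x
    case "$1" in
        ?????w???*|????????w*) return 1 ;;   # group or other write bit set
    esac
    return 0
}

chroot_owner_is_root() {
    set -- $(ls -ld "$1")            # $3 = owner name
    [ "$3" = "root" ]
}

# Steps 1 and 3 combined: nologin shell, root-owned chroot, user-owned subdir.
create_sftp_user() {
    user="$1"; grp="${2:-sftp}"
    getent group "$grp" >/dev/null || groupadd "$grp"
    nologin=$(command -v nologin || echo /sbin/nologin)   # /usr/sbin on Ubuntu
    useradd -g "$grp" -s "$nologin" -d "/home/$user" -m "$user"
    chown root:root "/home/$user" && chmod 755 "/home/$user"
    mkdir -p "/home/$user/test"
    chown "$user:$grp" "/home/$user/test" && chmod 750 "/home/$user/test"
    dir_perms_ok "/home/$user" && chroot_owner_is_root "/home/$user"
}
```

Run create_sftp_user as root after the Match block is in place and sshd has been restarted; a failing final check means the chroot would be rejected by sshd.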
[Need help in setting up SFTP on your Vultr VPS? Click here and get one of our Support Experts to fix it for you.]
Setup SFTP on Vultr – Common errors
Setting up SFTP on a Vultr server is an easy process. However, we've seen instances where users report problems with the SFTP setup. Let's discuss some of the common errors and how our Support Engineers fix them.
1) Firewall restrictions
One of the common problems raised by customers is that they receive connection timeout errors when using SFTP. This can be due to firewall restrictions on the server or on the customer's side.
We've seen instances where some public networks block the SSH port that SFTP uses. Similarly, the server firewall can block access from certain IP addresses or IP ranges. In all these cases, customers receive an SFTP connection error.
In such cases, our Support Engineers check the firewall rules and remove the offending rules from the firewall configuration. Further, we update the firewall configuration to allow connections to the SFTP port. Similarly, if we find that connections are not reaching the server at all, we suggest customers check with their ISP.
2) Improper access rights
Similarly, incorrect user access rights can also create problems with SFTP access. One such error is given below.
Error: File transfer failed
Here, our Support Engineers found that the files in the user's home directory had incorrect permissions. We assigned the correct permissions to the user and its directory to fix the issue.
[Need a server expert to resolve this error? Our Server Administrators can help you here.]
Conclusion
In short, setting up SFTP on a Vultr instance involves a series of steps. Today, we've discussed how our Dedicated Engineers enable restricted SFTP access on a Vultr instance and fix the common errors with it.