OpenSSH includes an SFTP server which is enabled by default. This is a secure approach that uses a single port and normal Linux user accounts and passwords for authentication. It also supports date/time stamp synchronization, since you are actually copying files over an SSH connection, unlike FTP.
While a great solution, it may not be ideal for public access, a large user base, or anonymous access. Suffice it to say that there are a significant number of security considerations to take into account when implementing such a solution. For example, do you need a log of file transfers?
Installing OpenSSH on Ubuntu
If you didn't select it when you first installed your Ubuntu server, it's not too late. Simply enter the following command at a shell prompt:
sudo apt-get install openssh-server
Once installed, you can test it by entering the following command:
Whether you are using ssh or sftp, you may be prompted to accept an authentication key the first time you connect. This is normal. Just accept.
When done, just type exit.
Managing the OpenSSH Service
| Action | Command |
|---|---|
| Start SSH Server | sudo start ssh |
| Stop SSH Server | sudo stop ssh |
| Status of OpenSSH server | sudo status ssh |
Limiting OpenSSH to SFTP Server Access
You can prevent users from having shell access and running commands by setting their home directory to /dev/null and setting their shell to /usr/bin/false. See "Chrooted SFTP access with OpenSSH and limiting access to only the required areas of the server" for details. Also see "SFTP only chroot with nullfs or bind mounts".
Obscuring Your OpenSSH/SFTP Server
While it doesn't make the server any safer, changing the default port 22 makes a well-known open port a little harder to find. It's like the difference between having a big neon sign pointing to the opening and having the opening blend into the background. It's still there, but most won't see it unless they are looking for it.
Setting up User Accounts
It is recommended to create individual user accounts for the following reasons:
- Configurability: You can limit individual user access to the areas that they need.
- Trackability: When something goes wrong, you have a better chance of figuring out where and why it happened if you have a specific user account rather than a communal account.
- Manageability: When someone leaves the organization or you no longer have dealings with a business partner, you can simply delete their account.
System Wide Login Script
You can just drop a custom script (ending in .sh) in the /etc/profile.d directory and it will be called automatically when users connect over ssh or sftp.
Configuring the User Home Directory
In the root of the user's home directory, creating symlinks to parts of the server outside the home directory won't work, because symlinks are resolved relative to the root directory, which in this case is the user's chrooted home directory (Pure-FTPd virtualizes this for you). Instead, you must use mount with --bind.
You first need to create a directory and then mount a directory from somewhere else on the server onto it. For example:
sudo mkdir /home/sftpuser/www
sudo mount --bind /var/www /home/sftpuser/www
This won't work if the /home/sftpuser/www directory existed previously.
Made a mistake? You can undo the bind mount using the following command:
sudo umount /home/sftpuser/www
Typical users don't have the root access required to execute these commands, and the mounts are lost as soon as you reboot the server. However, you can make these mounts permanent by adding them to the /etc/fstab file. Open it with the following command:
sudo nano /etc/fstab
Add the following line to the end of the file and save:
/var/www /home/sftpuser/www none bind
The next time you reboot your server, the directories will automatically be mounted.
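The bind-mount procedure above, as an added example that is not from the original page: a small POSIX sh script that builds the /etc/fstab entry, appends it only if the target is not already listed (so repeated runs do not duplicate the line), and mounts it immediately. The paths and the user name sftpuser are the page's; the FSTAB variable and the function names are assumptions for this example.

```shell
#!/bin/sh
# Added example: persist an SFTP bind mount in /etc/fstab idempotently.
# FSTAB defaults to the real file but can be pointed at a scratch copy
# for a dry run (the functions below read it at call time).
FSTAB="${FSTAB:-/etc/fstab}"

# Build the fstab entry for a bind mount: source, target, fstype "none",
# option "bind", plus explicit dump=0 and fsck pass=0 fields.
bind_fstab_line() {
    printf '%s %s none bind 0 0\n' "$1" "$2"
}

# Return 0 if a non-comment line in $FSTAB already has target $1
# (the second field), 1 otherwise or if the file is unreadable.
fstab_has_target() {
    [ -r "$FSTAB" ] && awk -v t="$1" \
        '$1 !~ /^#/ && $2 == t { found = 1 } END { exit !found }' "$FSTAB"
}

# Append the entry unless the target is already listed; print what happened.
add_bind_mount_entry() {
    src="$1"; dst="$2"
    if fstab_has_target "$dst"; then
        echo "exists"
        return 0
    fi
    bind_fstab_line "$src" "$dst" >> "$FSTAB" || return 1
    echo "added"
}

# Create the target directory if missing and bind-mount now (needs root)
# so the share is usable before the next reboot. Refuses to stack a second
# mount on a target that is already a mount point.
mount_bind_now() {
    src="$1"; dst="$2"
    [ -d "$src" ] || { echo "source $src does not exist" >&2; return 1; }
    mkdir -p "$dst" || return 1
    if mountpoint -q "$dst"; then
        echo "$dst is already a mount point" >&2
        return 1
    fi
    mount --bind "$src" "$dst"
}

# Usage (as root): add_bind_mount_entry /var/www /home/sftpuser/www
#                  mount_bind_now /var/www /home/sftpuser/www
```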