How to Setup SFTP Chroot Jail on Linux

How to Setup SFTP Chroot Jail on Linux with Google Cloud Platform. Ever wonder how to lock down a user to their own home directory on your Ubuntu or CentOS servers.

By default a SFTP user can access all the folders in your server including other user’s directory also. No one wants the users to navigate around the server and view other users files.

In this tutorial you are going to learn how to setup SFTP Jail environment and lock down a user to their home directory. We will also restrict the access to SSH and allow SFTP only. This guide works on all Linux based distributions.

Prerequisites

A running Compute Engine, see the Setting up Compute Engine Instance with Ubuntu 18.04
Initial Ubuntu Server Set up.

Step 1: Create a new Chroot Group

Create a new group to add all the users to this chrooted group.

sudo groupadd jailgroup

Step 2: Add Users to the Chroot Group

Now create a user and add the user to the jailgroup group.

sudo useradd -g jailgroup -s /bin/false -m -d /home/username username

-g jailgroup will add the user to the restricted group we created above.
-s /bin/false will restrict he SSH access for the user.
-d /home/username will create a directory for the user in the /home

if you want to add the user who exists already you can just add the user to the group and restrict shell access.

sudo usermod -g jailgroup -s /bin/false username

Step 3: Setup password for the user

By default Google Cloud does not allows password based authentication. If you have allowed password auth to yes you can setup password for the user or you can setup SFTP to access your instance or server.

To setup password you can follow this.

sudo passwd username

Step 4: Setup Correct Permissions

Important: The users home directory must be owned by the root user and must have the 755 permission to prevent the users to create additional directories in their own home directory.

sudo chown root: /home/username
sudo chmod 755 /home/username

Now you can create new directories inside the users home directory and setup full access to the respective users.

sudo mkdir /home/username/{public,logs}
sudo chmod 755 /home/username/{public,logs}
sudo chown username:jailgroup /home/username/{public,logs}

By default Apache or Nginx runs with the user www-data, as these directories are owned by the respective user you need to configure PHP-FPM pools to run as the user owning the files.

Step 5: Configure SSH

Open the SSH configuration file /etc/ssh/sshd_config

sudo nano /etc/ssh/sshd_config

Go to the bottom of the file by pressing ALT + / to find the line starting with Subsystem sftp /usr/lib/openssh/sftp-server

Replace it with the following.

Subsystem sftp internal-sftp

Finally to the bottom add these.

Match Group jailgroup
  ChrootDirectory %h
  ForceCommand internal-sftp
  AllowTcpForwarding no
  X11Forwarding no

Hit CTRL + X followed by Y and Enter to save and exit the file.

Now restart the SSH service to apply the changes.

sudo systemctl restart ssh

For CentOS or Fedora you can use the following command to restart the SSH service.

sudo systemctl restart sshd

Step 6: Test the Setup

If you dont have password based authentication enabled you can setup SFTP to access your instance or server and test your configuration using FileZilla or WinSCP or CyberDuck.

You you have your passwords setup you can use these commands to check.

Open a SFTP connection to your server with the sftp command.

sftp username@IP_ADDRESS

Enter the password you have setup before when prompted.

Now you will be logged in to the server and can see the sftp> prompt.

Run the pwd command, if the configuration is working fine you will get the output as /.

Output
sftp> pwd
Remote working directory: /

Run the ls command to list all files and directories. You can see the directories we have created before.

Output
sftp> ls
public  logs

Prepare yourself for a role working as an Information Technology Professional with Linux operating system

Conclusion

Now you have learned how to setup a chroot environment and restrict access to the user to their own home directory.

If you have any questions or feedback, please feel free to leave a comment below.

Write A Comment Cancel Reply

Recent Articles
- Top 5 Data Science Courses in 2023 for Better Job Opportunities
  March 1, 2023
  
  Looking for the best data science courses in 2023 that can help you secure better job opportunities? Check out this list of top-rated courses with ratings, reviews, and duration.
- Building an Effective ML Deployment Stack with Docker on Ubuntu 22.04
  February 28, 2023
  
  In this comprehensive guide, we’ll walk you through the process of building a powerful ML deployment stack on Ubuntu 22.04, complete with step-by-step instructions and commands.
- 10 Ways How ChatGPT Can Help Data Scientists Enhance Their Work
  February 27, 2023
  
  Discover how ChatGPT, the powerful language model, can assist data scientists in various aspects of their work. Read on to learn about 10 ways ChatGPT can help data scientists achieve better results.
- Build a Successful Career in Data Science: Essential Skills and Tips
  February 25, 2023
  
  Want to build a career in data science? This comprehensive guide will provide you with essential skills, tips, and resources to help you succeed in this rapidly growing field.

How to Setup SFTP Chroot Jail on Linux – Google Cloud

Prerequisites

Step 1: Create a new Chroot Group

Step 2: Add Users to the Chroot Group

Step 3: Setup password for the user

Step 4: Setup Correct Permissions

Step 5: Configure SSH

Step 6: Test the Setup

Conclusion

Install Mattermost on Ubuntu 18.04 with Nginx – Google Cloud

How to Install PHP-FPM with Apache on Ubuntu 18.04 – Google Cloud

Related Posts

Best Performance WordPress with Google Cloud CDN and Load Balancing

How to Install cPanel & WHM on Ubuntu 20.04

How to Install WordPress on Google Cloud Run with SSL

Write A Comment Cancel Reply