
Setup SFTP and Prevent SSH on Ubuntu 20.04


SFTP (Secure File Transfer Protocol) is a secure way to transfer files to servers over encrypted SSH connections. All servers with SSH will have SFTP enabled by default.

In this guide you are going to learn how to limit SFTP access to a directory for a particular user and prevent SSH access.

This setup was tested on a virtual machine running Ubuntu 20.04, so this tutorial should work on any server running Ubuntu.

Prerequisites

SSH access to server with sudo privileges.

Step 1: Create New user

Create a new user who has SFTP access to perform certain actions on a particular directory.

sudo adduser username

You will be prompted to set up a password and other optional details, which you can fill in or skip.

If you wish to use SSH key-based login, check how to set up SSH access on your Ubuntu.

Step 2: Setup SFTP access

To set up SFTP access you need to configure the correct directory permissions. The parent directory of the new directory you are about to create must be owned by root and not by any other user.

For example, if you are going to create a directory named /sftp/folder, the sftp directory should be owned by root and the folder directory should be owned by the particular user who is accessing it.

Create directories.

sudo mkdir -p /sftp/folder

Configure correct permissions.

sudo chmod 755 /sftp
sudo chown root:root /sftp
sudo chmod -R 755 /sftp/folder
sudo chown username:username /sftp/folder
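
The ownership rule above is enforced by sshd itself: every component of the ChrootDirectory path must be a root-owned directory that is not writable by group or others, otherwise the login is refused. The script below is an added example, not part of the original guide; it assumes GNU stat (as shipped with Ubuntu), and the function names check_component and check_chroot_path are hypothetical.

```sh
#!/bin/sh
# Added example: pre-flight check for an sshd ChrootDirectory path.
# Assumes GNU stat; function names are hypothetical.

# check_component DIR [OWNER_UID]
# Succeeds only if DIR is a real directory (not a symlink), owned by
# OWNER_UID (default 0, root) and not writable by group or others.
check_component() {
    dir=$1
    want_uid=${2:-0}
    if [ ! -d "$dir" ] || [ -L "$dir" ]; then
        echo "FAIL $dir: not a directory"; return 1
    fi
    meta=$(stat -c '%u %a' -- "$dir") || return 1
    uid=${meta% *}      # numeric owner
    mode=${meta#* }     # octal mode, e.g. 755 or 1777
    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL $dir: owner uid $uid, expected $want_uid"; return 1
    fi
    # 022 masks the group-write and other-write bits.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "FAIL $dir: mode $mode is group/other writable"; return 1
    fi
    echo "ok   $dir (uid $uid, mode $mode)"
}

# check_chroot_path DIR [OWNER_UID] [TOP]
# Checks DIR and every parent directory up to and including TOP (default /).
# Returns non-zero if any component fails.
check_chroot_path() {
    path=$1
    top=${3:-/}
    rc=0
    while :; do
        check_component "$path" "${2:-0}" || rc=1
        if [ "$path" = "$top" ] || [ "$path" = "/" ]; then break; fi
        path=$(dirname "$path")
    done
    return $rc
}

# When run as a script with an argument, check that path.
if [ $# -gt 0 ]; then
    check_chroot_path "$@"
fi
```

Saved under a name of your choice, it is run with /sftp as its argument. /sftp/folder is intentionally not checked, because it sits inside the chroot and is owned by the SFTP user.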

Step 3: Prevent SSH access and Restrict SFTP Access

Now we can modify SSH configuration to prevent SSH access for the user and restrict the user to access only the particular directory.

Edit your SSH configuration file.

sudo nano /etc/ssh/sshd_config

Add the following to the end of the file.

Match User username
  ForceCommand internal-sftp
  PasswordAuthentication yes
  ChrootDirectory /sftp
  PermitTunnel no
  AllowAgentForwarding no
  AllowTcpForwarding no
  X11Forwarding no

  • Match User tells the SSH server to apply the following directives only to the specified user.
  • ForceCommand internal-sftp forces the SSH server to run the SFTP server upon login and prevents shell access.
  • PasswordAuthentication yes allows password authentication for this user. If you use SSH key-based login, you can prevent password-based authentication by setting the value to no.
  • ChrootDirectory /sftp ensures that the user will not be allowed access to anything beyond the /sftp directory.
  • PermitTunnel no, AllowAgentForwarding no, AllowTcpForwarding no, and X11Forwarding no disable tunneling, agent forwarding, TCP port forwarding, and X11 forwarding, respectively.

Hit CTRL + X followed by Y and then ENTER to save and exit the file.

The configuration is now in place: it allows only SFTP access and prevents SSH login for the user.

Restart SSH service for the changes to take effect.

sudo systemctl restart sshd

For more details on configuring access for multiple usernames, you can follow this Chroot setup guide.

Step 4: Verify SFTP setup

Try logging in to the server with the ssh command using your SFTP user's details. You will be denied SSH access.

ssh username@server_ip

You will receive an output similar to the one below.

Output
This service allows sftp connections only.
Connection to server_ip closed.

Now verify using the sftp command.

sftp username@server_ip

Now you should be logged in to the server and have access to the directory you have configured earlier.

Output
Connected to server_ip
sftp>

Use the ls command to list the directories. You will see the directory named folder that you created and configured permissions for.

sftp> ls
Output
folder

Conclusion

Now you have learned how to set up SFTP for a user, restrict it to a specific directory, and prevent SSH access for that user.

Thanks for your time. If you face any problem or have any feedback, please leave a comment below.
