Setup SFTP and Prevent SSH on Ubuntu 20.04. SFTP (Secure File transfer Protocol), a secure way to transfer files to servers using encrypted SSH connections. All servers with SSH will have SFTP enabled by default.
In this guide you are going to learn how to limit SFTP access to a directory for a particular user and prevent SSH access.
This setup is tested on a virtual machine running Ubuntu 20.04 OS. So this tutorial should work on any severs with Ubuntu.
Prerequisites
SSH access to server with sudo privileges.
Step 1: Create New user
Create a new user who has SFTP access to perform certain actions on a particular directory.
sudo adduser usernameYou will be prompted to setup a password and other optional details which you can setup or ignore it.
If you wish to use SSH keys based login, check how to setup SSH access on your Ubuntu.
Step 2: Setup SFTP access
To setup SFTP access you need to configure correct directory permissions the parent directory of the new directory you are about to create should be owned by root and not by any other users.
For example, if you are going to create a directory named /sftp/folder, the sftp directory should be owned by root and the folder directory should be owned by the particular user who is accessing it.
Create directories.
sudo mkdir -p /sftp/folderConfigure correct permissions.
sudo chmod 755 /sftp
sudo chown root:root /sftp
sudo chmod -R 755 /sftp/folder
sudo chown username:username /sftp/folderStep 3: Prevent SSH access and Restrict SFTP Access
Now we can modify SSH configuration to prevent SSH access for the user and restrict the user to access only the particular directory.
Edit your SSH configuration file.
sudo nano /etc/ssh/sshd_configAdd the following to the end of the file.
Match User username
ForceCommand internal-sftp
PasswordAuthentication yes
ChrootDirectory /sftp
PermitTunnel no
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding noMatch Usertells the SSH server to apply the following commands only to the specified user.ForceCommand internal-sftpforces the SSH server to run the SFTP server upon login and prevent SSH access.PasswordAuthentication yesallows password authentication for this user. If you use SSH keys based login you can prevent password based authentication by setting the value tono.ChrootDirectory /sftpensures that the user will not be allowed access to anything beyond the/sftpdirectory.AllowAgentForwarding no,AllowTcpForwarding no, andX11Forwarding nodisables port forwarding, tunneling, and X11 forwarding, respectively.
Hit CTRL + X followed by Y and then ENTER to save and exit the file.
Now the configurations are in place which allows only SFTP access and prevents SSH login for the user.
Restart SSH service for the changes to take effect.
sudo systemctl restart sshdFor more details on configuring access for multiple usernames, you can follow this Chroot setup guide.
Step 4: Verify SFTP setup
Try loging in to the server using your SFTP details with SSH command. You will be denied access to SSH.
ssh [email protected]_ipYou will receive an output similar to the one below.
Output
This service allows sftp connections only.
Connection to server_ip closed.Now verify using sftp command.
sftp [email protected]_ipNow you should be logged in to the server and have access to the directory you have configured earlier.
Output
Connected to server_ip
sftp>Use the ls command to list the directories you will see the directory named folder you have created and configured permissions.
sftp> lsOutput
folderConclusion
Now you have learned how to setup SFTP and prevent SSH access to user over a specific directory.
Thanks for your time. If you face any problem or any feedback, please leave a comment below.
