Restricted Access SFTP In Linux
Restricted Access SFTP In Linux – This is a short guide to giving users SFTP access restricted to a single directory, using only built-in OpenSSH functionality, and to disabling SFTP access entirely.
What is SFTP?
SFTP, which stands for SSH File Transfer Protocol (often expanded as Secure File Transfer Protocol), is a separate protocol shipped with SSH that runs as a subsystem inside an SSH connection. The advantage is the ability to transfer files and traverse the filesystem on the remote system over an already authenticated, encrypted channel. In almost all cases SFTP is preferable to FTP because it inherits SSH's authentication and encryption and needs no extra ports or daemons.
Restricted Access SFTP In Linux
1. Disable SFTP for All Users
First, log in to your Linux box via SSH and edit /etc/ssh/sshd_config:
[root@TengineC7 ~]# nano /etc/ssh/sshd_config
then scroll down and find the line:
Subsystem sftp /usr/libexec/openssh/sftp-server
and change it to:
Subsystem sftp /bin/false
Save and close, then restart the sshd service:
[root@TengineC7 ~]# systemctl restart sshd.service
The effect of this configuration is that no user (root included) can open an SFTP session: every sftp subsystem request now runs /bin/false, which exits immediately, so the client reports that the subsystem request failed. Ordinary SSH shell logins, root's included, are unaffected. Commenting out the Subsystem line has the same effect.
2. Disable SSH and SFTP for All Users Except root
Log in to your Linux box via SSH and edit /etc/ssh/sshd_config:
[root@TengineC7 ~]# nano /etc/ssh/sshd_config
then scroll down and find the line: Subsystem sftp /usr/libexec/openssh/sftp-server
and add the line AllowUsers root below it,
like the following example:
Subsystem sftp /usr/libexec/openssh/sftp-server
AllowUsers root
Save and close, then restart the sshd service:
[root@TengineC7 ~]# systemctl restart sshd.service
The effect of this configuration is broader than SFTP: AllowUsers is a global directive, so every user other than root is refused at the SSH login stage, for shell and SFTP alike, while root keeps both. Placing it next to the Subsystem line does not scope it to SFTP; it applies wherever it appears, as long as it is outside a Match block. Before applying it, confirm that PermitRootLogin permits the root login method you use, and open a second root session to test before closing the current one, or you will lock yourself out.
3. Restricted SFTP-only Access to a Single Directory
Log in to your Linux box via SSH and edit /etc/ssh/sshd_config:
[root@TengineC7 ~]# nano /etc/ssh/sshd_config
Edit or adjust the following lines. First change
Subsystem sftp /usr/libexec/openssh/sftp-server
to:
Subsystem sftp internal-sftp
then add this block at the very end of the file (everything after a Match line belongs to that block until the next Match, so any global directive left below it would silently become part of the block):
Match Group sftpgroup
    ForceCommand internal-sftp
    ChrootDirectory /home/mydirectory
Next, make sure the following lines are set. Inside the Match block they restrict only the SFTP users; at the top level of the file they apply to every SSH user, so prefer the Match block unless you want them to be global:
PermitTunnel no
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
Save and close.
Next, create the new group, directory and user:
[root@TengineC7 ~]# groupadd sftpgroup
[root@TengineC7 ~]# mkdir /home/mydirectory
[root@TengineC7 ~]# chmod g+rx /home/mydirectory/
[root@TengineC7 ~]# mkdir -p /home/mydirectory/files/
[root@TengineC7 ~]# chmod g+rwx /home/mydirectory/files/
[root@TengineC7 ~]# chgrp -R sftpgroup /home/mydirectory/
[root@TengineC7 ~]# useradd -g sftpgroup -d /home/mydirectory/ -s /sbin/nologin username
useradd creates the account with no usable password, so set one with passwd (or install an SSH public key) before testing. Then restart the sshd service:
[root@TengineC7 ~]# systemctl restart sshd.service
The effect of this configuration is that username can connect only over SFTP (the /sbin/nologin shell together with ForceCommand internal-sftp rules out a shell) and sees /home/mydirectory/ as the root of the filesystem: nothing outside it is reachable. The user can list the chroot but can only create files inside files/, because sshd requires the ChrootDirectory itself (and every path component above it) to be owned by root and not writable by group or others; otherwise it refuses the session and logs "bad ownership or modes for chroot directory" in the auth log.
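The following script is an added example for section 3, not part of the original guide. It renders the sshd_config fragment for the chroot group, checks a directory against the two chroot requirements sshd enforces (root ownership, no group or other write bit), and scans an sshd_config file for global-only directives that have landed below a Match line. The group name sftpgroup and the path /home/mydirectory are the ones the guide uses; the keyword list in match_block_is_last is a partial list of common global-only directives, an assumption made for the check, and sshd -t remains the authoritative test.

```shell
#!/bin/sh
# Added example (not from the original guide): helper checks for the chroot
# SFTP setup.  Group and path below are the guide's; nothing here is run as a
# real sshd configuration, the functions only inspect files and directories.

# Print the sshd_config fragment for a chroot SFTP group.  Append it at the
# END of sshd_config: every line after "Match" belongs to that block until the
# next Match, so global directives placed below it break the configuration.
render_sftp_match() {
    group="$1"
    chroot="$2"
    cat <<EOF
Subsystem sftp internal-sftp
Match Group $group
    ForceCommand internal-sftp
    ChrootDirectory $chroot
    PermitTunnel no
    AllowAgentForwarding no
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

# Return 0 when the directory mode is acceptable for ChrootDirectory: sshd
# refuses a chroot that is writable by group or others and logs
# "bad ownership or modes for chroot directory".
chroot_mode_ok() {
    perms=$(ls -ld "$1" | cut -c1-10)          # e.g. drwxr-xr-x
    group_w=$(printf '%s' "$perms" | cut -c6)  # group write bit
    other_w=$(printf '%s' "$perms" | cut -c9)  # other write bit
    [ "$group_w" = "-" ] && [ "$other_w" = "-" ]
}

# Return 0 when the directory is owned by root, the other chroot requirement.
chroot_owner_ok() {
    owner=$(ls -ld "$1" | awk '{print $3}')
    [ "$owner" = "root" ] || [ "$owner" = "0" ]
}

# Return 0 when no global-only directive appears after the first Match line.
# Keyword list is partial (assumption: the common global-only keywords);
# "sshd -t -f FILE" is the authoritative check.  Keywords are case-insensitive
# in sshd_config, so the comparison is done in lower case.
match_block_is_last() {
    awk '
        tolower($0) ~ /^[ \t]*match[ \t]/ { in_match = 1; next }
        in_match && tolower($0) ~ /^[ \t]*(port|listenaddress|hostkey|subsystem|usepam|addressfamily)[ \t]/ { bad = 1 }
        END { exit bad + 0 }
    ' "$1"
}

# Usage: print the fragment for the guide's group and chroot path.
render_sftp_match sftpgroup /home/mydirectory
```

Run chroot_mode_ok and chroot_owner_ok against /home/mydirectory after the mkdir/chgrp steps (and against /home, since sshd checks every component), and run match_block_is_last against /etc/ssh/sshd_config before the restart; then confirm with sshd -t, which parses the file and reports any directive sshd itself rejects.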
That’s all and Good Luck