SFTP is a popular way to access the website files on a Linode server remotely. For it to work, the user needs an account that sshd accepts.
By default, such an account gets a login shell and can browse the whole filesystem, which is not desirable.
At Bobcares, we help Linode owners set up restricted SFTP access as part of our Managed Cloud Services.
Today, we'll see how our Cloud Engineers set up Linode SFTP access with proper security restrictions.
Why SFTP?
Remote access to website files becomes a necessity at some point. This includes scenarios like a website developer working from a remote location, checking web files while you are travelling, and so on. Although there are many ways to access files remotely, SFTP is a top choice.
Before proceeding further, we'll see why SFTP (SSH File Transfer Protocol) is preferred over plain FTP (File Transfer Protocol). In FTP, the login credentials and every file transferred between the FTP client and the server travel in cleartext, so anyone on the network path can read your website's confidential information.
Unlike FTP, SFTP runs inside an SSH session: the whole exchange is encrypted and integrity-protected, the client verifies the server by its host key, and it uses the single SSH port instead of FTP's separate data connections. No wonder it is the top choice for file transfers.
How do we set up SFTP access in Linode?
We've seen the benefits of SFTP. SFTP is a subsystem of SSH, so the prime requirement is an account that sshd accepts. That is exactly why we need to think about server security while giving SFTP access.
We have to restrict such users to their home directories and to SFTP only. Otherwise, they get a login shell and can read every world-readable file on the Linode, including other sites' code and configuration.
Let's now have a look at how our Support Engineers set up SFTP on a Linode server.
There is no need to install any additional packages: OpenSSH ships the internal-sftp subsystem, which runs inside sshd itself and therefore works inside a chroot that contains no binaries or libraries. The steps include:
1. Modifying Linode SSH
As the first step, we modify the SSH daemon configuration of the Linode so that members of one group get SFTP only.
For example, on a CentOS 7 Linode server, our Dedicated Engineers modify the file /etc/ssh/sshd_config
We comment out the following line, which starts the external sftp-server binary (it would not be reachable from inside a chroot):
# Subsystem sftp /usr/libexec/openssh/sftp-server
Then we add a Subsystem line for internal-sftp and a Match block that overrides the settings for the filetransfer group. The Match block must be the last thing in the file, because every directive after a Match line applies only to connections that match it. The final modifications look like this:
# override default of no subsystems
# Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp
# Example of overriding settings on a per-user basis
Match Group filetransfer
ChrootDirectory %h
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
After this, we need to restart sshd for the changes to take effect. Run sshd -t first: it checks the configuration file for errors and prints nothing when the file is valid, so a typo cannot take the daemon down.
2. Adding SFTP user
Now it is time to add the SFTP user. We create the user with useradd, set a password with passwd, add the user to the group filetransfer, and fix the ownership and permissions of the home directory. Because the Match block uses ChrootDirectory %h, sshd refuses the login unless the home directory itself is owned by root and writable by nobody else; the user then works in subdirectories that belong to them.
For example, to add a user 'bob', we use the following commands.
groupadd --system filetransfer
useradd -m bob
passwd bob
usermod -aG filetransfer bob          # -a appends; plain -G would drop bob's other groups
chown root:root /home/bob             # the chroot root must be owned by root ...
chmod 755 /home/bob                   # ... and must not be group or world writable
chown bob:filetransfer /home/bob/*    # the content inside stays owned by the user
Now, you will be able to connect to the Linode server via SFTP. When everything is set up correctly, an attempt to connect via plain SSH should show this error:
bob@50.xx.xx.241's password:
This service allows sftp connections only.
Connection to 50.xx.xx.241 closed.
This message shows that the user has no shell access: ForceCommand replaced the login shell with the SFTP subsystem, so there is nothing else the account can run.
3. Firewall restrictions
Next come the firewall modifications. SFTP uses the same port as SSH, so this means allowing the customer's IP address to reach the SSH port (22, or the custom port sshd listens on) in the Linode's firewall. When a custom SSH port is in use, the firewall on the customer's own computer or network also needs to allow it.
Common Linode SFTP setup errors and their fixes
Although the Linode SFTP setup is pretty straightforward, we often see customers reporting problems with it. Let's check them in detail.
1. Problems with SSH restart
Recently, a Linode customer reported problems restarting SSH after modifying the configuration to restrict SFTP access. The error said:
[root@lixx-xx1 ~]# service sshd restart
Redirecting to /bin/systemctl restart sshd.service
Job for sshd.service failed because the control process exited with error code. See "systemctl status sshd.service" and "journalctl -xe" for details.
On checking the Linode, we found that the restart had been attempted from the customer's existing SSH session right after editing sshd_config. The restart itself is not what fails (on CentOS 7 an established session survives an sshd restart); this message means sshd refused to start with the edited file, and "systemctl status sshd" or "sshd -t" points at the offending line. Our Dedicated Engineers restarted sshd from the Lish console. Lish reaches the Linode through the Linode Manager rather than through sshd, so it keeps working however badly the SSH configuration is broken, which is exactly why we run sshd -t and keep a Lish session open before any sshd restart.
2. Firewall restrictions
Often, users report problems with the SFTP connection due to firewall restrictions too. This firewall can be on the Linode side or on the user's computer.
Here, our Dedicated Engineers first check the server log (/var/log/secure on CentOS 7, or journalctl -u sshd) to see whether the connection attempt reached sshd at all. If the attempt is logged, the network path is open and the problem lies in authentication or in the chroot setup, not in a firewall. If nothing is logged, the server firewall may be dropping the packets, so we check firewalld or iptables for the SSH port and the client's address and tweak the rules. When the server firewall never sees the connection either, it is being blocked before it reaches the Linode, and we ask the customer to check the firewall on their own computer or with their internet provider.
3. User access rights
Similarly, user access rights can also create problems with SFTP access in Linode. A typical error message in the FileZilla client will be:
Error: error while writing: failure
Error: File transfer failed
Here, our Dedicated Engineers checked the server and found that the files and folders under the user's home directory had the wrong owner and permissions, so the user could not write to them. Giving the user ownership of their upload directory (chown bob:filetransfer) fixed the upload. Note that the fix is never to make the home directory itself writable: it is the ChrootDirectory, and sshd refuses the login outright if it is writable by anyone but root, logging "bad ownership or modes for chroot directory".
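The two checks above (did the connection reach sshd at all, and did sshd reject the chroot) can be read straight from the server log. The following script is an added example, not code from the original post or from Linode: it classifies what sshd saw from one client address, using the syslog line format sshd writes to /var/log/secure on CentOS 7. The hostname, pids and addresses in the sample log are constructed.

```shell
#!/bin/sh
# Added example (not code from the original post): decide from sshd's own log
# whether a client's SFTP attempt reached the server, failed authentication,
# or was cut off by a bad ChrootDirectory. Assumes the syslog line format
# sshd writes to /var/log/secure on CentOS 7 (or journalctl -u sshd); the
# hostname, pids and addresses in the sample are constructed.

# triage_sshd_log LOGFILE CLIENT_IP
# Prints one of:
#   no-entries    nothing from CLIENT_IP reached sshd: check the Linode firewall,
#                 then the client side network
#   auth-failed   the TCP connection arrived but the password/key was rejected
#   chroot-modes  login succeeded, then sshd refused the chroot because the home
#                 directory (or a parent) is not root-owned or is writable
#   accepted      login succeeded; remaining problems are permissions inside the jail
#   reached       the client connected but never finished authenticating
triage_sshd_log() {
  log=$1
  ip=$2
  # "ADDR port" avoids matching 203.0.113.50 when asked about 203.0.113.5
  lines=$(grep -F -- "$ip port" "$log") || { echo no-entries; return 0; }
  if printf '%s\n' "$lines" | grep -q 'Accepted '; then
    # the chroot failure is logged by the session child and carries no client
    # address, so it is attributed to a client that got past authentication
    if grep -q 'bad ownership or modes for chroot directory' "$log"; then
      echo chroot-modes
    else
      echo accepted
    fi
    return 0
  fi
  if printf '%s\n' "$lines" | grep -q 'Failed password'; then
    echo auth-failed
    return 0
  fi
  echo reached
  return 0
}

# write_sample_log FILE: constructed log lines in sshd's format, for a dry run
write_sample_log() {
  cat >"$1" <<'EOF'
Jun  5 10:12:01 li123-456 sshd[1234]: Accepted password for bob from 203.0.113.5 port 51234 ssh2
Jun  5 10:12:01 li123-456 sshd[1240]: fatal: bad ownership or modes for chroot directory "/home/bob"
Jun  5 10:15:42 li123-456 sshd[1301]: Failed password for alice from 192.0.2.9 port 40022 ssh2
Jun  5 10:15:44 li123-456 sshd[1301]: Connection closed by 192.0.2.9 port 40022 [preauth]
EOF
}

# Usage: sh sftp_triage.sh /var/log/secure 203.0.113.5
#        sh sftp_triage.sh --demo            (runs against the constructed sample)
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp)
  write_sample_log "$tmp"
  for client in 203.0.113.5 192.0.2.9 198.51.100.7; do
    printf '%s -> %s\n' "$client" "$(triage_sshd_log "$tmp" "$client")"
  done
  rm -f "$tmp"
elif [ $# -eq 2 ]; then
  triage_sshd_log "$1" "$2"
fi
```

Against the sample, 203.0.113.5 is reported as chroot-modes (the login was accepted and then the jail was refused), 192.0.2.9 as auth-failed, and 198.51.100.7 as no-entries, which is the only verdict that points at a firewall rather than at the server's own configuration.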
Conclusion
In short, enabling SFTP in Linode involves a series of steps. Today, we saw how our Dedicated Engineers set up SFTP access in Linode servers and restrict user access to it. Also, we had a look at the common SFTP setup errors and their fixes.