How to set up an SFTP server on Debian 11 Server

In this guide we are going to set up an SFTP server on Debian 11. We will also set up a chroot so that these users can only access SFTP, using the credentials shared with them, and nothing else on the server.

The File Transfer Protocol is a standard communication protocol used for the transfer of computer files from a server to a client on a computer network.

FTP is rarely used today because it lacks security. When a file is sent using this protocol, the data, username and password are all transmitted in plain text, so anyone able to observe the traffic can read them with little to no effort. For data to be secure, you need a secure alternative such as SFTP.

SFTP (Secure File Transfer Protocol) is a file transfer protocol that provides secure access to a remote computer over an encrypted channel. It runs on top of SSH (Secure Shell) and is therefore also frequently referred to as the SSH File Transfer Protocol.


# Prerequisites

To follow along with this guide, ensure you have the following:

  • A Debian 11 Server
  • Root access to the server or a user with root access
  • Internet access from the server

# Ensuring that the server is up to date

Before proceeding, ensure your system is up to date. Use these commands to refresh the package index and upgrade the installed packages:

```bash
sudo apt update
sudo apt upgrade -y
```

# Ensuring that the SSH service is installed

Verify that the SSH server is installed (the command installs it if it is missing):

```text
$ sudo apt install -y openssh-server
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
openssh-server is already the newest version (1:8.4p1-5).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
```

Now that it is installed, start the service:

```bash
sudo systemctl start sshd
```

Confirm its status:

```text
$ sudo systemctl status sshd
● ssh.service - OpenBSD Secure Shell server
     Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
     Active: active (running) since Fri 2021-12-03 10:18:03 UTC; 2 days ago
       Docs: man:sshd(8)
             man:sshd_config(5)
    Process: 665 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
   Main PID: 682 (sshd)
      Tasks: 1 (limit: 4626)
     Memory: 6.2M
        CPU: 9.132s
     CGroup: /system.slice/ssh.service
             └─682 sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups

Dec 05 09:20:46 ip-10-2-40-122 sshd[14717]: Received disconnect from 221.181.185.94 port 47597:11:  [preauth]
Dec 05 09:20:46 ip-10-2-40-122 sshd[14717]: Disconnected from authenticating user root 221.181.185.94 port 47597 [preauth]
Dec 05 10:34:30 ip-10-2-40-122 sshd[14797]: Received disconnect from 222.186.30.76 port 23207:11:  [preauth]
Dec 05 10:34:30 ip-10-2-40-122 sshd[14797]: Disconnected from authenticating user root 222.186.30.76 port 23207 [preauth]
Dec 05 10:34:41 ip-10-2-40-122 sshd[14799]: Received disconnect from 221.181.185.151 port 18104:11:  [preauth]
Dec 05 10:34:41 ip-10-2-40-122 sshd[14799]: Disconnected from authenticating user root 221.181.185.151 port 18104 [preauth]
Dec 05 11:11:54 ip-10-2-40-122 sshd[14830]: Received disconnect from 221.131.165.65 port 19729:11:  [preauth]
Dec 05 11:11:54 ip-10-2-40-122 sshd[14830]: Disconnected from authenticating user root 221.131.165.65 port 19729 [preauth]
Dec 05 11:19:03 ip-10-2-40-122 sshd[14840]: Accepted publickey for admin from 105.231.148.146 port 60649 ssh2: RSA SHA256:nDQ1FMciYtGpPYjdOwbUTVg7kQxEFtAjoSdWulRilIA
Dec 05 11:19:03 ip-10-2-40-122 sshd[14840]: pam_unix(sshd:session): session opened for user admin(uid=1000) by (uid=0)
```

# Creating users and groups and adding the necessary directories

Next we will ensure that the necessary users are present on the system. In my case, I would like the SFTP users' home directories to live under /srv/sftp.

Create /srv/sftp with this command:

```bash
sudo mkdir /srv/sftp
```

Then create a group that will hold the SFTP-only users:

```bash
sudo groupadd sftpusers
```

Then create an SFTP-only user called citizix:

```bash
sudo useradd -G sftpusers -d /srv/sftp/citizix -s /sbin/nologin citizix
```

The options above do the following:

  • -G sftpusers: add the new user to the supplementary group sftpusers
  • -d /srv/sftp/citizix: set the home directory to /srv/sftp/citizix
  • -s /sbin/nologin: set a shell that refuses logins, so the user cannot open an interactive SSH session
  • citizix: the username

Then set a password for the new user with this command:

```text
$ sudo passwd citizix
New password:
Retype new password:
passwd: password updated successfully
```

# Configuring the ssh service

Now that we have installed the necessary software and created the users and groups, let us configure ssh.

Ensure password authentication is enabled for SSH. Edit the config file /etc/ssh/sshd_config:

```bash
sudo vim /etc/ssh/sshd_config
```

Then make sure this line is present and not commented out:

```text
PasswordAuthentication yes
```

Next, we need to add a Match block so that members of the sftpusers group are restricted to SFTP. Edit the config file:

```bash
sudo vim /etc/ssh/sshd_config
```

Add this content at the bottom of the file (a Match block applies to every directive that follows it until the next Match, so it must come last):

```text
Match Group sftpusers
    X11Forwarding no
    AllowTcpForwarding no
    ChrootDirectory /srv/sftp
    ForceCommand internal-sftp
```

Then restart sshd to reload the config:

```bash
sudo systemctl restart sshd
```

Verify that sshd is running as expected:

```text
$ sudo systemctl status sshd
● ssh.service - OpenBSD Secure Shell server
     Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
     Active: active (running) since Sun 2021-12-05 11:22:02 UTC; 12s ago
       Docs: man:sshd(8)
             man:sshd_config(5)
    Process: 15292 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
   Main PID: 15293 (sshd)
      Tasks: 1 (limit: 4626)
     Memory: 1.0M
        CPU: 159ms
     CGroup: /system.slice/ssh.service
             └─15293 sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups

Dec 05 11:22:02 ip-10-2-40-122 systemd[1]: Starting OpenBSD Secure Shell server...
Dec 05 11:22:02 ip-10-2-40-122 sshd[15293]: Server listening on 0.0.0.0 port 22.
Dec 05 11:22:02 ip-10-2-40-122 sshd[15293]: Server listening on :: port 22.
Dec 05 11:22:02 ip-10-2-40-122 systemd[1]: Started OpenBSD Secure Shell server.
```

# Verifying that the set up is working as expected

After successfully creating the user and adding the SFTP configuration, let us test the setup with the sftp client:

```text
$ sftp citizix@18.236.122.10
citizix@18.236.122.10's password:
Connected to 18.236.122.10.
sftp>
```

Now we have an SFTP server up and running with a user configured!

The user will be able to log in to the server and access the files and directories located in their home directory. If you want to give the user access to other directories outside their own home directory, make sure the user has sufficient rights on them. These directories and files must be within the SFTP chroot directory, /srv/sftp.

Example: if I want the user to access the directory /srv/sftp/paymentfiles, do the following.

Create the directory:

```bash
sudo mkdir /srv/sftp/paymentfiles
```

Then give the user (citizix) access by making them the owner of the directory:

```bash
sudo chown citizix:sftpusers /srv/sftp/paymentfiles
```

That is it. The user should now have access.

# Conclusion

In this guide we set up an SFTP server on Debian 11, with a chroot that confines the SFTP-only users to /srv/sftp.

Last updated on Mar 20, 2024 17:19 +0300
Citizix Ltd