Friday, 16 September 2016

Setting up a Secure FTP Server on AWS


So here's a quick and easy guide to setting up a simple Secure FTP (SFTP) server on an Ubuntu 14.04 AWS EC2 instance.
Secure FTP servers are an ideal mechanism for transferring files back and forth between trusted users. For this tutorial, I'm using a simple Ubuntu 14.04 AMI running on a t2.medium instance type.

AMI: Ubuntu Server 14.04 LTS (HVM), SSD Volume Type - ami-2d39803a
Instance Hostname: US-EAST-FTPSERVER-01
Username: ubuntu
Key name: myppkfile.ppk

Important: Make sure you update your OS using the sudo apt-get update command before following this tutorial.

Log in to the instance and install the FTP server package first (note that the SFTP access configured later in this guide is served by OpenSSH's sftp subsystem, not by vsftpd; vsftpd provides classic FTP):

# sudo apt-get install vsftpd


Create a new user (in my case it's called blueuser):

# sudo adduser blueuser

Also create the SSH directory for your newly created user (note: .ssh is a hidden directory):

# sudo mkdir /home/blueuser/.ssh



With this done, we now need to create a keypair for our blueuser. There are many ways to do this, but for now I'm going to use the AWS Console itself and create one quickly. From the EC2 management dashboard, select the Key Pairs option and click on New Key Pair. Provide a suitable name (blue-ftpserver) and click Create. Save the .pem file locally on your machine.


Next, we need to derive a public key from our newly downloaded key pair. I'm using PuTTYgen for this. Click on Load and load your blue-ftpserver.pem file.


It prompts you with a notice. Click on OK.


Now here's the important part. Click on the Save Public Key option as shown below. Provide a suitable name for your public key and save it locally on your system.


Next, open your saved public key in any editor (I'm using Sublime Text) and make the following two edits as shown below:
First, add the text ssh-rsa to the beginning of the key, then add the key's name to the end of the key as shown. The result must be a single line in OpenSSH's authorized_keys format (ssh-rsa, the base64 key, then the comment, separated by spaces) with no quotation marks anywhere. Save the file.


Next, in your FTP Server, create the authorized_keys file for your user:

# sudo vi /home/blueuser/.ssh/authorized_keys

Copy and paste the entire content of the public key file that we modified earlier into it. Save and exit the file.


Next, run the following commands to set the correct permissions on your folders:

# sudo chmod 700 /home/blueuser/.ssh/

# sudo chmod 600 /home/blueuser/.ssh/authorized_keys

# sudo chown -R blueuser:blueuser /home/blueuser/.ssh/


Now, we test. To do so, transfer the PEM file to the FTP server instance using any tool such as WinSCP. This is the PEM file that was created using the AWS Management Console (blue-ftpserver). Copying the private key onto the server is only for this quick check; in normal use the private key stays on the client machine and you run the test from there.


Once transferred, run the following command to verify whether your new user can log in to the FTP server securely using the PEM file:

# sftp -o IdentityFile=blue-ftpserver.pem blueuser@ec2.compute-1.amazonaws.com

If all goes well, your newly created user should be authenticated and you should see the sftp> prompt as shown below. If for some reason you get a permission denied error, check the contents of your user's authorized_keys file and make sure the key sits on a single line with no stray newline characters in it.


You can also use this newly created user to SSH into your Ubuntu instance. Type in the following command:

# ssh -i blue-ftpserver.pem blueuser@ec2.compute-1.amazonaws.com

Your new user should get SSH access to the FTP server instance as shown below.


But to make this really secure, you may want to disable SSH shell access for your new user and restrict the account to SFTP only. To do so, run the following commands as shown:

Create a group dedicated for FTP users:
# sudo groupadd sftponly

Add your newly created user to this group:
# sudo adduser blueuser sftponly


Edit the sshd_config file and append the following towards the end of the file (a Match block applies to everything after it, so it must come after the global settings):

# sudo vi /etc/ssh/sshd_config

# Paste the following content towards the end of the file
Match Group sftponly
    ChrootDirectory /home/%u
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp

Save and exit the file.


Apply the necessary permissions and restart the ssh service for the changes to take effect. sshd only accepts a ChrootDirectory that is owned by root and not writable by group or others, which is why the home directory is handed to root below; this also means blueuser cannot create files directly under /home/blueuser, so give the user a subdirectory they own for uploads.

# sudo chown root:root /home/blueuser

# sudo chown -R blueuser:blueuser /home/blueuser/.ssh

# sudo /etc/init.d/ssh restart
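As an added example (not part of the original post), the following POSIX shell script checks the layout the steps above leave behind: a root-owned, non-writable chroot directory, a user-owned .ssh with modes 700 and 600, and a single-line authorized_keys entry. The check_sftp_user function and its helpers are my own names, not commands from the guide.

```shell
#!/bin/sh
# Added sanity checks for the SFTP user layout built above (not from the
# original post). Run on the server as root after the chown/chmod steps:
#   check_sftp_user blueuser /home/blueuser
# After editing sshd_config, "sshd -t" validates the syntax before restart.

# Portable "<mode string> <owner>" for a path (no GNU stat needed).
mode_owner() { ls -ld "$1" 2>/dev/null | awk '{print $1, $3}'; }

# authorized_keys must be exactly one line "ssh-rsa <base64> <comment>",
# with no carriage returns and no key split across several lines.
check_authorized_keys() {
  f="$1"
  [ -f "$f" ] || return 1
  [ "$(grep -c . "$f" || true)" -eq 1 ] || return 1
  grep -q "$(printf '\r')" "$f" && return 1
  set -- $(head -n 1 "$f")
  [ "$#" -ge 2 ] && [ "$1" = "ssh-rsa" ] || return 1
  printf '%s' "$2" | grep -Eq '^[A-Za-z0-9+/]+={0,2}$'
}

# ~/.ssh and authorized_keys belong to the user, with modes 700 and 600.
check_ssh_dir() {
  home="$1"; user="$2"
  set -- $(mode_owner "$home/.ssh")
  case "$1" in drwx------*) [ "$2" = "$user" ] || return 1 ;; *) return 1 ;; esac
  set -- $(mode_owner "$home/.ssh/authorized_keys")
  case "$1" in -rw-------*) [ "$2" = "$user" ] ;; *) return 1 ;; esac
}

# sshd refuses a ChrootDirectory unless it (and each parent) is owned by
# root and not writable by group or others. The expected owner is a
# parameter only so the check can be exercised without root.
check_chroot_dir() {
  d="$1"; want="${2:-root}"
  set -- $(mode_owner "$d")
  [ "$2" = "$want" ] || return 1
  case "$1" in d????w*|d???????w*) return 1 ;; esac
  return 0
}

# Everything at once for one user, as the guide leaves it after the chowns.
check_sftp_user() {
  user="$1"; home="${2:-/home/$1}"
  check_chroot_dir "$home" root && check_ssh_dir "$home" "$user" \
    && check_authorized_keys "$home/.ssh/authorized_keys"
}
```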


Try logging on to the FTP server now using the same username and PEM file as earlier. Your user should still have SFTP access, but the SSH shell login should be refused as shown below:



Well, there you have it: a really simple way to set up a secure FTP server in the AWS environment. Stay tuned for more such tutorials coming your way soon!