Friday, 16 September 2016

Setting up a Secure FTP Server on AWS

Setting up a Secure FTP (SFTP) Server on AWS

So here's a quick and easy guide to setting up a simple Secure FTP Server on an Ubuntu 14.04 AWS EC2 instance.
Secure FTP Servers are an ideal mechanism for transferring files to and fro between trusted users. For this tutorial, I'm using a simple Ubuntu 14.04 AMI running on a t2.medium instance type.

AMI: Ubuntu Server 14.04 LTS (HVM), SSD Volume Type - ami-2d39803a
Instance Hostname: US-EAST-FTPSERVER-01
Username: ubuntu
Key name: myppkfile.ppk

Important: Make sure you update your OS using the sudo apt-get update command before following this tutorial.

Log in to the instance and install the FTP server package first:

# sudo apt-get install vsftpd

Create a new user (in my case it's called blueuser):

# sudo adduser blueuser

Also create the SSH directory for your newly created user (NOTE: The SSH directory is a hidden directory):

# sudo mkdir /home/blueuser/.ssh

With this done, we now need to create a key pair for our blueuser. There are many ways to do this, but for now I'm going to use the AWS Console itself and create one quickly. From the EC2 management dashboard, select the Key Pairs option and click on New Key pair. Provide a suitable name (blue-ftpserver) and click Create. Save the .pem locally on your machine.

Next, we need to create a public key from our newly downloaded key pair. I'm using PuTTYgen for this. Click on Load to load your blue-ftpserver.pem file.

It prompts you with a notice. Click on OK.

Now here's the important part. Click on Save Public Key option as shown below. Provide a suitable name for your public key and save it locally on your system.

Next, open your saved public key using any editor (I'm using Sublime Text) and add the following two pieces of text as shown below:
First, add the text "ssh-rsa" to the beginning of the key and then add the key's name to the end of the key as shown. Do not type the quotation marks. Save the file.

Next, in your FTP Server, create the authorized_keys file for your user:

# sudo vi /home/blueuser/.ssh/authorized_keys

Copy and paste the entire content of the Public Key file that we modified earlier here. Save and exit the file.
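The manual edit above can also be scripted. This is an added example, not part of the original post: it assumes the file PuTTYgen saved uses the RFC 4716 layout (BEGIN/END marker lines, a Comment header, wrapped base64) and flattens it into the single line that authorized_keys expects. The function name and the sample key are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post).
# to_authorized_line FILE NAME -> prints "ssh-rsa <base64> NAME" on one line,
# or returns non-zero if FILE does not contain an RSA public key blob.
to_authorized_line() {
    awk -v name="$2" '
        { sub(/\r$/, "") }                                   # tolerate Windows line endings
        /^---- BEGIN SSH2 PUBLIC KEY ----$/ { inkey = 1; next }
        /^---- END SSH2 PUBLIC KEY ----$/   { inkey = 0; next }
        !inkey            { next }                           # ignore anything outside the markers
        cont              { cont = ($0 ~ /\\$/); next }      # continued header line
        /^[A-Za-z0-9-]+:/ { cont = ($0 ~ /\\$/); next }      # header such as Comment:
        { blob = blob $0 }                                   # join the wrapped base64
        END {
            # "AAAAB3NzaC1yc2E" is the base64 of the length-prefixed string "ssh-rsa"
            if (blob !~ "^AAAAB3NzaC1yc2E[A-Za-z0-9+/]*=*$") exit 1
            printf "ssh-rsa %s %s\n", blob, name
        }' "$1"
}

# Constructed sample in the saved-file layout; the base64 is a placeholder, not a real key.
sample=$(mktemp)
cat > "$sample" <<'EOF'
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "imported-openssh-key"
AAAAB3NzaC1yc2EAAAADAQABAAABAQC7CONSTRUCTEDsampleNOTaREALkey0123
456789abcdefghijklmnopqrstuvwxyzABCDEFGH
---- END SSH2 PUBLIC KEY ----
EOF
to_authorized_line "$sample" blue-ftpserver
```

Where OpenSSH is installed, `ssh-keygen -i -f <file>` performs the same RFC 4716 to OpenSSH conversion.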

Next, run the following commands to set the correct permissions on your folders:

# sudo chmod 700 /home/blueuser/.ssh/

# sudo chmod 600 /home/blueuser/.ssh/authorized_keys

# sudo chown -R blueuser:blueuser /home/blueuser/.ssh/

Now, we test. To do so, transfer the PEM file to the FTP Server instance using any tool such as WinSCP. This is the PEM file that was created using the AWS Management Console (blue-ftpserver).

Once transferred, run the following command to verify whether your new user can log in to the FTP server securely using the PEM file.

# sftp -o IdentityFile=blue-ftpserver.pem blueuser@<server-address>

If all goes well, your newly created user should get authenticated and you should see the FTP Server prompt as shown below. If for some reason you get a permission denied error, then please check the contents of your user's authorized_keys file. Make sure there are no newline characters in it.

You can also use this newly created user to SSH into your Ubuntu instance as well. Type in the following command:

# ssh -i blue-ftpserver.pem blueuser@<server-address>

Your new user should get ssh access to the FTP server instance as shown below. 

But to get really secure, you may want to disable this SSH access for your new user and restrict it only for FTP access. To do so, run the following commands as shown:

Create a group dedicated for FTP users:
# sudo groupadd sftponly

Add your newly created user to this group:
# sudo adduser blueuser sftponly

Edit the sshd_config file and append the following data towards the end of the file:

# sudo vi /etc/ssh/sshd_config

# Paste the following content towards the end of file
Match group sftponly
ChrootDirectory /home/%u
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp

Save and exit the file.

Apply the necessary permissions and restart the ssh service for the changes to take effect:

# sudo chown root:root /home/blueuser

# sudo chown -R blueuser:blueuser /home/blueuser/.ssh

# sudo /etc/init.d/ssh restart
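sshd only accepts a ChrootDirectory when every component of its path is owned by root and not writable by group or others, which is why /home/blueuser is handed to root above. The following pre-flight check is an added example, not part of the original post; it assumes GNU stat (as shipped on Ubuntu), and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): verify a directory is usable
# as the ChrootDirectory from the Match block. Assumes GNU stat.

# component_ok UID MODE -> 0 when the owner is root and group/other lack the write bit
component_ok() {
    [ "$1" -eq 0 ] || return 1
    case $2 in
        *[2367]?|*[2367]) return 1 ;;   # octal digit with the write bit for group or other
    esac
    return 0
}

# check_chroot_path DIR -> 0 when DIR and every parent up to / pass component_ok
check_chroot_path() {
    p=$(cd "$1" 2>/dev/null && pwd -P) || return 2   # resolve symlinks first
    rc=0
    while :; do
        info=$(stat -c '%u %a' "$p") || return 2
        if ! component_ok "${info% *}" "${info#* }"; then
            echo "FAIL $p (uid=${info% *} mode=${info#* })" >&2
            rc=1
        fi
        [ "$p" = / ] && break
        p=$(dirname "$p")
    done
    return $rc
}

# Defaults to the home directory used in this guide; pass another path as $1.
dir=${1:-/home/blueuser}
if [ -d "$dir" ]; then
    check_chroot_path "$dir" && echo "OK: $dir is usable as ChrootDirectory"
fi
```

Running `sudo sshd -t` before the restart also catches syntax errors in sshd_config while your current session is still open.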

Try logging on to the FTP server now using the same username and PEM file as earlier. Your user should have SFTP access; however, the SSH access should be blocked, as shown below:

Well, there you have it: a really simple way to set up a secure FTP server in the AWS environment. Stay tuned for more such tutorials coming your way soon!

