Page 2 of 2
Results 11 to 15 of 15

Thread: Need consulting help on setting up a sftp server on Ubuntu 16.04.

  1. #11
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    17,104
    Distro
    Ubuntu Mate 16.04 Xenial Xerus

    Re: Need consulting help on setting up a sftp server on Ubuntu 16.04.

    Quote Originally Posted by roadrawts
    why did you use vsftpd instead of sshd for the sftp services?
    Probably a personal preference for people formerly using plain FTP, since vsftpd has been used for that for decades.

    OTOH, for people comfortable using openssh, sftp-server is built-in and can be massively secured with little effort, provided you don't allow passwords, block brute force attacks, lock down the source IPs and limit the drop-off directory (all easily handled in the sshd_config file). sftp uses 1 open port to the internet. Plain FTP uses multiple ports that change, which isn't firewall friendly. I don't know about ftps.

    I wrote a not-great, but good enough ssh-security article a few years ago.
    https://blog.jdpfu.com/2011/08/23/se...cking-failures

    You really should push using ssh-keys, not passwords. On the client-side:
    Code:
    ssh-keygen -t ed25519
    ssh-copy-id -i ~/.ssh/id_ed25519.pub userid@remote
    Failing that, you can allow passwords from specific IPs.
    Code:
    # Change to no to disable tunnelled clear text passwords
    PasswordAuthentication no
    Match Address  172.21.21.0/24,172.22.21.0/24
          PasswordAuthentication yes
    I like passwords available from my LAN into some systems, but never from outside.

    Use a non-standard port for ssh/sftp/scp/rsync ... I leave the default for LAN access but have the router do port translation for access from the outside world. It really helps keep attacks from spamming our log files, though it isn't really much security. Just set up the ~/.ssh/config file with the other port and forgetaboutit. You'll never need to know it again for any ssh-based connection.
    Code:
    host funny-remote_name_for_server
      user pete
      hostname remote5433.dyndns.org
      port 34022
    Block remote root - this really should be the default on all Ubuntu installs.
    Code:
    PermitRootLogin no
    Install fail2ban whenever and wherever you install openssh. The default config blocks brute force attacks on port 22. If you use the router for WAN-to-LAN port translation, nothing more than installing it is needed.

    You can use the built-in Linux firewall to block WAN IPs from accessing whatever port you've decided to use on the internet. Probably best to do this at the WAN firewall machine, not on the ssh/sftp server.

    If you only want sftp access and want to limit which users can do it and where they can drop files, I remember the sftp-server settings were fairly simple to accomplish that. ChrootDirectory is one of the settings. The sftp-server manpage spells out the different options and where to enter them in the sshd_config file. I really should set up an sftp-only server somewhere. It has been a long time since I needed one.
    Code:
    sudo mkdir -p /var/sftp-chroot-dir/uploads
    sudo chown thefu:thefu /var/sftp-chroot-dir/uploads
    Add this to the bottom of the sshd_config
    Code:
    Match User thefu
       ForceCommand internal-sftp
       PasswordAuthentication yes
       ChrootDirectory /var/sftp-chroot-dir
       PermitTunnel no
       AllowAgentForwarding no
       AllowTcpForwarding no
       X11Forwarding no
    This only allows sftp for that single userid.

  2. #12
    Join Date
    Sep 2011
    Location
    Behind you!
    Beans
    1,079
    Distro
    Ubuntu 16.04 Xenial Xerus

    Re: Need consulting help on setting up a sftp server on Ubuntu 16.04.

    Quote Originally Posted by roadrawts
    why did you use vsftpd instead of sshd for the sftp services?
    #1 It was a requirement from the initial source (bank) that wanted us to host an FTP over SSL server.
    #2 Compatibility issues with specific FTP clients (I cannot remember the details now, but I could not make it work until I used vsftpd. My inexperience back then might have contributed to the issues).
    #3 When I find a workable solution, I tend to stop looking for other solutions and refine what I have.
    #4 It needed to be rock solid, reliable, secure and capable of supporting many different vendors.

    But as TheFu said, it comes down to preference and use cases. vsftpd fit the bill and was rock solid when I implemented it back on Ubuntu 12.04 up until the end of last year when I lost my job. It was the central file transfer service for external vendors, banks and internally for databases and EMRs for various remote sites.

    LHammonds

  3. #13
    Join Date
    Feb 2006
    Location
    North Carolina
    Beans
    63
    Distro
    Ubuntu 16.04 Xenial Xerus

    Re: Need consulting help on setting up a sftp server on Ubuntu 16.04.

    Thank you all for your help but I've abandoned using SFTP. The source system tells me that large files will probably fail. That means that I would have to do a lot of monitoring and fixing. So I'm looking at other alternatives.
    Mel

  4. #14
    Join Date
    Sep 2011
    Location
    Behind you!
    Beans
    1,079
    Distro
    Ubuntu 16.04 Xenial Xerus

    Re: Need consulting help on setting up a sftp server on Ubuntu 16.04.

    Quote Originally Posted by roadrawts
    The source system tells me that large files will probably fail.
    Eh...why is that? Do they have a bad Internet connection? Is there a bandwidth limiter? Or does their xfer system time out if a file does not finish within a specific amount of time? If they think SFTP will fail, then what will work?

  5. #15
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 16.04 Xenial Xerus

    Re: Need consulting help on setting up a sftp server on Ubuntu 16.04.

    Quote Originally Posted by roadrawts
    Thank you all for your help but I've abandoned using SFTP. The source system tells me that large files will probably fail. That means that I would have to do a lot of monitoring and fixing. So I'm looking at other alternatives.
    Mel
    What? How large of a file are they talking about?

    There are several FTP programs that support resuming interrupted downloads and uploads if an unstable internet connection is the problem.
    Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide

    Tomorrow's an illusion and yesterday's a dream, today is a solution...
