In this article, I will explain how to set up an SFTP server using MySecureShell on Ubuntu 18.04. SFTP is a secure way of transferring files over an encrypted SSH connection. Though it is widely supported by modern FTP clients, it is a completely different protocol from FTP (File Transfer Protocol).
You might ask why MySecureShell instead of a traditional FTP server. Here are a few of its features:
- Secured data transfer using SSH
- No need to manage SSL certificates
- Easy to install and configure
- Limit Bandwidth usage
- Files and folders restrictions
- Access Control List using IP/Username/Groups/VirtualHost
- Restrict users to have sftp only (shell access is disabled by default)
- Enhanced logging system
So let's start with the installation. Basic knowledge of FTP is sufficient for understanding this tutorial.
Installation
From Ubuntu 15.04 onwards, MySecureShell is available in the default repositories. We are using Ubuntu 18.04 for this installation. Just run the command below to install MySecureShell:
apt-get install mysecureshell
If the package is not available, follow the steps below; make sure all of them are run as the root user.
vim /etc/apt/sources.list
Add the following two lines:
deb http://mysecureshell.free.fr/repository/index.php/ubuntu testing main
deb-src http://mysecureshell.free.fr/repository/index.php/ubuntu testing main
Now add the GPG key (the trailing "-" makes apt-key read the exported key from standard input):
gpg --keyserver hkp://pool.sks-keyservers.net --recv-keys E328F22B; gpg --export E328F22B | apt-key add -
gpg: keybox '/root/.gnupg/pubring.kbx' created
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 7601D76CE328F22B: public key "MySecureShell repository " imported
gpg: Total number processed: 1
gpg:               imported: 1
OK
Once the repository is added, you can start with the installation:
apt-get update
apt-get install mysecureshell
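As an added example (not from the article or the MySecureShell project), here are the manual repository steps above as a re-runnable script: the two sources lines are only appended once, and the key is trusted only if gpg reports the long key ID 7601D76CE328F22B shown in the output above, not just the 8-character short ID that was requested. The file /etc/apt/sources.list.d/mysecureshell.list and the function names are my choices.

```shell
#!/bin/sh
# Added example: idempotent repository setup for the manual-install path.
# Assumes the repository lines and key ID exactly as printed in the article.
set -eu

MSS_REPO_LINE='deb http://mysecureshell.free.fr/repository/index.php/ubuntu testing main'
MSS_SRC_LINE='deb-src http://mysecureshell.free.fr/repository/index.php/ubuntu testing main'
MSS_KEY_LONG_ID='7601D76CE328F22B'   # long ID gpg printed when importing the key

# Append a line to a file only if that exact line is not already present,
# so re-running the setup never duplicates sources entries.
ensure_line() {
    file=$1; line=$2
    if grep -qxF -- "$line" "$file" 2>/dev/null; then
        return 0
    fi
    printf '%s\n' "$line" >> "$file"
}

# Pull the 16-hex-digit key ID out of gpg's "key XXXX: public key ... imported"
# line and compare it with the expected one. A short ID such as E328F22B is
# not collision resistant, so the import is trusted only on a long-ID match.
key_id_matches() {
    gpg_output=$1; expected=$2
    got=$(printf '%s\n' "$gpg_output" \
          | sed -n 's/^gpg: key \([0-9A-F]\{16\}\):.*/\1/p' | head -n 1)
    [ "$got" = "$expected" ]
}

# Full procedure; run on the server as root. Path of the sources file is a
# hypothetical default of this example.
setup_repo() {
    sources=${1:-/etc/apt/sources.list.d/mysecureshell.list}
    ensure_line "$sources" "$MSS_REPO_LINE"
    ensure_line "$sources" "$MSS_SRC_LINE"
    out=$(gpg --keyserver hkp://pool.sks-keyservers.net --recv-keys E328F22B 2>&1)
    if ! key_id_matches "$out" "$MSS_KEY_LONG_ID"; then
        echo "unexpected key imported, refusing to trust it" >&2
        return 1
    fi
    gpg --export "$MSS_KEY_LONG_ID" | apt-key add -
    apt-get update
    apt-get install -y mysecureshell
}
```

Call setup_repo with no arguments on the server; the two helper functions can be exercised on any machine without touching apt.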
Now you are all set to start the service and check its status:
systemctl start mysecureshell.service
systemctl status mysecureshell.service
Sample Output
# systemctl start mysecureshell.service
root@li1004-153:~# systemctl status mysecureshell.service
* mysecureshell.service - LSB: MySecureShell SFTP Server
   Loaded: loaded (/etc/init.d/mysecureshell; generated)
   Active: active (exited) since Fri 2018-05-18 01:02:17 UTC; 4min 44s ago
     Docs: man:systemd-sysv-generator(8)
    Tasks: 0 (limit: 2322)
   CGroup: /system.slice/mysecureshell.service

May 18 01:02:17 004-153 systemd[1]: Starting LSB: MySecureShell SFTP Server...
May 18 01:02:17 004-153 mysecureshell[1314]: Starting MySecureShell SFTP Server: mysecureshell is now online with restricted features
May 18 01:02:17 004-153 mysecureshell[1314]: Note: To enable all features you have to change mysecureshell binary rights to 4755
May 18 01:02:17 004-153 systemd[1]: Started LSB: MySecureShell SFTP Server.

# systemctl status mysecureshell.service
* mysecureshell.service - LSB: MySecureShell SFTP Server
   Loaded: loaded (/etc/init.d/mysecureshell; generated)
   Active: active (exited) since Fri 2018-05-18 01:02:17 UTC; 50min ago
     Docs: man:systemd-sysv-generator(8)
    Tasks: 0 (limit: 2322)
   CGroup: /system.slice/mysecureshell.service

May 18 01:02:17 004-153 systemd[1]: Starting LSB: MySecureShell SFTP Server...
May 18 01:02:17 004-153 mysecureshell[1314]: Starting MySecureShell SFTP Server: mysecureshell is now online with restricted features
May 18 01:02:17 004-153 mysecureshell[1314]: Note: To enable all features you have to change mysecureshell binary rights to 4755
May 18 01:02:17 004-153 systemd[1]: Started LSB: MySecureShell SFTP Server.
#
Use the commands below to stop and restart the mysecureshell service:
systemctl stop mysecureshell.service
systemctl restart mysecureshell.service
MySecureShell SFTP User Creation
First, we have to find the MySecureShell installation location:
whereis mysecureshell
As you can see in the output below, the mysecureshell installation path is /usr/bin/mysecureshell.
mysecureshell: /usr/bin/mysecureshell /usr/share/man/man8/mysecureshell.8.gz
Now, after verifying the path, let's create a user:
useradd -m -s /usr/bin/mysecureshell testsftpuser
passwd testsftpuser
As you can see in the command above, we create the user and assign the mysecureshell binary as its login shell, so the account gets SFTP access but no interactive shell. You can also give an existing user access to MySecureShell with the command:
sudo usermod -s /usr/bin/mysecureshell testsftpuser
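The user creation above, written as an added example (mine, not the article's or the project's) that also verifies the result: the account is only created if the mysecureshell binary exists, the resulting passwd entry is checked for the restricted shell, and a second function lists every account whose shell is mysecureshell so you can audit which users are SFTP-only. Function names and the passwd lines used in the demo are my own constructions.

```shell
#!/bin/sh
# Added example: create and audit SFTP-only accounts (login shell = mysecureshell).
set -eu

MSS_SHELL=/usr/bin/mysecureshell   # path the article found with "whereis"

# Print the login shell (7th field) of a user from a passwd-format file;
# empty output means the user does not exist in that file.
user_shell() {
    passwd_file=$1; user=$2
    awk -F: -v u="$user" '$1 == u { print $7; exit }' "$passwd_file"
}

# List every account whose login shell is mysecureshell. Useful both to
# confirm an SFTP user has no real shell and to spot an admin account that
# was switched to the restricted shell by mistake.
sftp_only_users() {
    passwd_file=$1
    awk -F: -v s="$MSS_SHELL" '$7 == s { print $1 }' "$passwd_file"
}

# Create the user as the article does, then confirm /etc/passwd really
# carries the restricted shell. Must run as root on the server.
create_sftp_user() {
    user=$1
    [ -x "$MSS_SHELL" ] || { echo "$MSS_SHELL not found; install mysecureshell first" >&2; return 1; }
    useradd -m -s "$MSS_SHELL" "$user"
    passwd "$user"
    [ "$(user_shell /etc/passwd "$user")" = "$MSS_SHELL" ]
}

# Demo on a constructed passwd file (not a real system file).
demo=$(mktemp)
printf '%s\n' \
    'root:x:0:0:root:/root:/bin/bash' \
    'testsftpuser:x:1001:1001::/home/testsftpuser:/usr/bin/mysecureshell' \
    'alice:x:1003:1003::/home/alice:/bin/bash' > "$demo"
sftp_only_users "$demo"      # prints: testsftpuser
rm -f "$demo"
```

On a real server, run sftp_only_users /etc/passwd after each useradd or usermod to confirm that only the intended accounts have the restricted shell.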
User Connection
Now the "testsftpuser" user can connect to your SFTP server from your clients as shown below, using your machine's IP address:
sftp testsftpuser@45.33.54.153
Here 45.33.54.153 is your machine's IP. On success you get the sftp prompt:
Connected to 45.33.54.153
sftp>
You can also log in to your SFTP server with any graphical client, such as FileZilla, from your client system.
MySecureShell Commands
MySecureShell provides the following set of commands to administer your SFTP server:
- sftp-admin
- sftp-kill
- sftp-state
- sftp-user
- sftp-verif
- sftp-who
sftp-admin
This command allows you to manage a MySecureShell server remotely over SSH.
sftp-admin [ssh options] user@hostname
sftp-kill
It disconnects the given user from the SFTP server.
sftp-kill testsftpuser
Kill testsftpuser on PID 1961 (Press "Y" when requested)
sftp-state
Shows the SFTP server status.
# sftp-state
Sample Output
# sftp-state
Server is up
#
sftp-user
This command allows you to create an SFTP user without specifying the shell path as we did before.
sftp-user create test
List the SFTP users (the command followed by its output):
sftp-user list
test
testsftpuser
The following command deletes the user test:
sftp-user delete test
sftp-verif
This command verifies the installation and corrects problems on a MySecureShell server.
sftp-verif
################################################################################
                        MySecureShell Verification Tool
################################################################################

### Verifing file existance ###
/bin/MySecureShell                                                    [ OK ]
/bin/sftp-who                                                         [ OK ]
/bin/sftp-kill                                                        [ OK ]
/bin/sftp-state                                                       [ OK ]
/bin/sftp-admin                                                       [ OK ]
/bin/sftp-verif                                                       [ OK ]
/bin/sftp-user                                                        [ OK ]

### Verifing rights ###
Verifing file rights of /etc/ssh/sftp_config                          [ OK ]
Verifing file rights of /bin/sftp-who                                 [ OK ]
Verifing file rights of /bin/sftp-verif                               [ OK ]
Verifing file rights of /bin/sftp-user                                [ OK ]
Verifing file rights of /bin/sftp-kill                                [ OK ]
Verifing file rights of /bin/sftp-state                               [ OK ]
Verifing file rights of /bin/sftp-admin                               [ OK ]
Verifing file rights of /bin/MySecureShell                            [ OK ]

### Verifing rotation logs ###
Rotation logs have been found                                         [ OK ]

### Verifing server status ###
Verifing server status (ONLINE)                                       [ OK ]
[...]
sftp-who
This command tells you who is currently logged in to the SFTP server.
sftp-who
# sftp-who
--- 1 / 10 clients ---
Global used bandwidth : 0 bytes/s / 0 bytes/s
PID: 2207   Name: testsftpuser   IP: pa39-178-9-194.pa.nsw.optusnet.com.au
        Home: /home/testsftpuser
        Status: idle   Path: /
        File:
        Connected: 2018/05/18 01:30:50 [since 03mins 59s]
        Speed: Download: 0 bytes/s [5.00 kbytes/s]   Upload: 0 bytes/s [unlimited]
        Total: Download: 924 bytes   Upload: 100 bytes
#
Configuration
The main MySecureShell config file is /etc/ssh/sftp_config. In it you can configure upload and download bandwidth, chroot users, the maximum number of connections, and so on. You can apply these options to everybody or only to a particular group.
cat /etc/ssh/sftp_config
Default tag
The Default tag is used when you want to apply a configuration to all of your users. The settings below are the ones shipped in the default sftp_config (the tags are written in angle brackets in the file itself):
#Default rules for everybody
<Default>
    GlobalDownload        50k     #total speed download for all clients
                                  # o -> bytes k -> kilo bytes m -> mega bytes
    GlobalUpload          0       #total speed download for all clients (0 for unlimited)
    Download              5k      #limit speed download for each connection
    Upload                0       #unlimit speed upload for each connection
    StayAtHome            true    #limit client to his home
    VirtualChroot         true    #fake a chroot to the home account
    LimitConnection       10      #max connection for the server sftp
    LimitConnectionByUser 1       #max connection for the account
    LimitConnectionByIP   2       #max connection by ip for the account
    Home                  /home/$USER   #overrite home of the user but if you want you can use
                                        # environment variable (ie: Home /home/$USER)
    IdleTimeOut           5m      #(in second) deconnect client is idle too long time
    ResolveIP             true    #resolve ip to dns
    LogFile               /var/log/sftp-server_ftp.log

#   IgnoreHidden          true    #treat all hidden files as if they don't exist
#   DirFakeUser           true    #Hide real file/directory owner (just change displayed permissions)
#   DirFakeGroup          true    #Hide real file/directory group (just change displayed permissions)
#   DirFakeMode           0400    #Hide real file/directory rights (just change displayed permissions)
                                  #Add execution right for directory if read right is set
    HideNoAccess          true    #Hide file/directory which user has no access
#   MaxOpenFilesForUser   20      #limit user to open x files on same time
#   MaxWriteFilesForUser  10      #limit user to x upload on same time
#   MaxReadFilesForUser   10      #limit user to x download on same time
    DefaultRights         0640 0750   #Set default rights for new file and new directory
#   MinimumRights         0400 0700   #Set minimum rights for files and dirs
    ShowLinksAsLinks      false   #show links as their destinations
#   ConnectionMaxLife     1d      #limits connection lifetime to 1 day
#   Charset               "ISO-8859-15"   #set charset of computer
</Default>
Note: logging is not enabled by default; you define the log file location with the LogFile directive in the config file.
FileSpec tag
The FileSpec tag is used to create filters on files and directories. Each filter has a name (the word "name" below is a placeholder) and is applied in a Default, Group or User block with "ApplyFileSpec name":
<FileSpec name>
    # Only check against filenames/folder names only
    UseFullPath  false
    # we can use multiple deny/allow directives for clarity
    Order        DenyAllow
    Deny         ".*.exe$"
    Deny         ".*.sh$"
    Allow        all
</FileSpec>
User tag
The User tag defines settings for a specific user, here the home folder:
<User tom>
    Home  /home/tom
</User>
VirtualHost tag
The VirtualHost tag sets limitations based on the virtual host name. The opening tag names the virtual host as hostname:port; "hostname:port" below is a placeholder for your own value:
<VirtualHost hostname:port>
    # Set home directory for this virtualhost
    Home                   /var/www/html/www.mysftpsite.com
    # Set dedicated log file
    LogFile                /var/log/sftp/www.mysftpsite.com
    # Override the maximum number of connection per user
    LimitConnectionByUser  5
</VirtualHost>
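As an added example (mine, not the article's or the MySecureShell project's), here is a small audit of the Default block that checks the settings the configuration above relies on to keep users confined and logged: StayAtHome, VirtualChroot, HideNoAccess and LogFile. It parses only the <Default> block, so a User or VirtualHost override is not considered; the function names are my own and the sample config written by the demo is constructed, not a real server file.

```shell
#!/bin/sh
# Added example: audit /etc/ssh/sftp_config for the confinement and logging
# directives of the <Default> block. Not part of MySecureShell.
set -eu

# Print the value of a directive inside <Default> ... </Default>, ignoring
# commented-out lines and trailing comments; empty output means "not set".
default_value() {
    config=$1; key=$2
    awk -v k="$key" '
        /^[ \t]*<Default>/    { in_default = 1; next }
        /^[ \t]*<\/Default>/  { in_default = 0 }
        in_default && $1 == k { print $2; exit }
    ' "$config"
}

# One WARN line on stderr per finding; the number of findings on stdout.
audit_sftp_config() {
    config=$1; findings=0
    [ -r "$config" ] || { echo "cannot read $config" >&2; return 2; }
    # Booleans that confine the user to a (virtual) chroot of their home
    # and hide entries they cannot access anyway.
    for kv in "StayAtHome:true" "VirtualChroot:true" "HideNoAccess:true"; do
        key=${kv%%:*}; want=${kv#*:}
        got=$(default_value "$config" "$key")
        if [ "$got" != "$want" ]; then
            echo "WARN: $key is '${got:-unset}', expected $want" >&2
            findings=$((findings + 1))
        fi
    done
    # The article notes logging is off unless LogFile is defined.
    if [ -z "$(default_value "$config" LogFile)" ]; then
        echo "WARN: LogFile is unset; transfers will not be logged" >&2
        findings=$((findings + 1))
    fi
    echo "$findings"
}

# Demo on a constructed config with weak settings (not a real server file).
demo=$(mktemp)
printf '%s\n' '<Default>' \
    '    StayAtHome     false   #limit client to his home' \
    '    VirtualChroot  true' \
    '#   HideNoAccess   true' \
    '</Default>' > "$demo"
audit_sftp_config "$demo"    # three WARN lines, then prints 3
rm -f "$demo"
```

Run audit_sftp_config /etc/ssh/sftp_config after editing the file and again after sftp-verif; a non-zero count tells you which of the confinement settings was lost.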
gFTP Installation
Now, let us install gFTP on Ubuntu 18.04 by following the steps below:
sudo apt-get install gftp
- Open gFTP from Applications
- Enter the SFTP server's IP address, the port number (the default, or the one specified while configuring the server), the username and password, select SSH2 as the protocol, and press Enter to log in
- If the login attempt is successful, we are connected to the SFTP server using gFTP
That's all for now. At this stage, you will have a working SFTP server. I hope you like this tutorial. I have left some of the configuration for you to explore on your own; kindly comment with the configuration you did for yourself, which will help our Linoxide community learn and grow. Thank you.
Hi,
Is there a way to define download transfer amount per user in mysecureshell? Let say a user is allowed to download 2 GB per month.
Thanks,
Pawel