How to Setup MySecureShell SFTP Server on Ubuntu 18.04

In this article, I will explain how to set up an SFTP server using MySecureShell on Ubuntu 18.04. SFTP is a secure way of transferring files over an encrypted SSH connection. Though it's widely supported by modern FTP clients, it's a completely different protocol from FTP (File Transfer Protocol).

You might ask why MySecureShell instead of a traditional FTP server. Here are a few of its features:

  • Secured data transfer using SSH
  • No need to manage SSL certificates
  • Easy to install and configure
  • Limit Bandwidth usage
  • Files and folders restrictions
  • Access Control List using IP/Username/Groups/VirtualHost
  • Restrict users to have sftp only (shell access is disabled by default)
  • Enhanced logging system

Let's start with the installation. Basic knowledge of FTP is sufficient for understanding this tutorial.

Installation

From Ubuntu 15.04 onwards, MySecureShell is available in the default repositories. We are using Ubuntu 18.04 for this installation. Run the command below to install MySecureShell.

apt-get install mysecureshell

If the package is not available, follow the steps below. Make sure all of the following steps are run as the root user.

vim /etc/apt/sources.list

Add the following 2 lines:

deb http://mysecureshell.free.fr/repository/index.php/ubuntu testing main
deb-src http://mysecureshell.free.fr/repository/index.php/ubuntu testing main

Now add the GPG key:

gpg --keyserver hkp://pool.sks-keyservers.net --recv-keys E328F22B; gpg --export E328F22B | apt-key add
gpg: keybox '/root/.gnupg/pubring.kbx' created
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 7601D76CE328F22B: public key "MySecureShell repository " imported
gpg: Total number processed: 1
gpg:           	imported: 1
OK

Once the repository is added, you can start the installation:

apt-get update
apt-get install mysecureshell

Now you can start the service and check its status:

systemctl start mysecureshell.service
systemctl status mysecureshell.service

Sample Output

# systemctl start mysecureshell.service
[email protected]:~# systemctl status mysecureshell.service
* mysecureshell.service - LSB: MySecureShell SFTP Server
   Loaded: loaded (/etc/init.d/mysecureshell; generated)
   Active: active (exited) since Fri 2018-05-18 01:02:17 UTC; 4min 44s ago
     Docs: man:systemd-sysv-generator(8)
    Tasks: 0 (limit: 2322)
   CGroup: /system.slice/mysecureshell.service

May 18 01:02:17 004-153 systemd[1]: Starting LSB: MySecureShell SFTP Server...
May 18 01:02:17 004-153 mysecureshell[1314]: Starting MySecureShell SFTP Server: mysecureshell is now online with restricted features
May 18 01:02:17 004-153 mysecureshell[1314]: Note: To enable all features you have to change mysecureshell binary rights to 4755
May 18 01:02:17 004-153 systemd[1]: Started LSB: MySecureShell SFTP Server.

# systemctl status mysecureshell.service
* mysecureshell.service - LSB: MySecureShell SFTP Server
   Loaded: loaded (/etc/init.d/mysecureshell; generated)
   Active: active (exited) since Fri 2018-05-18 01:02:17 UTC; 50min ago
     Docs: man:systemd-sysv-generator(8)
    Tasks: 0 (limit: 2322)
   CGroup: /system.slice/mysecureshell.service

May 18 01:02:17 004-153 systemd[1]: Starting LSB: MySecureShell SFTP Server...
May 18 01:02:17 004-153 mysecureshell[1314]: Starting MySecureShell SFTP Server: mysecureshell is now online with restricted features
May 18 01:02:17 004-153 mysecureshell[1314]: Note: To enable all features you have to change mysecureshell binary rights to 4755
May 18 01:02:17 004-153 systemd[1]: Started LSB: MySecureShell SFTP Server.
#

Use the commands below to stop and restart the mysecureshell service:

systemctl stop mysecureshell.service
systemctl restart mysecureshell.service

MySecureShell SFTP User Creation

First, we have to find where MySecureShell is installed:

whereis mysecureshell

As you see in the output below, the mysecureshell installation path is /usr/bin/mysecureshell.

mysecureshell: /usr/bin/mysecureshell /usr/share/man/man8/mysecureshell.8.gz

Now, after verifying the path, let's create a user:

useradd -m -s /usr/bin/mysecureshell testsftpuser
passwd testsftpuser

As you see in the above command, we are creating a user and setting the user's login shell to the mysecureshell path. You can also give existing users access to MySecureShell with the command:

sudo usermod -s /usr/bin/mysecureshell testsftpuser

User Connection

Now the "testsftpuser" user can connect to your SFTP server from a client, using your machine's IP address, as shown below:

sftp [email protected]

Your machine’s IP

Connected to 45.33.54.153
sftp>

You can also log in to your SFTP server with a graphical client such as FileZilla from your client system.

MySecureShell Commands

MySecureShell has the following set of commands to administer your SFTP server.

  • sftp-admin
  • sftp-kill
  • sftp-state
  • sftp-user
  • sftp-verif
  • sftp-who

sftp-admin

This command lets you manage a MySecureShell server remotely.

sftp-admin [ssh options] [email protected]

sftp-kill

This command disconnects the user from the SFTP server.

sftp-kill testsftpuser
Kill testsftpuser on PID 1961
(Press "Y" when requested)

sftp-state

This command shows the SFTP server status.

# sftp-state

Sample Output

# sftp-state
Server is up
#

sftp-user

This command lets you create an SFTP user without specifying the shell path as we did before.

sftp-user create test

List the SFTP users:

sftp-user list
test
testsftpuser

The following command deletes the user test:

sftp-user delete test

sftp-verif

This command will verify and correct problems on a MySecureShell server.

sftp-verif
################################################################################
MySecureShell Verification Tool
################################################################################

### Verifing file existance ###

/bin/MySecureShell                                                       [ OK ]
/bin/sftp-who                                                            [ OK ]
/bin/sftp-kill                                                           [ OK ]
/bin/sftp-state                                                          [ OK ]
/bin/sftp-admin                                                          [ OK ]
/bin/sftp-verif                                                          [ OK ]
/bin/sftp-user                                                           [ OK ]

### Verifing rights ###

Verifing file rights of /etc/ssh/sftp_config                             [ OK ]
Verifing file rights of /bin/sftp-who                                    [ OK ]
Verifing file rights of /bin/sftp-verif                                  [ OK ]
Verifing file rights of /bin/sftp-user                                   [ OK ]
Verifing file rights of /bin/sftp-kill                                   [ OK ]
Verifing file rights of /bin/sftp-state                                  [ OK ]
Verifing file rights of /bin/sftp-admin                                  [ OK ]
Verifing file rights of /bin/MySecureShell                               [ OK ]

### Verifing rotation logs ###
Rotation logs have been found                                            [ OK ]
### Verifing server status ###
Verifing server status (ONLINE)                                          [ OK ]
[...]

sftp-who

This command tells you who is currently logged in to the SFTP server.

sftp-who
# sftp-who
--- 1 / 10 clients ---
Global used bandwidth : 0 bytes/s / 0 bytes/s
PID: 2207   Name: testsftpuser   IP: pa39-178-9-194.pa.nsw.optusnet.com.au
        Home: /home/testsftpuser
        Status: idle    Path: /
        File:
        Connected: 2018/05/18 01:30:50 [since 03mins 59s]
        Speed: Download: 0 bytes/s [5.00 kbytes/s]  Upload: 0 bytes/s [unlimited]
        Total: Download: 924 bytes   Upload: 100 bytes
#

Configuration

The main MySecureShell config file is /etc/ssh/sftp_config. In it you can configure upload and download bandwidth, chroot users, the maximum number of connections and so on. You can apply these options either to everybody or just to a particular group.

cat /etc/ssh/sftp_config

Default tag

The Default tag is used when you want to apply a configuration to all of your users.

#Default rules for everybody
<Default>
        GlobalDownload          50k     #total speed download for all clients
                                        # o -> bytes   k -> kilo bytes   m -> mega bytes
        GlobalUpload            0       #total speed download for all clients (0 for unlimited)
        Download                5k      #limit speed download for each connection
        Upload                  0       #unlimit speed upload for each connection
        StayAtHome              true    #limit client to his home
        VirtualChroot           true    #fake a chroot to the home account
        LimitConnection         10      #max connection for the server sftp
        LimitConnectionByUser   1       #max connection for the account
        LimitConnectionByIP     2       #max connection by ip for the account
        Home                    /home/$USER     #overrite home of the user but if you want you can use
                                                #       environment variable (ie: Home /home/$USER)
        IdleTimeOut             5m      #(in second) deconnect client is idle too long time
        ResolveIP               true    #resolve ip to dns
        LogFile         /var/log/sftp-server_ftp.log
#       IgnoreHidden            true    #treat all hidden files as if they don't exist
#       DirFakeUser             true    #Hide real file/directory owner (just change displayed permissions)
#       DirFakeGroup            true    #Hide real file/directory group (just change displayed permissions)
#       DirFakeMode             0400    #Hide real file/directory rights (just change displayed permissions)
                                        #Add execution right for directory if read right is set
        HideNoAccess            true    #Hide file/directory which user has no access
#       MaxOpenFilesForUser     20      #limit user to open x files on same time
#       MaxWriteFilesForUser    10      #limit user to x upload on same time
#       MaxReadFilesForUser     10      #limit user to x download on same time
        DefaultRights           0640 0750       #Set default rights for new file and new directory
#       MinimumRights           0400 0700       #Set minimum rights for files and dirs

        ShowLinksAsLinks        false   #show links as their destinations
#       ConnectionMaxLife       1d      #limits connection lifetime to 1 day

#       Charset                 "ISO-8859-15"   #set charset of computer

</Default>

Note: Logs are not enabled by default; you can define the log file location in the config file.
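
The containment and logging directives in the Default block above can be checked mechanically. The script below is an added example, not part of MySecureShell or of the original tutorial: the function name audit_sftp_config and the choice of which directives count as the baseline are assumptions of this example, and it expects the <Default> ... </Default> tag form used in /etc/ssh/sftp_config. Both sample configurations are constructed.

```shell
#!/usr/bin/env bash
# Added example: audit the <Default> block of a MySecureShell sftp_config.
# The baseline of required directives is this example's own assumption.

# audit_sftp_config [FILE]: reads FILE or stdin, prints one WARN line per
# finding, returns 1 if anything was reported and 0 otherwise.
audit_sftp_config() {
    local out
    out=$(awk '
        function need_true(k) { if (val[k] != "true") print "WARN: " k " is not true in <Default>" }
        function need_set(k)  { if (val[k] == "")     print "WARN: " k " is not set in <Default>" }
        { sub(/#.*/, "") }                                 # strip comments first
        /^[ \t]*<Default>/   { inside = 1; next }
        /^[ \t]*<\/Default>/ { inside = 0; next }
        inside && NF >= 2    { val[$1] = tolower($2) }     # directive -> value
        END {
            need_true("StayAtHome"); need_true("VirtualChroot")
            need_set("LogFile"); need_set("IdleTimeOut"); need_set("LimitConnectionByUser")
        }' "$@")
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed sample: the containment and logging lines from the tutorial.
sample_hardened() {
    cat <<'EOF'
<Default>
        StayAtHome              true    #limit client to his home
        VirtualChroot           true    #fake a chroot to the home account
        LimitConnectionByUser   1
        IdleTimeOut             5m
        LogFile         /var/log/sftp-server_ftp.log
</Default>
EOF
}

# Constructed sample: home restriction off, timeout and log commented out.
sample_weak() {
    cat <<'EOF'
<Default>
        StayAtHome              false
        VirtualChroot           true
#       IdleTimeOut             5m
#       LogFile         /var/log/sftp-server_ftp.log
</Default>
EOF
}

sample_hardened | audit_sftp_config && echo "hardened sample: no findings"
sample_weak     | audit_sftp_config || echo "weak sample: findings listed above"
```

On a real server, run it as audit_sftp_config /etc/ssh/sftp_config after each configuration change.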

FileSpec tag

The FileSpec tag is used to create filters on files and directories.

<FileSpec>
    # Only check against filenames/folder names only
    UseFullPath false

    # we can use multiple deny/allow directives for clarity
    Order DenyAllow
    Deny ".*.exe$"
    Deny ".*.sh$"
    Allow all
</FileSpec>

User tag

The User tag applies a configuration to a specific user, for example the user's home folder.

<User tom>
    Home /home/tom
</User>

VirtualHost tag

The VirtualHost tag sets limitations based on the virtual host name.

<VirtualHost>
    # Set home directory for this virtualhost
    Home                    /var/www/html/www.mysftpsite.com
    # Set dedicated log file
    LogFile                 /var/log/sftp/www.mysftpsite.com
    # Override the maximum number of connection per user
    LimitConnectionByUser   5
</VirtualHost>

gFTP Installation

Now let's install gFTP on Ubuntu 18.04. Follow the steps below:

sudo apt-get install gftp
  • Open gFTP from Applications
  • Enter the SFTP server's IP address, port number (default, or the one specified while configuring the server), username and password, and use SSH2. Press Enter to log in
  • If the login attempt is successful, we are connected to SFTP using gFTP

That’s all for now. At this stage, you will have a working SFTP server. I hope you like this tutorial. I have left some of the configuration for you to learn on your own; kindly comment with the configuration you made for yourself, which will help our Linoxide Community learn and grow. Thank you.

Yash Vasa 9:31 am
