Difference between revisions of "Creating SFTP jail chroot"
From Pulsed Media Wiki
(Created page with "== Creating a Chroot SFTP Jail on Debian == Setting up a chroot jail for SFTP (Secure File Transfer Protocol) enhances security by restricting users to a specific directory....") |
|||
| Line 1: | Line 1: | ||
== Creating a Chroot SFTP Jail on Debian == | == Creating a Chroot SFTP Jail on Debian == | ||
| − | Setting up a chroot jail for SFTP (Secure File Transfer Protocol) enhances security by restricting users to a specific directory. This guide outlines how to create and configure an SFTP-only chroot jail on Debian-based systems, suitable for both VPS and dedicated servers. | + | Setting up a chroot jail for [[SFTP]] (Secure File Transfer Protocol) enhances security by restricting users to a specific directory. This guide outlines how to create and configure an [[SFTP]]-only chroot jail on Debian-based systems, suitable for both [[VPS]] and dedicated servers. |
=== Prerequisites === | === Prerequisites === | ||
| − | * Debian 10, 11, or 12 (or derivative such as Ubuntu) | + | * [[Debian]] 10, 11, or 12 (or derivative such as Ubuntu) |
* Root or sudo access | * Root or sudo access | ||
* OpenSSH server installed and running | * OpenSSH server installed and running | ||
| − | Verify SSH is installed: | + | Verify [[SSH]] is installed: |
| + | |||
| + | |||
| + | sudo apt update | ||
| + | sudo apt install openssh-server -y | ||
| − | |||
| − | |||
| − | |||
| − | |||
=== Step 1: Create an SFTP Group === | === Step 1: Create an SFTP Group === | ||
| Line 20: | Line 20: | ||
Create a dedicated group for chrooted SFTP users. | Create a dedicated group for chrooted SFTP users. | ||
| − | + | ||
| − | sudo groupadd sftpusers | + | sudo groupadd sftpusers |
| − | + | ||
=== Step 2: Create a New User with Limited Access === | === Step 2: Create a New User with Limited Access === | ||
| Line 28: | Line 28: | ||
Create a user, assign them to the SFTP group, and set a home directory outside of shared directories. | Create a user, assign them to the SFTP group, and set a home directory outside of shared directories. | ||
| − | + | ||
| − | sudo useradd -m -d /home/sftp-user -s /usr/sbin/nologin -G sftpusers sftp-user | + | sudo useradd -m -d /home/sftp-user -s /usr/sbin/nologin -G sftpusers sftp-user |
| − | sudo passwd sftp-user | + | sudo passwd sftp-user |
| − | + | ||
This ensures the user cannot SSH into the server, only access SFTP. | This ensures the user cannot SSH into the server, only access SFTP. | ||
| Line 37: | Line 37: | ||
=== Step 3: Set Up the Chroot Directory Structure === | === Step 3: Set Up the Chroot Directory Structure === | ||
| − | + | ||
| − | sudo mkdir -p /home/sftp-user/uploads | + | sudo mkdir -p /home/sftp-user/uploads |
| − | sudo chown root:root /home/sftp-user | + | sudo chown root:root /home/sftp-user |
| − | sudo chmod 755 /home/sftp-user | + | sudo chmod 755 /home/sftp-user |
| − | sudo chown sftp-user:sftpusers /home/sftp-user/uploads | + | sudo chown sftp-user:sftpusers /home/sftp-user/uploads |
| − | + | ||
* The chroot root must be owned by root and not writable by any other user. | * The chroot root must be owned by root and not writable by any other user. | ||
| Line 51: | Line 51: | ||
Edit the SSH configuration file: | Edit the SSH configuration file: | ||
| − | + | ||
| − | sudo nano /etc/ssh/sshd_config | + | sudo nano /etc/ssh/sshd_config |
| − | |||
At the bottom of the file, add: | At the bottom of the file, add: | ||
| − | + | ||
Match Group sftpusers | Match Group sftpusers | ||
ChrootDirectory %h | ChrootDirectory %h | ||
| Line 63: | Line 62: | ||
X11Forwarding no | X11Forwarding no | ||
AllowTcpForwarding no | AllowTcpForwarding no | ||
| − | + | ||
Save and close the file. | Save and close the file. | ||
| Line 71: | Line 70: | ||
Apply the new SSH configuration: | Apply the new SSH configuration: | ||
| − | + | ||
| − | sudo systemctl restart ssh | + | sudo systemctl restart ssh |
| − | + | ||
=== Step 6: Test the SFTP Jail === | === Step 6: Test the SFTP Jail === | ||
| Line 79: | Line 78: | ||
From a client system, test using: | From a client system, test using: | ||
| − | + | ||
| − | sftp sftp-user@your_server_ip | + | sftp sftp-user@your_server_ip |
| − | + | ||
The user should only be able to access the `/uploads` folder and not navigate outside their home directory. | The user should only be able to access the `/uploads` folder and not navigate outside their home directory. | ||
| Line 94: | Line 93: | ||
Example: | Example: | ||
| − | + | ||
| − | DenyUsers sftp-user | + | DenyUsers sftp-user |
| − | + | ||
=== Troubleshooting Tips === | === Troubleshooting Tips === | ||
| Line 103: | Line 102: | ||
* Check `sshd` logs for errors: | * Check `sshd` logs for errors: | ||
| − | + | ||
| − | sudo journalctl -xe | grep ssh | + | sudo journalctl -xe | grep ssh |
| − | + | ||
* Verify SSH config syntax before restarting: | * Verify SSH config syntax before restarting: | ||
| − | + | ||
| − | sudo sshd -t | + | sudo sshd -t |
| − | + | ||
=== Summary === | === Summary === | ||
| Line 136: | Line 135: | ||
* [[SFTP]] | * [[SFTP]] | ||
* [[Secure Shell]] | * [[Secure Shell]] | ||
| + | |||
| + | [[Category:Guides]] | ||
Latest revision as of 23:02, 28 May 2025
Contents
- 1 Creating a Chroot SFTP Jail on Debian
- 1.1 Prerequisites
- 1.2 Step 1: Create an SFTP Group
- 1.3 Step 2: Create a New User with Limited Access
- 1.4 Step 3: Set Up the Chroot Directory Structure
- 1.5 Step 4: Configure SSH for Chroot SFTP
- 1.6 Step 5: Restart SSH
- 1.7 Step 6: Test the SFTP Jail
- 1.8 Optional: Restrict Permissions Further
- 1.9 Troubleshooting Tips
- 1.10 Summary
- 1.11 See Also
Creating a Chroot SFTP Jail on Debian
Setting up a chroot jail for SFTP (Secure File Transfer Protocol) enhances security by restricting users to a specific directory. This guide outlines how to create and configure an SFTP-only chroot jail on Debian-based systems, suitable for both VPS and dedicated servers.
Prerequisites
- Debian 10, 11, or 12 (or derivative such as Ubuntu)
- Root or sudo access
- OpenSSH server installed and running
Verify SSH is installed:
sudo apt update sudo apt install openssh-server -y
Step 1: Create an SFTP Group
Create a dedicated group for chrooted SFTP users.
sudo groupadd sftpusers
Step 2: Create a New User with Limited Access
Create a user, assign them to the SFTP group, and set a home directory outside of shared directories.
sudo useradd -m -d /home/sftp-user -s /usr/sbin/nologin -G sftpusers sftp-user sudo passwd sftp-user
This ensures the user cannot SSH into the server, only access SFTP.
Step 3: Set Up the Chroot Directory Structure
sudo mkdir -p /home/sftp-user/uploads sudo chown root:root /home/sftp-user sudo chmod 755 /home/sftp-user sudo chown sftp-user:sftpusers /home/sftp-user/uploads
- The chroot root must be owned by root and not writable by any other user.
- The actual upload area should be owned by the SFTP user.
Step 4: Configure SSH for Chroot SFTP
Edit the SSH configuration file:
sudo nano /etc/ssh/sshd_config
At the bottom of the file, add:
Match Group sftpusers
ChrootDirectory %h ForceCommand internal-sftp X11Forwarding no AllowTcpForwarding no
Save and close the file.
Step 5: Restart SSH
Apply the new SSH configuration:
sudo systemctl restart ssh
Step 6: Test the SFTP Jail
From a client system, test using:
sftp sftp-user@your_server_ip
The user should only be able to access the `/uploads` folder and not navigate outside their home directory.
Optional: Restrict Permissions Further
If you want to ensure additional restrictions:
- Use ACLs to manage access to shared folders
- Deny SSH access via `DenyUsers` directive if needed
Example:
DenyUsers sftp-user
Troubleshooting Tips
- Ensure `/home/sftp-user` is owned by `root:root` and has `755` permissions.
- Check `sshd` logs for errors:
sudo journalctl -xe | grep ssh
- Verify SSH config syntax before restarting:
sudo sshd -t
Summary
| Step | Command or File | Purpose |
|---|---|---|
| 1 | groupadd sftpusers |
Create SFTP-only group |
| 2 | useradd -m -d /home/sftp-user -s /usr/sbin/nologin -G sftpusers sftp-user |
Add restricted user |
| 3 | mkdir /uploads, permission setup |
Isolate upload area |
| 4 | /etc/ssh/sshd_config |
Force internal-sftp in chroot |
| 5 | systemctl restart ssh |
Apply config |
| 6 | sftp user@ip |
Test restricted login |
