{"id":921,"date":"2024-10-25T02:28:39","date_gmt":"2024-10-24T21:28:39","guid":{"rendered":"https:\/\/blake.azuela.info\/?p=921"},"modified":"2024-10-28T21:46:33","modified_gmt":"2024-10-28T16:46:33","slug":"setting-up-sftp-on-almalinux-centos-or-debian-ubuntu","status":"publish","type":"post","link":"https:\/\/blake.azuela.info\/index.php\/2024\/10\/25\/setting-up-sftp-on-almalinux-centos-or-debian-ubuntu\/","title":{"rendered":"Setting Up SFTP on AlmaLinux\/CentOS or Debian\/Ubuntu"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\"><br>Setting up an SFTP server should be smooth and efficient, and with this guide, you&#8217;ll have it done in no time! Whether you&#8217;re using <strong>AlmaLinux\/CentOS<\/strong> or <strong>Ubuntu\/Debian<\/strong>, this step-by-step tutorial will walk you through the setup for a secure, organized, and scalable SFTP solution. Let\u2019s get into it and enjoy the process! \ud83d\ude80<br>Looking for something even easier than this guide? <br>I created a script to do all this for you on <a href=\"https:\/\/github.com\/blakelton\/SetupSFTP\" target=\"_new\" rel=\"noopener\" title=\"GitHub here\">GitHub here<\/a>.\ud83e\udd13 Enjoy!<br><br>You can run the following command to download and run the script (requires root\/sudo) directly. No waiting!\u26a1:<br><code>curl -sSL https:\/\/raw.githubusercontent.com\/blakelton\/SetupSFTP\/main\/SetupSFTP.sh -o SetupSFTP.sh &amp;&amp; chmod +x SetupSFTP.sh &amp;&amp; sudo .\/SetupSFTP.sh<\/code><br><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Step 1: Installing OpenSSH \ud83d\udee0\ufe0f<\/strong><\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">First things first: installing the OpenSSH server. 
Since SFTP runs on SSH, we\u2019ll need this set up before anything else.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>For AlmaLinux\/CentOS:<\/strong><\/li>\n\n\n\n<li><code>sudo dnf install openssh-server<\/code><\/li>\n\n\n\n<li><strong>For Ubuntu\/Debian:<\/strong><\/li>\n\n\n\n<li><code>sudo apt update <\/code><\/li>\n\n\n\n<li><code>sudo apt install openssh-server<\/code><\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Once installed, let\u2019s make sure SSH starts up right away and on boot:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>For AlmaLinux\/CentOS:<\/strong><\/li>\n\n\n\n<li><code>sudo systemctl start sshd <\/code><\/li>\n\n\n\n<li><code>sudo systemctl enable sshd<\/code><\/li>\n\n\n\n<li><strong>For Ubuntu\/Debian:<\/strong><\/li>\n\n\n\n<li><code>sudo systemctl start ssh <\/code><\/li>\n\n\n\n<li><code>sudo systemctl enable ssh<\/code><\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">\ud83c\udf89 <em>With SSH installed and running, we\u2019re ready for the next step!<\/em><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Step 2: Creating an SFTP Group \ud83d\udc65<\/strong><\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">We\u2019re all about keeping things tidy and secure, so let\u2019s create a dedicated group for our SFTP users. 
This ensures that only certain users can access SFTP, making management easier.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>For both AlmaLinux\/CentOS and Ubuntu\/Debian:<\/strong><\/li>\n\n\n\n<li><code>sudo groupadd sftpusers<\/code><\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><em>\ud83d\udcda This step keeps things organized and helps us stay in control of who can access the system.<\/em><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Step 3: Creating Your SFTP User \ud83d\udc64<\/strong><\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Next, let\u2019s create the user who will actually use SFTP. We\u2019ll assign them to the <code>sftpusers<\/code> group we just created and give them a proper shell for flexibility.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>For both AlmaLinux\/CentOS and Ubuntu\/Debian:<\/strong><\/li>\n\n\n\n<li><code>sudo useradd -m -G sftpusers -s \/bin\/bash sftpuser<\/code><\/li>\n\n\n\n<li><code>sudo passwd sftpuser<\/code><\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">\ud83d\ude80 <em>Our user is set up and ready to start uploading!<\/em><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Step 4: Setting Up the SFTP Directory \ud83d\udcc2<\/strong><\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">To keep things secure and prevent issues with <code>.ssh<\/code> files, we\u2019ll create a dedicated directory for SFTP uploads. 
This ensures that everything is neatly separated and secure.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>For both AlmaLinux\/CentOS and Ubuntu\/Debian:<\/strong><\/li>\n\n\n\n<li><code>sudo mkdir -p \/srv\/sftp\/shared\/<\/code><\/li>\n\n\n\n<li><code>sudo chown root:root \/srv\/sftp\/shared\/<\/code><\/li>\n\n\n\n<li><code>sudo chmod 755 \/srv\/sftp\/shared\/<\/code><\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">\ud83d\udca1 <em>Now, we have a clean, secure location for file transfers!<\/em><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Step 5: Configuring SSH \u2699\ufe0f<\/strong><\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Next, we\u2019ll configure SSH to restrict users in the <code>sftpusers<\/code> group to SFTP and prevent them from accessing the entire system.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>For AlmaLinux\/CentOS:<\/strong><br><code>sudo nano \/etc\/ssh\/sshd_config<\/code><\/li>\n\n\n\n<li><strong>For Ubuntu\/Debian:<\/strong><br><code>sudo nano \/etc\/ssh\/sshd_config<\/code><\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Add the following lines at the end of the file to enforce SFTP access and set the directory to <code>\/srv\/sftp\/shared\/<\/code>:<\/p>\n\n\n\n<pre class=\"wp-block-code has-text-color has-link-color wp-elements-6c708e3f574e91bf8c97b25bfd30e505\" style=\"color:#d22e93\"><code>Match Group sftpusers\n    # The chroot path must be owned by root and not writable by group or others\n    ChrootDirectory \/srv\/sftp\/shared\/\n    ForceCommand internal-sftp\n    AllowTcpForwarding no\n    X11Forwarding no\n    # Still inside the Match block: these apply only to members of sftpusers\n    PasswordAuthentication yes\n    PubkeyAuthentication yes<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Restart the SSH service to apply the changes:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>For AlmaLinux\/CentOS:<\/strong><\/li>\n\n\n\n<li><code>sudo systemctl restart sshd<\/code><\/li>\n\n\n\n<li><strong>For 
Ubuntu\/Debian:<\/strong><\/li>\n\n\n\n<li><code>sudo systemctl restart ssh<\/code><\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">\ud83d\udd10 <em>Your SFTP users are now securely locked into the shared directory!<\/em><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Step 6: Configuring the Firewall \ud83d\udd12<\/strong><\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">To ensure that your SFTP server is accessible, we need to open the right ports. Let\u2019s allow SSH (which includes SFTP) through the firewall.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>For AlmaLinux\/CentOS (Firewalld):<\/strong><\/li>\n\n\n\n<li><code>sudo firewall-cmd --zone=public --permanent --add-service=ssh<\/code><\/li>\n\n\n\n<li><code>sudo firewall-cmd --reload<\/code><\/li>\n\n\n\n<li><strong>For Ubuntu\/Debian (UFW):<\/strong><\/li>\n\n\n\n<li><code>sudo ufw allow OpenSSH<\/code><\/li>\n\n\n\n<li><code>sudo ufw enable<\/code><\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">\ud83c\udf89 <em>The firewall is configured, and your server is now ready for connections!<\/em><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Step 7: Testing Your Setup \ud83e\uddea<\/strong><\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">It\u2019s time to test your configuration and ensure everything is working. 
Depending on your setup, you\u2019ll use either a local IP address, a hostname, or a domain.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>If using a local network<\/strong> (e.g., testing on a home or office network):<\/h4>\n\n\n\n<pre class=\"wp-block-preformatted has-text-color has-link-color wp-elements-4a149904329a878994e035f5dd947a24\" style=\"color:#d22e93\">sftp sftpuser@&lt;local-ip-address&gt;<br><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Example:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted has-text-color has-link-color wp-elements-fdba99d5aab030f7b30dbb8e4a622915\" style=\"color:#d22e93\"><code>sftp sftpuser@192.168.1.100<br><\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>If using a domain name<\/strong> (e.g., a registered domain):<\/h4>\n\n\n\n<pre class=\"wp-block-preformatted has-text-color has-link-color wp-elements-d8b7760c6e715081d6651e6bc5f60f4e\" style=\"color:#d22e93\"><code>sftp sftpuser@&lt;your-domain-name&gt;<br><\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Example:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted has-text-color has-link-color wp-elements-aa6efbd66ae3cd599364f003a477d836\" style=\"color:#d22e93\"><code>sftp sftpuser@yourdomain.com<br><\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">This command will attempt to connect to your SFTP server. Once connected, you\u2019ll be able to transfer files securely within the <code>\/srv\/sftp\/shared\/<\/code> directory.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">If all went well, you should be able to log in and only access the <code>\/srv\/sftp\/shared<\/code> directory. Success! 
\ud83d\udc4f<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Optional: Changing the SSH Port for Extra Security \ud83d\udd12<\/strong><\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">For enhanced security, it\u2019s common to change the default SSH port (22) to something less common. Let\u2019s walk through how to do that and how to test the connection.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Step 1: Update the SSH Configuration<\/strong><\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">Edit the <code>\/etc\/ssh\/sshd_config<\/code> file and change the default port (22) to something like 2222 or 8022:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>For AlmaLinux\/CentOS and Ubuntu\/Debian:<\/strong><\/li>\n\n\n\n<li><code>sudo nano \/etc\/ssh\/sshd_config<\/code><\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Find the line that says <code>Port 22<\/code> and change it to your desired port:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted has-text-color has-link-color wp-elements-2a569d300c56b85774df10b9bd8a27c1\" style=\"color:#d22e93\"><code>Port 2222<br><\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Save the file and restart SSH:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>For AlmaLinux\/CentOS:<\/strong><\/li>\n\n\n\n<li><code>sudo systemctl restart sshd<\/code><\/li>\n\n\n\n<li><strong>For Ubuntu\/Debian:<\/strong><\/li>\n\n\n\n<li><code>sudo systemctl restart ssh<\/code><\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Step 2: Open the New Port in the Firewall<\/strong><\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">Make sure the new port is allowed through the firewall:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>For AlmaLinux\/CentOS (Firewalld):<\/strong><\/li>\n\n\n\n<li><code>sudo firewall-cmd --zone=public --permanent --add-port=2222\/tcp <\/code><\/li>\n\n\n\n<li><code>sudo firewall-cmd 
--reload<\/code><\/li>\n\n\n\n<li><strong>For Ubuntu\/Debian (UFW):<\/strong><\/li>\n\n\n\n<li><code>sudo ufw allow 2222\/tcp<\/code><\/li>\n\n\n\n<li><code>sudo ufw reload<\/code><\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Step 3: Close Port 22 (Remove the Original Firewall Rules)<\/strong><\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">Now that the new port is open, you can close the default SSH port (port 22) for better security.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>For AlmaLinux\/CentOS (Firewalld):<\/strong><\/li>\n\n\n\n<li><code>sudo firewall-cmd --zone=public --permanent --remove-service=ssh<\/code><\/li>\n\n\n\n<li><code>sudo firewall-cmd --reload<\/code><\/li>\n\n\n\n<li><strong>For Ubuntu\/Debian (UFW):<\/strong><\/li>\n\n\n\n<li><code>sudo ufw delete allow OpenSSH<\/code><\/li>\n\n\n\n<li><code>sudo ufw reload<\/code><\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Step 4: Restart SSH<\/strong><\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">Restart the SSH service to apply the port change:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>For AlmaLinux\/CentOS:<\/strong><\/li>\n\n\n\n<li><code>sudo systemctl restart sshd<\/code><\/li>\n\n\n\n<li><strong>For Ubuntu\/Debian:<\/strong><\/li>\n\n\n\n<li><code>sudo systemctl restart ssh<\/code><\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Step 5: Test the Connection on the New Port<\/strong><\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">Once the port change is active, use the following command to connect via SFTP using the new port number:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>sftp -P 2222 sftpuser@yourdomain.com<br><\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\"><em>(Replace <code>2222<\/code> with your custom port and <code>yourdomain.com<\/code> with your actual domain or IP address.)<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Set up a secure and efficient SFTP server on Linux with this comprehensive guide. 
Whether you&#8217;re using AlmaLinux, CentOS, Ubuntu, or Debian, follow step-by-step instructions to configure a scalable file transfer solution.<\/p>\n","protected":false},"author":1,"featured_media":923,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_regular_price":[],"currency_symbol":[],"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[110,1],"tags":[111,129,148,122,112,133,141,158,140,139,147,146,125,120,131,137,123,118,154,159,162,134,151,149,119,161,150,127,138,124,144,130,155,117,132,115,113,145,156,114,160,143,121,142,135,157,126,153,152,116,128,136],"class_list":["post-921","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-guides","category-uncategorized","tag-almalinux","tag-automation","tag-automation-script","tag-bash-script","tag-centos","tag-chroot-jail","tag-custom-ssh-port","tag-data-security","tag-debian","tag-file-sharing","tag-file-transfer","tag-file-transfer-protocol","tag-firewall-configuration","tag-firewalld","tag-ftp-alternative","tag-github-script","tag-group-management","tag-linux","tag-linux-commands","tag-linux-firewall","tag-linux-network","tag-linux-server","tag-linux-tutorial","tag-network-security","tag-openssh","tag-port-forwarding","tag-root-access","tag-scalable-server","tag-secure-file-storage","tag-secure-file-transfer","tag-secure-server","tag-server-firewall","tag-server-management","tag-server-security","tag-server-tutorial","tag-sftp","tag-sftp-server-setup","tag-sftpuser","tag-sftpusers-group","tag-ssh","tag-ssh-access","tag-ssh-configuration","tag-ssh-port-change","tag-ssh-users","tag-step-by-step-guide","tag-sudo-privileges","tag-system-administration","tag-system-security","tag-system-setup","tag-ubuntu","tag-ufw","tag-user-management"],"aioseo_notices":[],"post_slider_layout_featured_medi
a_urls":{"thumbnail":["https:\/\/blake.azuela.info\/wp-content\/uploads\/2024\/10\/Logos-150x150.png",150,150,true],"post_slider_layout_landscape_large":["https:\/\/blake.azuela.info\/wp-content\/uploads\/2024\/10\/Logos-1200x569.png",1200,569,true],"post_slider_layout_portrait_large":["https:\/\/blake.azuela.info\/wp-content\/uploads\/2024\/10\/Logos-1200x569.png",1200,569,true],"post_slider_layout_square_large":["https:\/\/blake.azuela.info\/wp-content\/uploads\/2024\/10\/Logos-1200x569.png",1200,569,true],"post_slider_layout_landscape":["https:\/\/blake.azuela.info\/wp-content\/uploads\/2024\/10\/Logos-600x400.png",600,400,true],"post_slider_layout_portrait":["https:\/\/blake.azuela.info\/wp-content\/uploads\/2024\/10\/Logos-600x569.png",600,569,true],"post_slider_layout_square":["https:\/\/blake.azuela.info\/wp-content\/uploads\/2024\/10\/Logos-600x569.png",600,569,true],"full":["https:\/\/blake.azuela.info\/wp-content\/uploads\/2024\/10\/Logos.png",1912,569,false]},"_links":{"self":[{"href":"https:\/\/blake.azuela.info\/index.php\/wp-json\/wp\/v2\/posts\/921","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blake.azuela.info\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blake.azuela.info\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blake.azuela.info\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blake.azuela.info\/index.php\/wp-json\/wp\/v2\/comments?post=921"}],"version-history":[{"count":10,"href":"https:\/\/blake.azuela.info\/index.php\/wp-json\/wp\/v2\/posts\/921\/revisions"}],"predecessor-version":[{"id":1024,"href":"https:\/\/blake.azuela.info\/index.php\/wp-json\/wp\/v2\/posts\/921\/revisions\/1024"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blake.azuela.info\/index.php\/wp-json\/wp\/v2\/media\/923"}],"wp:attachment":[{"href":"https:\/\/blake.azuela.info\/index.php\/wp-json\/wp\/v2\/media?parent=921"}],"wp:term":[{
"taxonomy":"category","embeddable":true,"href":"https:\/\/blake.azuela.info\/index.php\/wp-json\/wp\/v2\/categories?post=921"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blake.azuela.info\/index.php\/wp-json\/wp\/v2\/tags?post=921"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}