Set up SFTP Server on AlmaLinux 9 with Easy Steps – OrcaCore
This guide walks you through setting up an SFTP server on AlmaLinux 9. Secure File Transfer Protocol (SFTP) is crucial for businesses that need to securely transfer sensitive information, such as billing data, financial transactions, and data recovery files. SFTP improves on the standard File Transfer Protocol (FTP) by running file transfers over the Secure Shell (SSH) protocol and requiring clients to authenticate to the server, which significantly strengthens security.
The key advantage of SFTP is security. Regardless of the type of file being shared, SFTP encrypts all commands and data, so passwords and sensitive information are never transmitted in plain text. Follow the steps in this guide to set up an SFTP server on AlmaLinux 9.
Before you begin, ensure you are logged into your AlmaLinux 9 server as a non-root user with sudo privileges. If you need assistance with this, refer to our guide on Initial Server Setup with AlmaLinux 9.
1. Install SSH For SFTP Setup on AlmaLinux 9
SSH (Secure Shell) is a prerequisite for setting up an SFTP server. If you don’t have SSH already installed, the following steps will guide you through the installation process.
First, update your local package index to ensure you have the latest package information:
sudo dnf update -y
Next, install the OpenSSH server package:
sudo dnf install openssh-server -y
Start and Enable SSH Service
Once the installation is complete, start the SSH service and enable it to launch automatically at boot time. Use the following commands:
sudo systemctl start sshd
sudo systemctl enable sshd
Verify that the SSH service is running correctly:
sudo systemctl status sshd

2. Configure SFTP User Account on AlmaLinux 9
Now, you need to configure a dedicated user account for SFTP access. This involves creating a group and a user, and then assigning the user to the group.
Create a group specifically for SFTP users. You can name it "sftp" or any other name you prefer:
sudo groupadd sftp
Next, create a user account that will be used for SFTP access. Replace "orca" with your desired username:
sudo useradd orca
Confirm the user account has been created:
grep orca /etc/passwd
**Output**
orca:x:1000:1001::/home/orca:/bin/bash
Set a password for the newly created user:
sudo passwd orca
**Output**
Changing password for user orca.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
Add the user to the SFTP group:
sudo usermod -a -G sftp orca
Verify the user has been added to the SFTP group:
grep sftp /etc/group
**Output**
sftp:x:1000:orca
3. Configure a Transfer File for SFTP on AlmaLinux 9
To restrict SFTP users to a specific directory, you need to create a chroot jail. This prevents them from accessing the entire file system.
Create a directory that will serve as the root directory for SFTP users:
sudo mkdir -p /var/sftp/Document
Change the ownership of the /var/sftp directory to the root user:
sudo chown root:root /var/sftp
Set the appropriate permissions for /var/sftp:
sudo chmod 755 /var/sftp
Grant the SFTP user (orca) ownership of the "Document" directory within the chroot jail:
sudo chown orca:orca /var/sftp/Document
Now, edit the SSH configuration file to enforce the chroot jail. Open the file using a text editor like vi:
sudo vi /etc/ssh/sshd_config
Locate the line Subsystem sftp /usr/libexec/openssh/sftp-server near the end of the file and add the Match User orca block below the commented example that follows it, so the end of the file reads:
Subsystem sftp /usr/libexec/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       PermitTTY no
#       ForceCommand cvs server
Match User orca
        ChrootDirectory /var/sftp
        X11Forwarding no
        AllowTcpForwarding no
        ForceCommand internal-sftp
Save the changes and close the file. Restart the SSH service to apply the new configuration:
sudo systemctl restart sshd
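The checks below are an added example, not part of the original guide: they verify the ownership and mode of every directory on the chroot path and read back the effective settings sshd applies to the SFTP user. The function names are made up for this example; the user orca and the path /var/sftp are the ones used on this page.

```shell
#!/bin/sh
# Added example, not from the original guide. Assumes GNU stat/realpath.

# check_dir DIR [OWNER_UID]: sshd rejects a ChrootDirectory unless each path
# component is a directory owned by root and not group- or world-writable.
check_dir() {
  local dir="$1" want_uid="${2:-0}" uid mode
  [ -d "$dir" ] || { echo "FAIL $dir: not a directory"; return 1; }
  uid=$(stat -c '%u' "$dir")
  mode=$(stat -c '%a' "$dir")
  [ "$uid" -eq "$want_uid" ] || { echo "FAIL $dir: owner uid $uid, want $want_uid"; return 1; }
  [ $(( 0$mode & 022 )) -eq 0 ] || { echo "FAIL $dir: mode $mode is group/world-writable"; return 1; }
  echo "OK   $dir (uid $uid, mode $mode)"
}

# check_chroot_path DIR: apply check_dir to DIR and every parent up to /.
check_chroot_path() {
  local dir rc=0
  dir=$(realpath -- "$1") || return 1
  while :; do
    check_dir "$dir" 0 || rc=1
    [ "$dir" = / ] && break
    dir=$(dirname -- "$dir")
  done
  return "$rc"
}

# audit_effective: read `sshd -T` output on stdin and confirm the settings the
# Match block is meant to enforce (sshd -T prints keywords in lower case).
audit_effective() {
  local cfg want rc=0
  cfg=$(cat)
  for want in "chrootdirectory /var/sftp" "forcecommand internal-sftp" \
              "allowtcpforwarding no" "x11forwarding no"; do
    if printf '%s\n' "$cfg" | grep -qixF -- "$want"; then echo "OK   $want"
    else echo "FAIL expected: $want"; rc=1; fi
  done
  return "$rc"
}

# On the server, run with --run (uses the page's user "orca" and /var/sftp).
if [ "${1:-}" = "--run" ]; then
  sudo sshd -t || exit 1   # syntax check; do this before restarting sshd
  check_chroot_path /var/sftp
  sudo sshd -T -C user=orca,host=localhost,addr=127.0.0.1 | audit_effective
fi
```

A FAIL on the chroot path corresponds to sshd dropping the SFTP session at login, and a FAIL from the settings audit means the Match block is not being applied to the user.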
4. Login to SFTP Server on AlmaLinux 9
Test the SFTP setup by connecting to the server using the newly created user account.
First, attempt to connect using standard SSH to confirm the chroot is working as expected.
ssh orca@localhost
You should not be able to get a normal shell prompt. If you do, double-check your sshd_config settings.
Now, connect to the SFTP server using the sftp command:
sftp orca@127.0.0.1
List the contents of the SFTP directory:
sftp> ls
Document
Exit the SFTP session:
sftp> exit
5. Uninstall SFTP From AlmaLinux 9
If you need to remove the SFTP server, you can uninstall the OpenSSH server package:
sudo dnf remove openssh-server -y
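This removes the SFTP server and its associated files. Because the SFTP service is provided by the SSH daemon, removing the package also removes SSH access to the server.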
Conclusion
You have now learned how to set up an SFTP server on AlmaLinux 9. This is a valuable tool for securely managing files on remote servers, especially when dealing with sensitive data.
Alternative Solutions for Setting Up a Secure File Transfer Server on AlmaLinux 9
While the method described above using OpenSSH’s internal-sftp is a common and effective approach, there are alternative ways to achieve secure file transfer on AlmaLinux 9. Here are two different solutions:
1. Using vsftpd with SSL/TLS encryption
vsftpd (Very Secure FTP Daemon) is another popular FTP server that supports SSL/TLS encryption for secure data transfer. While technically FTP over SSL/TLS (FTPS) and not SFTP, it provides similar security benefits for file transfer. This setup is well-suited for environments where compatibility with older FTP clients is required but security is paramount.
Installation and Configuration:
- Install vsftpd:
sudo dnf install vsftpd -y
- Configure SSL/TLS:
  - Create a self-signed certificate (or obtain one from a Certificate Authority):
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/vsftpd/vsftpd.pem -out /etc/vsftpd/vsftpd.pem
    Answer the prompts to generate the certificate.
  - Edit the vsftpd configuration file (/etc/vsftpd/vsftpd.conf):
sudo vi /etc/vsftpd/vsftpd.conf
    Add or modify the following settings:
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
listen=NO
listen_ipv6=YES
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/vsftpd/vsftpd.pem
rsa_private_key_file=/etc/vsftpd/vsftpd.pem
    Explanation of Settings:
    - anonymous_enable=NO: Disables anonymous logins.
    - local_enable=YES: Enables local user logins.
    - write_enable=YES: Allows users to upload files.
    - chroot_local_user=YES: Jails all local users to their home directory.
    - ssl_enable=YES: Enables SSL/TLS encryption.
    - allow_anon_ssl=NO: Disallows anonymous SSL connections.
    - force_local_data_ssl=YES: Requires SSL for data connections.
    - force_local_logins_ssl=YES: Requires SSL for logins.
    - ssl_tlsv1=YES: Enables TLSv1 protocol.
    - ssl_sslv2=NO, ssl_sslv3=NO: Disables older SSL versions.
    - rsa_cert_file: Specifies the path to the SSL certificate file.
    - rsa_private_key_file: Specifies the path to the private key file.
- Start and Enable vsftpd:
sudo systemctl start vsftpd
sudo systemctl enable vsftpd
- Firewall Configuration:
Open ports 20 and 21 (FTP data and control) and the passive port range you configure (if any) in the firewall. Since FTPS uses different ports than SFTP, make sure they are properly configured and opened in the firewall.
Security Considerations:
- Always use strong passwords for user accounts.
- Keep vsftpd updated to the latest version to patch security vulnerabilities.
- Consider using a firewall to restrict access to the FTP server.
- Monitor the FTP server logs for suspicious activity.
2. Using a Cloud-Based SFTP Server
Another alternative is to leverage cloud-based SFTP server solutions. Several providers offer managed SFTP services, abstracting away the complexities of server administration, security patching, and infrastructure maintenance. This option is attractive for businesses lacking the resources or expertise to manage their own SFTP servers.
Example Providers:
- AWS Transfer Family: Provides fully managed SFTP, FTPS, and FTP servers directly into and out of Amazon S3 or Amazon EFS.
- Azure Blob Storage with SFTP support: Securely transfer files to Azure Blob Storage using SFTP.
- SFTP To Go: A simple, managed SFTP service that’s easy to set up and use.
Benefits:
- Simplified Management: No need to manage server infrastructure, operating systems, or security updates.
- Scalability: Easily scale storage and bandwidth as needed.
- High Availability: Cloud providers offer high availability and redundancy.
- Security: Benefit from the security expertise and infrastructure of the cloud provider.
- Cost-Effective: Pay-as-you-go pricing can be more cost-effective than managing your own server.
Considerations:
- Vendor Lock-in: Consider the potential for vendor lock-in when choosing a cloud provider.
- Data Residency: Ensure the cloud provider’s data centers comply with your data residency requirements.
- Compliance: Verify that the cloud provider meets your compliance requirements (e.g., HIPAA, GDPR).
- Cost: Carefully evaluate the pricing model to ensure it aligns with your usage patterns.
By considering these alternative solutions, you can choose the method that best suits your specific needs and technical capabilities when setting up a secure file transfer server on AlmaLinux 9.