FTP (File Transfer Protocol) is a legacy protocol that should only be used for absolutely no other than publicly share non sensitive files over the Internet. For example, public repositories of open source files for download. But even for this purpose a web-server like Apache or NGINX can do better (using Directory Listing over HTTPS with Basic-Authentication [Link]).
Because the FTP protocol does not offer any encryption all the information is transferred in plain text, including the credentials (user and password) of the users. That is why FTPS and SFTP were created.
- Totaly unencrypted communication.
- It uses SSL/TLS (like HTTPS does) to wrap the FTP protocol with an encrypted layer.
- It is NOT FTP, it is actually SSH that after authenticate behaves (same commands) as if it was an FTP server.
It can allow anonymous connections (using username anonymous and anything as password). and that is the only recommended way to use this protocol directly exposed to the internet.
To safely use FTP over the internet is needed a VPN to establish the encrypted tunnel that will allow the FTP communication to go through.
Is used additional “modules” of the FTP server to establish a Secure Socket Layer (using SSL certificate) than switch the plain text communication over SSL encryption.
As mentioned, this is not FTP but SSH that behaves as if it was an FTP after the session is stated.
- Alternatively to password, it can use or enforce (recommended) the usage of SSH-Keys for authentication.
- If misconfigured, It has the potential of exposing the server with a very powerful shell. Do a risk assessment prior to implement this solution.
Since it requires SSH, make sure OpenSSH-server is installed then edit its configuration.
sudo apt update && sudo apt install openssh-server -y sudo nano /etc/ssh/sshd_config
Append the following lines to the end of the file:
Match Group sftp ForceCommand internal-sftp ChrootDirectory /sftp-root PasswordAuthentication yes # Not recommended for production. Change to no after testing. X11Forwarding no AllowTcpForwarding no
Note: the appended configuration will check if the user trying to log in is a member of the group sftp, then it overrides the configuration the parameters. It enforces the internal-sftp “mode” for the session, change the root of the file system to a safe path (/sftp-root), and disable unnecessary features. Alternatively it can be used /home but I would recommend to keep the sftp users away from the home directory of the system users.
It is not the scope of this post to harden the SSH server so keep in mind that many other tweaks might be necessary to protect your server, such as:
- Dot not allow empty passwords (preferably no passwords at all) nor root login,
- Require SSH-Keys and a secondary factor such as OTP mobile app [Link] or USB/NFC Hardware Key [Link],
- Only allow certain users or groups or use restrictive rules to allow connections that Match an specific pattern,
- Ans always use Fail2Ban in combination with most of your publicly facing services [Link].
Create sftp group and the safe path for its users.
sudo addgroup sftp sudo mkdir /sftp-root
Create the users as follows for each user:
sudo useradd -m userName -g sftp sudo mkdir /sftp-root/userName sudo chmod 700 /sftp-root/userName
Note: each user will have its own home directory automatically created /home but when they log int they will only see what is in /sftp-root and only will be allowed to access (read/write) its own directory in it.
Add the Public keys for created user into the file /home/userName/.ssh/authorized_keys.
See the post Setting Up SSH Keys [Link] to find out how create the key pair.
If everything was done correctly, it will not prompt for password anymore but will automatically authenticate with the SSH key. Time to change the PasswordAuthentication to no.