Simple SFTP setup

This SFTP setup is NOT chrooted, and root logins are not restricted in any other way.

A minimal initial install was spun up. Then the following packages were installed on top of the minimal base: rsync, man and openssh-clients.


[root@host-172-16-1-198 ~]# reset
[root@host-172-16-1-198 ~]# cat sftp-setup.txt

    5  yum install rsync man
    6  yum install openssh-clients
   11  grep sftp /etc/services
   12  cd /etc/sysconfig/
   13  joe iptables
   14  vi iptables
   15  service iptables restart
   18  passwd
   19  sftp localhost
   20  ssh localhost
   21  history > sftp-setup.txt

We explicitly open the 'sftp' port; it is not clear that this is required. (The sftp entry in /etc/services is 115/tcp, the old Simple File Transfer Protocol; SFTP over SSH runs inside the SSH session on port 22, which the preceding rule already opens.)


# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport sftp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
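As an added check (example code, not from the article), the following parses the ruleset above and resolves each named --dport through an /etc/services excerpt, as iptables itself does, to list which TCP ports are actually opened to new connections; both inputs are constructed inline from the article's text.

```python
import re

# Constructed inline from the ruleset quoted in the article, so the check runs offline.
RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport sftp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# Constructed excerpt of /etc/services; iptables resolves a named --dport through this file.
SERVICES = """\
ssh    22/tcp
sftp   115/tcp   # Simple File Transfer Protocol, not SSH's sftp subsystem
"""

def parse_services(text):
    """Map service name -> TCP port number from /etc/services-style lines (comments stripped)."""
    pairs = re.findall(r"^(\S+)\s+(\d+)/tcp", re.sub(r"#.*", "", text), re.M)
    return {name: int(port) for name, port in pairs}

def open_tcp_ports(rules, services):
    """Return (dport as written, resolved port) for INPUT rules that ACCEPT new TCP connections."""
    opened = []
    for line in rules.splitlines():
        t = line.split()
        if t[:2] != ["-A", "INPUT"] or "-j" not in t or t[t.index("-j") + 1] != "ACCEPT":
            continue
        if "-p" in t and t[t.index("-p") + 1] == "tcp" and "--dport" in t:
            dport = t[t.index("--dport") + 1]
            port = int(dport) if dport.isdigit() else services.get(dport)
            if port is None:  # iptables-restore would refuse the rule; surface it instead of guessing
                raise ValueError("unknown service name in rule: " + dport)
            opened.append((dport, port))
    return opened

def not_needed_for_sftp_over_ssh(opened, ssh_port=22):
    """SFTP over SSH uses only the sshd port, so any other accepted port is surplus exposure."""
    return [(name, port) for name, port in opened if port != ssh_port]
```

Running it on the ruleset above reports the 'sftp' rule as opening 115/tcp, a port no listed service listens on.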

This is the list of services configured to start at each runlevel (chkconfig --list output):


acpid           0:off   1:off   2:on    3:on    4:on    5:on    6:off 
atd             0:off   1:off   2:off   3:on    4:on    5:on    6:off
auditd          0:off   1:off   2:on    3:on    4:on    5:on    6:off
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
ip6tables       0:off   1:off   2:on    3:on    4:on    5:on    6:off
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
netfs           0:off   1:off   2:off   3:on    4:on    5:on    6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
restorecond     0:off   1:off   2:on    3:on    4:on    5:on    6:off
rsyslog         0:off   1:off   2:on    3:on    4:on    5:on    6:off
sendmail        0:off   1:off   2:on    3:on    4:on    5:on    6:off
snmpd           0:off   1:off   2:on    3:on    4:on    5:on    6:off
udev-post       0:off   1:on    2:on    3:on    4:on    5:on    6:off

And proof of concept -- note that we did NOT alter /etc/ssh/sshd_config in this example:


[root@host-172-16-1-198 ~]# sftp localhost
Connecting to localhost...
root@localhost's password:
sftp> ls
sftp-setup.txt
sftp> ls -l
-rw-r--r--    1 root     root         1830 Oct 15 08:31 sftp-setup.txt
sftp> quit
[root@host-172-16-1-198 ~]#

and ssh access:


[root@host-172-16-1-198 ~]# ssh localhost
root@localhost's password:
Last login: Mon Oct 15 08:30:29 2012 from 10.16.1.106
[root@host-172-16-1-198 ~]# logout
Connection to localhost closed.
[root@host-172-16-1-198 ~]#

Both key-based and password-based SSH authentication will work. From a remote host, when the client key is present we are NOT challenged for a password; after removing the key so that it is no longer offered, we are prompted for the password:


$ # keyed ssh set up
$ date
Mon Oct 15 12:57:07 EDT 2012
$ sftp root@10.16.1.194
Connecting to 10.16.1.194...
sftp> ls
sftp-setup.txt
sftp> quit
$ # remove the key
$ sftp root@10.16.1.194
Connecting to 10.16.1.194...
root@10.16.1.194's password:
sftp> ls
sftp-setup.txt
sftp> quit
$ date
Mon Oct 15 12:57:33 EDT 2012
$

We do not address hardening issues here, such as TCP wrappers or more restrictive iptables rules; they are out of scope for this article.
