Secure FTP access
Linode
Linode Staff
How to setup Secure FTP access to your Linode
We get asked about how to setup and use FTP a lot. As it's quite common that users wish to have the ability to easily transfer files to and from their server(s), I wanted to write up a guide on how to set this up correctly, and securely. It is important to note that while many people still refer to the process of transferring files to/from a server as 'FTP', it is not really recommended to use standard FTP over the internet. Instead, we recommend the use of SFTP.
What's the difference?
Simply put - security. Read on for more information.
FTP
Does not use any encryption, and so it leaves your data vulnerable to interception by anyone who may be watching.
SFTP
Is built into the SSH protocol, and so it contains a number of security features that are absent from standard FTP, not the least of which being that it encrypts your data as it travels over the internet.
So why is regular FTP even a thing?
Depending on your specific security needs, lack of encryption may not be as big of an issue when transferring over a properly secured
local network/VPN, as the traffic is hidden from the rest of the internet.
If you're uncertain, it is best to err on the side of caution and opt for SFTP. FTP can also provide faster transfer speeds than SFTP due to having less overhead (it doesn't have to encrypt/decrypt the data).
Since security and usability exist at opposite ends of the same spectrum, it's important to consider all angles when determining which setup is right for you. In all cases where access will occur over the open internet, you should not use standard FTP, regardless of other factors.
How hard is it to set this up?
SFTP is part of the SSH service that comes pre-installed and set to run in a basic configuration on all Linode images. The default configuration requires some tweaking in order to provide any real security benefit, so read on to learn more.
Basic Security (Authentication)
For the full rundown on this, see our guide on Securing your Server. There are 3 main points to cover in this section:
- Disable root login
You are not going to be disabling root login entirely, but rather only over SSH. The reason for this is that there really is no need for the root user to be accessible over the internet. Anything that you need to do as root once connected can be accomplished using thesuorsudocommands. To do this, you can open the file/etc/ssh/sshd_configand edit the line that saysPermitRootLogin yesto sayPermitRootLogin no - Disable Password Authentication
You will want to disable all password authentication via SSH. This will make it so that even if an attacker knows a valid username/password combination for your system, they still cannot login. - Enable Public Key Authentication
This will dramatically increase the security of your system by requiring that a system first install the Private Key which matches your Linode's Public Key before authentication is possible. This also mitigates standard brute force attacks, because you've now eliminated the ability to even enter, let alone guess, a user's password from the SSH login prompt.
If you are writing this into a bash script, you can use code similar to the following to accomplish all of the above tasks at once. This code assumes that your Public Key is stored in a file called 'id_rsa.pub', but can be modified and used however you prefer. You will also need to assign values to $USERHOME and $USER:
## Configure and enable SSH Public Key Authentication using the Public Key found in 'id_rsa.pub'.
USERHOME="/path/to/home"
USER="username"
mkdir -p "${USERHOME}"/.ssh/
chown -R "${USER}":"${USER}" "${USERHOME}"
chmod -R 700 "${USERHOME}"/.ssh/
cat id_rsa.pub > "${USERHOME}"/.ssh/authorized_keys
chown -R "${USER}":"${USER}" "${USERHOME}"/.ssh/
chmod 600 "${USERHOME}"/.ssh/authorized_keys
echo "Enabling Public Key Authentication and disabling Root Login over SSH..."
sed -i -e "s/PermitRootLogin yes/PermitRootLogin no/" /etc/ssh/sshd_config
sed -i -e "s/#PermitRootLogin no/PermitRootLogin no/" /etc/ssh/sshd_config
sed -i -e "s/PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config
sed -i -e "s/#PasswordAuthentication no/PasswordAuthentication no/" /etc/ssh/sshd_config
echo "Restarting SSH to apply changes..."
## All of Linode's images have a file called '/etc/os-release', which contains the information
## we need to determine which OS family the system in use belongs to
[[ $(egrep '(Debian|Ubuntu)' /etc/os-release) ]] && service ssh restart
[[ $(egrep '(CentOS|Fedora|RedHat)' /etc/os-release) ]] && service sshd restart
This will give you a basic security setup. I would also encourage you to look into using some other tools, such as fail2ban, to automatically place temporary bans on any IP addresses from which it detects signs of an automated attack.
9 Replies
tommydavidson
Linode Staff
Taking it a little further (Advanced Security)
Just wanted to add on one last thing. There are a number of advanced security configurations for OpenSSH, and I encourage anyone reading this to check out our guide on Using Advanced OpenSSH Features to Harden Access to your Linode, as well as to drop any pointers that they may have in the comments below.
The main point that I want to cover here is limiting access to a specific folder, so that a user is only able to access what they should have access to, and nothing else. This can be useful, for example, if you desire to give access to your developer so that they can work on your website, but do not wish for them to have access to the whole system. It is worth noting that this configuration will only permit SFTP access, and will disable access via regular SSH. This only applies to the user/group you are configuring, so it may make sense to designate a specific user for SFTP access.
- Chroot Users
As I explained above, this will let you restrict a user's access to only a specific folder, effectively making that folder the root of their filesystem. To accomplish this, simply follow the steps in our guide on Limiting Access with SFTP Jails on Debian and Ubuntu.
Much secure but my key pair doesn't work, so it is so secure that I can't do FTP.
I don't understand why on Amazon EC2 i could do sftp with my key pair and here doesn't work.
Why don't give the option to use normal FTP?
@inmobiliarialima writes:
Why don't give the option to use normal FTP?
The reason is that "normal ftp" is not secure…everything (including passwords) is sent as clear text. It's use (as well as use of telnet) has been being discouraged for more than a decade because of this.
Note that you can still use ftp and telnet if you want. It's just not a very wise thing to do.
-- sw
I was in the process to install vsftpd, but i'm too old for reading documentation like crazy, as when I was in my 20.
Almost every hosting service offers FTP right of the bat, not secure, but I could transfer files. This is secure, but I can transfer nothing because I couldn't login.
I couldn't create a valid key-pair correctly with Putty here, although tried more than 10 times, but in Amazon EC2 i did at the second try and was able to log in with sFTP.
Almost every hosting service offers FTP right of the bat, not secure, but I could transfer files.
Maybe that's your experience but generalizing that to "every hosting service" is a dangerous fallacy…
Maybe you should endeavor to find a different way forward than with PuTTY. That seems to be the common element in all your comments in the three threads you posted to about your problem.
All the commands outlined in the tutorial are offered when you invoke them from cmd.exe.
-- sw
I saw that the keylength you are using is 4,096 and Putty is set by default to 2,048 (maybe that was the error), so I'm creating a key with this and in openSSH format (that I discovered yesterday in a thread) and I will try a bunch of times…
See what happens….
Just connected with sFTP !!
You have to tell this things in the interface to be easier to spot errors:
-The format has to be OpenSSH
-The Keylength is 4,096