Secure FTP access

How to setup Secure FTP access to your Linode

We get asked about how to setup and use FTP a lot. As it's quite common that users wish to have the ability to easily transfer files to and from their server(s), I wanted to write up a guide on how to set this up correctly, and securely. It is important to note that while many people still refer to the process of transferring files to/from a server as 'FTP', it is not really recommended to use standard FTP over the internet. Instead, we recommend the use of SFTP.

What's the difference?

Simply put - security. Read on for more information.

FTP

Does not use any encryption, and so it leaves your data vulnerable to interception by anyone who may be watching.

SFTP

Is built into the SSH protocol, and so it contains a number of security features that are absent from standard FTP, not the least of which being that it encrypts your data as it travels over the internet.

So why is regular FTP even a thing?

Depending on your specific security needs, lack of encryption may not be as big of an issue when transferring over a properly secured
local network/VPN, as the traffic is hidden from the rest of the internet.

If you're uncertain, it is best to err on the side of caution and opt for SFTP. FTP can also provide faster transfer speeds than SFTP due to having less overhead (it doesn't have to encrypt/decrypt the data).

Since security and usability exist at opposite ends of the same spectrum, it's important to consider all angles when determining which setup is right for you. In all cases where access will occur over the open internet, you should not use standard FTP, regardless of other factors.

How hard is it to set this up?

SFTP is part of the SSH service that comes pre-installed and set to run in a basic configuration on all Linode images. The default configuration requires some tweaking in order to provide any real security benefit, so read on to learn more.

Basic Security (Authentication)

For the full rundown on this, see our guide on Securing your Server. There are 3 main points to cover in this section:

  • Disable root login
    You are not going to be disabling root login entirely, but rather only over SSH. The reason for this is that there really is no need for the root user to be accessible over the internet. Anything that you need to do as root once connected can be accomplished using the su or sudo commands. To do this, you can open the file /etc/ssh/sshd_config and edit the line that says PermitRootLogin yes to say PermitRootLogin no

  • Disable Password Authentication
    You will want to disable all password authentication via SSH. This will make it so that even if an attacker knows a valid username/password combination for your system, they still cannot login.

  • Enable Public Key Authentication
    This will dramatically increase the security of your system by requiring that a system first install the Private Key which matches your Linode's Public Key before authentication is possible. This also mitigates standard brute force attacks, because you've now eliminated the ability to even enter, let alone guess, a user's password from the SSH login prompt.

If you are writing this into a bash script, you can use code similar to the following to accomplish all of the above tasks at once. This code assumes that your Public Key is stored in a file called 'id_rsa.pub', but can be modified and used however you prefer. You will also need to assign values to $USERHOME and $USER:

## Configure and enable SSH Public Key Authentication using the Public Key found in 'id_rsa.pub'.
USERHOME="/path/to/home"
USER="username"
mkdir -p "${USERHOME}"/.ssh/
chown -R "${USER}":"${USER}" "${USERHOME}"
chmod -R 700 "${USERHOME}"/.ssh/
cat id_rsa.pub > "${USERHOME}"/.ssh/authorized_keys
chown -R "${USER}":"${USER}" "${USERHOME}"/.ssh/
chmod 600 "${USERHOME}"/.ssh/authorized_keys

echo "Enabling Public Key Authentication and disabling Root Login over SSH..."
sed -i -e "s/PermitRootLogin yes/PermitRootLogin no/" /etc/ssh/sshd_config
sed -i -e "s/#PermitRootLogin no/PermitRootLogin no/" /etc/ssh/sshd_config
sed -i -e "s/PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config
sed -i -e "s/#PasswordAuthentication no/PasswordAuthentication no/" /etc/ssh/sshd_config

echo "Restarting SSH to apply changes..."
## All of Linode's images have a file called '/etc/os-release', which contains the information
## we need to determine which OS family the system in use belongs to
[[ $(egrep '(Debian|Ubuntu)' /etc/os-release) ]] && service ssh restart
[[ $(egrep '(CentOS|Fedora|RedHat)' /etc/os-release) ]] && service sshd restart

This will give you a basic security setup. I would also encourage you to look into using some other tools, such as fail2ban, to automatically place temporary bans on any IP addresses from which it detects signs of an automated attack.

1 Reply

Taking it a little further (Advanced Security)

Just wanted to add on one last thing. There are a number of advanced security configurations for OpenSSH, and I encourage anyone reading this to check out our guide on Using Advanced OpenSSH Features to Harden Access to your Linode, as well as to drop any pointers that they may have in the comments below.

The main point that I want to cover here is limiting access to a specific folder, so that a user is only able to access what they should have access to, and nothing else. This can be useful, for example, if you desire to give access to your developer so that they can work on your website, but do not wish for them to have access to the whole system. It is worth noting that this configuration will only permit SFTP access, and will disable access via regular SSH. This only applies to the user/group you are configuring, so it may make sense to designate a specific user for SFTP access.

  • Chroot Users
    As I explained above, this will let you restrict a user's access to only a specific folder, effectively making that folder the root of their filesystem. To accomplish this, simply follow the steps in our guide on Limiting Access with SFTP Jails on Debian and Ubuntu.

Reply

Please enter an answer
Tips:

You can mention users to notify them: @username

You can use Markdown to format your question. For more examples see the Markdown Cheatsheet.

> I’m a blockquote.

I’m a blockquote.

[I'm a link] (https://www.google.com)

I'm a link

**I am bold** I am bold

*I am italicized* I am italicized

Community Code of Conduct