Configuring an SFTP server on CentOS 7

In this guide, you will learn how to:

  • Deploy an SFTP server in the Yandex.Cloud infrastructure.
  • Perform scheduled backups of configuration files from the SFTP client to the SFTP server.

To deploy the necessary infrastructure, follow the instructions:

  1. Before you start.
  2. Create a VM for the SFTP server.
  3. Configure the SFTP server.
  4. Create an SFTP user.
  5. Create a VM for the SFTP client.
  6. Back up configuration files to the SFTP server.
  7. Set up a backup schedule.
  8. Make sure backups work.
  9. Restore settings from a backup.
  10. Check the restore results.
  11. Delete the created cloud resources.

Before you start

Before deploying the server, you need to sign up for Yandex.Cloud and create a billing account:

  1. Go to the management console. Then log in to Yandex.Cloud or sign up if you don't already have an account.
  2. On the billing page, make sure you linked a billing account, and it has the ACTIVE or TRIAL_ACTIVE status. If you don't have a billing account, create one.

If you have an active billing account, you can create or select a folder to run your VM in. Go to the Yandex.Cloud homepage and select or create a folder where you want to create a VM for your server. Learn more about the resource hierarchy in Yandex.Cloud.

Required paid resources

The infrastructure cost in the example includes:

Create a VM for the SFTP server

To create a VM:

  1. On the folder page in the management console, click Create resource and select Virtual machine.

  2. In the Name field, enter a name for the VM, like sftp-server.

    The name must be unique within the folder. The name may contain lowercase Latin letters, numbers, and hyphens. The first character must be a letter. The last character can't be a hyphen. The maximum length of the name is 63 characters.

  3. Select the availability zone to host the VM in.

  4. In the Public images section, click CentOS 7.

  5. In the Computing resources section, select the following configuration:

    • Platform: Intel Cascade Lake.
    • Guaranteed vCPU share: 20%.
    • vCPU: 2.
    • RAM: 2 GB.
  6. In the Network settings section, select the network and subnet to connect the VM to. If you don't have a network or subnet yet, you can create them on the VM creation page.

  7. In the Public address field, leave the Automatically value to assign a random external IP address from the Yandex.Cloud pool. To ensure that the external IP address doesn't change after the VM is stopped, make it static.

  8. Specify data required for accessing the VM:

    • Enter the username in the Login field.
    • Under SSH key, paste the contents of the public key file. You need to create a key pair for the SSH connection yourself. Learn how to connect to VMs via SSH.

    Warning

    The IP address and host name (FQDN) for connecting to the VM will be assigned when it's created. If you selected the No address option in the Public address field, you won't be able to access the VM from the internet.

  9. Click Create VM.

Creating the VM may take several minutes.

Configure the SFTP server

SFTP is provided by the OpenSSH server (sshd) that ships with CentOS 7, so no extra package is needed. To configure the SFTP server, edit the /etc/ssh/sshd_config configuration file:

  1. Open the configuration file with the vi editor. The editor comes with the distribution and doesn't have to be installed. If you aren't familiar with this editor, you can learn more in the official documentation.

    $ sudo vi /etc/ssh/sshd_config
    
  2. Add the following lines at the end of the file:

    Match User fuser
    ForceCommand internal-sftp
    PasswordAuthentication no
    ChrootDirectory /var/sftp
    PermitTunnel no
    AllowAgentForwarding no
    AllowTcpForwarding no
    X11Forwarding no
    

    Setting parameters:

    • Match User fuser: The lines that follow apply only to connections by the user fuser.
    • ForceCommand internal-sftp: Allow the user to connect only in SFTP mode and deny access to a shell.
    • PasswordAuthentication no: Disable password-based login for this user.
    • ChrootDirectory /var/sftp: Confine the user to the /var/sftp directory.
    • PermitTunnel no, AllowAgentForwarding no, AllowTcpForwarding no, X11Forwarding no: Disable tunneling, TCP port forwarding, agent forwarding and X11 forwarding over the SSH session.
  3. Save the file.

  4. Output the configuration file without commented or empty lines:

    $ cat /etc/ssh/sshd_config | grep -v -e '^#' -e '^$'
    
  5. Make sure that the output of the previous command matches the following lines:

    HostKey /etc/ssh/ssh_host_rsa_key
    HostKey /etc/ssh/ssh_host_ecdsa_key
    HostKey /etc/ssh/ssh_host_ed25519_key
    SyslogFacility AUTHPRIV
    AuthorizedKeysFile .ssh/authorized_keys
    PasswordAuthentication no
    ChallengeResponseAuthentication no
    GSSAPIAuthentication yes
    GSSAPICleanupCredentials no
    UsePAM yes
    X11Forwarding yes
    AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
    AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
    AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
    AcceptEnv XMODIFIERS
    Subsystem sftp  /usr/libexec/openssh/sftp-server
    Match User fuser
    ForceCommand internal-sftp
    PasswordAuthentication no
    ChrootDirectory /var/sftp
    PermitTunnel no
    AllowAgentForwarding no
    AllowTcpForwarding no
    X11Forwarding no
    
  6. Save the file.

  7. Restart the sshd service (which also serves SFTP) for the settings to take effect:

    $ sudo systemctl restart sshd
    
  8. Create a group for SFTP users:

    $ sudo groupadd ftpusers
    
  9. Create directories to save files to:

    $ sudo mkdir -p /var/sftp/backups
    
    • sftp: The root directory of the SFTP server.
    • backups: The directory for storing backups on the SFTP server.
  10. Set folder permissions so that all users in the ftpusers group can write and read files on the SFTP server:

    $ sudo chown root:ftpusers /var/sftp/backups
    $ sudo chmod 770 /var/sftp/backups
    
  11. Check whether the permissions are correct:

    $ ls -la /var | grep sftp
    $ ls -la /var/sftp
    

    The result should be as follows:

    drwxr-xr-x.  4 root root   37 Aug  7 11:35 sftp
    drwxrwx---. 2 root ftpusers 80 Aug  7 08:41 backups
    

Create an SFTP user

  1. Create an SFTP user, like fuser:

    $ sudo useradd fuser
    
  2. Create a password for the SFTP user:

    $ sudo passwd fuser
    
  3. Create SSH keys for the fuser user. The command must be run as the fuser user:

    $ sudo runuser -l fuser -c 'ssh-keygen'
    

    The key generation process is given below. Leave the passphrase field blank.

    [yc-user@ftp-server ~]$ sudo runuser -l fuser -c 'ssh-keygen'      
    Generating public/private rsa key pair.
    Enter file in which to save the key (/home/fuser/.ssh/id_rsa): 
    Created directory '/home/fuser/.ssh'.
    Enter passphrase (empty for no passphrase): 
    Enter same passphrase again: 
    Your identification has been saved in /home/fuser/.ssh/id_rsa.
    Your public key has been saved in /home/fuser/.ssh/id_rsa.pub.
    The key fingerprint is:
    SHA256:S2jRD3/A6ClHW/RZUOeOrl6BsK3pfWdhusGBGZiHE44 fuser@ftp-server.ru-central1.internal
    The key's randomart image is:
    +---[RSA 2048]----+
    |         .. .oo .|
    |       .o+=. o o |
    |      .E=*=oo   .|
    |       = Bo=+. o |
    |      + S +o+.o .|
    |     . + . +...+ |
    |        . o  o= .|
    |         . . +o o|
    |          ..+o.o |
    +----[SHA256]-----+
    
  4. Create a file to save the SFTP client's public SSH keys to. Set the necessary permissions.

    $ sudo touch /home/fuser/.ssh/authorized_keys
    $ sudo chmod 600 /home/fuser/.ssh/authorized_keys
    $ sudo chown fuser:fuser /home/fuser/.ssh/authorized_keys
    
  5. Make sure that the permissions are set correctly:

    $ ls -la /home/fuser/.ssh/
    

    The output should be as follows:

    -rw-------. 1 fuser fuser  421 Aug  7 08:31 authorized_keys
    -rw-------. 1 fuser fuser 1675 Aug  7 08:29 id_rsa
    -rw-r--r--. 1 fuser fuser  419 Aug  7 08:29 id_rsa.pub
    
  6. Add the SFTP user to the SFTP group:

    $ sudo usermod -G ftpusers fuser
    

Create a VM for the SFTP client

The process for creating a VM for the SFTP client is exactly the same as the one for the SFTP server.

  1. Perform steps 1-9 from the section Create a VM for the SFTP server (for the VM name, enter a name like sftp-client).

  2. Create an SSH key pair on the SFTP client. The process is similar to the one described for the fuser user in the previous section:

    $ ssh-keygen
    
  3. Output the public key on the SFTP client screen:

    $ cat ~/.ssh/id_rsa.pub
    
  4. Log in to the SFTP server and open the /home/fuser/.ssh/authorized_keys file:

    $ sudo vi /home/fuser/.ssh/authorized_keys
    
  5. Paste the public key printed on the SFTP client at the end of the file.

  6. Save the file.

  7. Make sure that the SFTP client VM is accessible from the SFTP server and vice versa:

    1. Log in to the SFTP server via SSH.

    2. Find the public or internal IP address of the SFTP client in the Yandex.Cloud console under VM settings.

      Important

      The internal addresses of the SFTP client and server must be located in the same subnet or be linked via routing settings.

    3. Enter the following command in the SFTP server terminal by substituting the appropriate value:

      $ ping <SFTP client IP address>
      
    4. Make sure that packets are sent and received successfully:

      $ ping 84.201.170.171
      PING 84.201.170.171 (84.201.170.171) 56(84) bytes of data.
      64 bytes from 84.201.170.171: icmp_seq=1 ttl=55 time=8.59 ms
      64 bytes from 84.201.170.171: icmp_seq=2 ttl=55 time=6.32 ms
      64 bytes from 84.201.170.171: icmp_seq=3 ttl=55 time=5.95 ms
      ^C
      --- 84.201.170.171 ping statistics ---
      3 packets transmitted, 3 received, 0% packet loss, time 2003ms
      rtt min/avg/max/mdev = 5.955/6.959/8.595/1.168 ms
      
    5. Repeat the check on the SFTP client.

Make a backup of configuration files on the SFTP server

These instructions describe how to back up configuration files (with the .conf extension) from the /etc folder.

Backup process:

  1. Archive all the necessary configuration files.
  2. Send the archive to the SFTP server.
  3. Delete the archive on the SFTP client.

To set up the backup process:

  1. Log in to the SFTP client VM via SSH the same way you did for the SFTP server.

  2. Set the environment variables the backup command needs. To do this, open the ~/.bash_profile file:

    $ vi ~/.bash_profile
    
  3. Add the following lines at the end of the file by substituting the appropriate values:

    export SFTP_SERVER=<SFTP server IP address>
    export SFTP_USER='fuser'
    
  4. Apply the settings:

    $ source ~/.bash_profile
    
  5. Check that you have these variables:

    $ env | grep SFTP
    

    The screen should display:

    SFTP_USER=fuser
    SFTP_SERVER=10.128.0.5
    
  6. Compress all configuration files into a single archive:

    $ sudo find /etc -type f -name '*.conf' -print0 | sudo tar -czf backup.tar.gz --null -T -
    
    • sudo find /etc -type f -name '*.conf' -print0: Find all files with the .conf extension under /etc and print their paths separated by NUL characters (the quotes keep the shell from expanding *.conf against files in the current directory).
    • sudo tar -czf backup.tar.gz --null -T -: Read the NUL-separated list from standard input and pack those files into the gzip-compressed archive backup.tar.gz.
  7. Send the resulting archive to the SFTP server:

    $ curl -T backup.tar.gz sftp://$SFTP_SERVER/backups/backup_$(hostname)_$(date "+%Y%m%d_%H%M%S").tar.gz --insecure --user $SFTP_USER:
    
    • -T: Upload the backup.tar.gz file to a remote server.

    • $SFTP_SERVER: The variable holding the SFTP server IP address, set in ~/.bash_profile above.

    • backup_$(hostname)_$(date "+%Y%m%d_%H%M%S").tar.gz: Add the name of the computer to the archive name and the date and time when the archive was created. This will help you navigate the list of backups on the server.

      For example, the name of the archive on the server might look like this: backup_ftp-server.ru-central1.internal_20190803_180228.tar.gz.

    • --insecure: Skip verification of the SFTP server's host key. For sftp:// URLs, curl checks the server key against ~/.ssh/known_hosts rather than an SSL certificate; with this flag the check is skipped. Traffic in the SSH session is still encrypted.

    • $SFTP_USER: The variable holding the SFTP user name. The trailing colon leaves the password empty, since the server only accepts the client's SSH key for this user.

  8. Delete the archive on the SFTP client:

    $ sudo rm -f backup.tar.gz
    

All actions for creating a backup can be performed with a single command:

$ sudo find /etc -type f -name '*.conf' -print0 | sudo tar -czf backup.tar.gz --null -T - && curl -T backup.tar.gz sftp://$SFTP_SERVER/backups/backup_$(hostname)_$(date "+%Y%m%d_%H%M%S").tar.gz --insecure --user $SFTP_USER: && sudo rm -f backup.tar.gz
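
The same three steps as a script, added here as an example and not taken from the guide: it keeps the find | tar pipeline and the curl upload, but quotes the -name pattern, builds the archive in a private temporary directory that is removed on exit, stops at the first failing step and exits non-zero so a scheduler can notice. It is meant to run as root (for example from root's crontab), which also removes the need for sudo inside it. SFTP_SERVER and SFTP_USER are the guide's variables; SFTP_INSECURE is an assumed addition that, when unset, lets curl verify the server's host key against ~/.ssh/known_hosts instead of passing --insecure.

```bash
#!/bin/bash
# Added example, not part of the Yandex.Cloud guide: the backup as a script
# rather than a chained one-liner. Meant to run as root (e.g. from root's crontab
# as "0 23 * * * /usr/local/bin/sftp-backup.sh run"), so no sudo is needed inside
# and cron's special handling of "%" in command lines never comes into play.
# SFTP_SERVER and SFTP_USER are the guide's variables; SFTP_INSECURE is assumed.

# backup_name HOSTNAME TIMESTAMP: archive name in the guide's scheme
backup_name() {
    printf 'backup_%s_%s.tar.gz\n' "$1" "$2"
}

# make_archive SRC_DIR OUT_FILE: pack every regular *.conf file below SRC_DIR.
# -print0/--null keep names containing spaces intact, and quoting '*.conf'
# stops the shell from expanding it against files in the current directory.
make_archive() {
    find "$1" -type f -name '*.conf' -print0 | tar -czf "$2" --null -T -
}

# upload_archive FILE REMOTE_NAME: SFTP upload with curl, logging in as
# $SFTP_USER with an empty password so the client's SSH key is used.
# By default curl checks the server key against ~/.ssh/known_hosts (add it there
# first, after confirming the fingerprint); SFTP_INSECURE=1 skips that check,
# which is what the guide's --insecure does.
upload_archive() {
    local url="sftp://${SFTP_SERVER}/backups/$2"
    if [ "${SFTP_INSECURE:-0}" = 1 ]; then
        curl -sS -T "$1" "$url" --user "${SFTP_USER}:" --insecure
    else
        curl -sS -T "$1" "$url" --user "${SFTP_USER}:"
    fi
}

main() {
    set -eu                                   # abort at the first failing step
    : "${SFTP_SERVER:?SFTP_SERVER is not set}" "${SFTP_USER:?SFTP_USER is not set}"
    local workdir name
    workdir=$(mktemp -d)
    trap 'rm -rf "$workdir"' EXIT             # step 3: the local archive never outlives the run
    name=$(backup_name "$(hostname)" "$(date '+%Y%m%d_%H%M%S')")
    make_archive /etc "$workdir/backup.tar.gz"        # step 1
    upload_archive "$workdir/backup.tar.gz" "$name"   # step 2
    echo "uploaded $name to $SFTP_SERVER"
}

if [ "${1:-}" = run ]; then
    main
fi
```

Invoke it as `sftp-backup.sh run`; without the argument only the functions are defined, so they can be exercised on a scratch directory before the script is put on a schedule.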

Set up a schedule for backups

To create regular backups of your settings, you can use a built-in program called crontab.

  1. Open the crontab file to edit it:

    $ crontab -e
    
  2. Add the following lines to run the backup daily at 23:00. Cron does not read ~/.bash_profile, so SFTP_SERVER and SFTP_USER are defined in the crontab itself, and every % in the date format is escaped as \% because cron treats an unescaped % in a command line as a newline:

    SFTP_SERVER=<SFTP server IP address>
    SFTP_USER=fuser
    0 23 * * * sudo find /etc -type f -name '*.conf' -print0 | sudo tar -czf backup.tar.gz --null -T - && curl -T backup.tar.gz sftp://$SFTP_SERVER/backups/backup_$(hostname)_$(date "+\%Y\%m\%d_\%H\%M\%S").tar.gz --insecure --user $SFTP_USER: && sudo rm -f backup.tar.gz
    

Make sure the backup works

To make sure that a backup is created properly, run the backup and find the copy on the server:

  1. Run the backup command on the SFTP client:

    $ sudo find /etc -type f -name '*.conf' -print0 | sudo tar -czf backup.tar.gz --null -T - && curl -T backup.tar.gz sftp://$SFTP_SERVER/backups/backup_$(hostname)_$(date "+%Y%m%d_%H%M%S").tar.gz --insecure --user $SFTP_USER: && sudo rm -f backup.tar.gz
    
  2. Log in to the SFTP server and make sure that a file named like backup_ftp-server.ru-central1.internal_20190803_180228.tar.gz appeared in the /var/sftp/backups directory (the chrooted SFTP user sees it as /backups). To do this, run the following command on the SFTP server:

    $ sudo ls /var/sftp/backups
    

Restore settings from a backup

The settings are restored as follows:

  1. Download the backup from the SFTP server to the SFTP client.
  2. Unpack the archive.
  3. Copy the configuration files from the archive to the system.
  4. Delete the archive.

To restore the settings from the backup:

  1. On the SFTP server, in the /var/sftp/backups directory, select the backup that you want to restore the configuration files from. For example, backup_ftp-server.ru-central1.internal_20190803_180228.tar.gz.

  2. On the SFTP client, set a variable holding the name of the backup file:

    $ SFTP_BACKUP='backup_ftp-server.ru-central1.internal_20190803_180228.tar.gz'
    
  3. Download the backup from the SFTP server to the SFTP client:

    $ sftp $SFTP_USER@$SFTP_SERVER:/backups/$SFTP_BACKUP .
    
  4. Unpack the archive. Run tar as root so that the extracted files keep the owner recorded in the archive (root) instead of becoming owned by the current user:

    $ sudo tar -xzf $SFTP_BACKUP
    
  5. Copy the configuration files from the archive into the system (piping yes answers any overwrite prompt; the copy needs root to write to /etc):

    $ yes | sudo cp -rfp etc /
    
  6. Delete the archive and the unpacked content:

    $ rm -f $SFTP_BACKUP
    $ sudo rm -rf etc
    

All actions for restoring settings from a backup can be performed with a single command:

$ sftp $SFTP_USER@$SFTP_SERVER:/backups/$SFTP_BACKUP . && sudo tar -xzf $SFTP_BACKUP && yes | sudo cp -rfp etc / && sudo rm -rf etc && rm -f $SFTP_BACKUP
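
Every member of ftpusers can write to /var/sftp/backups, and the restore copies files over /etc as root, so an archive fetched from the server deserves a look before it is unpacked. The script below is an added example, not part of the guide: it lists the archive members and refuses absolute paths, ".." components and anything outside etc/ (so the archive can only ever land in /etc), then unpacks into a temporary directory and copies with cp -rfp as the guide does. The sftp download uses the guide's SFTP_USER, SFTP_SERVER and SFTP_BACKUP variables; TARGET_ROOT is an assumed variable that lets the copy be rehearsed into a scratch directory instead of /.

```bash
#!/bin/bash
# Added example, not part of the Yandex.Cloud guide: restore with a look at the
# archive before anything is copied over /etc. Run as root, so the extracted
# files keep the owner recorded in the archive and the copy into /etc succeeds.
# SFTP_USER, SFTP_SERVER and SFTP_BACKUP are the guide's variables; TARGET_ROOT
# is assumed and lets the copy be rehearsed into a scratch directory.

# member_ok NAME: 0 only for a relative path inside etc/ with no ".." component
member_ok() {
    case "$1" in
        /*|..|../*|*/..|*/../*) return 1 ;;   # absolute, or climbs out of the tree
        etc|etc/*)              return 0 ;;   # the etc tree the guide backs up
        *)                      return 1 ;;   # anything else, e.g. var/x.conf
    esac
}

# verify_archive FILE: list the members, report every one that member_ok
# rejects, return 1 if there was any (or if the archive cannot be listed)
verify_archive() {
    local bad=0 m list
    list=$(mktemp) || return 1
    tar -tzf "$1" > "$list" || { rm -f "$list"; return 1; }
    while IFS= read -r m; do
        member_ok "$m" || { echo "refusing archive member: $m" >&2; bad=1; }
    done < "$list"
    rm -f "$list"
    return $bad
}

# restore_archive FILE [TARGET_ROOT]: verify, unpack into a temporary directory,
# copy the etc/ tree over TARGET_ROOT/etc with cp -rfp as the guide does (no
# "yes |" needed: the cp -i alias is not active in a script), clean up.
restore_archive() {
    local archive="$1" root="${2:-/}" work
    verify_archive "$archive" || return 1
    work=$(mktemp -d) || return 1
    if tar -xzf "$archive" -C "$work" && mkdir -p "$root" && cp -rfp "$work/etc" "$root/"; then
        rm -rf "$work"
    else
        rm -rf "$work"; return 1
    fi
}

# main: steps 3 to 6 of the guide, with the download done by the guide's sftp command
main() {
    set -eu
    : "${SFTP_USER:?}" "${SFTP_SERVER:?}" "${SFTP_BACKUP:?}"
    sftp "$SFTP_USER@$SFTP_SERVER:/backups/$SFTP_BACKUP" .
    restore_archive "$SFTP_BACKUP" "${TARGET_ROOT:-/}"
    rm -f "$SFTP_BACKUP"
}

if [ "${1:-}" = run ]; then
    main
fi
```

Run it as root with `SFTP_BACKUP=... sftp-restore.sh run`; setting `TARGET_ROOT=/tmp/rehearsal` first shows what would be overwritten without touching /etc.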

Check whether the settings are restored correctly

To make sure that the configuration files from the archive are actually written to the file system, add a check to the command above: a marker line is appended to the unpacked etc/yum.conf before it is copied into place:

$ sftp $SFTP_USER@$SFTP_SERVER:/backups/$SFTP_BACKUP . && sudo tar -xzf $SFTP_BACKUP && echo "## this is from backup" | sudo tee -a etc/yum.conf >/dev/null && yes | sudo cp -rfp etc / && sudo rm -rf etc && rm -f $SFTP_BACKUP

The echo "## this is from backup" | sudo tee -a etc/yum.conf command appends the test phrase "## this is from backup" to the etc/yum.conf file unpacked from the archive (tee runs under sudo because the unpacked file is owned by root).

After restoring the backup, run the following command:

$ cat /etc/yum.conf | grep backup

Make sure that the test phrase is displayed on the screen:

## this is from backup

Delete the created cloud resources

If you no longer need the SFTP server and client: