Configuring an SFTP server based on CentOS 7
- Prepare your cloud
- Create a VM for the SFTP server
- Configure the SFTP server
- Create an SFTP user
- Create and configure a VM for the SFTP client
- Make a backup of configuration files on the SFTP server
- Check whether the backup is working properly
- Set up a schedule for backups
- Restore settings from a backup
- Check whether the settings are restored correctly
- How to delete the resources you created
In this tutorial, you will create VMs for the SFTP
To deploy an infrastructure:
- Prepare your cloud.
- Create a VM for the SFTP server.
- Configure the SFTP server.
- Create an SFTP user.
- Create and configure a VM for the SFTP client.
- Back up configuration files to the SFTP server.
- Test the backup.
- Set up a backup schedule.
- Restore settings from a backup.
- Check whether the settings are restored correctly.
If you no longer need the resources you created, delete them.
Prepare your cloud
Sign up for Yandex Cloud and create a billing account:
- Go to the management console and log in to Yandex Cloud or create an account if you do not have one yet.
- On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one.
If you have an active billing account, you can go to the cloud page.
Learn more about clouds and folders.
Required paid resources
The infrastructure support costs include:
- Fee for two continuously running VMs (see Yandex Compute Cloud pricing):
- VM for the SFTP client.
- VM for the SFTP server.
- Fee for using a dynamic or static external IP address (see Yandex Virtual Private Cloud pricing).
Create a VM for the SFTP server
To create a VM:
1. On the folder page in the management console, click Create resource and select Virtual machine instance.
2. In the Name field, enter the VM name: sftp-server.
3. Select an availability zone to put your virtual machine in.
4. Under Image/boot disk selection:
   - Go to the Marketplace tab.
   - Click Show all Marketplace products.
   - In the list of public images, find CentOS 7 and select it.
5. In the Computing resources section, select the following configuration:
   - Platform: Intel Cascade Lake
   - Guaranteed vCPU performance: 20%
   - vCPU: 2
   - RAM: 2 GB
6. In the Network settings section, select the network and subnet to connect the VM to. If you do not have a network or subnet yet, you can create them on the VM creation page.
7. In the Public IP field, leave the Auto value to assign a random external IP address from the Yandex Cloud pool. To ensure the external IP address does not change after the VM is stopped, convert it to static.
8. Specify the data required for accessing the VM:
   - Enter the username in the Login field.
   - In the SSH key field, paste the contents of the public key file. You need to create a key pair for the SSH connection yourself. See the section on how to connect to VMs via SSH.
   Alert: Once created, the VM will get an IP address and a host name (FQDN) for connections. If you selected the No address option in the Public IP field, you will not be able to access the VM from the internet.
9. Click Create VM.
It may take a few minutes to create a VM.
Configure the SFTP server
SFTP server functionality is included in the standard SSH program that comes with the CentOS 7 distribution. To configure the SFTP server, edit the /etc/ssh/sshd_config configuration file:
1. Open the configuration file with the vi editor. The editor comes with the distribution and does not require installation. If you are not familiar with this editor, you can learn more in the official documentation.
   ```
   sudo vi /etc/ssh/sshd_config
   ```
2. Add the following lines at the end of the file:
   ```
   Match User fuser
       ForceCommand internal-sftp
       PasswordAuthentication no
       ChrootDirectory /var/sftp
       PermitTunnel no
       AllowAgentForwarding no
       AllowTcpForwarding no
       X11Forwarding no
   ```
   Where:
   - Match User fuser: Indicates that all subsequent lines apply only when the fuser user connects. A Match block extends to the end of the file or to the next Match line, which is why these lines go at the end.
   - ForceCommand internal-sftp: Only connects the user in SFTP mode and disables access to the shell.
   - PasswordAuthentication no: Disables login and password-based access.
   - ChrootDirectory /var/sftp: Only allows user access to the /var/sftp directory.
   - PermitTunnel no, AllowAgentForwarding no, AllowTcpForwarding no, and X11Forwarding no: Disable tunneling and port and graphical app forwarding via an SSH session.
3. Save the file.
4. Output the configuration file without commented or empty lines:
   ```
   sudo grep -v -e '^#' -e '^$' /etc/ssh/sshd_config
   ```
5. Make sure the output of the previous command matches the following lines:
   ```
   HostKey /etc/ssh/ssh_host_rsa_key
   HostKey /etc/ssh/ssh_host_ecdsa_key
   HostKey /etc/ssh/ssh_host_ed25519_key
   SyslogFacility AUTHPRIV
   AuthorizedKeysFile .ssh/authorized_keys
   PasswordAuthentication no
   ChallengeResponseAuthentication no
   GSSAPIAuthentication yes
   GSSAPICleanupCredentials no
   UsePAM yes
   X11Forwarding yes
   AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
   AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
   AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
   AcceptEnv XMODIFIERS
   Subsystem sftp /usr/libexec/openssh/sftp-server
   Match User fuser
   ForceCommand internal-sftp
   PasswordAuthentication no
   ChrootDirectory /var/sftp
   PermitTunnel no
   AllowAgentForwarding no
   AllowTcpForwarding no
   X11Forwarding no
   ```
6. Restart the SFTP server for the settings to take effect. Before you do, `sudo sshd -t` checks the file for syntax errors; a broken sshd_config would lock you out of the VM after the restart.
   ```
   sudo systemctl restart sshd
   ```
   Once restarted, log in to the SFTP server VM via SSH again.
7. Create a group for SFTP users:
   ```
   sudo groupadd ftpusers
   ```
8. Create directories to save files to:
   ```
   sudo mkdir -p /var/sftp/backups
   ```
   - sftp: Root directory of the SFTP server.
   - backups: Directory to store backups on the SFTP server.
9. Set folder permissions so that all users in the ftpusers group can write and read files on the SFTP server. sshd only applies ChrootDirectory when the chroot directory and every directory above it are owned by root and not writable by group or others, so /var/sftp itself stays root-owned with mode 755 and only the backups subdirectory gets group write access:
   ```
   sudo chown root:ftpusers /var/sftp/backups
   sudo chmod 770 /var/sftp/backups
   ```
10. Check whether the set permissions are correct:
    ```
    ls -la /var | grep sftp
    ls -la /var/sftp
    ```
    Result:
    ```
    drwxr-xr-x. 4 root root 37 Aug 7 11:35 sftp
    drwxrwx---. 2 root ftpusers 80 Aug 7 08:41 backups
    ```
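An added check script (not part of the original tutorial) that audits an sshd_config file for the Match block directives shown above before sshd is restarted; it assumes only a POSIX awk, and the expected values are the ones from this section.

```shell
#!/bin/sh
# Added example, not the tutorial's own code: verify that the "Match User USER"
# block of an sshd_config carries every hardening directive from this section.

# sftp_match_check CONFIG USER
# Prints each directive that is missing from, or set differently in, the block
# and returns 1 if anything was printed, 0 when the block matches.
sftp_match_check() {
    awk -v user="$2" '
    BEGIN {
        want["forcecommand"]           = "internal-sftp"
        want["passwordauthentication"] = "no"
        want["chrootdirectory"]        = "/var/sftp"
        want["permittunnel"]           = "no"
        want["allowagentforwarding"]   = "no"
        want["allowtcpforwarding"]     = "no"
        want["x11forwarding"]          = "no"
    }
    /^[ \t]*#/ || NF == 0 { next }          # skip comments and blank lines
    # Every Match line opens a new conditional block; only our user block counts.
    tolower($1) == "match" {
        inblock = (tolower($2) == "user" && $3 == user); next
    }
    inblock { got[tolower($1)] = $2 }       # sshd keywords are case-insensitive
    END {
        bad = 0
        for (k in want) {
            if (!(k in got))            { print "missing: " k; bad = 1 }
            else if (got[k] != want[k]) { print "wrong: " k " = " got[k]; bad = 1 }
        }
        exit bad
    }' "$1"
}
```

Run it on the server as `sudo sftp_match_check /etc/ssh/sshd_config fuser`; it checks the Match block only, so still run `sudo sshd -t` for a syntax check of the whole file.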
Create an SFTP user
On the SFTP server VM:
1. Create an SFTP user, like fuser:
   ```
   sudo useradd fuser
   ```
2. Create a password for the SFTP user:
   ```
   sudo passwd fuser
   ```
3. Create SSH keys for the fuser user. Run the ssh-keygen command as fuser:
   ```
   sudo runuser -l fuser -c 'ssh-keygen'
   ```
   For the key generation process, see below. Leave the passphrase field blank.
   ```
   Generating public/private rsa key pair.
   Enter file in which to save the key (/home/fuser/.ssh/id_rsa):
   Created directory '/home/fuser/.ssh'.
   Enter passphrase (empty for no passphrase):
   Enter same passphrase again:
   Your identification has been saved in /home/fuser/.ssh/id_ed25519.
   Your public key has been saved in /home/fuser/.ssh/id_ed25519.pub.
   The key fingerprint is:
   SHA256:sXiE7EfPl8mo9mZCG+ta7fBxwdwdhbjNux63P8EIYNs fuser@ftp-server.ru-central1.internal
   The key's randomart image is:
   +--[ED25519 256]--+
   | . ..|
   | . . o . . .|
   | o = + + . |
   | . + * E.+o..|
   | o S + X +..|
   | ooo . o.o |
   | .=+o . ..o|
   | o+=oo .+.|
   | .o.++ ...+|
   +----[SHA256]-----+
   ```
4. Create a file to save the SFTP client's public SSH keys to. Set the required permissions:
   ```
   sudo touch /home/fuser/.ssh/authorized_keys
   sudo chmod 600 /home/fuser/.ssh/authorized_keys
   sudo chown fuser:fuser /home/fuser/.ssh/authorized_keys
   ```
5. Make sure the permissions are set correctly:
   ```
   ls -la /home/fuser/.ssh/
   ```
   Result:
   ```
   -rw-------. 1 fuser fuser 421 Aug 7 08:31 authorized_keys
   -rw-------. 1 fuser fuser 419 Aug 7 08:29 id_ed25519
   -rw-r--r--. 1 fuser fuser 107 Aug 7 08:29 id_ed25519.pub
   ```
6. Add the SFTP user to the SFTP group (-a appends the group to the user's existing supplementary groups instead of replacing them):
   ```
   sudo usermod -aG ftpusers fuser
   ```
Create and configure a VM for the SFTP client
The process for creating a VM for the SFTP client is exactly the same as the one for the SFTP server.
1. Complete steps 1-9 of the Create a VM for the SFTP server section; this time, however, name your VM sftp-client.
2. Create an SSH key pair on the SFTP client. The process is similar to the one described for the fuser user in the previous section:
   ```
   ssh-keygen
   ```
3. Output the public key on the SFTP client screen:
   ```
   cat ~/.ssh/id_rsa.pub
   ```
4. On the SFTP server, open the /home/fuser/.ssh/authorized_keys file:
   ```
   sudo vi /home/fuser/.ssh/authorized_keys
   ```
5. Copy the SSH public key received on the SFTP client to the end of the file.
6. Save the file.
7. Make sure the SFTP client VM is accessible from the SFTP server and vice versa:
   1. Find the public or internal IP address of the SFTP client in the Yandex Cloud console under VM settings.
      Warning: The internal addresses of the SFTP client and server must be located in the same subnet or be linked via routing settings.
   2. Enter the following command in the SFTP server terminal and provide the appropriate value:
      ```
      ping -c 3 <SFTP_client_IP_address>
      ```
   3. Make sure the packets are sent and received successfully:
      ```
      ping -c 3 84.201.170.171
      ```
      Result:
      ```
      PING 84.201.170.171 (84.201.170.171) 56(84) bytes of data.
      64 bytes from 84.201.170.171: icmp_seq=1 ttl=55 time=8.59 ms
      64 bytes from 84.201.170.171: icmp_seq=2 ttl=55 time=6.32 ms
      64 bytes from 84.201.170.171: icmp_seq=3 ttl=55 time=5.95 ms
      --- 84.201.170.171 ping statistics ---
      3 packets transmitted, 3 received, 0% packet loss, time 2003ms
      rtt min/avg/max/mdev = 5.955/6.959/8.595/1.168 ms
      ```
   4. Repeat the check on the SFTP client by specifying the SFTP server IP in the command.
Make a backup of configuration files on the SFTP server
This guide describes how to back up configuration (.conf) files from the /etc folder.
Backup process:
- Archive all the necessary configuration files.
- Send the archive to the SFTP server.
- Delete the archive on the SFTP client.
To set up the backup process:
1. Set environment variables for the script to work properly. To do this, open the ~/.bash_profile file:
   ```
   vi ~/.bash_profile
   ```
2. Add the following lines at the end of the file and provide the appropriate values:
   ```
   export SFTP_SERVER=<SFTP_server_IP_address>
   export SFTP_USER='fuser'
   ```
3. Apply the settings:
   ```
   source ~/.bash_profile
   ```
4. Make sure the variables are there:
   ```
   env | grep SFTP
   ```
   Result:
   ```
   SFTP_USER=fuser
   SFTP_SERVER=10.128.0.5
   ```
5. Compress all configuration files into a single archive:
   ```
   sudo find /etc -type f -name '*.conf' -print0 | sudo tar -czf backup.tar.gz --null -T -
   ```
   Where:
   - sudo find /etc -type f -name '*.conf' -print0: Search for all .conf files from the /etc directory. The pattern is quoted so that the shell does not expand it against .conf files in the current directory before find sees it, and -print0 separates the results with NUL bytes so that names containing spaces are passed intact.
   - sudo tar -czf backup.tar.gz --null -T -: Move the configuration files to the backup.tar.gz archive, reading the NUL-separated list of files from standard input.
6. Send the resulting archive to the SFTP server:
   ```
   curl -T backup.tar.gz sftp://$SFTP_SERVER/backups/backup_$(hostname)_$(date "+%Y%m%d_%H%M%S").tar.gz --insecure --user $SFTP_USER:
   ```
   Where:
   - -T: Uploads the backup.tar.gz file to the remote server.
   - $SFTP_SERVER: Variable that automatically takes the value of the SFTP server IP address.
   - backup_$(hostname)_$(date "+%Y%m%d_%H%M%S").tar.gz: Adds the name of the computer to the archive name and the date and time when the archive was created. This will help you navigate the list of backups on the server. For example, the name of the archive on the server might look like this: backup_ftp-server.ru-central1.internal_20190803_180228.tar.gz.
   - --insecure: Disables SSL certificate verification by the SFTP server. In this case, the traffic within the SSH session is still encrypted, but curl no longer checks the identity of the host it connects to, so it would also upload the archive to a server that is not the one you configured.
   - $SFTP_USER: Variable that automatically takes the SFTP user value.
   - :: Empty password. No password is requested; the client authenticates with the SSH key pair whose public key you added to authorized_keys on the server.
7. Delete the archive on the SFTP client:
   ```
   sudo rm -f backup.tar.gz
   ```
You can perform all actions for creating a backup with a single command in the SFTP client terminal:
```
sudo find /etc -type f -name '*.conf' -print0 | sudo tar -czf backup.tar.gz --null -T - && curl -T backup.tar.gz sftp://$SFTP_SERVER/backups/backup_$(hostname)_$(date "+%Y%m%d_%H%M%S").tar.gz --insecure --user $SFTP_USER: && sudo rm -f backup.tar.gz
```
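The backup steps above as a small script with quoting and error handling, added here as an example rather than taken from the tutorial; it assumes GNU find/tar and curl, that it is run with sudo on the SFTP client, and that SFTP_SERVER and SFTP_USER are exported as described in steps 1-3.

```shell
#!/bin/sh
# Added example, not the tutorial's own code: the archive / upload / clean-up
# steps as functions, so a failure in one step stops the rest.

# make_backup SRC_DIR ARCHIVE: pack every *.conf under SRC_DIR into ARCHIVE.
make_backup() {
    src=$1; archive=$2
    list=$(mktemp) || return 1
    # The pattern is quoted so the shell cannot expand it; -print0 keeps names
    # with spaces intact. The list goes through a file so find's exit status
    # is checked before tar runs (no pipefail needed in plain sh).
    if ! find "$src" -type f -name '*.conf' -print0 > "$list"; then
        rm -f "$list"; return 1
    fi
    # tar prints "Removing leading `/'" for absolute paths; that is expected.
    tar -czf "$archive" --null -T "$list"
    rc=$?
    rm -f "$list"
    return $rc
}

# list_backup ARCHIVE: print the members so the content can be verified.
list_backup() {
    tar -tzf "$1"
}

# upload_backup ARCHIVE: send it to the server under the host+timestamp name
# used in the tutorial (--insecure skips curl's host key check, as above).
upload_backup() {
    name="backup_$(hostname)_$(date '+%Y%m%d_%H%M%S').tar.gz"
    curl -sS -T "$1" "sftp://$SFTP_SERVER/backups/$name" --insecure --user "$SFTP_USER:"
}

# With a source directory on the command line, run the whole backup.
if [ $# -gt 0 ]; then
    make_backup "$1" backup.tar.gz && upload_backup backup.tar.gz && rm -f backup.tar.gz
fi
```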
Check whether the backup is working properly
To make sure the backup is being created properly, run the backup, and find the copy on the server:
1. Log in to the SFTP client VM via SSH and run the backup command:
   ```
   sudo find /etc -type f -name '*.conf' -print0 | sudo tar -czf backup.tar.gz --null -T - && curl -T backup.tar.gz sftp://$SFTP_SERVER/backups/backup_$(hostname)_$(date "+%Y%m%d_%H%M%S").tar.gz --insecure --user $SFTP_USER: && sudo rm -f backup.tar.gz
   ```
2. Log in to the SFTP server VM via SSH and make sure there is a file named like backup_ftp-server.ru-central1.internal_20190803_180228.tar.gz in the server's backups directory. To do this, run the following command on the SFTP server:
   ```
   sudo ls /var/sftp/backups
   ```
Set up a schedule for backups
To create regular backups of your settings, you can use a built-in program called crontab.
1. Log in to the SFTP client VM via SSH and open the crontab file for editing:
   ```
   crontab -e
   ```
2. Add the following lines to run backups daily at 11:00 pm UTC:
   ```
   SFTP_SERVER=<SFTP_server_IP_address>
   SFTP_USER='fuser'
   0 23 * * * sudo find /etc -type f -name '*.conf' -print0 | sudo tar -czf backup.tar.gz --null -T - && curl -T backup.tar.gz sftp://$SFTP_SERVER/backups/backup_$(hostname)_$(date "+\%Y\%m\%d_\%H\%M\%S").tar.gz --insecure --user $SFTP_USER: && sudo rm -f backup.tar.gz
   ```
- The VM's time is UTC by default. Keep the time zone difference in mind when setting up the schedule.
- In the command you type in crontab, all % characters should be escaped with \.
- The job runs sudo without a terminal, so it only works if the user may run sudo without a password prompt; otherwise sudo cannot ask for one and the job fails.
Restore settings from a backup
To restore settings, do the following:
- Download the backup from the SFTP server to the SFTP client.
- Unpack the archive.
- Copy the configuration files from the archive to the system.
- Delete the archive.
To restore the settings from the backup:
1. On the SFTP server, in the /var/sftp/backups directory, select the backup from which you want to restore the configuration files. For example, let's assume this backup is backup_ftp-server.ru-central1.internal_20190803_180228.tar.gz.
2. Set an environment variable for the backup file name:
   ```
   SFTP_BACKUP='backup_ftp-server.ru-central1.internal_20190803_180228.tar.gz'
   ```
3. Download the backup from the SFTP server:
   ```
   sftp $SFTP_USER@$SFTP_SERVER:/backups/$SFTP_BACKUP .
   ```
4. Unpack the archive:
   ```
   tar -xzf $SFTP_BACKUP
   ```
5. Copy the configuration files from the archive to the system. Use yes in the command to avoid entering confirmation when overwriting files:
   ```
   yes | sudo cp -rfp etc /
   ```
6. Delete the archive and unpacked content:
   ```
   rm -f $SFTP_BACKUP
   rm -rfd etc
   ```
You can perform all actions required to restore settings from a backup with a single command in the SFTP client terminal:
```
sftp $SFTP_USER@$SFTP_SERVER:/backups/$SFTP_BACKUP . && tar -xzf $SFTP_BACKUP && yes | sudo cp -rfp etc / && rm -rfd etc && rm -f $SFTP_BACKUP
```
Check whether the settings are restored correctly
On the SFTP client VM:
1. To make sure the configuration files from the archive successfully get into the file system, add a verification section to the command above:
   ```
   sftp $SFTP_USER@$SFTP_SERVER:/backups/$SFTP_BACKUP . && tar -xzf $SFTP_BACKUP && echo "## this is from backup" >> etc/yum.conf && yes | sudo cp -rfp etc / && rm -rfd etc && rm -f $SFTP_BACKUP
   ```
   The echo "## this is from backup" >> etc/yum.conf command writes the "## this is from backup" test phrase at the end of the etc/yum.conf file unpacked from the archive.
2. After restoring the backup, run the following command:
   ```
   grep backup /etc/yum.conf
   ```
3. Make sure the test phrase is displayed on the screen:
   ```
   ## this is from backup
   ```
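The restore and check steps of the two sections above as a script, added here as an example (not the tutorial's own code): instead of a hand-inserted marker line it verifies the restore by comparing every archive member against the file system with GNU tar's --diff. It assumes GNU tar and coreutils; ROOT is / for a real restore and is a parameter only so the procedure can be rehearsed in a scratch directory.

```shell
#!/bin/sh
# Added example, not the tutorial's own code: restore an already downloaded
# backup archive, then verify that the system now matches the archive.

# restore_backup ARCHIVE [ROOT]: unpack into a staging directory, then copy
# each top-level entry (e.g. etc) into ROOT with cp -rfp, as the tutorial does.
restore_backup() {
    archive=$1; root=${2:-/}
    staging=$(mktemp -d) || return 1
    # -p keeps the archived file modes, so the verification below does not
    # report umask-induced mode changes as differences.
    if ! tar -xzpf "$archive" -C "$staging"; then
        rm -rf "$staging"; return 1
    fi
    rc=0
    for entry in "$staging"/*; do
        cp -rfp "$entry" "$root/" || rc=1
    done
    rm -rf "$staging"        # nothing from the archive stays outside ROOT
    return $rc
}

# verify_restore ARCHIVE [ROOT]: succeed only if every member of the archive
# matches the file under ROOT in size, content, mode, owner and mtime;
# tar prints the paths that differ.
verify_restore() {
    tar --diff -zf "$1" -C "${2:-/}"
}

# With an archive name on the command line, restore into / and verify.
if [ $# -gt 0 ]; then
    restore_backup "$1" / && verify_restore "$1" /
fi
```

Run as root with the downloaded archive: `sudo sh restore.sh "$SFTP_BACKUP"`; a non-zero exit plus the printed paths tells you which files were not restored as archived.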
How to delete the resources you created
If you no longer need the SFTP server and client:
- Delete the VMs for the SFTP client and server (in our example, they are named sftp-server and sftp-client).
- Delete the static IP address if you reserved one.