Configuring an SFTP server based on CentOS 7
- Get your cloud ready
- Create the SFTP server VM
- Configure the SFTP server
- Create an SFTP user
- Create and configure the SFTP client VM
- Back up configuration files to the SFTP server
- Check whether the backup is working
- Set up a backup schedule
- Restore settings from a backup
- Check whether the settings are restored correctly
- How to delete the resources you created
In this tutorial, you will create two Compute Cloud VMs running an SFTP
To deploy the infrastructure:
- Get your cloud ready.
- Create the SFTP server VM.
- Configure the SFTP server.
- Create an SFTP user.
- Create and configure the SFTP client VM.
- Back up configuration files to the SFTP server.
- Test the backup.
- Set up a backup schedule.
- Restore settings from the backup.
- Check whether the settings are restored correctly.
If you no longer need the resources you created, delete them.
Get your cloud ready
Sign up for Yandex Cloud and create a billing account:
- Go to the management console
and log in to Yandex Cloud or create an account if you do not have one yet. - On the Yandex Cloud Billing
page, make sure you have a billing account linked and it has theACTIVE
orTRIAL_ACTIVE
status. If you do not have a billing account, create one.
If you have an active billing account, you can go to the cloud page
Learn more about clouds and folders.
Required paid resources
The infrastructure support cost includes:
- Fee for two continuously running VMs (see Yandex Compute Cloud pricing):
- SFTP client VM.
- SFTP server VM.
- Fee for a dynamic or static public IP address (see Yandex Virtual Private Cloud pricing).
Create the SFTP server VM
To create a VM:
-
In the management console
, select the folder to create your VM in. -
In the list of services, select Compute Cloud.
-
In the left-hand panel, select
Virtual machines. -
Click Create virtual machine.
-
Under Boot disk image select a public CentOS 7 image.
-
Under Location, select an availability zone the VM will reside in.
-
Under Computing resources, navigate to the Custom tab and specify these parameters:
- Platform:
Intel Ice Lake
- vCPU:
2
- Guaranteed vCPU performance:
20%
- RAM:
2 GB
- Platform:
-
Under Network settings:
-
In the Subnet field, specify the subnet ID in the VM availability zone. Alternatively, you can select a cloud network from the list.
-
Each network must have at least one subnet. If your network has no subnets, create one by selecting Create subnet.
-
If there are no networks in the list, click Create network to create one:
- In the window that opens, enter the network name and select the folder to host the network.
- Optionally, enable the Create subnets setting to automatically create subnets in all availability zones.
- Click Create network.
-
-
In the Public IP address field, select
Auto
to assign the VM a random external IP address from the Yandex Cloud pool. To ensure the external IP address does not change when you stop the VM, convert it to static.
-
-
Under Access, select SSH key and specify the VM access credentials:
- In the Login field, specify the VM user name, e.g.,
yc-user
. -
In the SSH key field, select the SSH key saved in your organization user profile.
If there are no saved SSH keys in your profile, or you want to add a new key:
- Click Add key.
- Enter a name for the SSH key.
- Upload or paste the contents of the public key file. You need to create a key pair for the SSH connection to a VM yourself.
- Click Add.
The SSH key will be added to your organization user profile.
If users cannot add SSH keys to their profiles in the organization, the added public SSH key will only be saved to the user profile of the VM being created.
Alert
Once your VM is created, the system will assign it an IP address and a host name (FQDN). If you selected No address in the Public IP address field, you will not be able to access the VM from the internet.
- In the Login field, specify the VM user name, e.g.,
-
Under General information, specify the VM name:
sftp-server
. -
Click Create VM.
It may take a few minutes to create a VM.
Configure the SFTP server
SFTP server is part of the standard SSH program that comes with CentOS 7. To configure the SFTP server, edit the /etc/ssh/sshd_config
configuration file:
-
Open the configuration file in
vi
. This editor comes with CentOS and does not require installation. If you are not familiar with it, you can learn more in the official documentation .sudo vi /etc/ssh/sshd_config
-
Add the following lines at the end of the file:
Match User fuser ForceCommand internal-sftp PasswordAuthentication no ChrootDirectory /var/sftp PermitTunnel no AllowAgentForwarding no AllowTcpForwarding no X11Forwarding no
Where:
Match User fuser
: The server will apply all following settings only for thefuser
user.ForceCommand internal-sftp
: The server provides SFTP access only and disables access to the shell.PasswordAuthentication no
: The server disables login and password-based access.ChrootDirectory /var/sftp
: The user only has access to the/var/sftp
directory.PermitTunnel no
,AllowAgentForwarding no
,AllowTcpForwarding no
, andX11Forwarding no
: The server disables tunneling, port forwarding, and graphical application forwarding over SSH.
-
Save the file.
-
Display the configuration file without comments and empty lines:
sudo cat /etc/ssh/sshd_config | grep -v -e '^#' -e '^$'
-
Make sure the output matches the following:
HostKey /etc/ssh/ssh_host_rsa_key HostKey /etc/ssh/ssh_host_ecdsa_key HostKey /etc/ssh/ssh_host_ed25519_key SyslogFacility AUTHPRIV AuthorizedKeysFile .ssh/authorized_keys PasswordAuthentication no ChallengeResponseAuthentication no GSSAPIAuthentication yes GSSAPICleanupCredentials no UsePAM yes X11Forwarding yes AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE AcceptEnv XMODIFIERS Subsystem sftp /usr/libexec/openssh/sftp-server Match User fuser ForceCommand internal-sftp PasswordAuthentication no ChrootDirectory /var/sftp PermitTunnel no AllowAgentForwarding no AllowTcpForwarding no X11Forwarding no
-
Restart the SFTP server for the settings to take effect:
sudo systemctl restart sshd
Once restarted, log in to the SFTP server VM over SSH again.
-
Create a group for SFTP users:
sudo groupadd ftpusers
-
Create directories to save files to:
sudo mkdir -p /var/sftp/backups
sftp
: Root directory of the SFTP server.backups
: Directory to store backups on the SFTP server.
-
Grant the
ftpusers
group permissions to read and write files in the backups directory:sudo chown root:ftpusers /var/sftp/backups sudo chmod 770 /var/sftp/backups
-
Check whether the permissions are correct:
ls -la /var | grep sftp ls -la /var/sftp
Result:
drwxr-xr-x. 4 root root 37 Aug 7 11:35 sftp drwxrwx---. 2 root ftpusers 80 Aug 7 08:41 backups
Create an SFTP user
On the SFTP server VM:
-
Create an SFTP user, e.g.,
fuser
:sudo useradd fuser
-
Create a password for the SFTP user:
sudo passwd fuser
-
Create SSH keys for the
fuser
account. Run thessh-keygen
command underfuser
:sudo runuser -l fuser -c 'ssh-keygen'
For the key generation process, see below. Leave the
passphrase
field blank.Generating public/private rsa key pair. Enter file in which to save the key (/home/fuser/.ssh/id_rsa): Created directory '/home/fuser/.ssh'. Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/fuser/.ssh/id_ed25519. Your public key has been saved in /home/fuser/.ssh/id_ed25519.pub. The key fingerprint is: SHA256:sXiE7EfPl8mo9mZCG+ta7fBxwdwdhbjNux63P8EIYNs fuser@ftp-server.ru-central1.internal The key's randomart image is: +--[ED25519 256]--+ | . ..| | . . o . . .| | o = + + . | | . + * E.+o..| | o S + X +..| | ooo . o.o | | .=+o . ..o| | o+=oo .+.| | .o.++ ...+| +----[SHA256]-----+
-
Create a file to store the SFTP client’s public SSH keys. Set the required permissions:
sudo touch /home/fuser/.ssh/authorized_keys sudo chmod 600 /home/fuser/.ssh/authorized_keys sudo chown fuser:fuser /home/fuser/.ssh/authorized_keys
-
Make sure the permissions are correct:
ls -la /home/fuser/.ssh/
Result:
-rw-------. 1 fuser fuser 421 Aug 7 08:31 authorized_keys -rw-------. 1 fuser fuser 419 Aug 7 08:29 id_ed25519 -rw-r--r--. 1 fuser fuser 107 Aug 7 08:29 id_ed25519.pub
-
Add the SFTP user to the SFTP group:
sudo usermod -G ftpusers fuser
Create and configure the SFTP client VM
The steps for creating an SFTP client VM are the same for the SFTP server one.
-
Complete steps 1-11 of the Create the SFTP server VM section; this time, however, give your VM a different name:
sftp-client
. -
Create an SSH key pair on the SFTP client. Do it the way you did it for
fuser
in the previous section:ssh-keygen
-
Display the public key on the SFTP client screen:
cat ~/.ssh/id_rsa.pub
-
Open the
/home/fuser/.ssh/authorized_keys
file:sudo vi /home/fuser/.ssh/authorized_keys
-
Add the SSH key received on the SFTP client to the end of the file.
-
Save the file.
-
Make sure the SFTP client VM is accessible from the SFTP server and vice versa:
-
Find the SFTP client IP address in the Yandex Cloud console under VM settings.
Warning
The internal addresses of the SFTP client and SFTP server must either belong to the same subnet or be connected by the routing protocols.
-
Enter the following command in the SFTP server terminal and provide the appropriate value:
ping -c 3 <SFTP_client_IP_address>
-
Make sure the packets are sent and received successfully:
ping -c 3 84.201.170.171
Result:
PING 84.201.170.171 (84.201.170.171) 56(84) bytes of data. 64 bytes from 84.201.170.171: icmp_seq=1 ttl=55 time=8.59 ms 64 bytes from 84.201.170.171: icmp_seq=2 ttl=55 time=6.32 ms 64 bytes from 84.201.170.171: icmp_seq=3 ttl=55 time=5.95 ms --- 84.201.170.171 ping statistics --- 3 packets transmitted, 3 received, 0% packet loss, time 2003ms rtt min/avg/max/mdev = 5.955/6.959/8.595/1.168 ms
-
On the SFTP client, check whether the SFTP server is accessible by pinging its IP address.
Back up configuration files to the SFTP server
This section describes how to back up configuration files (.conf
) in the /etc
folder.
The backup process is as follows:
- Archive all configuration files you need.
- Send the archive to the SFTP server.
- Delete the archive on the SFTP client.
To set up the backup process:
-
Set environment variables for the script. To do this, open the
~/.bash_profile
file:vi ~/.bash_profile
-
Add the following lines at the end of the file and provide the appropriate values:
export SFTP_SERVER=<SFTP_server_IP_address> export SFTP_USER='fuser'
-
Apply the settings:
source ~/.bash_profile
-
Make sure these variables are there:
env | grep SFTP
Result:
SFTP_USER=fuser SFTP_SERVER=10.128.0.5
-
Compress all configuration files into a single archive:
sudo find /etc -type f -name *.conf -print0 | sudo tar -czf backup.tar.gz --null -T -
Where:
sudo find /etc -type f -name *.conf -print0
: Searching for all.conf
files from/etc
.sudo tar -czf backup.tar.gz --null -T -
: Moving configuration files to thebackup.tar.gz
archive.
-
Send the archive to the SFTP server:
curl \ --upload-file backup.tar.gz sftp://$SFTP_SERVER/backups/backup_$(hostname)_$(date "+%Y%m%d_%H%M%S").tar.gz \ --insecure \ --user $SFTP_USER:
Where:
-
-T
: Uploads thebackup.tar.gz
file to the remote server. -
$SFTP_SERVER
: Variable that automatically takes the SFTP server IP address value. -
backup_$(hostname)_$(date "+%Y%m%d_%H%M%S").tar.gz
: Appends the computer name, date, and time when the archive was created, to the archive name. This will help you navigate the list of backups on the server.For example, the archive name on the server may look like this:
backup_ftp-server.ru-central1.internal_20190803_180228.tar.gz
. -
--insecure
: Disables SSL certificate verification by the SFTP server. In this case, the SSH traffic will still be encrypted. -
$SFTP_USER
: Variable that automatically takes the SFTP user value. -
:
: Empty password. No password will be requested.
-
-
Delete the archive on the SFTP client:
sudo rm -f backup.tar.gz
You can perform all actions for creating a backup with a single command in the SFTP client terminal:
sudo find /etc -type f -name *.conf -print0 | sudo tar -czf backup.tar.gz --null -T -&& curl --upload-file backup.tar.gz sftp://$SFTP_SERVER/backups/backup_$(hostname)_$(date "+%Y%m%d_%H%M%S").tar.gz --insecure --user $SFTP_USER: && sudo rm -f backup.tar.gz
Check whether the backup is working
To make sure the backup works correctly, run the backup and find the created copy on the server:
-
Log in to the SFTP client VM over SSH and run the backup command:
sudo find /etc -type f -name *.conf -print0 | sudo tar -czf backup.tar.gz --null -T -&& curl --upload-file backup.tar.gz sftp://$SFTP_SERVER/backups/backup_$(hostname)_$(date "+%Y%m%d_%H%M%S").tar.gz --insecure --user $SFTP_USER: && sudo rm -f backup.tar.gz
-
Log in to the SFTP server VM over SSH and make sure there is a file in the SFTP user's home directory with a name like
backup_ftp-server.ru-central1.internal_20190803_180228.tar.gz
. To do this, run the following command on the SFTP server:sudo ls /var/sftp/backups
Set up a backup schedule
To create regular backups of your settings, use crontab
.
-
Log in to the SFTP client VM over SSH and open the
crontab
file for editing:crontab -e
-
Add the following lines to run backups daily at 11:00 pm UTC:
SFTP_SERVER=<SFTP_server_IP_address> SFTP_USER='fuser' 0 23 * * * sudo find /etc -type f -name *.conf -print0 | sudo tar -czf backup.tar.gz --null -T -&& curl --upload-file backup.tar.gz sftp://$SFTP_SERVER/backups/backup_$(hostname)_$(date "+\%Y\%m\%d_\%H\%M\%S").tar.gz --insecure --user $SFTP_USER: && sudo rm -f backup.tar.gz
- The VM time is UTC by default. Keep the time zone difference in mind when setting up your schedule.
- In the command you add to
crontab
, escape all%
characters with\
.
Restore settings from a backup
The steps to restore settings are as follows:
- Download the backup from the SFTP server to the SFTP client.
- Unpack the archive.
- Copy the configuration files from the archive to the system.
- Delete the archive.
To restore the settings from the backup:
-
On the SFTP server, in the
/var/sftp/backups
directory, select the backup with the configuration files you want to restore. For example, let’s assume you selectbackup_ftp-server.ru-central1.internal_20190803_180228.tar.gz
. -
Set an environment variable for the backup file name:
SFTP_BACKUP='backup_ftp-server.ru-central1.internal_20190803_180228.tar.gz'
-
Download the backup from the SFTP server:
sftp $SFTP_USER@$SFTP_SERVER:/backups/$SFTP_BACKUP .
-
Unpack the archive:
tar -xzf $SFTP_BACKUP
-
Copy the configuration files from the archive to the system. Use
yes
when running this command to skip confirmation when overwriting files:yes | sudo cp -rfp etc /
-
Delete the archive and unpacked files:
rm -f $SFTP_BACKUP rm -rfd etc
You can restore settings from a backup with a single command in the SFTP client terminal:
sftp $SFTP_USER@$SFTP_SERVER:/backups/$SFTP_BACKUP . && tar -xzf $SFTP_BACKUP && yes | sudo cp -rfp etc / && rm -rfd etc && rm -f $SFTP_BACKUP
Check whether the settings are restored correctly
On the SFTP client VM:
-
To make sure the configuration files from the archive successfully get into the file system, add a verification section to the command above:
sftp $SFTP_USER@$SFTP_SERVER:/backups/$SFTP_BACKUP . && tar -xzf $SFTP_BACKUP && echo "## this is from backup" >> etc/yum.conf && yes | sudo cp -rfp etc / && rm -rfd etc && rm -f $SFTP_BACKUP
The
echo "## this is from backup" >> etc/yum.conf
command writes the ## this is from backup test phrase at the end of theetc/yum.conf
file unpacked from the archive. -
After restoring the backup, run the following command:
cat /etc/yum.conf | grep backup
-
Make sure you can see the test phrase on the screen:
## this is from backup
How to delete the resources you created
If you no longer need the SFTP server and SFTP client:
- Delete the VMs for the SFTP client and SFTP server (in our example,
sftp-server
andsftp-client
). - Delete the static IP address if you reserved one.