Configuring an SFTP server based on CentOS 7

Written by
Yandex Cloud
Updated at May 7, 2025

In this tutorial, you will create two Compute Cloud VMs running an SFTP server and SFTP client; you will connect to them over SSH, create an SFTP user, and set up data backups.

To deploy the infrastructure:

  1. Get your cloud ready.
  2. Create the SFTP server VM.
  3. Configure the SFTP server.
  4. Create an SFTP user.
  5. Create and configure the SFTP client VM.
  6. Back up configuration files to the SFTP server.
  7. Test the backup.
  8. Set up a backup schedule.
  9. Restore settings from the backup.
  10. Check whether the settings are restored correctly.

If you no longer need the resources you created, delete them.

Get your cloud ready

Sign up in Yandex Cloud and create a billing account:

  1. Navigate to the management console and log in to Yandex Cloud or register a new account.
  2. On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one and link a cloud to it.

If you have an active billing account, you can navigate to the cloud page to create or select a folder for your infrastructure to operate in.

Learn more about clouds and folders.

Required paid resources

The infrastructure support cost includes:

  • Fee for two continuously running VMs (see Yandex Compute Cloud pricing):
    • SFTP client VM.
    • SFTP server VM.
  • Fee for a dynamic or static public IP address (see Yandex Virtual Private Cloud pricing).

Create the SFTP server VM

To create a VM:

Management console
  1. In the management console, select the folder to create your VM in.

  2. In the list of services, select Compute Cloud.

  3. In the left-hand panel, select Virtual machines.

  4. Click Create virtual machine.

  5. Under Boot disk image, select a public CentOS 7 image.

  6. Under Location, select an availability zone the VM will reside in.

  7. Under Computing resources, navigate to the Custom tab and specify these parameters:

    • Platform: Intel Ice Lake
    • vCPU: 2
    • Guaranteed vCPU performance: 20%
    • RAM: 2 GB
  8. Under Network settings:

    • In the Subnet field, specify the subnet ID in the VM availability zone. Alternatively, you can select a cloud network from the list.

      • Each network must have at least one subnet. If your network has no subnets, create one by selecting Create subnet.

      • If there are no networks in the list, click Create network to create one:

        • In the window that opens, enter the network name and select the folder to host the network.
        • Optionally, enable the Create subnets setting to automatically create subnets in all availability zones.
        • Click Create network.
    • In the Public IP address field, select Auto to assign the VM a random external IP address from the Yandex Cloud pool. To ensure the external IP address does not change when you stop the VM, convert it to static.

  9. Under Access, select SSH key and specify the VM access credentials:

    • In the Login field, specify the VM user name, e.g., yc-user.
    • In the SSH key field, select the SSH key saved in your organization user profile.

      If there are no saved SSH keys in your profile, or you want to add a new key:

      • Click Add key.
      • Enter a name for the SSH key.
      • Upload or paste the contents of the public key file. You need to create a key pair for the SSH connection to a VM yourself.
      • Click Add.

      The SSH key will be added to your organization user profile.

      If users cannot add SSH keys to their profiles in the organization, the added public SSH key will only be saved to the user profile of the VM being created.

    Alert

    Once your VM is created, the system will assign it an IP address and a host name (FQDN). If you selected No address in the Public IP address field, you will not be able to access the VM from the internet.

  10. Under General information, specify the VM name: sftp-server.

  11. Click Create VM.

It may take a few minutes to create a VM.

Configure the SFTP server

The SFTP server is part of the standard SSH program that comes with CentOS 7. To configure the SFTP server, edit the /etc/ssh/sshd_config configuration file:

  1. Log in to the SFTP server VM over SSH.

  2. Open the configuration file in vi. This editor comes with CentOS and does not require installation. If you are not familiar with it, you can learn more in the official documentation.

    sudo vi /etc/ssh/sshd_config
    
  3. Add the following lines at the end of the file:

    Match User fuser
    ForceCommand internal-sftp
    PasswordAuthentication no
    ChrootDirectory /var/sftp
    PermitTunnel no
    AllowAgentForwarding no
    AllowTcpForwarding no
    X11Forwarding no
    

    Where:

    • Match User fuser: The server will apply all following settings only for the fuser user.
    • ForceCommand internal-sftp: The server provides SFTP access only and disables access to the shell.
    • PasswordAuthentication no: The server disables password-based authentication for this user.
    • ChrootDirectory /var/sftp: The user only has access to the /var/sftp directory.
    • PermitTunnel no, AllowAgentForwarding no, AllowTcpForwarding no, and X11Forwarding no: The server disables tunneling, port forwarding, and graphical application forwarding over SSH.
  4. Save the file.

  5. Display the configuration file without comments and empty lines:

    sudo cat /etc/ssh/sshd_config | grep -v -e '^#' -e '^$'
    
  6. Make sure the output matches the following:

    HostKey /etc/ssh/ssh_host_rsa_key
    HostKey /etc/ssh/ssh_host_ecdsa_key
    HostKey /etc/ssh/ssh_host_ed25519_key
    SyslogFacility AUTHPRIV
    AuthorizedKeysFile .ssh/authorized_keys
    PasswordAuthentication no
    ChallengeResponseAuthentication no
    GSSAPIAuthentication yes
    GSSAPICleanupCredentials no
    UsePAM yes
    X11Forwarding yes
    AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
    AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
    AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
    AcceptEnv XMODIFIERS
    Subsystem sftp  /usr/libexec/openssh/sftp-server
    Match User fuser
    ForceCommand internal-sftp
    PasswordAuthentication no
    ChrootDirectory /var/sftp
    PermitTunnel no
    AllowAgentForwarding no
    AllowTcpForwarding no
    X11Forwarding no
    
  7. Restart the SFTP server for the settings to take effect:

    sudo systemctl restart sshd
    

    Once restarted, log in to the SFTP server VM over SSH again.

  8. Create a group for SFTP users:

    sudo groupadd ftpusers
    
  9. Create directories to save files to:

    sudo mkdir -p /var/sftp/backups
    
    • sftp: Root directory of the SFTP server.
    • backups: Directory to store backups on the SFTP server.
  10. Grant the ftpusers group permissions to read and write files in the backups directory:

    sudo chown root:ftpusers /var/sftp/backups
    sudo chmod 770 /var/sftp/backups
    
  11. Check whether the permissions are correct:

    ls -la /var | grep sftp
    ls -la /var/sftp
    

    Result:

    drwxr-xr-x.  4 root root   37 Aug  7 11:35 sftp
    drwxrwx---. 2 root ftpusers 80 Aug  7 08:41 backups
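
The Match User block restricts fuser only if every directive actually sits inside that block, before any later Match line. The script below is an added example, not part of the original tutorial: it extracts the directives that apply to one user and reports any that differ from the values used above. The function names match_block, audit_sftp_user and write_samples and both sample configurations are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the tutorial: audit the "Match User" block of an
# sshd_config file. Assumption: the block starts with a plain
# "Match User <name>" line; pattern lists and other criteria are not handled.

# Print "keyword value" (keyword lowercased) for each directive that applies
# inside the Match block of user $2 in file $1.
match_block() {
    awk -v user="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }       # comments and blank lines
        tolower($1) == "match" {                # a Match line ends any earlier block
            inblock = (NF == 3 && tolower($2) == "user" && $3 == user)
            next
        }
        inblock && !seen[tolower($1)]++ {       # sshd uses the first value it obtains
            $1 = tolower($1); print
        }
    ' "$1"
}

# Print one line per directive that differs from the tutorial values;
# return 0 only if the block is complete.
audit_sftp_user() {
    block=$(match_block "$1" "$2")
    rc=0
    for want in "forcecommand internal-sftp" "passwordauthentication no" \
                "permittunnel no" "allowagentforwarding no" \
                "allowtcpforwarding no" "x11forwarding no"; do
        key=${want%% *}
        got=$(printf '%s\n' "$block" | grep "^$key " || true)
        if [ "$got" != "$want" ]; then
            echo "$key: expected '${want#* }', found '${got#* }'"
            rc=1
        fi
    done
    # ChrootDirectory must be set to an absolute path ("none" disables it).
    case $(printf '%s\n' "$block" | awk '$1 == "chrootdirectory" { print $2 }') in
        /*) ;;
        *) echo "chrootdirectory: missing or not an absolute path"; rc=1 ;;
    esac
    return "$rc"
}

# Constructed samples. good.conf is the tutorial block below a global
# "X11Forwarding yes"; in weak.conf a second Match line comes too early, so
# ForceCommand and AllowTcpForwarding no longer apply to fuser.
write_samples() {
    printf '%s\n' 'X11Forwarding yes' 'Match User fuser' \
        'ForceCommand internal-sftp' 'PasswordAuthentication no' \
        'ChrootDirectory /var/sftp' 'PermitTunnel no' \
        'AllowAgentForwarding no' 'AllowTcpForwarding no' \
        'X11Forwarding no' > "$1/good.conf"
    printf '%s\n' 'X11Forwarding yes' 'Match User fuser' \
        'PasswordAuthentication no' 'ChrootDirectory /var/sftp' \
        'PermitTunnel no' 'AllowAgentForwarding no' 'X11Forwarding no' \
        'Match User other' 'ForceCommand internal-sftp' \
        'AllowTcpForwarding no' > "$1/weak.conf"
}

tmp=$(mktemp -d)
write_samples "$tmp"
for f in good weak; do
    echo "== $f.conf"
    audit_sftp_user "$tmp/$f.conf" fuser && echo "all settings apply to fuser"
done
rm -rf "$tmp"
```

On the server itself, run it as audit_sftp_user /etc/ssh/sshd_config fuser before restarting sshd.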
    

Create an SFTP user

On the SFTP server VM:

  1. Create an SFTP user, e.g., fuser:

    sudo useradd fuser
    
  2. Create a password for the SFTP user:

    sudo passwd fuser
    
  3. Create SSH keys for the fuser account. Run the ssh-keygen command under fuser:

    sudo runuser -l  fuser -c 'ssh-keygen'
    

    For the key generation process, see below. Leave the passphrase field blank.

    Generating public/private rsa key pair.
    Enter file in which to save the key (/home/fuser/.ssh/id_rsa): 
    Created directory '/home/fuser/.ssh'.
    Enter passphrase (empty for no passphrase): 
    Enter same passphrase again: 
    Your identification has been saved in /home/fuser/.ssh/id_ed25519.
    Your public key has been saved in /home/fuser/.ssh/id_ed25519.pub.
    The key fingerprint is:
    SHA256:sXiE7EfPl8mo9mZCG+ta7fBxwdwdhbjNux63P8EIYNs fuser@ftp-server.ru-central1.internal
    The key's randomart image is:
    +--[ED25519 256]--+
    |             . ..|
    |     . . o  . . .|
    |      o = +  + . |
    |     . + * E.+o..|
    |      o S + X +..|
    |       ooo . o.o |
    |       .=+o . ..o|
    |       o+=oo  .+.|
    |      .o.++  ...+|
    +----[SHA256]-----+
    
  4. Create a file to store the SFTP client’s public SSH keys. Set the required permissions:

    sudo touch /home/fuser/.ssh/authorized_keys
    sudo chmod 600 /home/fuser/.ssh/authorized_keys
    sudo chown fuser:fuser /home/fuser/.ssh/authorized_keys
    
  5. Make sure the permissions are correct:

    ls -la /home/fuser/.ssh/
    

    Result:

    -rw-------. 1 fuser fuser  421 Aug  7 08:31 authorized_keys
    -rw-------. 1 fuser fuser  419 Aug  7 08:29 id_ed25519
    -rw-r--r--. 1 fuser fuser  107 Aug  7 08:29 id_ed25519.pub
    
  6. Add the SFTP user to the SFTP group:

    sudo usermod -G ftpusers fuser
    

Create and configure the SFTP client VM

The steps for creating the SFTP client VM are the same as for the SFTP server VM.

  1. Complete steps 1-11 of the Create the SFTP server VM section; this time, however, give your VM a different name: sftp-client.

  2. Log in to the SFTP client VM over SSH.

  3. Create an SSH key pair on the SFTP client. Do it the way you did it for fuser in the previous section:

    ssh-keygen
    
  4. Display the public key on the SFTP client screen:

    cat ~/.ssh/id_rsa.pub
    
  5. Log in to the SFTP server VM over SSH.

  6. Open the /home/fuser/.ssh/authorized_keys file:

    sudo vi /home/fuser/.ssh/authorized_keys
    
  7. Add the SSH key received on the SFTP client to the end of the file.

  8. Save the file.

  9. Make sure the SFTP client VM is accessible from the SFTP server and vice versa:

    1. Log in to the SFTP server VM over SSH.

    2. Find the SFTP client IP address in the Yandex Cloud console under VM settings.

      Warning

      The internal addresses of the SFTP client and SFTP server must either belong to the same subnet or be connected by the routing protocols.

    3. Enter the following command in the SFTP server terminal and provide the appropriate value:

      ping -c 3 <SFTP_client_IP_address>
      
    4. Make sure the packets are sent and received successfully:

      ping -c 3 84.201.170.171
      

      Result:

      PING 84.201.170.171 (84.201.170.171) 56(84) bytes of data.
      64 bytes from 84.201.170.171: icmp_seq=1 ttl=55 time=8.59 ms
      64 bytes from 84.201.170.171: icmp_seq=2 ttl=55 time=6.32 ms
      64 bytes from 84.201.170.171: icmp_seq=3 ttl=55 time=5.95 ms
      
      --- 84.201.170.171 ping statistics ---
      3 packets transmitted, 3 received, 0% packet loss, time 2003ms
      rtt min/avg/max/mdev = 5.955/6.959/8.595/1.168 ms
      
    5. On the SFTP client, check whether the SFTP server is accessible by pinging its IP address.

Back up configuration files to the SFTP server

This section describes how to back up configuration files (.conf) in the /etc folder.

The backup process is as follows:

  1. Archive all configuration files you need.
  2. Send the archive to the SFTP server.
  3. Delete the archive on the SFTP client.

To set up the backup process:

  1. Log in to the SFTP client VM over SSH.

  2. Set environment variables for the script. To do this, open the ~/.bash_profile file:

    vi ~/.bash_profile
    
  3. Add the following lines at the end of the file and provide the appropriate values:

    export SFTP_SERVER=<SFTP_server_IP_address>
    export SFTP_USER='fuser'
    
  4. Apply the settings:

    source ~/.bash_profile
    
  5. Make sure these variables are there:

    env | grep SFTP
    

    Result:

    SFTP_USER=fuser
    SFTP_SERVER=10.128.0.5
    
  6. Compress all configuration files into a single archive:

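    sudo find /etc -type f -name '*.conf' -print0 | sudo tar -czf backup.tar.gz --null -T -
    

    Where:

    • sudo find /etc -type f -name '*.conf' -print0: Finds all .conf files under /etc. The pattern is quoted so that the shell passes it to find unchanged instead of expanding it against files in the current directory.
    • sudo tar -czf backup.tar.gz --null -T -: Packs the configuration files found into the backup.tar.gz archive.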
  7. Send the archive to the SFTP server:

    curl \
      --upload-file backup.tar.gz sftp://$SFTP_SERVER/backups/backup_$(hostname)_$(date "+%Y%m%d_%H%M%S").tar.gz \
      --insecure \
      --user $SFTP_USER:
    

    Where:

    • --upload-file (short form: -T): Uploads the backup.tar.gz file to the remote server.

    • $SFTP_SERVER: Variable that automatically takes the SFTP server IP address value.

    • backup_$(hostname)_$(date "+%Y%m%d_%H%M%S").tar.gz: Appends the computer name, date, and time when the archive was created, to the archive name. This will help you navigate the list of backups on the server.

      For example, the archive name on the server may look like this: backup_ftp-server.ru-central1.internal_20190803_180228.tar.gz.

    • --insecure: For SFTP, makes curl skip verification of the server's host key against the known_hosts file. The SSH traffic will still be encrypted, but the client does not check that it is connected to the expected server.

    • $SFTP_USER: Variable that automatically takes the SFTP user value.

    • : (the colon after $SFTP_USER): Empty password. No password will be requested.

  8. Delete the archive on the SFTP client:

    sudo rm -f backup.tar.gz
    

You can perform all actions for creating a backup with a single command in the SFTP client terminal:

sudo find /etc -type f -name '*.conf' -print0 | sudo tar -czf backup.tar.gz --null -T - && curl --upload-file backup.tar.gz sftp://$SFTP_SERVER/backups/backup_$(hostname)_$(date "+%Y%m%d_%H%M%S").tar.gz --insecure --user $SFTP_USER: && sudo rm -f backup.tar.gz

Check whether the backup is working

To make sure the backup works correctly, run the backup and find the created copy on the server:

  1. Log in to the SFTP client VM over SSH and run the backup command:

    sudo find /etc -type f -name '*.conf' -print0 | sudo tar -czf backup.tar.gz --null -T - && curl --upload-file backup.tar.gz sftp://$SFTP_SERVER/backups/backup_$(hostname)_$(date "+%Y%m%d_%H%M%S").tar.gz --insecure --user $SFTP_USER: && sudo rm -f backup.tar.gz
    
  2. Log in to the SFTP server VM over SSH and make sure the /var/sftp/backups directory contains a file with a name like backup_ftp-server.ru-central1.internal_20190803_180228.tar.gz. To do this, run the following command on the SFTP server:

    sudo ls /var/sftp/backups
    

Set up a backup schedule

To create regular backups of your settings, use crontab.

  1. Log in to the SFTP client VM over SSH and open the crontab file for editing:

    crontab -e
    
  2. Add the following lines to run backups daily at 11:00 pm UTC:

    SFTP_SERVER=<SFTP_server_IP_address>
    SFTP_USER='fuser'
    
    0 23 * * * sudo find /etc -type f -name '*.conf' -print0 | sudo tar -czf backup.tar.gz --null -T - && curl --upload-file backup.tar.gz sftp://$SFTP_SERVER/backups/backup_$(hostname)_$(date "+\%Y\%m\%d_\%H\%M\%S").tar.gz --insecure --user $SFTP_USER: && sudo rm -f backup.tar.gz
    
    • The VM time is UTC by default. Keep the time zone difference in mind when setting up your schedule.
    • In the command you add to crontab, escape all % characters with \.

Restore settings from a backup

The steps to restore settings are as follows:

  1. Download the backup from the SFTP server to the SFTP client.
  2. Unpack the archive.
  3. Copy the configuration files from the archive to the system.
  4. Delete the archive.

To restore the settings from the backup:

  1. On the SFTP server, in the /var/sftp/backups directory, select the backup with the configuration files you want to restore. For example, let’s assume you select backup_ftp-server.ru-central1.internal_20190803_180228.tar.gz.

  2. Log in to the SFTP client VM over SSH.

  3. Set an environment variable for the backup file name:

    SFTP_BACKUP='backup_ftp-server.ru-central1.internal_20190803_180228.tar.gz'
    
  4. Download the backup from the SFTP server:

    sftp $SFTP_USER@$SFTP_SERVER:/backups/$SFTP_BACKUP .
    
  5. Unpack the archive:

    tar -xzf $SFTP_BACKUP
    
  6. Copy the configuration files from the archive to the system. Use yes when running this command to skip confirmation when overwriting files:

    yes | sudo cp -rfp etc / 
    
  7. Delete the archive and unpacked files:

    rm -f $SFTP_BACKUP
    rm -rfd etc
    

You can restore settings from a backup with a single command in the SFTP client terminal:

sftp $SFTP_USER@$SFTP_SERVER:/backups/$SFTP_BACKUP . && tar -xzf $SFTP_BACKUP && yes | sudo cp -rfp etc / && rm -rfd etc && rm -f $SFTP_BACKUP
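
The restore copies whatever the archive contains over /etc as root, so it helps to confirm first that the archive holds only what the backup step produces: regular files named etc/<path>.conf. The check below is an added example, not part of the original tutorial; the function names check_backup and make_samples and both sample archives are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the tutorial: check a downloaded backup before it is
# unpacked and copied over /etc. The backup step only archives regular files
# named etc/<path>.conf, so any other entry is reported.

# Print every problem found in archive $1; return 0 only if there are none.
check_backup() {
    names=$(tar -tzf "$1" 2>/dev/null) || { echo "cannot read archive"; return 1; }
    [ -n "$names" ] || { echo "archive is empty"; return 1; }
    rc=0
    # The first character of a verbose listing line is the entry type:
    # "-" regular file, "d" directory, "l" symbolic link, "h" hard link.
    types=$(tar -tzvf "$1" | cut -c1 | sort -u | tr -d '\n')
    if [ "$types" != "-" ]; then
        echo "entry types '$types': expected regular files only"
        rc=1
    fi
    # Names must stay below etc/, end in .conf and have no ".." component.
    bad=$(printf '%s\n' "$names" | grep -Ev '^etc/.*\.conf$' || true)
    up=$(printf '%s\n' "$names" | grep -E '(^|/)\.\.(/|$)' || true)
    if [ -n "$bad$up" ]; then
        printf '%s\n' "$bad" "$up" | sed -e '/^$/d' -e 's/^/unexpected member: /' | sort -u
        rc=1
    fi
    return "$rc"
}

# Constructed samples: good.tar.gz mirrors what the backup step produces;
# odd.tar.gz also carries a symbolic link and a file that is not a .conf file.
make_samples() {
    ( cd "$1" &&
      mkdir -p etc/sysctl.d etc/cron.d &&
      echo 'a=1' > etc/yum.conf &&
      echo 'b=2' > etc/sysctl.d/99.conf &&
      tar -czf good.tar.gz etc/yum.conf etc/sysctl.d/99.conf &&
      echo '# sample' > etc/cron.d/job &&
      ln -s yum.conf etc/link.conf &&
      tar -czf odd.tar.gz etc/yum.conf etc/cron.d/job etc/link.conf &&
      rm -rf etc )
}

tmp=$(mktemp -d)
make_samples "$tmp"
for a in good odd; do
    echo "== $a.tar.gz"
    if check_backup "$tmp/$a.tar.gz"; then echo "ok to restore"; fi
done
rm -rf "$tmp"
```

In the restore sequence, call check_backup "$SFTP_BACKUP" between the download and tar -xzf, and stop if it returns a non-zero status.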

Check whether the settings are restored correctly

On the SFTP client VM:

  1. To make sure the configuration files from the archive successfully get into the file system, add a verification section to the command above:

    sftp $SFTP_USER@$SFTP_SERVER:/backups/$SFTP_BACKUP . && tar -xzf $SFTP_BACKUP && echo "## this is from backup" >> etc/yum.conf && yes | sudo cp -rfp etc / && rm -rfd etc && rm -f $SFTP_BACKUP
    

    The echo "## this is from backup" >> etc/yum.conf command writes the ## this is from backup test phrase at the end of the etc/yum.conf file unpacked from the archive.

  2. After restoring the backup, run the following command:

    cat /etc/yum.conf | grep backup
    
  3. Make sure you can see the test phrase on the screen:

    ## this is from backup
    

How to delete the resources you created

If you no longer need the SFTP server and SFTP client:

  • Delete the VMs for the SFTP client and SFTP server (in our example, sftp-server and sftp-client).
  • Delete the static IP address if you reserved one.

Yandex project
© 2025 Yandex.Cloud LLC