Configuring an SFTP server based on CentOS 7
- Prepare your cloud
- Create a VM for the SFTP server
- Configure the SFTP server
- Create an SFTP user
- Create and configure a VM for the SFTP client
- Make a backup of configuration files on the SFTP server
- Check whether the backup is working properly
- Set up a schedule for backups
- Restore settings from a backup
- Check whether the settings are restored correctly
- How to delete the resources you created
In this tutorial, you will create VMs for the SFTP
To deploy an infrastructure:
- Prepare your cloud.
- Create a VM for the SFTP server.
- Configure the SFTP server.
- Create an SFTP user.
- Create and configure a VM for the SFTP client.
- Back up configuration files to the SFTP server.
- Test the backup.
- Set up a backup schedule.
- Restore settings from a backup.
- Check whether the settings are restored correctly.
If you no longer need the resources you created, delete them.
Prepare your cloud
Sign up for Yandex Cloud and create a billing account:
- Go to the management console
and log in to Yandex Cloud or create an account if you do not have one yet. - On the Yandex Cloud Billing
page, make sure you have a billing account linked and it has theACTIVE
orTRIAL_ACTIVE
status. If you do not have a billing account, create one.
If you have an active billing account, you can go to the cloud page
Learn more about clouds and folders.
Required paid resources
The infrastructure support costs include:
- Fee for two continuously running VMs (see Yandex Compute Cloud pricing):
- VM for the SFTP client.
- VM for the SFTP server.
- Fee for using a dynamic or static external IP address (see Yandex Virtual Private Cloud pricing).
Create a VM for the SFTP server
To create a VM:
-
In the management console
, select the folder to create your VM. -
In the list of services, select Compute Cloud.
-
In the left-hand panel, select
Virtual machines. -
Click Create virtual machine.
-
Under Boot disk image select a public CentOS 7 image.
-
Under Location, select an availability zone to place your VM in.
-
Under Computing resources, navigate to the Custom tab and specify the parameters as follows:
- Platform:
Intel Ice Lake
. - vCPU:
2
. - Guaranteed vCPU performance:
20%
. - RAM:
2 GB
- Platform:
-
Under Network settings:
-
In the Subnet field, enter the ID of a subnet in the new VM’s availability zone. Alternatively, you can select a cloud network from the list.
-
Each network must have at least one subnet. If there is no subnet, create one by selecting Create subnet.
-
If you do not have a network, click Create network to create one:
- In the window that opens, enter the network name and select the folder to host the network.
- (Optional) Select the Create subnets option to automatically create subnets in all availability zones.
- Click Create network.
-
-
In the Public IP field, select
Auto
to assign the VM a random external IP address from the Yandex Cloud pool. To ensure the external IP address does not change after the VM is stopped, convert it to static.
-
-
Under Access, specify the information required to access the VM:
- In the Login field, enter a name for the user you want to create on the VM, e.g.,
yc-user
. -
In the SSH key field, select the SSH key saved in your organization user profile.
If there are no saved SSH keys in your profile, or you want to add a new key:
- Click Add key.
- Enter a name for the SSH key.
- Upload or paste the contents of the public key file. You need to create a key pair for the SSH connection to a VM yourself.
- Click Add.
The SSH key will be added to your organization user profile.
If users cannot add SSH keys to their profiles in the organization, the added public SSH key will only be saved to the user profile of the VM being created.
Alert
Once created, the VM will get an IP address and a host name (FQDN) for connections. If you selected the No address option in the Public IP field, you will not be able to access the VM from the internet.
- In the Login field, enter a name for the user you want to create on the VM, e.g.,
-
Under General information, specify the VM name:
sftp-server
. -
Click Create VM.
It may take a few minutes to create a VM.
Configure the SFTP server
SFTP server functionality is included in the standard SSH program that comes with the CentOS 7 distribution. To configure the SFTP server, edit the /etc/ssh/sshd_config
configuration file:
-
Open the configuration file with the vi editor. The editor comes with the distribution and does not require installation. If you are not familiar with this editor, you can learn more in the official documentation
.sudo vi /etc/ssh/sshd_config
-
Add the following lines at the end of the file:
Match User fuser ForceCommand internal-sftp PasswordAuthentication no ChrootDirectory /var/sftp PermitTunnel no AllowAgentForwarding no AllowTcpForwarding no X11Forwarding no
Where:
Match User fuser
: Means that all subsequent rows will be applied only when connecting thefuser
user.ForceCommand internal-sftp
: Only connects the user in SFTP mode and disables access to the shell.PasswordAuthentication no
: Disables login and password-based access.ChrootDirectory /var/sftp
: Only allows user access to the/var/sftp
directory.PermitTunnel no
,AllowAgentForwarding no
,AllowTcpForwarding no
, andX11Forwarding no
: Disable tunneling and port and graphical app forwarding via an SSH session.
-
Save the file.
-
Output the configuration file without commented or empty lines:
sudo cat /etc/ssh/sshd_config | grep -v -e '^#' -e '^$'
-
Make sure the output of the previous command matches the following lines:
HostKey /etc/ssh/ssh_host_rsa_key HostKey /etc/ssh/ssh_host_ecdsa_key HostKey /etc/ssh/ssh_host_ed25519_key SyslogFacility AUTHPRIV AuthorizedKeysFile .ssh/authorized_keys PasswordAuthentication no ChallengeResponseAuthentication no GSSAPIAuthentication yes GSSAPICleanupCredentials no UsePAM yes X11Forwarding yes AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE AcceptEnv XMODIFIERS Subsystem sftp /usr/libexec/openssh/sftp-server Match User fuser ForceCommand internal-sftp PasswordAuthentication no ChrootDirectory /var/sftp PermitTunnel no AllowAgentForwarding no AllowTcpForwarding no X11Forwarding no
-
Restart the SFTP server for the settings to take effect:
sudo systemctl restart sshd
Once restarted, log in to the SFTP server VM via SSH again.
-
Create a group for SFTP users:
sudo groupadd ftpusers
-
Create directories to save files to:
sudo mkdir -p /var/sftp/backups
sftp
: Root directory of the SFTP server.backups
: Directory to store backups on the SFTP server.
-
Set folder permissions so that all users in the
ftpusers
group can write and read files on the SFTP server:sudo chown root:ftpusers /var/sftp/backups sudo chmod 770 /var/sftp/backups
-
Check whether the set permissions are correct:
ls -la /var | grep sftp ls -la /var/sftp
Result:
drwxr-xr-x. 4 root root 37 Aug 7 11:35 sftp drwxrwx---. 2 root ftpusers 80 Aug 7 08:41 backups
Create an SFTP user
On the SFTP server VM:
-
Create an SFTP user, such as
fuser
:sudo useradd fuser
-
Create a password for the SFTP user:
sudo passwd fuser
-
Create SSH keys for the
fuser
user. For this, run thessh-keygen
command underfuser
:sudo runuser -l fuser -c 'ssh-keygen'
For the key generation process, see below. Leave the
passphrase
field blank.Generating public/private rsa key pair. Enter file in which to save the key (/home/fuser/.ssh/id_rsa): Created directory '/home/fuser/.ssh'. Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/fuser/.ssh/id_ed25519. Your public key has been saved in /home/fuser/.ssh/id_ed25519.pub. The key fingerprint is: SHA256:sXiE7EfPl8mo9mZCG+ta7fBxwdwdhbjNux63P8EIYNs fuser@ftp-server.ru-central1.internal The key's randomart image is: +--[ED25519 256]--+ | . ..| | . . o . . .| | o = + + . | | . + * E.+o..| | o S + X +..| | ooo . o.o | | .=+o . ..o| | o+=oo .+.| | .o.++ ...+| +----[SHA256]-----+
-
Create a file to save the SFTP client's public SSH keys to. Set the required permissions:
sudo touch /home/fuser/.ssh/authorized_keys sudo chmod 600 /home/fuser/.ssh/authorized_keys sudo chown fuser:fuser /home/fuser/.ssh/authorized_keys
-
Make sure the permissions are set correctly:
ls -la /home/fuser/.ssh/
Result:
-rw-------. 1 fuser fuser 421 Aug 7 08:31 authorized_keys -rw-------. 1 fuser fuser 419 Aug 7 08:29 id_ed25519 -rw-r--r--. 1 fuser fuser 107 Aug 7 08:29 id_ed25519.pub
-
Add the SFTP user to the SFTP group:
sudo usermod -G ftpusers fuser
Create and configure a VM for the SFTP client
The process for creating a VM for the SFTP client is exactly the same as the one for the SFTP server.
-
Complete steps 1-11 of the Create a VM for the SFTP server section; this time, however, name your VM as
sftp-client
. -
Create an SSH key pair on the SFTP client. This is done in a similar way to what you did for the
fuser
user in the previous section:ssh-keygen
-
Output the public key on the SFTP client screen:
cat ~/.ssh/id_rsa.pub
-
Open the
/home/fuser/.ssh/authorized_keys
file:sudo vi /home/fuser/.ssh/authorized_keys
-
Copy the SSH key received on the SFTP client to the end of the file.
-
Save the file.
-
Make sure the SFTP client VM is accessible from the SFTP server and vice versa:
-
Find the public or internal IP address of the SFTP client in the Yandex Cloud console under VM settings.
Warning
The internal addresses of the SFTP client and server must be located in the same subnet or be linked via routing settings.
-
Enter the following command in the SFTP server terminal and provide the appropriate value:
ping -c 3 <SFTP_client_IP_address>
-
Make sure the packages are sent and received successfully:
ping -c 3 84.201.170.171
Result:
PING 84.201.170.171 (84.201.170.171) 56(84) bytes of data. 64 bytes from 84.201.170.171: icmp_seq=1 ttl=55 time=8.59 ms 64 bytes from 84.201.170.171: icmp_seq=2 ttl=55 time=6.32 ms 64 bytes from 84.201.170.171: icmp_seq=3 ttl=55 time=5.95 ms --- 84.201.170.171 ping statistics --- 3 packets transmitted, 3 received, 0% packet loss, time 2003ms rtt min/avg/max/mdev = 5.955/6.959/8.595/1.168 ms
-
Repeat the check on the SFTP client by specifying the SFTP server IP in the command.
Make a backup of configuration files on the SFTP server
This guide describes how to back up configuration (.conf
) files from the /etc
folder.
The backup process is as follows:
- Archive all configuration files you need.
- Send the archive to the SFTP server.
- Delete the archive on the SFTP client.
To set up the backup process:
-
Set environment variables for the script to work properly. To do this, open the
~/.bash_profile
file:vi ~/.bash_profile
-
Add the following lines at the end of the file and provide the appropriate values:
export SFTP_SERVER=<SFTP_server_IP_address> export SFTP_USER='fuser'
-
Apply the settings:
source ~/.bash_profile
-
Make sure the variables are there:
env | grep SFTP
Result:
SFTP_USER=fuser SFTP_SERVER=10.128.0.5
-
Compress all configuration files into a single archive:
sudo find /etc -type f -name *.conf -print0 | sudo tar -czf backup.tar.gz --null -T -
Where:
sudo find /etc -type f -name *.conf -print0
: Searching for all.conf
files from/etc
.sudo tar -czf backup.tar.gz --null -T -
: Moving the configuration files to thebackup.tar.gz
archive.
-
Send the resulting archive to the SFTP server:
curl \ --upload-file backup.tar.gz sftp://$SFTP_SERVER/backups/backup_$(hostname)_$(date "+%Y%m%d_%H%M%S").tar.gz \ --insecure \ --user $SFTP_USER:
Where:
-
-T
: Uploads thebackup.tar.gz
file to the remote server. -
$SFTP_SERVER
: Variable that automatically takes the value of the SFTP server IP address. -
backup_$(hostname)_$(date "+%Y%m%d_%H%M%S").tar.gz
: Adds the name of the computer to the archive name and the date and time when the archive was created. This will help you navigate the list of backups on the server.For example, the name of the archive on the server might look like this:
backup_ftp-server.ru-central1.internal_20190803_180228.tar.gz
. -
--insecure
: Disables SSL certificate verification by the SFTP server. In this case, the traffic within the SSH session is still encrypted. -
$SFTP_USER
: Variable that automatically takes the SFTP user value. -
:
: Empty password. No password is requested.
-
-
Delete the archive on the SFTP client:
sudo rm -f backup.tar.gz
You can perform all actions for creating a backup with a single command in the SFTP client terminal:
sudo find /etc -type f -name *.conf -print0 | sudo tar -czf backup.tar.gz --null -T -&& curl --upload-file backup.tar.gz sftp://$SFTP_SERVER/backups/backup_$(hostname)_$(date "+%Y%m%d_%H%M%S").tar.gz --insecure --user $SFTP_USER: && sudo rm -f backup.tar.gz
Check whether the backup is working properly
To make sure the backup is being created properly, run the backup, and find the copy on the server:
-
Log in to the SFTP client VM via SSH and run the backup command:
sudo find /etc -type f -name *.conf -print0 | sudo tar -czf backup.tar.gz --null -T -&& curl --upload-file backup.tar.gz sftp://$SFTP_SERVER/backups/backup_$(hostname)_$(date "+%Y%m%d_%H%M%S").tar.gz --insecure --user $SFTP_USER: && sudo rm -f backup.tar.gz
-
Log in to the SFTP server VM via SSH and make sure there is a file named like
backup_ftp-server.ru-central1.internal_20190803_180228.tar.gz
in the SFTP user's home directory. To do this, run the following command on the SFTP server:sudo ls /var/sftp/backups
Set up a schedule for backups
To create regular backups of your settings, you can use crontab
, a built-in utility.
-
Log in to the SFTP client VM via SSH and open the
crontab
file for editing:crontab -e
-
Add the following lines to run backups daily at 11:00 pm UTC:
SFTP_SERVER=<SFTP_server_IP_address> SFTP_USER='fuser' 0 23 * * * sudo find /etc -type f -name *.conf -print0 | sudo tar -czf backup.tar.gz --null -T -&& curl --upload-file backup.tar.gz sftp://$SFTP_SERVER/backups/backup_$(hostname)_$(date "+\%Y\%m\%d_\%H\%M\%S").tar.gz --insecure --user $SFTP_USER: && sudo rm -f backup.tar.gz
- The VM's time is UTC by default. Keep the time zone difference in mind when setting up the schedule.
- In the command you type in crontab, all
%
characters should be escaped with\
.
Restore settings from a backup
To restore settings, do the following:
- Download the backup from the SFTP server to the SFTP client.
- Unpack the archive.
- Copy the configuration files from the archive to the system.
- Delete the archive.
To restore the settings from the backup:
-
On the SFTP server, in the
/var/sftp/backups
directory, select the backup from which you want to restore the configuration files. For example, let’s assume you selectbackup_ftp-server.ru-central1.internal_20190803_180228.tar.gz
. -
Set an environment variable for the backup file name:
SFTP_BACKUP='backup_ftp-server.ru-central1.internal_20190803_180228.tar.gz'
-
Download the backup from the SFTP server:
sftp $SFTP_USER@$SFTP_SERVER:/backups/$SFTP_BACKUP .
-
Unpack the archive:
tar -xzf $SFTP_BACKUP
-
Copy the configuration files from the archive to the system. Use
yes
when running the command to skip confirmation when overwriting files:yes | sudo cp -rfp etc /
-
Delete the archive and unpacked content:
rm -f $SFTP_BACKUP rm -rfd etc
You can perform all actions required to restore settings from a backup with a single command in the SFTP client terminal:
sftp $SFTP_USER@$SFTP_SERVER:/backups/$SFTP_BACKUP . && tar -xzf $SFTP_BACKUP && yes | sudo cp -rfp etc / && rm -rfd etc && rm -f $SFTP_BACKUP
Check whether the settings are restored correctly
On the SFTP client VM:
-
To make sure the configuration files from the archive successfully get into the file system, add a verification section to the command above:
sftp $SFTP_USER@$SFTP_SERVER:/backups/$SFTP_BACKUP . && tar -xzf $SFTP_BACKUP && echo "## this is from backup" >> etc/yum.conf && yes | sudo cp -rfp etc / && rm -rfd etc && rm -f $SFTP_BACKUP
The
echo "## this is from backup" >> etc/yum.conf
command writes the ## this is from backup test phrase at the end of theetc/yum.conf
file unpacked from the archive. -
After restoring the backup, run the following command:
cat /etc/yum.conf | grep backup
-
Make sure the test phrase is displayed on the screen:
## this is from backup
How to delete the resources you created
If you no longer need the SFTP server and client:
- Delete the VMs for the SFTP client and server (in our example,
sftp-server
andsftp-client
). - Delete the static IP address if you reserved one.