How to Setup an SFTP Server on Ubuntu 22.04 using OpenSSH

sftp splash

In this article you will learn how to enable and connect to the SFTP server in OpenSSH. With SFTP (Secure File Transfer Protocol) you can easily transfer files over the internet using SSH. We will be using Ubuntu 22.04 for our server, however any version of Linux should work.

This guide will use password authentication with IP firewall restriction. This will prevent anyone besides those who you want accessing the box via SSH or SFTP. If you want the highest level of security possible you will want to enable keys in OpenSSH before following this guide. Learn how to enable keys with our How to Setup OpenSSH with Keys on Ubuntu 22.04 tutorial.

SFTP vs FTP

It is important to mention that SFTP is not the same as FTP. One of the main differences is while they both transfer files, only SFTP encrypts the data during transit. Another difference is FTP is unable to benefit from public key files for authentication. Using public keys with SFTP increases security by encrypting the transfer data stream. If your aim is security then it is highly recommended you use SFTP versus FTP. Now that I have described the differences lets move on to configuring and connecting to an SFTP server in OpenSSH.

Update and Upgrade Ubuntu

update and upgrade ubuntu

The first thing you need to do is update and upgrade your Ubuntu installation. Open a terminal and type the following command. Afterwards press “Y” to confirm.

sudo apt update && sudo apt upgrade

Install OpenSSH

install open-ssh

After your system has finished updating you will need to install the OpenSSH server software. OpenSSH provides encrypted file transfer for file transfers and remote logins. Install the software using the apt command.

sudo apt install openssh-server

View SSH Status

view ssh status

Next you need to verify that OpenSSH is installed on your system and actively running. Use the below command and confirm that you see “active (running)” on the third line.

sudo systemctl status ssh

If SSH does not show as active and running it may be disabled. Run the following command to enable and start the OpenSSH server.

sudo systemctl enable ssh && sudo systemctl start ssh

Create New User

create a new user

Now you will need to create a new user for logging into the SFTP server. Run the adduser command then type a password. You can skip the other fields if you wish. Finally press “Y” to confirm.

sudo adduser sftpuser

Create New Group

create a new group

Afterwards we will create a new group for our sftpuser. We will configure SSH to give SFTP access to any user in this group. Run the addgroup command to proceed.

sudo addgroup sftpusers

Add User to Group

add user to group

Next we need to add the user to the new group. Run the usermod command to add the sftpuser to the sftpusers group.

sudo usermod -a -G sftpusers sftpuser

Change User’s Home Permissions

change users home permissions

Then we will set new permissions on the sftpuser’s home directory. This will allow the SFTP server to access these files. First execute the chown command followed by the chmod command. The sftpuser’s home will be the folder you access when you connect to the SFTP server.

sudo chown root: /home/sftpuser
sudo chmod 777 /home/sftpuser

Edit the SSH Config File

Next we need to edit the sshd_config file and edit a few lines. Open the configuration file using the nano text editor as shown below.

sudo nano /etc/ssh/sshd_config

Locate the Subsytem Line

locate subsystem line

After you open the file scroll down and look for the Subsystem line. Once you locate the line comment it out using the “#” symbol as shown below.

#Subsystem      sftp    /usr/lib/openssh/sftp-server

Add New Lines

Now that you have commented out the Subsystem line you need to add a few additional lines. Paste the following underneath the line you commented out. Your sshd_config file should match the screenshot above. After the lines have been added save and close the file using “Ctrl+X”.

Subsystem sftp internal-sftp

Match Group sftpgroup
     ChrootDirectory %h
     X11Forwarding no
     AllowTCPForwarding no

Restart SSH

restart ssh

To apply our changes we will restart ssh. Use the following service command.

sudo service ssh restart

Configure the Firewall

The next step is to configure the firewall using UFW to control access to our SFTP server. Start by denying all incoming traffic, and allowing all outgoing.

sudo ufw default deny incoming
sudo ufw default allow outgoing

Allow SSH (All IP’s)

allow ssh

You have two options when allowing SSH through the firewall. You can either allow any IP to access port 22 (not recommended). Or you can only allow specific IP(s) through the firewall. I recommend the section option as it offers higher security. If you want to allow any IP run the following command.

sudo ufw allow ssh

Allow SSH (Specific IP’s)

allow specfic ip

If you want to only allow specific IP’s to access the server run the following command for each IP you want to have access. You need to replace “IP-ADDRESS” with your own IP. This is highly recommended as it offers the highest level of security.

sudo ufw allow from IP-ADDRESS to any port ssh

Enable UFW

enable ufw

After you have allow the IP’s (or everyone) who you want to have access you will need to enable UFW. Run the following command.

sudo ufw enable

Check Firewall Status

check firerwall status

The last step is to check the firewall status and verify your configuration. Check it using the ufw status command. If you allowed access to only specific IP’s you will see them in the “From” column.

sudo ufw status

Connecting to the SFTP Server

Finally we can test our connection to the SFTP server. The first thing you will need is a FTP client. I recommend downloading FileZilla. This is the software we will use in this tutorial. You can install it using the following apt command.

sudo apt install filezilla

Edit Site List

edit filezilla site list

Open Filezilla and click on the site manager button in the upper left hand corner.

Add a New Site

add filezilla site

Type Connection Information

add filezilla connection information

Confirm Host Key Prompt

confirm filezilla hostkey

Verify Connection

verify filezilla connection

Questions?

If you have any questions or comments feel free to leave them below.

Related Resources

View our 5 Reasons to Switch from Windows 10 to Linux.

Learn How to Install Ubuntu Server 22.04 [Step by Step].

Check out How to Setup OpenSSH with Keys on Ubuntu 22.04.

View our How to Mount an SMB (Samba) Share in Linux with cifs-utils tutorial.

Learn How to Use the Alias Command in Linux.

View all of our available online tools and converters at Formatswap.com.

How to Configure a Firewall in Linux using UFW

ufw linux firewall splash image

This tutorial will teach you how to install and configure UFW (Uncomplicated Firewall) in Linux. Firewalls are vital to keep your applications and systems secure. UFW provides a command line frontend interface for iptables using a few simple commands. It is designed to be easy to use and uncomplicated to configure. Using only Netfilter in iptables for firewalls can be a daunting task. UFW is a simple solution to using a firewall in Linux. In this tutorial we will be using Ubuntu 22.04 but any Ubuntu or Debian based Linux distribution will work.

Check if UFW is Installed

ufw status
sudo ufw status

The first thing you need to do is check if UFW is already installed. It is installed by default on most Linux distributions. You can check if UFW is currently installed by opening a terminal shell and running the “ufw status” command. If UFW is already installed you will see a similar output to what is above. It will say “Status: inactive”. If you get an error you will have to install UFW.

Install UFW

install ufw
sudo apt install ufw

To install UFW run the command “sudo apt install ufw”. Then click yes on the confirmation dialog.

Deny Outgoing and Incoming Connections

ufw allow outgoing
sudo ufw default allow outgoing

The first thing you want to do when configuring the firewall is to deny all incoming and outgoing connections. To deny outgoing connections run the command “sudo ufw default deny outgoing”.

ufw allow deny incoming
sudo ufw default deny incoming

Then repeat the same step using “sudo ufw default deny incoming” to deny the incoming connections.

Configure Firewall Rules

Allow a Program

allow ftp ufw
sudo ufw allow ftp

You can allow individual programs through the firewall using their names. Above I allow ftp using the command “sudo ufw allow ftp”.

Allow a Specific Port

allow port 21 ufw
sudo ufw allow 21

To allow a specific port use the command “sudo ufw allow 21”. In the above example I am allowing the FTP port 21.

Deny a Specific Port

deny port 22 ufw
sudo ufw deny 22

You can also allow specific programs and ports. In the above example I deny port 22 using “sudo ufw deny 22”.

Allow a TCP Port

allow tcp port 443 ufw
sudo ufw allow 443/tcp

You can also allow or deny specific ports to be tcp or udp only. In the above example I allow only tcp traffic on port 443.

Allow a UDP Port

allow udp port 111 ufw
sudo ufw allow 111/udp

You can also allow any deny udp ports as shown above. By default it will allow or deny on both tcp and udp unless you specify one of the two.

Allow and Deny Access to IP Addresses

Sometimes you may want to only allow certain IP addresses access to your system. In this case you can setup a rule to control access on a per IP basis.

Allow an IP

allow an ip address

Using the above rule you are able to allow only specific IP addresses to access your system. This is the securest way to setup a FTP or SSH server that needs remote access.

Deny an IP

deny an ip address

This rule is useful in situations where you are allowing all IP addresses through the firewall, but just want to block certain ones.

Enable or Disable UFW Firewall Rules

Enable UFW

enable ufw
sudo ufw enable

Now you will need to enable the firewall to apply the rule set you created. To enable the UFW firewall type “sudo ufw enable”.

Disable UFW

disable ufw
sudo ufw disable

If you need to disable the firewall you can run the command “sudo ufw disable”. This will keep the firewall disabled until you enable it again.

View the Firewalls Status

ufw view status
sudo ufw status

To view the status of the firewall type “sudo ufw status”. This will show you all of the ports and or programs that you are allowing or denying through the firewall. It will also show you whether UFW is active or inactive.

Advanced UFW Rules

ufw edit rules files
cd /etc/ufw/

Most rules can be applied using the command line but sometimes you want more control over the rules. In this case you can directly edit the rules using the “before.rules” and “after.rules” files located in the “/etc/ufw/” directory. The before rules are applied before UFW is launched while the after rules apply after UFW is running.

ufw edit config file
nano /etc/default/ufw

You can also edit the UFW configuration file located at “/etc/default/ufw” for more advanced configurations.

Enable Logging

ufw enable logging
sudo ufw logging on

You can enable logging in UFW by running the command “sudo ufw logging on”. This will enable the logs in the lowest mode by default. If you want to specify the log level use the command “sudo ufw logging low|medium|high“.

view of ufw log
nano /var/log/ufw.log

The UFW log file will be located at “/var/log/ufw.log” by default. I have set my logging level to low. Above is an example of what your log file may look like.

Additional Questions?

If you have any additional questions or thoughts feel free to comment them below.

Related Resources

View our How to install Kali Linux 2022.3 [step by step] tutorial.

Learn How to Use the Alias Command in Linux.

Check out our How to Add a Network Location in Windows 10 tutorial.

View our How to Setup a FTP Server with FileZilla in Windows tutorial.

Learn more cool things in Windows with our Windows Tutorials.

View all of our available online utilities and converters at Formatswap.com.