vsftpd transmits credentials in clear text: anyone who captures the packets can read the user name and password. For security, use SFTP instead, lock each user into a dedicated directory, and do not allow SFTP users to obtain a shell on the server. Because SFTP runs over the SSH protocol, the server must be configured so that these users can only use SFTP (no ssh shell access), authenticate with a key rather than a password, and connect on a port other than 22.
1. Create the SFTP service user group and the SFTP service root directory
groupadd sftp
# The owner of this directory and of every parent directory must be root, permissions must not exceed 755, and the group is best set to sftp
mkdir /data/sftp
chown -R root:sftp /data/sftp
chmod -R 0755 /data/sftp
2. Modify the sshd configuration file
cp /etc/ssh/sshd_config{,_bk}  # back up the configuration file
sed -i '[email protected] #Port [email protected] [email protected]' /etc/ssh/sshd_config  # keep the original port 22 usable
vi /etc/ssh/sshd_config
Comment out this line in /etc/ssh/sshd_config:
Subsystem sftp /usr/libexec/openssh/sftp-server
and add the following:
Port 2222
Subsystem sftp internal-sftp -l INFO -f AUTH
Match Group sftp
    ChrootDirectory /data/sftp/%u
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp -l INFO -f AUTH
Every user in the sftp group can use the SFTP service; after connecting, the user is confined to the directory /data/sftp/username, which appears to them as the root of the file system.
For example:
test is a user in the sftp group; after connecting to the server via SFTP, it can only see the contents of /data/sftp/test.
test2 is also a user in the sftp group; after connecting to the server via SFTP, it can only see the contents of /data/sftp/test2.
3. Create an SFTP user
# This example creates an sftp account named test
# Create the home directory for test: the owner of the test directory must be root, the group is best set to sftp, and permissions must not exceed 755
mkdir /data/sftp/test
chmod 0755 /data/sftp/test
chown root:sftp /data/sftp/test
useradd -g sftp -s /sbin/nologin test  # add the user; -s /sbin/nologin prevents the user from logging in to a shell
Create a key pair for the test user:
# mkdir /home/test/.ssh
# ssh-keygen -t rsa
# cp /root/.ssh/id_rsa.pub /home/test/.ssh/authorized_keys
# chown -R test:sftp /home/test
Create an upload directory inside the test directory that the user is allowed to write to:
mkdir /data/sftp/test/upload
chown -R test:sftp /data/sftp/test/upload
Note: the owner of the SFTP service root must be root and its permissions must not exceed 755 (every parent directory must follow the same rule), and the owner of each SFTP user directory must also be root with permissions not exceeding 755. sshd enforces this and refuses the chroot if any directory in the chain is writable by group or others.
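The ownership rule above is easy to get wrong after a chown -R, so here is a small POSIX shell check, added as an example and not part of the original post, that walks from the chroot directory up through its parents and reports any component that is not root-owned or is group/world writable. The TOP and OWNER_UID parameters are an assumption added so the check can be exercised on a test tree; the defaults (/ and uid 0) match what sshd actually verifies.

```shell
#!/bin/sh
# check_chroot_path PATH [TOP] [OWNER_UID]
#   Walks every directory from TOP down to PATH and prints one line per
#   component that is not owned by OWNER_UID or that is group/world writable.
#   Returns 0 when the whole chain is clean, 1 if a problem was found,
#   2 if PATH does not exist. Defaults TOP=/ and OWNER_UID=0 reproduce the
#   rule sshd applies before honouring ChrootDirectory.
check_chroot_path() {
    path=$1
    top=${2:-/}
    owner=${3:-0}
    rc=0
    cur=$path
    while :; do
        # ls -ldn is POSIX and prints the mode string and the numeric uid
        out=$(ls -ldn "$cur" 2>/dev/null) || { echo "$cur: does not exist"; return 2; }
        set -- $out
        mode=$1
        uid=$3
        if [ "$uid" != "$owner" ]; then
            echo "$cur: owned by uid $uid, expected uid $owner"
            rc=1
        fi
        # 6th character is the group write bit, 9th is the world write bit
        case "$mode" in
            ?????w*|????????w*)
                echo "$cur: group- or world-writable ($mode)"
                rc=1 ;;
        esac
        [ "$cur" = "$top" ] && break
        [ "$cur" = "/" ] && break
        cur=$(dirname "$cur")
    done
    return $rc
}

# Stand-alone usage, e.g.: sh check_chroot.sh /data/sftp/test
if [ $# -gt 0 ]; then
    check_chroot_path "$@"
fi
```

Run it against each user chroot (not the upload directory, which is meant to be user-writable) after every change to the directory tree; a silent run with exit status 0 means sshd will accept the chroot.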
4. Test SFTP
service sshd restart
Log in as the test user with the key:
Key mode login for SFTP configuration under Linux