Prerequisites
- A Linux server (e.g., Ubuntu) with the OpenSSH server (sshd) installed; ChrootDirectory and internal-sftp are OpenSSH features.
- Root (or sudo) access to the server.
Steps
- Create the Developer User
sudo adduser developer
Follow the prompts to set a strong password and, optionally, the user's full name and contact details. Key-based login works too: a public key placed in /home/developer/.ssh/authorized_keys is read from the real home directory before sshd enters the chroot.
- Create the Directory and Set Permissions
sudo mkdir -p /var/www/lsm
sudo chown root:root /var/www/lsm
sudo chmod 755 /var/www/lsm
/var/www/lsm is the directory the SFTP user will be confined to; you can choose another path. sshd requires that this directory and every directory above it be owned by root and not writable by group or others (755 or tighter); otherwise it refuses the login with "bad ownership or modes for chroot directory". This also means the user cannot write to the chroot root itself, which is why a user-owned subdirectory is created in a later step.
- Configure SSH for the SFTP User
sudo nano /etc/ssh/sshd_config
Add the following lines at the end of the file. A Match block stays in effect until the next Match block or the end of the file, so placing it last keeps it from capturing global settings that would otherwise follow it:
Match User developer
ChrootDirectory /var/www/lsm
ForceCommand internal-sftp
AllowTcpForwarding no
X11Forwarding no
- Match User developer tells sshd to apply the settings that follow only to the developer user.
- ChrootDirectory /var/www/lsm makes this directory the user's filesystem root for the session; nothing above it is visible.
- ForceCommand internal-sftp ensures the user gets only SFTP, never a shell. It also uses sshd's built-in SFTP server, which needs no binaries or libraries inside the chroot (the external sftp-server would).
- AllowTcpForwarding no and X11Forwarding no disable port forwarding and X11 forwarding, which an SFTP-only account has no legitimate use for.
- Set Ownership for the Upload Directory Inside the Chroot
sudo mkdir -p /var/www/lsm/developer
sudo chown developer:developer /var/www/lsm/developer
sudo chmod 755 /var/www/lsm/developer
This gives developer a directory it can read and write. Because the chroot root is presented as /, this directory appears as /developer inside the SFTP session.
- Restart SSH Service
sudo systemctl restart sshd
Validate the file with sudo sshd -t before restarting: if the syntax check fails, fix the error first, since a broken configuration stops sshd from starting and can lock you out of the server. Existing SSH sessions survive the restart.
- Verify the Configuration
Use an SFTP client like FileZilla or the command line:
sftp developer@13.75.129.233
The session root (/) corresponds to /var/www/lsm on the server: you can list it and browse its contents, but uploads succeed only inside /developer, and nothing outside /var/www/lsm is reachable. A plain ssh login as developer is refused with the message "This service allows sftp connections only."
Important Considerations
- Permissions: The chroot directory and every directory above it must remain root-owned and not writable by group or others; anything the user needs to write goes in a subdirectory they own. Do not loosen these modes to "fix" upload errors, because sshd will then refuse the login altogether.
- Firewall: If a firewall is enabled, allow inbound TCP on port 22 (or your custom SSH port); SFTP runs over the same SSH connection.
- Alternative Configurations: To restrict several accounts the same way, put them in a group and use Match Group instead of one Match User block per user. ChrootDirectory also accepts the tokens %h (the user's home directory) and %u (the username), so one block can chroot each user to their own directory.