Created March 3, 2016 00:37 (anonymous gist, file SFTP-SERVER-HOWTO.md)

# Simple, secure file server (SFTP)

**[SFTP - Wikipedia](https://en.wikipedia.org/wiki/SSH_File_Transfer_Protocol)**


## Requirements

* Server machine with a dedicated 10+ GB drive and 512 MB RAM
* Wired server <-> internet connection during the Debian installation
* Client machine (Linux, Windows, Mac, mobile...)
* 500+ MB USB drive or blank CD/DVD

## Server/Debian installation

* Download [Debian](http://cdimage.debian.org/cdimage/unofficial/non-free/cd-including-firmware/current/multi-arch/iso-cd/).
* Write the downloaded ISO to the USB drive.
  * Windows: [Win32diskimager](http://sourceforge.net/projects/win32diskimager/files/latest/download)
  * Linux: `sudo dd if=/path/debian.iso of=/dev/sdX` (with `sdX` the name of your USB drive as listed by `lsblk`; double-check it, `dd` overwrites the target without asking)
* Reboot to the USB drive.
* Select `More options` > `Advanced graphical install`.
* Follow the installation procedure:
  * Use a strong password/phrase for your user accounts.
  * `Allow administrator (root) logins`: Yes
  * `Create an ordinary user account`: Yes
  * `Guided partitioning` > `Separate /home/ partition`.
  * Software: only check `Standard system utilities` and `SSH Server`.
* Finish the install, remove the USB drive and boot from disk.
* At the login prompt, `login:` root, `password:` your root password.
* Check internet connectivity: `ping -c3 debian.org`
* Check your LAN IP address with `ip addr` and write it down; the client steps below need it.
* Update software: `aptitude update; aptitude -y upgrade; aptitude -y dist-upgrade`
* Add your user to the administrators (`sudo`) group: `adduser yourusername sudo`
* Install and enable the firewall: `aptitude install ufw; ufw enable` (you are on the console, so enabling it before opening the SSH port cannot lock you out).
* Open the firewall port: `ufw allow 823/tcp`.

## SSH/SFTP config

* Edit the SSH configuration with `nano /etc/ssh/sshd_config` and set these values (`PasswordAuthentication` is commented out by default: remove the leading `#`):

```
Port 823
PermitRootLogin no
PasswordAuthentication yes
X11Forwarding no
```

* Add these two lines at the end of the file (the page's address filter had mangled the `@openssh.com` algorithm names; they are restored here from the same hardening list as the duraconf config credited in the Notes):

```
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
```

* Newer OpenSSH releases no longer know `hmac-ripemd160`; an unknown algorithm name makes sshd refuse the whole file, so drop any name your version rejects.
* Press `Ctrl+X` then `Y` to save and quit the editor.
* Check the file for mistakes with `sshd -t` (no output means it parsed cleanly); a typo here would leave you without SSH access after the restart.
* Run `service ssh restart`.
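To make the edits in this section checkable before `service ssh restart`, here is an added shell example (it is not part of the original gist) that applies the same four directives and the two algorithm lines to a copy of `sshd_config`, reads the effective value back the way sshd resolves it (the first uncommented occurrence wins), and lists duplicated directives, which is the usual reason a `PasswordAuthentication no` added at the bottom of the file does nothing. The function names and the sample file content are this example's own; the directive values are the ones from the page.

```shell
#!/bin/sh
# Added example, not part of the original gist: edit a copy of sshd_config
# the way the howto describes and verify the result.
# Only the global section is handled: directives after a "Match" block are
# conditional, and Ciphers/MACs are not allowed there, so run `sshd -t`
# before restarting on a real file. Paths and sample content are this
# example's own.

# Effective value of KEY in FILE, as sshd resolves it: the first uncommented
# occurrence wins and later repeats are silently ignored. Keywords are
# case-insensitive, so "port" and "Port" are the same directive.
sshd_config_get() {
    awk -v k="$1" 'tolower($1) == tolower(k) { print $2; exit }' "$2"
}

# Set KEY to VALUE in FILE. The first active or commented-out occurrence is
# rewritten in place (this is the page's "remove #" step); a directive the
# file never mentions is appended at the end.
sshd_config_set() {
    awk -v k="$1" -v v="$2" '
        !done && tolower($0) ~ ("^[ \t]*#?[ \t]*" tolower(k) "([ \t]|$)") {
            print k " " v; done = 1; next
        }
        { print }
        END { if (!done) print k " " v }
    ' "$3" > "$3.tmp" && mv "$3.tmp" "$3"
}

# Directives set more than once outside comments: the first wins, so a second
# "PasswordAuthentication no" further down is a silent no-op.
sshd_config_duplicates() {
    awk 'NF && $1 !~ /^#/ { n[tolower($1)]++ }
         END { for (k in n) if (n[k] > 1) print k }' "$1"
}

# Apply the howto's settings: the four directives plus the cipher and MAC lists.
harden_sshd_config() {
    f=$1
    sshd_config_set Port 823 "$f"
    sshd_config_set PermitRootLogin no "$f"
    sshd_config_set PasswordAuthentication yes "$f"   # stays yes until a key is authorized
    sshd_config_set X11Forwarding no "$f"
    sshd_config_set Ciphers 'chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr' "$f"
    sshd_config_set MACs 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com' "$f"
}

# Stand-alone demo on a constructed Debian-like sample, never the real
# /etc/ssh/sshd_config.
demo_sshd_config() {
    sample=$(mktemp)
    printf '%s\n' 'Port 22' '#PermitRootLogin prohibit-password' \
        '#PasswordAuthentication yes' 'X11Forwarding yes' \
        'Subsystem sftp /usr/lib/openssh/sftp-server' > "$sample"
    harden_sshd_config "$sample"
    cat "$sample"
    echo "duplicates: $(sshd_config_duplicates "$sample")"
    rm -f "$sample"
}

demo_sshd_config
```

Run it as-is to see the rewritten sample; to use it on the real file, copy `/etc/ssh/sshd_config` somewhere, run `harden_sshd_config` on the copy, check it with `sshd -t -f copy`, and only then move it into place and restart.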


## Key authorization/connecting

**On your client machine**

**Linux (graphical):**

* Install the [seahorse](https://packages.debian.org/sid/seahorse) package from your package manager, or `sudo aptitude install seahorse`. Run `Passwords and Keys` from your `Applications > Accessories` menu. Click `File > New ... > Secure shell key` and follow the instructions.
* Open `sftp://yourusername@server-ip:823/home/yourusername` (with `server-ip` the LAN address noted during the installation) in your file manager address bar, or `File -> Connect to server...` and fill in the required fields.
* You can now store files there (the `/home/yourusername/` directory on your server). You can bookmark the location by dragging it to the file manager sidebar.
* For improved security, once the key login works, run `ssh -p 823 -i ~/.ssh/id_sftp yourusername@server-ip`, then `sudo nano /etc/ssh/sshd_config` and change `PasswordAuthentication` to `no`. Run `sudo service ssh reload`; then `exit`. From then on only the authorized key can log in.

**Linux (command line):**

```
ssh-keygen -f ~/.ssh/id_sftp                                     # generate a keypair (private key id_sftp, public key id_sftp.pub)
ssh-copy-id -i ~/.ssh/id_sftp.pub -p 823 yourusername@server-ip  # authorize your public key on the server (asks for your password once)
ssh -p 823 -i ~/.ssh/id_sftp yourusername@server-ip              # test the SSH connection; the next three commands run on the server
sudo nano /etc/ssh/sshd_config                                   # change PasswordAuthentication to no
sudo service ssh reload                                          # reload the SSH server
exit                                                             # close the SSH connection, back on the client
sudo apt-get install sshfs                                       # install the SFTP filesystem mounting tool
mkdir sftp; sshfs -p 823 yourusername@server-ip: sftp/           # create sftp/ and mount the server's home directory on it (note the colon after the host)
```

**Windows:**

* Download/install [WinSCP](http://winscp.net/download).
* Run WinSCP `Tools > Run PuTTYgen`. Click `Generate` and follow the instructions. `Save private key` to a file.
* TODO authorization
* Run WinSCP, enter Username, Host name (IP address), Port number: `823`, `Advanced > Authentication > Private key file`, select your private key file. `OK`, `Save`, `Connect`.
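The `ssh-copy-id` line in the Linux section and the Windows authorization step both come down to the same server-side operation: appending one OpenSSH-format public key line (PuTTYgen shows it in its "Public key for pasting into OpenSSH authorized_keys file" box) to `~/.ssh/authorized_keys` with permissions sshd accepts. The added shell example below (not part of the original gist) does that with the checks a careless paste skips: it rejects lines that are not a public key, ignores a key that is already present, and enforces the `700`/`600` modes, since sshd with its default `StrictModes` refuses to use an `authorized_keys` file or `.ssh` directory that others can write. Function names, paths and the sample keys are this example's own; the key material is constructed and not a real key.

```shell
#!/bin/sh
# Added example, not part of the original gist: install a public key into a
# user's authorized_keys the way ssh-copy-id does, with format and permission
# checks. Paths and the sample keys are this example's own.

# Return 0 if LINE has the OpenSSH public-key shape "type base64 [comment]".
# A key with a leading options field (from="...", command="...") is out of scope.
is_pubkey_line() {
    printf '%s\n' "$1" | grep -Eq \
        '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)|sk-ssh-ed25519@openssh\.com|sk-ecdsa-sha2-nistp256@openssh\.com) [A-Za-z0-9+/]+={0,3}( .*)?$'
}

# Append LINE to HOME/.ssh/authorized_keys unless the same key (type and key
# material, comment ignored) is already there. Creates the directory and file
# with the modes sshd's StrictModes requires: 700 for .ssh, 600 for the file.
# When run as root for another user, chown the directory to that user afterwards.
authorize_pubkey() {
    line=$1; home=$2
    is_pubkey_line "$line" || { echo "refused: not an OpenSSH public key line" >&2; return 1; }
    keytype=${line%% *}                        # first field: key type
    rest=${line#* }; keydata=${rest%% *}       # second field: base64 key material
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh"
    touch "$home/.ssh/authorized_keys" && chmod 600 "$home/.ssh/authorized_keys"
    if awk -v t="$keytype" -v d="$keydata" '$1 == t && $2 == d { found = 1 } END { exit !found }' \
            "$home/.ssh/authorized_keys"; then
        return 0                               # already authorized, nothing to do
    fi
    printf '%s\n' "$line" >> "$home/.ssh/authorized_keys"
}

# Number of key lines in HOME/.ssh/authorized_keys (comments and blanks skipped).
authorized_key_count() {
    [ -f "$1/.ssh/authorized_keys" ] || { echo 0; return 0; }
    grep -Ec '^(ssh-|ecdsa-|sk-)' "$1/.ssh/authorized_keys" || true
}

# Stand-alone demo in a scratch directory, never a real home directory.
demo_authorize() {
    scratch=$(mktemp -d)
    # constructed sample line, not a real key
    k='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleExampleExampleExampleExampleExampleEx laptop'
    authorize_pubkey "$k" "$scratch"
    authorize_pubkey "$k" "$scratch"          # second call is a no-op
    authorized_key_count "$scratch"           # prints 1
    ls -ld "$scratch/.ssh" "$scratch/.ssh/authorized_keys"
    rm -rf "$scratch"
}

demo_authorize
```

On the server, for the Windows case, the call is `authorize_pubkey 'ssh-rsa AAAA... comment' /home/yourusername` with the line pasted from PuTTYgen. On the client side, a `Host` entry in `~/.ssh/config` with `Port 823`, `IdentityFile ~/.ssh/id_sftp` and `IdentitiesOnly yes` removes the need to pass `-p` and `-i` every time and stops ssh from offering every key in your agent to the server.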


## Notes

* If your network is behind a NAT/Internet provider box you will need to set up a redirection from port 823/TCP on the router to port 823/TCP on your server.
* You can set up a free (sub)domain name pointing to your server at https://freedns.afraid.org/domain/registry/
* Check the server's public IP: `curl ifconfig.me` from the server.
* Thanks https://github.com/GigabyteProductions/duraconf/commits/master/configs/sshd/sshd-pfs_config