Setting up remote SSH SFTP
Follow the steps below to create an OpenSSH server on Linux and allow a remote user to access your machine for sharing files.
[1] Install SSH server
We could install the client and server together, but Ubuntu already comes with the client preinstalled, so we only need to add the server.
In terminal, run sudo apt install openssh-server
The server listens on port 22. Make sure the firewall isn't blocking the port.
- run sudo ufw status to see if the firewall is active or inactive.
- if the firewall is active, you can allow port 22 by running sudo ufw allow 22
Determine SSH status
- in terminal, run sudo systemctl status ssh to see if the ssh service is active.
Enable / disable SSH
If you want to start or stop the SSH service on your machine, run the following commands:
- sudo systemctl stop ssh
- sudo systemctl start ssh
If you want to enable or disable SSH on your machine, run the following commands:
- sudo systemctl disable ssh
- sudo systemctl enable ssh
[2] Setup port forwarding
To connect to a machine over the internet, port forwarding needs to be set up on your router to forward requests on port 22 to the machine that you want to connect to.
- log into the router portal in the web browser
- go to advanced > port forwarding
- give it a name
- enter 22 for both TCP & UDP ports
- enter the local network IP for the computer you want to use remotely
- save changes
Determine IP addresses
- In terminal, run ip route get 1.2.3.4 | awk '{print $7}'. This will return the local network IP address.
- In terminal, run curl https://ipinfo.me to determine the public IP address.
Connecting to SSH/SFTP
To connect to the remote machine over LAN, run the following with the local network IP address:
- ssh <username>@<local_network_IP>
- sftp <username>@<local_network_IP>
To connect to the remote machine over the internet, you need to set up port forwarding to the local network address. Once that is set up, run the command to connect:
- ssh <username>@<public_IP>
- sftp <username>@<public_IP>
[3] Create a jailed user
In order to prevent someone who is connecting remotely through SSH from having access to other areas of the machine, you need to create a jail that only allows the user access to the directory they are in.
- create the user, run sudo adduser <username>
- create a group, run sudo addgroup <group_name>
- create the jail folder, run sudo mkdir /jail
- create the home folder inside the jail, run sudo mkdir /jail/home
- add the new user to the new group, run sudo usermod -a -G <group_name> <username>
- set the ownership of the home directory, run sudo chown <username>:<group_name> /jail/home
- ensure that the jail folder is owned by root (sudo mkdir already created it as root) and is not writable by the group or others, run sudo chmod 755 /jail
- run ls -l in the parent directory that contains /jail/ to confirm ownership
See this link for reference.
[4] Edit sshd_config file
- navigate to /etc/ssh/ and start by creating a backup of sshd_config in case something goes wrong, run sudo cp sshd_config sshd_config.bkup
- run sudo vim sshd_config to edit the file
- at the very bottom, comment out the line Subsystem sftp /usr/lib/openssh/sftp-server
- add this line below it: Subsystem sftp internal-sftp
- add the following code block:
Match Group <group_name>
    ChrootDirectory /jail
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
- restart the sshd service, run sudo service sshd restart
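Two slips in this step are easy to make and leave sshd either refusing to start or not applying the jail: leaving the original Subsystem line active next to the new one (sshd aborts with "Subsystem 'sftp' already defined"), and placing directives after the Match block that were meant to be global (everything after a Match line belongs to that block until the next Match, so the block has to stay last). The following script is an added example, not part of the original guide; it reads an sshd_config, counts the active Subsystem sftp lines and confirms that the Match Group block for the jail group carries ChrootDirectory and ForceCommand internal-sftp. The sample configuration inside it is constructed for illustration and the group name sftpjail is an assumption. Run it against /etc/ssh/sshd_config before restarting, and also run sudo sshd -t, which is sshd's own syntax check.

```shell
#!/bin/sh
# Added example (not from the original guide): sanity-check the SFTP jail
# edits in an sshd_config before restarting sshd.
# Usage: check_sftp_jail_config /etc/ssh/sshd_config <group_name>

# Print the file with comments and blank lines stripped and the keyword
# lowercased, so the checks do not depend on capitalisation (sshd keywords
# are case-insensitive, their arguments are not).
normalize() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" |
        awk '{ $1 = tolower($1); print }'
}

check_sftp_jail_config() {
    file=$1
    group=$2
    status=0
    conf=$(normalize "$file")

    # 1. exactly one active "Subsystem sftp" line (a second one is fatal)
    n=$(printf '%s\n' "$conf" |
        awk '$1 == "subsystem" && $2 == "sftp" { c++ } END { print c + 0 }')
    if [ "$n" -ne 1 ]; then
        echo "FAIL: expected 1 active 'Subsystem sftp' line, found $n" >&2
        status=1
    fi

    # 2. a Match Group block for the jail group exists
    if ! printf '%s\n' "$conf" | awk -v g="$group" \
        '$1 == "match" && tolower($2) == "group" && $3 == g { found = 1 }
         END { exit !found }'; then
        echo "FAIL: no 'Match Group $group' block found" >&2
        status=1
    fi

    # 3. that block carries ChrootDirectory and ForceCommand internal-sftp.
    #    Every line after the Match keyword belongs to the block, which is
    #    why the guide places it at the end of the file.
    block=$(printf '%s\n' "$conf" | awk -v g="$group" \
        '$1 == "match" { inblock = (tolower($2) == "group" && $3 == g); next }
         inblock')
    for want in "chrootdirectory" "forcecommand internal-sftp"; do
        if ! printf '%s\n' "$block" | grep -q "^$want"; then
            echo "FAIL: Match block for '$group' lacks '$want'" >&2
            status=1
        fi
    done
    return $status
}

# Constructed sample (not a real server's file) mirroring the guide's edits,
# with the hypothetical group name sftpjail.
write_sample_config() {
    cat > "$1" <<'EOF'
Port 22
PasswordAuthentication yes
# Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp
Match Group sftpjail
    ChrootDirectory /jail
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

# Stand-alone usage: check the file given as argument, else the sample.
if [ -n "${1:-}" ]; then
    check_sftp_jail_config "$1" "${2:-sftpjail}"
else
    f=$(mktemp)
    write_sample_config "$f"
    check_sftp_jail_config "$f" sftpjail && echo "sample config: OK"
    rm -f "$f"
fi
```

The script only looks at the three directives the guide adds; it is a complement to sudo sshd -t, not a replacement for it.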
[5] Send files over SFTP
- To send files using the command line, navigate to the directory that contains the file(s) you want to send, then connect to the SFTP server.
- Once connected, use the following command to upload files to the remote SFTP server:
put <file_name>