総数:13 今日:1 昨日:0

もくじ

参考URL
How to Setup an SFTP Server on Ubuntu 22.04 using OpenSSH
How To Setup SFTP Server on Ubuntu 22.04 LTS
Linux サーバーに SFTP をインストールして使用する方法

IP固定化しておく

参考url
Ubuntu 22.04 LTS ServerのIPを固定する

192.168.3.9

Install OpenSSH 

~$ sudo apt update
~$ sudo apt install openssh-server

View SSH Status

verify that OpenSSH is installed on your system and actively running.
Use the below command and confirm that you see “active (running)” on the third line.

~$ sudo systemctl status ssh
● ssh.service - OpenBSD Secure Shell server
     Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
     Active: active (running) since Wed 2023-07-19 14:36:02 JST; 40min ago
       Docs: man:sshd(8)
             man:sshd_config(5)
    Process: 764 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
   Main PID: 798 (sshd)
      Tasks: 1 (limit: 18946)
     Memory: 3.8M
        CPU: 34ms
     CGroup: /system.slice/ssh.service
             └─798 "sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups"

 7月 19 14:36:00 OptiPlex-790 systemd[1]: Starting OpenBSD Secure Shell server...
 7月 19 14:36:02 OptiPlex-790 sshd[798]: Server listening on 0.0.0.0 port 22.
 7月 19 14:36:02 OptiPlex-790 sshd[798]: Server listening on :: port 22.
 7月 19 14:36:02 OptiPlex-790 systemd[1]: Started OpenBSD Secure Shell server.

Create New User

create a new user for logging into the SFTP server. 

$ sudo adduser sftpuser
ユーザー `sftpuser' を追加しています...
新しいグループ `sftpuser' (1001) を追加しています...
新しいユーザー `sftpuser' (1001) をグループ `sftpuser' に追加しています...
ホームディレクトリ `/home/sftpuser' を作成しています...
`/etc/skel' からファイルをコピーしています...
新しい パスワード: →例)sftpuser と入力した
正しくないパスワード: このパスワードには、一部に何らかの形でユーザー名が含まれています
新しい パスワードを再入力してください: →例)sftpuser と入力した
passwd: パスワードは正しく更新されました
sftpuser のユーザ情報を変更中
新しい値を入力してください。標準設定値を使うならリターンを押してください
	フルネーム []: 
	部屋番号 []: 
	職場電話番号 []: 
	自宅電話番号 []: 
	その他 []: 
以上で正しいですか? [Y/n] Y

Create New Group

create a new group for our sftpuser.
We will configure SSH to give SFTP access to any user in this group.

$ sudo addgroup sftpusers
グループ `sftpusers' (GID 1002) を追加しています...
完了。

Add User to Group

add the user to the new group.
Run the usermod command to add the sftpuser to the sftpusers group.

$ sudo usermod -a -G sftpusers sftpuser

Change User’s Home Permissions

set new permissions on the sftpuser’s home directory.
This will allow the SFTP server to access these files.
First execute the chown command followed by the chmod command.
The sftpuser’s home will be the folder you access when you connect to the SFTP server.

$ sudo chown root: /home/sftpuser
$ sudo chmod 777 /home/sftpuser

確認 

$ ls -la ..|grep -i --color -e "sftpuser"
drwxrwxrwx  2 root root 4096  7月 19 15:28 sftpuser

変更前は下記の状態

drwxr-x---  2 sftpuser sftpuser 4096  7月 19 15:28 sftpuser

Edit the SSH Config File

edit the sshd_config file and edit a few lines.
Open the configuration file using the gvim text editor as shown below.

$ sudo gvim -f /etc/ssh/sshd_config

comment out Subsystem statement

original line 115

Subsystem	sftp	/usr/lib/openssh/sftp-server

modified

#Subsystem	sftp	/usr/lib/openssh/sftp-server

Add New Lines at line 116 

Subsystem sftp internal-sftp

Match Group sftpusers
     ChrootDirectory %h
     X11Forwarding no
     AllowTCPForwarding no

Restart SSH 

$ sudo service ssh restart

Configure the Firewall

configure the firewall using UFW to control access to our SFTP server.
Start by denying all incoming traffic, and allowing all outgoing.

$ sudo ufw default deny incoming
$ sudo ufw default allow outgoing

Allow SSH

There are two options when allowing SSH through the firewall.
You can either allow any IP to access port 22 (not recommended).
Or you can only allow specific IP(s) through the firewall.
I recommend the second option as it offers higher security.

Allow SSH (All IP’s)

If you want to allow any IP, run the following command.

$ sudo ufw allow ssh

Allow SSH (Specific IP’s)

If you want to only allow specific IP’s to access the server,
run the following command for each IP you want to have access.
You need to replace “IP-ADDRESS” with your own IP.
This is highly recommended as it offers the highest level of security.

$ sudo ufw allow from IP-ADDRESS to any port ssh

Enable UFW

After you have allow the IP’s (or everyone) who you want to have access,
you will need to enable UFW. Run the following command.

$ sudo ufw enable

Check Firewall Status

To check the firewall status and verify your configuration.
Check it using the ufw status command.
If you allowed access to only specific IP’s you will see them in the “From” column.

$ sudo ufw status
状態: アクティブ

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere                  
22/tcp (v6)                ALLOW       Anywhere (v6)

Configuring vsftpd

The vsftpd server can be configured by editing the /etc/vsftpd.conf file.
Most of the settings are well documented inside the configuration file.

In the following sections, we will go over some important settings needed to configure a secure vsftpd installation.

設定ファイルをバックアップしておこう 

$ sudo cp -p /etc/vsftpd.conf /etc/vsftpd.conf.original
~$ ls -la /etc/vsftpd.conf*
-rw-r--r-- 1 root root 5850  2月  6  2018 /etc/vsftpd.conf
-rw-r--r-- 1 root root 5850  2月  6  2018 /etc/vsftpd.conf.original

Start by opening the vsftpd configuration file 

$ sudo gvim -f /etc/vsftpd.conf

FTP Access ローカルユーザーのみを許可する

ローカルユーザーのみを許可する。
We’ll allow access to the FTP server only the local users,
find the anonymous_enable and local_enable directives and
verify your configuration match to lines below:

anonymous_enable=NO
local_enable=YES

Enabling uploads アップロードと削除を許可する

Uncomment the write_enable setting to allow changes to the filesystem such as uploading and deleting files.

 write_enable=YES

Chroot Jail

To prevent the FTP users to access any files outside of their home directories uncomment the chroot setting.

chroot_local_user=YES

By default to prevent a security vulnerability, when chroot is enabled vsftpd will refuse to upload files if the directory that users are locked in is writable.

Use one of the methods below to allow uploads when chroot is enabled.

Method 1. この方法でやってみよう

The recommended method to allow upload is to keep chroot enabled, and configure FTP directories.
In this tutorial, we will create an ftp directory inside the user home which will serve as the chroot and a writable uploads directory for uploading files.

下記をファイルの末尾に追記する。

user_sub_token=$USER
local_root=/home/$USER/ftp

Method 2. この方法はしない

Another option is to add the following directive in the vsftpd configuration file.
Use this option if you must to grant writable access to your user to its home directory.

allow_writeable_chroot=YES

Passive FTP Connections

vsftpd can use any port for passive FTP connections.
We’ll specify the minimum and maximum range of ports and later open the range in our firewall.
Add the following lines to the configuration file:

pasv_min_port=30000
pasv_max_port=31000

Limiting User Login

To allow only certain users to log in to the FTP server add the following lines at the end of the file:

userlist_enable=YES
userlist_file=/etc/vsftpd.user_list
userlist_deny=NO

ユーザーを予め登録しておく /etc/vsftpd.user_list ファイル

When this option is enabled you need to explicitly specify
which users are able to log in
by adding the user names to the /etc/vsftpd.user_list file (one user per line).

$ sudo gvim -f /etc/vsftpd.user_list

下記の1行を記述する

ftp_user

この時点での設定ファイル/etc/vsftpd.confの内容 

# Example config file /etc/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
#
# Run standalone?  vsftpd can run either from an inetd or as a standalone
# daemon started from an initscript.
listen=NO
#
# This directive enables listening on IPv6 sockets. By default, listening
# on the IPv6 "any" address (::) will accept connections from both IPv6
# and IPv4 clients. It is not necessary to listen on *both* IPv4 and IPv6
# sockets. If you want that (perhaps because you want to listen on specific
# addresses) then you must run two copies of vsftpd with two configuration
# files.
listen_ipv6=YES
#
# Allow anonymous FTP? (Disabled by default).
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
#local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# If enabled, vsftpd will display directory listings with the time
# in  your  local  time  zone.  The default is to display GMT. The
# times returned by the MDTM FTP command are also affected by this
# option.
use_localtime=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
#xferlog_file=/var/log/vsftpd.log
#
# If you want, you can have your log file in standard ftpd xferlog format.
# Note that the default log file location is /var/log/xferlog in this case.
#xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
#ftpd_banner=Welcome to blah FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd.banned_emails
#
# You may restrict local users to their home directories.  See the FAQ for
# the possible risks in this before using chroot_local_user or
# chroot_list_enable below.
chroot_local_user=YES
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
# (Warning! chroot'ing can be very dangerous. If using chroot, make sure that
# the user does not have write access to the top level directory within the
# chroot)
#chroot_local_user=YES
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd.chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
# Customization
#
# Some of vsftpd's settings don't fit the filesystem layout by
# default.
#
# This option should be the name of a directory which is empty.  Also, the
# directory should not be writable by the ftp user. This directory is used
# as a secure chroot() jail at times vsftpd does not require filesystem
# access.
secure_chroot_dir=/var/run/vsftpd/empty
#
# This string is the name of the PAM service vsftpd will use.
pam_service_name=vsftpd
#
# This option specifies the location of the RSA certificate to use for SSL
# encrypted connections.
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
ssl_enable=NO

#
# Uncomment this to indicate that vsftpd use a utf8 filesystem.
#utf8_filesystem=YES

# keep chroot enabled, and configure FTP directories. 
# In this case, we will create an ftp directory inside the user home 
# which will serve as the chroot and a writable uploads directory 
# for uploading files.
user_sub_token=$USER
local_root=/home/$USER/ftp

allow_writeable_chroot=YES
 
# vsftpd can use any port for passive FTP connections.
# We’ll specify the minimum and maximum range of ports 
# and later open the range in our firewall.
pasv_min_port=30000
pasv_max_port=31000


# allow only certain users to log in to the FTP server 
userlist_enable=YES
userlist_file=/etc/vsftpd.user_list
userlist_deny=NO

変更点のみ 

~$ diff -uprN /etc/vsftpd.conf.original /etc/vsftpd.conf
--- /etc/vsftpd.conf.original	2018-02-06 01:55:32.000000000 +0900
+++ /etc/vsftpd.conf	2019-09-22 16:54:58.583925247 +0900
@@ -28,7 +28,7 @@ anonymous_enable=NO
 local_enable=YES
 #
 # Uncomment this to enable any form of FTP write command.
-#write_enable=YES
+write_enable=YES
 #
 # Default umask for local users is 077. You may wish to change this to 022,
 # if your users expect that (022 is used by most other ftpd's)
@@ -111,7 +111,7 @@ connect_from_port_20=YES
 # You may restrict local users to their home directories.  See the FAQ for
 # the possible risks in this before using chroot_local_user or
 # chroot_list_enable below.
-#chroot_local_user=YES
+chroot_local_user=YES
 #
 # You may specify an explicit list of local users to chroot() to their home
 # directory. If chroot_local_user is YES, then this list becomes a list of
@@ -153,3 +153,25 @@ ssl_enable=NO
 #
 # Uncomment this to indicate that vsftpd use a utf8 filesystem.
 #utf8_filesystem=YES
+
+# keep chroot enabled, and configure FTP directories. 
+# In this case, we will create an ftp directory inside the user home 
+# which will serve as the chroot and a writable uploads directory 
+# for uploading files.
+user_sub_token=$USER
+local_root=/home/$USER/ftp
+
+allow_writeable_chroot=YES
+
+# vsftpd can use any port for passive FTP connections.
+# We’ll specify the minimum and maximum range of ports 
+# and later open the range in our firewall.
+pasv_min_port=30000
+pasv_max_port=31000
+
+
+# allow only certain users to log in to the FTP server 
+userlist_enable=YES
+userlist_file=/etc/vsftpd.user_list
+userlist_deny=NO
+

ユーザーを新規追加しておく

Create a new user named newftpuser: 

$ sudo adduser ftp_user
ユーザー `ftp_user' を追加しています...
新しいグループ `ftp_user' (1001) を追加しています...
新しいユーザー `ftp_user' (1001) をグループ `ftp_user' に追加しています...
ホームディレクトリ `/home/ftp_user' を作成しています...
`/etc/skel' からファイルをコピーしています...
新しい UNIX パスワードを入力してください: ★ ftp_user と入力する
新しい UNIX パスワードを再入力してください: ★ ftp_user と入力する 
passwd: パスワードは正しく更新されました
ftp_user のユーザ情報を変更中
新しい値を入力してください。標準設定値を使うならリターンを押してください
	フルネーム []: 
	部屋番号 []: 
	職場電話番号 []: 
	自宅電話番号 []: 
	その他 []: 
以上で正しいですか? [Y/n] Y

Add the user to the allowed FTP users list: 

~$ sudo bash -c "echo 'ftp_user' | sudo tee -a /etc/vsftpd.user_list"

Create the FTP directory tree and set the correct permissions: 

~$ sudo mkdir -p /home/ftp_user/ftp/upload/
~$ sudo chmod 550 /home/ftp_user/ftp/
~$ sudo chmod 750 /home/ftp_user/ftp/upload/
~$ sudo chown -R ftp_user:ftp_user /home/ftp_user/ftp/

Restart the vsftpd Service

restart the vsftpd service for changes to take effect:

sudo systemctl restart vsftpd

動作状況を確認する 

~$ sudo systemctl status vsftpd
● vsftpd.service - vsftpd FTP server
   Loaded: loaded (/lib/systemd/system/vsftpd.service; enabled; vendor preset: enabled)
   Active: active (running) since Sun 2019-09-22 15:50:56 JST; 19s ago
  Process: 5116 ExecStartPre=/bin/mkdir -p /var/run/vsftpd/empty (code=exited, status=0/SUCCESS)
 Main PID: 5117 (vsftpd)
    Tasks: 1 (limit: 4672)
   CGroup: /system.slice/vsftpd.service
           └─5117 /usr/sbin/vsftpd /etc/vsftpd.conf

 9月 22 15:50:56 test-ftp-server systemd[1]: Stopping vsftpd FTP server...
 9月 22 15:50:56 test-ftp-server systemd[1]: Stopped vsftpd FTP server.
 9月 22 15:50:56 test-ftp-server systemd[1]: Starting vsftpd FTP server...
 9月 22 15:50:56 test-ftp-server systemd[1]: Started vsftpd FTP server.

ftp server account の例

host IP address192.168.3.19
usernameftp_user
passwordftp_user

Windows に ftp clientをinstallする

https://forest.watch.impress.co.jp/library/software/ffftp/

FFFTP(64bit版)
v4.2(19/09/11)

FFFTPを起動する

接続-ホストの設定-新規ホスト を選択する

変更した項目のみ

基本タブ

ホストの設定名ftp server
ホスト名192.168.3.19
ユーザー名ftp_user
パスワード/フレーズftp_user

拡張タブ

文字コードタブ

ダイヤルアップタブ

高度タブ

暗号化タブ

暗号化なしで接続を許可チェックする
FTPS(Explicit)で接続チェックしない
FTPS(Implicit)で接続チェックしない

特殊機能タブ

トップ   一覧 単語検索 最終更新   ヘルプ   最終更新のRSS