SFTP server with Chroot & Fail2Ban on CentOS 7.x

Every now and then you need to move a substantial amount of data to or from a server in a secure manner, and SSH already has the transport for that: the SFTP subsystem. The setup below gives each transfer user a key-only, chrooted SFTP account with no shell, and puts Fail2Ban in front of sshd to slow down brute-force attempts.
You can run these steps on a container, VM or bare metal server.

yum -y install openssh-server 

systemctl enable sshd && systemctl start sshd

Make sure you disable root login and password authentication in /etc/ssh/sshd_config, and keep the users' public keys outside their chroot so they cannot replace them themselves:

vi /etc/ssh/sshd_config

PermitRootLogin no
PasswordAuthentication no

AuthorizedKeysFile      /etc/ssh/sftp_users/%u/.ssh/authorized_keys

Match Group sftp_users
    ChrootDirectory /home/%u
    AllowTcpForwarding no
    X11Forwarding no
    ForceCommand internal-sftp

Two things to keep in mind here. The Match block has to be the last thing in the file: every directive that follows a Match line belongs to that block. And sshd only honours a ChrootDirectory whose path components are all owned by root and writable by nobody else, which is why the steps below hand the user's home directory to root and give the user write access only to a subdirectory inside it.


Check the configuration and restart SSH after changing it (a syntax error would otherwise leave you without a working sshd, possibly on a machine you can only reach over SSH):

sshd -t
systemctl restart sshd

Create the group the Match block refers to:

groupadd sftp_users

Steps to create an SFTP chrooted user. Put the user's public key in /tmp/pubkey.pub first. Note that a shell variable name cannot contain a hyphen (USER-NEW would expand as $USER followed by the literal text -NEW), and that useradd -g gives the user no private group, so the ownership changes use the sftp_users group:

NEWUSER=example_user
useradd -g sftp_users -s /sbin/nologin $NEWUSER
chown root:root /home/$NEWUSER
chmod 755 /home/$NEWUSER
mkdir -p /home/$NEWUSER/upload
chown $NEWUSER:sftp_users /home/$NEWUSER/upload
mkdir -p /etc/ssh/sftp_users/$NEWUSER/.ssh
chmod 700 /etc/ssh/sftp_users/$NEWUSER/.ssh
cat /tmp/pubkey.pub > /etc/ssh/sftp_users/$NEWUSER/.ssh/authorized_keys
chmod 600 /etc/ssh/sftp_users/$NEWUSER/.ssh/authorized_keys
chown -R $NEWUSER:sftp_users /etc/ssh/sftp_users/$NEWUSER

After login the user sees / (really /home/$NEWUSER, read-only for them) and can only write inside /upload. The key directory is owned by the user but lives outside the chroot, so the SFTP session cannot reach it.
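The same provisioning as a script, added here as an example (it is not the post's own code). It assumes the sshd_config above (ChrootDirectory /home/%u, keys under /etc/ssh/sftp_users) and that the sftp_users group already exists; the function names and the -M/manual home creation are this example's choices. Before it finishes it walks the chroot path the way sshd does, so a directory that sshd would refuse fails here rather than at the user's first login. If SELinux is enforcing and the key is rejected even though the checks pass, look at /var/log/secure and /var/log/audit/audit.log for the non-standard key location.

```shell
#!/bin/sh
# Added example, not the post's own script: provisions one chrooted SFTP user
# the way the manual steps above do, and checks what sshd itself will check.
# Assumptions (as in the post): group sftp_users exists, and sshd_config has
#   ChrootDirectory /home/%u
#   AuthorizedKeysFile /etc/ssh/sftp_users/%u/.ssh/authorized_keys
set -eu

SFTP_GROUP=sftp_users
KEYS_ROOT=/etc/ssh/sftp_users      # must match AuthorizedKeysFile

# Names useradd accepts by default: lowercase, leading letter or underscore,
# at most 32 characters.
valid_sftp_username() {
    printf '%s' "$1" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}$'
}

# sshd only honours ChrootDirectory when the directory is owned by root and
# not writable by group or others. Returns 0 when one directory satisfies that.
chroot_dir_ok() {
    dir=$1
    [ -d "$dir" ] || return 1
    uid=$(stat -c %u "$dir")
    mode=$(stat -c %a "$dir")                  # octal, e.g. 755 or 1777
    [ "$uid" -eq 0 ] || return 1               # owned by root
    [ $(( 0$mode & 022 )) -eq 0 ] || return 1  # no group/other write bit
}

# sshd applies that rule to every component of the path, so walk up to /.
chroot_path_ok() {
    p=$1
    while :; do
        chroot_dir_ok "$p" || { echo "bad chroot component (not root-owned or writable by others): $p" >&2; return 1; }
        if [ "$p" = / ]; then return 0; fi
        p=$(dirname "$p")
    done
}

# create_sftp_user <name> <public key file>   (run as root)
create_sftp_user() {
    name=$1
    pubkey=$2
    home=/home/$name
    valid_sftp_username "$name" || { echo "invalid user name: $name" >&2; return 1; }
    [ -r "$pubkey" ] || { echo "cannot read public key: $pubkey" >&2; return 1; }

    # -M: create the home ourselves so no skeleton dotfiles land inside the chroot.
    useradd -M -g "$SFTP_GROUP" -s /sbin/nologin -d "$home" "$name"

    # Chroot root: owned by root, 755, so the user cannot write to it.
    mkdir -p "$home"
    chown root:root "$home"
    chmod 755 "$home"

    # The only writable directory the user sees after login is /upload.
    # The user has no private group (-g above), so chown to the SFTP group.
    mkdir -p "$home/upload"
    chown "$name:$SFTP_GROUP" "$home/upload"
    chmod 755 "$home/upload"

    # Authorized key outside the chroot. StrictModes wants .ssh 700 and
    # authorized_keys 600, owned by the user or root.
    mkdir -p "$KEYS_ROOT/$name/.ssh"
    cp "$pubkey" "$KEYS_ROOT/$name/.ssh/authorized_keys"
    chmod 700 "$KEYS_ROOT/$name/.ssh"
    chmod 600 "$KEYS_ROOT/$name/.ssh/authorized_keys"
    chown -R "$name:$SFTP_GROUP" "$KEYS_ROOT/$name"

    # Fail loudly now rather than at the user's first login.
    chroot_path_ok "$home"
}

# Usage: sh create_sftp_user.sh example_user /tmp/pubkey.pub
if [ "$#" -eq 2 ] && [ "$(id -u)" -eq 0 ]; then
    create_sftp_user "$1" "$2"
fi
```

chroot_path_ok is also a handy stand-alone check when an existing user gets "bad ownership or modes for chroot directory" in /var/log/secure: run it against the home directory and it names the offending component.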


Next, install Fail2Ban. It lives in EPEL, so enable that repository first:

yum -y install epel-release

yum -y install fail2ban fail2ban-systemd

Put your global defaults in /etc/fail2ban/jail.local rather than editing jail.conf, which a package update overwrites:

vi /etc/fail2ban/jail.local

[DEFAULT]
ignoreip = 127.0.0.1/8
ignorecommand =
bantime = 3600
findtime = 3600
maxretry = 5


vi /etc/fail2ban/jail.d/sshd.local

[sshd]
enabled = true
port = ssh
#action = firewallcmd-ipset
logpath = %(sshd_log)s
maxretry = 5
bantime = 86400

The bantime here (one day) overrides the one-hour default from jail.local for this jail only. Because fail2ban-systemd is installed, /etc/fail2ban/jail.d/00-systemd.conf switches the backend to systemd, so the jail reads sshd's messages from the journal and the logpath line is not consulted; it does no harm and keeps the jail working if you later go back to the polling backend.

The CentOS 7 packaging bans through firewalld, so firewalld must be running before Fail2Ban starts:

systemctl enable firewalld
systemctl start firewalld
systemctl enable fail2ban
systemctl start fail2ban


Check that Fail2Ban is running and lists the sshd jail:

fail2ban-client status
