Follow these steps to set up an SFTP server on an EC2 instance.
Start by installing the SFTP server:
sudo yum install vsftpd
Allow inbound traffic in your instance's security group [console screenshot not preserved]; open the same TCP ports the firewall rules further down use: 20-21 for the control/data connections and the passive range 1024-1048.
Edit /etc/vsftpd/vsftpd.conf:
- Change anonymous_enable=YES to anonymous_enable=NO.
- Add the following to the end of the file:
pasv_enable=YES
pasv_min_port=1024
pasv_max_port=1048
pasv_address=<public IP of this EC2 instance>
Restart the SFTP server:
sudo /etc/init.d/vsftpd restart
or
sudo /sbin/service vsftpd restart
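As an added example (not code from the original post), the following shell script applies the vsftpd.conf edits above to whatever config file it is given, so the change can be rehearsed on a scratch copy before touching /etc/vsftpd/vsftpd.conf. It validates pasv_address and the port range before writing, replaces a key that is already present instead of appending a duplicate, and rewrites the file in place so the config's ownership and mode are preserved. The address 203.0.113.10, the script name vsftpd-conf.sh in the usage comment, and the helper names set_key and conf_get are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): apply the vsftpd.conf edits
# above to a config file given as a parameter. Defaults for the passive port
# range (1024-1048) match the walkthrough; the address in the usage comment
# is a placeholder.

# configure_vsftpd CONF PASV_IP [MIN_PORT] [MAX_PORT]
# Disables anonymous logins and sets the passive-mode keys. Safe to run more
# than once: an existing key is replaced in place, not appended again.
configure_vsftpd() {
    conf="$1"
    pasv_ip="$2"
    min_port="${3:-1024}"
    max_port="${4:-1048}"

    # pasv_address must be a dotted-quad; refuse anything else rather than
    # writing an unvalidated string into a root-owned config file.
    case "$pasv_ip" in
        "" | *[!0-9.]*) echo "configure_vsftpd: bad pasv_address '$pasv_ip'" >&2; return 2 ;;
    esac
    case "$min_port$max_port" in
        *[!0-9]*) echo "configure_vsftpd: ports must be numeric" >&2; return 2 ;;
    esac
    if [ "$min_port" -gt "$max_port" ]; then
        echo "configure_vsftpd: pasv_min_port exceeds pasv_max_port" >&2; return 2
    fi

    set_key "$conf" anonymous_enable NO
    set_key "$conf" pasv_enable YES
    set_key "$conf" pasv_min_port "$min_port"
    set_key "$conf" pasv_max_port "$max_port"
    set_key "$conf" pasv_address "$pasv_ip"
}

# set_key CONF KEY VALUE: replace an existing "KEY=..." line, else append.
# Writes through the original file (cat > CONF) so its mode and owner stay
# as they were; works with any sed, not only GNU sed -i.
set_key() {
    conf="$1"; key="$2"; value="$3"
    if grep -q "^$key=" "$conf"; then
        sed "s|^$key=.*|$key=$value|" "$conf" > "$conf.tmp" \
            && cat "$conf.tmp" > "$conf" && rm -f "$conf.tmp"
    else
        printf '%s=%s\n' "$key" "$value" >> "$conf"
    fi
}

# conf_get CONF KEY: print the effective (last) value of KEY, or nothing.
conf_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# Usage on the instance (assuming this file is saved as vsftpd-conf.sh), with
# the public IP read from the EC2 instance metadata service:
#   sudo sh -c '. ./vsftpd-conf.sh; configure_vsftpd /etc/vsftpd/vsftpd.conf \
#       "$(curl -s http://169.254.169.254/latest/meta-data/public-ipv4)"'
```

Run it on a copy first (cp /etc/vsftpd/vsftpd.conf /tmp/vsftpd.conf and pass that path), then diff the result against the original before applying it for real and restarting the daemon.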
/etc/vsftpd/user_list lists users who are NOT allowed SFTP access (with the default userlist_deny=YES, as the file's own header explains):
# vsftpd userlist
# If userlist_deny=NO, only allow users in this file
# If userlist_deny=YES (default), never allow users in this file
root
bin
daemon
adm
lp
sync
shutdown
halt
mail
news
uucp
operator
games
nobody
Create a new user for SFTP:
sudo adduser sftpuser
sudo passwd sftpuser
sudo gpasswd -a sftpuser ftp
At this point, SFTP users are NOT restricted to their home directories. To restrict them, uncomment chroot_local_user=YES in /etc/vsftpd/vsftpd.conf and restart the SFTP server.
To start the SFTP server automatically on instance reboot, run this:
sudo chkconfig --level 345 vsftpd on
or, on Red Hat, use the interactive tool:
sudo ntsysv
To restrict a user to a specific directory, change their home:
sudo usermod -d /var/www/ sftpuser
sudo usermod -aG www sftpuser
sudo usermod -aG apache sftpuser
or set local_root=/var/www/html in /etc/vsftpd/vsftpd.conf (note that local_root applies to every local user, not just this one).
If you have Uncomplicated Firewall (ufw) enabled:
sudo ufw allow ftp
This opens only the ftp control port (21/tcp); the passive port range configured above needs its own rule, as in the iptables example below.
If you have the iptables firewall enabled, add the following in /etc/sysconfig/iptables:
-A INPUT -m state --state NEW -m tcp -p tcp --dport 20:21 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 1024:1048 -j ACCEPT
and restart iptables:
sudo service iptables restart
If you get this error:
500 OOPS: vsftpd: refusing to run with writable root inside chroot ()
see: Fixing 500 OOPS: vsftpd: refusing to run with writable root inside chroot ().
Also see: Fixing Write Permissions for Chrooted FTP Users in vsftpd.
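As an added example (not code from the original post or the vsftpd project), here are two pre-flight checks that can be run before restarting the daemon: one applies the user_list rule quoted earlier (userlist_deny=YES refuses the listed names, userlist_deny=NO admits only them), and the other predicts the "500 OOPS ... writable root inside chroot" refusal for a user's chroot directory. The writability test is an approximation of vsftpd's own check (the directory is rejected if it is group- or world-writable, or owner-writable and owned by the FTP user); it assumes userlist_enable=YES, GNU/busybox stat -c syntax, and the function names user_allowed and check_chroot_root are made up for this example.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks for the
# login rules in the walkthrough.
#   user_allowed USER USER_LIST [userlist_deny]  -- applies the user_list rule
#   check_chroot_root DIR UID                   -- predicts the "500 OOPS" refusal
# The writability rule is an approximation of vsftpd's check; stat -c is
# GNU/busybox syntax. Values in the usage comments are illustrative.

# Mirrors the header comment of /etc/vsftpd/user_list (assumes userlist_enable=YES):
#   userlist_deny=YES (default): names in the file are refused
#   userlist_deny=NO:            only names in the file are admitted
# Exit status 0 = login would be admitted by this rule, 1 = refused.
user_allowed() {
    user="$1"; list="$2"; deny="${3:-YES}"
    # -x: whole-line match, so "# vsftpd userlist" comments never match a name
    if grep -qxF -- "$user" "$list"; then in_list=1; else in_list=0; fi
    if [ "$deny" = YES ]; then
        [ "$in_list" -eq 0 ]
    else
        [ "$in_list" -eq 1 ]
    fi
}

# Exit status 0 when DIR can serve as the chroot root for user UID, 1 when
# vsftpd would refuse it with "refusing to run with writable root inside chroot".
check_chroot_root() {
    dir="$1"; uid="$2"
    [ -d "$dir" ] || { echo "check_chroot_root: $dir is not a directory" >&2; return 1; }
    perms=$(stat -c '%A' "$dir")      # symbolic mode, e.g. drwxr-xr-x
    owner=$(stat -c '%u' "$dir")      # numeric owner uid
    case "$perms" in
        ?????w*|????????w*)           # 'w' in the group or other position
            echo "check_chroot_root: $dir is group/world writable ($perms)" >&2
            return 1 ;;
    esac
    case "$perms" in
        ??w*)                         # owner-writable: a problem only if the user owns it
            if [ "$owner" = "$uid" ]; then
                echo "check_chroot_root: $dir is writable by its owner (uid $uid)" >&2
                return 1
            fi ;;
    esac
    return 0
}

# Usage on the instance after creating sftpuser as in the walkthrough:
#   user_allowed sftpuser /etc/vsftpd/user_list && echo "user_list: admitted"
#   home=$(getent passwd sftpuser | cut -d: -f6)
#   check_chroot_root "$home" "$(id -u sftpuser)" && echo "chroot root OK" \
#       || echo "make $home non-writable and give the user a writable subdirectory"
```

The usual layout that passes the second check is a home directory owned by root (or at least not writable by the FTP user) with a writable subdirectory inside it for uploads, which is what the linked "Fixing Write Permissions" post describes.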