1

I was trying to setup sftp in AWS EC2 by following the instructions in https://silicondales.com/tutorials/aws-ec2-tutorials/setup-ftp-sftp-aws-ec2-instance/

I have done below steps

  1. Launched a new EC2 instance
  2. Logged in as ec2-user
  3. Installed vsftpd
  4. Updated security group rules by Custom TCP Rules – port ranges 20-21 and 1024-1048
  5. Below changes are done in /etc/vsftpd/vsftpd.conf

    anonymous_enable=NO
    pasv_enable=YES
    pasv_min_port=1024
    pasv_max_port=1048
    pasv_address=[MY PUBLIC IP]
    chroot_local_user=YES
    
  6. Created a new user and set the password

    adduser silicondales
    passwd silicondales
    
  7. Restarted vsftpd with `/etc/init.d/vsftpd restart`. It is successful as I get the message

After all this I try to connect from my local machine

    sftp -oPort=1024 <username>:<password>@<public ip address>

and am getting the error

    ssh: connect to host <Public_IP> port 1024: Connection refused

I couldn't figure out the issue. Please help me to solve this.

Selvakumar P

2 Answers

3

OK, to answer this, something needs to be clarified: vsftpd implements the FTP protocol. sftp does not implement the FTP protocol. In spite of having "ftp" in its name, it has very little to do with FTP, other than emulating its behavior on the client side. If you want to use sftp, you do not need vsftpd. Rather, sftp uses the SSH server that is likely already present on your server.

From a networking and security point of view, ssh/sftp are much more secure and maintainable than ftps (which is what vsftpd can provide), and unless you have a very good reason to not use sftp, just ditch vsftpd. You don't need it.

EEAA
  • Looking at some of the forums now it seems If I need sftp then I should go with public/private keys not with password based authentication. Is that true ? – Selvakumar P Jun 28 '17 at 17:53
  • Yes, key-based authentication is far superior from a security and usability POV. Set up keys and then disable password authentication entirely. – EEAA Jun 28 '17 at 17:54
2

SSH, which is already running, provides SFTP. The same key you login to SSH with allows SFTP logins. The SFTP service is provided by SSH, the same software that lets you log in.

You can add users and allow them to login via SFTP. This for example makes it easier to create a user that only has access to your webroot. I have an article about that for Amazon Linux on my blog, which includes some pictures. The essential parts are

Create a new user

    sudo su
    useradd fred
    passwd fred

Create a new key pair

    su - fred                    # "-" so the shell starts in /home/fred
    ssh-keygen -t rsa -f fred    # writes the private key "fred" and the public key "fred.pub"

    mkdir .ssh
    touch .ssh/authorized_keys
    chmod go-w ~/                # sshd (StrictModes) refuses keys under a group/world-writable home
    chmod 700 ~/.ssh
    chmod 600 ~/.ssh/authorized_keys

    cat fred.pub >> /home/fred/.ssh/authorized_keys
    # the private key "fred" is what the client logs in with; hand it to the user, then delete it here

Allow the user to log in

    vi /etc/ssh/sshd_config

    PasswordAuthentication no
    AllowUsers ec2-user fred     # every account not listed here is locked out of SSH

    # restart sshd afterwards for the change to take effect
Tim
  • I have followed same steps above and getting `Connection to closed by remote host` error when I connect via sftp from my terminal – Selvakumar P Jun 29 '17 at 05:20
  • I guess you'll need to do some debugging. See if there's any connection logging perhaps, and try with a different client. There's also a chance there's something else to configure in the sshd, which is /etc/ssh/sshd_config – Tim Jun 29 '17 at 05:32
  • Figured out, ChrootDirectory was not owned by root – Selvakumar P Jun 29 '17 at 07:25
  • I might be misunderstanding, but shouldn't the key be made on `fred`s computer, and then send over `fred.pub` to the machine in question? Not seeing how making an SSH key on the instance you want to SSH into allows `fred` to get on that instance (but, I'm not sure, which is why I'm here in the first place) – dwanderson Sep 24 '18 at 21:06
  • @dwanderson I don't think it matters much where the key is made. If you can make them on your PC then send the public key to the server, that's probably more secure, but personally I don't have ssh on my Windows PC. Creating the keys on the server and sending the private key across a secure channel like TLS or FTPS is fine. I'm happy for someone who knows more about this than me to correct me or add additional information. – Tim Sep 25 '18 at 00:14
  • @Tim - ohhh, I wasn't considering the part where you send the private key to the client, so I thought both pub and priv existed only on server, which is why I was confused. I get it now, thanks for clarifying! – dwanderson Sep 25 '18 at 21:03
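The steps in Tim's answer and the ChrootDirectory ownership problem from the comments come down to a handful of conditions sshd checks on disk. The script below is an added example, not code from the answers above or from OpenSSH: it prints the sshd_config fragment for a chrooted, SFTP-only user and checks those conditions, so a "Connection closed by remote host" can be diagnosed before the next login attempt. The user name fred and the directory /var/www are constructed placeholders; the directives are standard OpenSSH ones. The owner parameter of the chroot check exists only so the check can be run as an unprivileged user; sshd itself always requires root.

```shell
#!/bin/sh
# Added example, not code from the answers above. Emits the sshd_config
# fragment for a chrooted, SFTP-only user and checks the on-disk conditions
# sshd enforces before such a login succeeds. "fred" and "/var/www" are
# constructed placeholders; the directives are standard OpenSSH ones.

# Print a Match block restricting USER ($1) to SFTP inside DIR ($2). The main
# config must also carry "Subsystem sftp internal-sftp", so no binaries are
# needed inside the chroot.
sftp_match_block() {
    printf 'Match User %s\n' "$1"
    printf '    ChrootDirectory %s\n' "$2"
    printf '    ForceCommand internal-sftp\n'
    printf '    AllowTcpForwarding no\n'
    printf '    X11Forwarding no\n'
    printf '    PasswordAuthentication no\n'
}

# Return 0 when the path is writable by its group or by others, the condition
# sshd rejects for chroot directories and, with StrictModes, for ~/.ssh.
writable_by_others() {
    mode=$(stat -c '%a' "$1")           # e.g. 755 or 1777 (GNU/busybox stat)
    tail2=${mode#"${mode%??}"}          # last two digits: group, other
    case $tail2 in
        [2367]?|?[2367]) return 0 ;;    # 2 = write bit set in either digit
    esac
    return 1
}

# Return 0 when DIR ($1) can serve as ChrootDirectory: it exists, is owned by
# OWNER ($2, default root; sshd itself only accepts root) and is not
# group/world writable. This is the cause reported in the comments.
check_chroot_dir() {
    dir=$1
    owner=${2:-root}
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    actual=$(stat -c '%U' "$dir")
    if [ "$actual" != "$owner" ]; then
        echo "$dir is owned by $actual, must be owned by $owner" >&2
        return 1
    fi
    if writable_by_others "$dir"; then
        echo "$dir is group- or world-writable" >&2
        return 1
    fi
    return 0
}

# sshd applies the chroot rule to every component of the path, so walk up
# to / (a chroot under /tmp fails here because /tmp is world-writable).
check_chroot_path() {
    p=$1
    while :; do
        check_chroot_dir "$p" "${2:-root}" || return 1
        [ "$p" = / ] && return 0
        p=$(dirname "$p")
    done
}

# Return 0 when HOME_DIR ($1), HOME_DIR/.ssh and its authorized_keys exist
# and none of them is group/world writable, which StrictModes (the default)
# requires before the key in authorized_keys is consulted at all.
check_key_perms() {
    for f in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        [ -e "$f" ] || { echo "missing: $f" >&2; return 1; }
        if writable_by_others "$f"; then
            echo "$f is group- or world-writable" >&2
            return 1
        fi
    done
    return 0
}

# Usage on a real host (as root), e.g.:
#   sftp_match_block fred /var/www >> /etc/ssh/sshd_config
#   sshd -t && systemctl restart sshd      # validate the config before restarting
#   check_chroot_path /var/www && check_key_perms /home/fred
```

The Match block goes at the end of sshd_config, since everything after a Match line belongs to that block. Keep an existing root or ec2-user session open while restarting sshd and confirm a fresh login works before closing it, because a typo in AllowUsers or the Match block locks out every account.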