Secure file transfer

cazz · January 16, 2022, 12:37pm

I have see some old topic here about the question and I just wonder if that have make it simple to create a secure file server with nethserver.
I was thinking SFTP with chrooted jail environment and fail2ban.

Just wonder is that is still template and script or is it more easy now with GUI?

mrmarkuz · January 16, 2022, 9:05pm

You still need a custom template for the chroot jail.

Fail2ban already blocks bad SSH logins and there’s also 2FA for SSH for additional security.

cazz · January 17, 2022, 3:59pm

Ahh ok then I going to see what I can do
Thanks

cazz · January 17, 2022, 4:37pm

Hi again
I did find this that did look simple
SFTP chroot howto - Howto - NethServer Community

but have not got it to work.
I have create a user and a group in GUI and it can login to SFTP but is not chroot jail

I think it have to do something about how to connect the template to the group.

Nethserver have a local LDAP that have a user and group (call chrooted) but not sure how to connect the group from LDAP to the template.

I have try with both “chrooted@mydomain.se” and “chrooted@sftp.mydomain.se” and even just “chrooted”

mrmarkuz · January 17, 2022, 7:10pm

There’s an error in the howto.

To apply the configuration and write the config files for sshd

signal-event nethserver-openssh-save

is needed instead of

signal-event nethserver-sssd-save

You may check if /etc/ssh/sshd_config contains the needed line for chroot:

ChrootDirectory /var/lib/nethserver/home/

cazz · January 17, 2022, 7:20pm

Thanks, now it works
The only think and I’m not sure if it can be done is that now the script have make so they can’t go outside home folder and they can’t access eachothers folders but they can see the name of other people homefolders. Is that possible to make them stay inside their own homefolders?

I did try to add
/var/lib/nethserver/home/%u
but then I can’t access SFTP

mrmarkuz · January 17, 2022, 7:36pm

Yes, the home folders need to be owned by root to make chroot work.

This should work for the home folders:

ChrootDirectory %h

cazz · January 17, 2022, 7:44pm

if I use %h I can’t login at all.
It just say error and I have to look in the log.
But it is ok, as long it works I’m happy

mrmarkuz · January 17, 2022, 7:46pm

Did you change owner for the user folder?

chown root: /var/lib/nethserver/home/user

cazz · January 17, 2022, 7:51pm

Yes I did and now user have no access to it own home folders.

mrmarkuz · January 17, 2022, 7:59pm

Sorry, you need to set permissons too:

chmod 755 /var/lib/nethserver/home/user

Source:

cazz · January 17, 2022, 8:04pm

ok have read but 755 make a user access his and his friends home folder
That they can see name of other people homefolder is ok.

pagaille · February 1, 2022, 8:13am

Thanks for correcting that @mrmarkuz. @cazz I’m happy my howto could help someone else.