Project httpsrv 2.0 – Increase security with chrooted user using SSH (SFTP) Linux


Increase SFTP security using chrooted users with httpsrv 2.0 and Linux
By default a user connecting over SFTP can browse the whole directory tree on the server
A chrooted user is restricted to a single root path and cannot reach files outside it
According to wiki.archlinux.org this works from OpenSSH version 4.9 onwards
This tutorial requires that you have httpsrv 2.0 installed on your system
You can also use this tutorial to increase security on any OpenSSH server
Run all commands below as root or with sudo


Please read this post to install and compile httpsrv 2.0:
Project httpsrv v2.0 – Script to compile, install and manage on DEB/RPM based Linux

1 Install dependencies and other software

Ubuntu

apt-get install openssh-server openssh-client nano -y

CentOS

yum install openssh-server openssh-clients nano -y

2 Configure a password for user: httpsrv

passwd httpsrv

3 Configure chroot in: /etc/ssh/sshd_config
Copy and paste one line at a time

echo " " >> /etc/ssh/sshd_config
echo "# Chroot for httpsrv" >> /etc/ssh/sshd_config
echo "Match User httpsrv" >> /etc/ssh/sshd_config
echo "ChrootDirectory /srv/httpsrv/chroot" >> /etc/ssh/sshd_config
echo "ForceCommand internal-sftp" >> /etc/ssh/sshd_config
echo " " >> /etc/ssh/sshd_config

You may also match on a group using the directive: Match Group

4 Restart SSH to apply the new configuration
Note: systemctl may not be available on older releases, use one of the alternatives below

Ubuntu

systemctl restart ssh.service
or: /etc/init.d/ssh restart
or: service ssh restart

CentOS

systemctl restart sshd.service
or: /etc/init.d/sshd restart
or: service sshd restart

5 Edit httpd.conf and change the two directives to the values below
Example: nano /srv/httpsrv/conf/httpd.conf

DocumentRoot "/srv/httpsrv/chroot/htdocs"
<Directory "/srv/httpsrv/chroot/htdocs">

6 Restart httpsrv and test the new configuration

httpsrv restart

You can now test your installation
Open a web browser and navigate to:
http://localhost/test/phpinfo.php
http://localhost/phpmyadmin
http://localhost

You should now be able to connect to your server over SFTP using the built-in httpsrv account
This account is added to your system during the installation of httpsrv, and the directories for the chroot are prepared by httpsrv 2.0
For security reasons the user httpsrv uses the shell /bin/false by default
This shell only permits the user to connect and log in through SFTP

With this configuration you restrict the user 'httpsrv' and force its root path to /srv/httpsrv/chroot
The web server serves files from the writable folder: /srv/httpsrv/chroot/htdocs
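Added example, not part of httpsrv or of this tutorial: shell helpers for steps 3 and 4. They render the Match stanza, check /srv/httpsrv/chroot against the ownership and mode rules sshd enforces for ChrootDirectory, and syntax-check sshd_config before the restart. The chroot path and the config path are the ones used on this page; the function names are my own.

```shell
#!/bin/sh
# Added example (not httpsrv project code). Assumes GNU stat (Linux).

# Render the Match stanza the tutorial appends. Match blocks must come after
# all global directives, which is why the tutorial appends (>>) to the end.
# ForceCommand internal-sftp runs the SFTP server inside sshd itself, so the
# login works even though the account's shell is /bin/false.
render_match_block() {
  printf '\n# Chroot for %s\nMatch User %s\n' "$1" "$1"
  printf 'ChrootDirectory %s\nForceCommand internal-sftp\n\n' "$2"
}

# sshd rejects a chroot login ("bad ownership or modes for chroot directory")
# unless the directory is owned by root and is not group- or world-writable.
# $2 lets the test use a non-root owner; in production leave it at root.
check_chroot_component() {
  dir="$1"; want="${2:-root}"
  [ -d "$dir" ] || { echo "not a directory: $dir"; return 1; }
  owner=$(stat -c %U "$dir"); mode=$(stat -c %a "$dir")
  mode=$(printf '%s' "$mode" | tail -c 3)            # drop setuid/sticky digit
  g=$(printf '%s' "$mode" | cut -c2); o=$(printf '%s' "$mode" | cut -c3)
  [ "$owner" = "$want" ] || { echo "$dir: owned by $owner, expected $want"; return 1; }
  [ $((g & 2)) -eq 0 ] || { echo "$dir: group-writable (mode $mode)"; return 1; }
  [ $((o & 2)) -eq 0 ] || { echo "$dir: world-writable (mode $mode)"; return 1; }
  return 0
}

# The rule applies to every component of ChrootDirectory, so walk up to /.
check_chroot_path() {
  p="$1"
  while :; do
    check_chroot_component "$p" "${2:-root}" || return 1
    [ "$p" = "/" ] && break
    p=$(dirname "$p")
  done
  echo "ok: $1 satisfies sshd chroot ownership/mode rules"
}

# Syntax-check the config before restarting; a broken file locks you out.
validate_sshd_config() {
  f="${1:-/etc/ssh/sshd_config}"
  for s in sshd /usr/sbin/sshd; do
    command -v "$s" >/dev/null 2>&1 && { "$s" -t -f "$f"; return $?; }
  done
  echo "sshd binary not found; skipping syntax check"; return 2
}
```

Typical use after step 3: `check_chroot_path /srv/httpsrv/chroot && validate_sshd_config && systemctl restart ssh.service`.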

To further harden OpenSSH and SFTP you can change the default port the service listens on and disable login as the root user

Directives (default > changed), examples:

#Port 22 > Port 2222
#PermitRootLogin yes > PermitRootLogin no

References:
project-httpsrv-v2-deb-rpm-based-linux
https://wiki.archlinux.org/index.php/SFTP_chroot

DONATE
Donations are not required but very much appreciated.
Click the link below to donate with PayPal (PayPal.Me)
Link: https://www.paypal.me/freddan88

GitHub
Link: https://github.com/freddan88