Project Httpsrv 2.0 – Increase security on SFTP (SSH) by configuring a chroot for the user in Linux

Increase SFTP security with chrooted users using httpsrv 2.0 and Linux
By default, a user connecting over SFTP can browse the whole directory tree on the server
A chrooted user is restricted to a single root path and to the files below it
This works from OpenSSH version 4.9 onwards
This tutorial requires that you have httpsrv 2.0 installed on your system
You can also use this tutorial to increase security on any OpenSSH installation
Run all commands below as root or with sudo


Please read this post to install and compile httpsrv 2.0:
Project httpsrv v2.0 – Script to compile, install and manage on DEB/RPM based Linux

1. Install dependencies and other software

DEB-based systems:
apt-get install openssh-server openssh-client nano -y

RPM-based systems (the client package is named openssh-clients there):
yum install openssh-server openssh-clients nano -y

2. Configure a password for user: httpsrv

passwd httpsrv

3. Configure chroot in: /etc/ssh/sshd_config
Copy and paste one line at a time

echo " " >> /etc/ssh/sshd_config
echo "# Chroot for httpsrv" >> /etc/ssh/sshd_config
echo "Match User httpsrv" >> /etc/ssh/sshd_config
echo "ChrootDirectory /srv/httpsrv/chroot" >> /etc/ssh/sshd_config
echo "ForceCommand internal-sftp" >> /etc/ssh/sshd_config
echo " " >> /etc/ssh/sshd_config
  • You may also match on a group using the directive: Match Group
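
sshd refuses a chrooted login unless every component of the ChrootDirectory path is a root-owned directory that is not writable by group or others. The check below is an added example, not part of httpsrv or of the original tutorial; the function names and the optional UID and STOP arguments are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight check for the ChrootDirectory set in step 3.
# Requires GNU stat (Linux). Function names are hypothetical.

# dir_ok DIR [UID]: DIR is a directory owned by UID (default 0 = root)
# and not writable by group or others (mode & 022 == 0).
dir_ok() {
    [ -d "$1" ] || return 1
    owner=$(stat -L -c '%u' "$1") || return 1
    mode=$(stat -L -c '%a' "$1") || return 1
    [ "$owner" -eq "${2:-0}" ] && [ $(( 0$mode & 022 )) -eq 0 ]
}

# check_chroot_path PATH [UID] [STOP]: test PATH and each parent up to STOP
# (default /). UID and STOP exist only so the check can be tried on scratch
# directories without root; on a server call it with PATH alone.
# Directories below PATH (such as the writable htdocs) are not checked.
check_chroot_path() {
    case $1 in /*) ;; *) echo "need an absolute path" >&2; return 2 ;; esac
    p=$1; rc=0
    while :; do
        if ! dir_ok "$p" "${2:-0}"; then
            echo "FAIL: $p must be a directory owned by uid ${2:-0}, mode go-w" >&2
            rc=1
        fi
        if [ "$p" = "${3:-/}" ] || [ "$p" = / ]; then break; fi
        p=$(dirname "$p")
    done
    return "$rc"
}

# Run as a script: ./check-chroot.sh /srv/httpsrv/chroot
if [ "$#" -gt 0 ]; then check_chroot_path "$@"; fi
```

Run check_chroot_path /srv/httpsrv/chroot as root, and run sshd -t to syntax-check /etc/ssh/sshd_config before the restart in step 4.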

4. Restart SSH to apply the new configuration
Note: systemctl may not work on older releases

DEB-based systems (service name: ssh):
systemctl restart ssh.service
or: /etc/init.d/ssh restart
or: service ssh restart

RPM-based systems (service name: sshd):
systemctl restart sshd.service
or: /etc/init.d/sshd restart
or: service sshd restart

5. Edit httpd.conf and change the following two lines to the values below
Example: nano /srv/httpsrv/conf/httpd.conf

DocumentRoot "/srv/httpsrv/chroot/htdocs"
<Directory "/srv/httpsrv/chroot/htdocs">

6. Restart httpsrv and test the new configuration

httpsrv restart

You can now test your installation
Open a web browser and navigate to:

You should now be able to connect to your server using SFTP and the built-in account for httpsrv
This account is added to your system during the installation of httpsrv, and the directories for the chroot are prepared by httpsrv 2.0

The user httpsrv uses the shell /bin/false by default for security reasons
With this shell the user can only connect and log in through SFTP

With this configuration you restrict the user 'httpsrv' and force its root path to /srv/httpsrv/chroot
The webserver will serve files from the writable folder in: /srv/httpsrv/chroot/htdocs

To further enhance security on OpenSSH and SFTP you can change the default port that the service listens on and disable login for the root user in /etc/ssh/sshd_config (current line > new line)

#Port 22 > Port 2222
#PermitRootLogin yes > PermitRootLogin no

