CentOS 7 SFTP Setup


I wanted to set up SFTP + non-standard directories + fail2ban and figured an end-to-end solution had to be documented at this point by someone… somewhere. Nope – I had to stitch together several pieces from a handful of Stack Overflow posts to finally get a consolidated solution. I made this a bit more complicated than I expected by changing the default location for the public keys, which then caused SELinux to block key exchange at first. That issue has been fixed in the script below, and the fix will survive reboots.


Configure CentOS

  1. Log into new CentOS server with admin rights
  2. Update /etc/ssh/sshd_config
  3. Restart sshd


Create script to automate account creation, account folders, and account authorized_keys files

  1. Save the following on your SFTP server as sftpAccountSetup.sh and chmod 755 when complete
  2. Call sudo bash sftpAccountSetup.sh account1 account2 account3
    1. The script will check for existing username and exit if found.  Be sure the accounts you attempt to create do not exist already
  3. Get the public key for the account and add content to /sftpkeys/accountX/.ssh/authorized_keys
    1. If you or your clients are primarily Windows shops just use puttygen.  Be sure to copy text from the puttygen GUI – it should not contain any line breaks
  4. Attempt connecting from your remote client, remembering to specify the private key
    1. tail -f /var/log/secure to view log activity
    2. Edit /etc/ssh/sshd_config, uncomment LogLevel, set it to DEBUG3 and restart sshd if you’re still having issues with key authentication
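
An added example, not the author's original script: one way to implement the account setup described above, refusing existing usernames, creating each account's key folder under /sftpkeys, and registering a persistent SELinux label for that tree. The ssh_home_t type, the nologin shell (which assumes sshd_config forces internal-sftp) and all function names are assumptions.

```bash
#!/bin/bash
set -eu
export LC_ALL=C
KEY_ROOT="${KEY_ROOT:-/sftpkeys}"   # key location used on this page

# Accept only conservative names; the name becomes a path component under
# KEY_ROOT, so "/" or ".." must never get through.
valid_name() {
  case "$1" in
    ''|[!a-z_]*|*[!a-z0-9_-]*) return 1 ;;
  esac
  [ "${#1}" -le 32 ]
}

account_exists() { id -u "$1" >/dev/null 2>&1; }

# Create KEY_ROOT/<name>/.ssh (0700) and an empty authorized_keys (0600).
# sshd's StrictModes rejects keys in group- or world-writable paths.
make_key_dir() {
  mkdir -p "$KEY_ROOT/$1/.ssh"
  chmod 755 "$KEY_ROOT"
  chmod 700 "$KEY_ROOT/$1" "$KEY_ROOT/$1/.ssh"
  touch "$KEY_ROOT/$1/.ssh/authorized_keys"
  chmod 600 "$KEY_ROOT/$1/.ssh/authorized_keys"
}

# Persistent SELinux rule (assumed fix): label KEY_ROOT like ~/.ssh so sshd
# may read it. A stored fcontext rule survives relabels; chcon does not.
label_key_root() {
  semanage fcontext -a -t ssh_home_t "${KEY_ROOT}(/.*)?" 2>/dev/null ||
    semanage fcontext -m -t ssh_home_t "${KEY_ROOT}(/.*)?"
  restorecon -R "$KEY_ROOT"
}

main() {
  [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
  # Validate every name first so a bad argument leaves nothing half-created.
  for name in "$@"; do
    valid_name "$name" || { echo "invalid name: $name" >&2; exit 1; }
    ! account_exists "$name" || { echo "exists: $name" >&2; exit 1; }
  done
  for name in "$@"; do
    useradd -m -s /sbin/nologin "$name"   # assumes internal-sftp is forced
    make_key_dir "$name"
    chown -R "$name:" "$KEY_ROOT/$name"
  done
  label_key_root
}
if [ "$#" -gt 0 ]; then main "$@"; fi
```

On CentOS 7 the semanage command comes from the policycoreutils-python package.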


Install fail2ban

  1. Install and set up new config file for fail2ban
  2. Edit the new jail.local in the [sshd] section. The following will block your source IP after 2 bad attempts for 30 seconds. It’s not a bad way to see fail2ban in action, but obviously increase the bantime if using in a production environment.
  3. sudo systemctl restart fail2ban; systemctl status fail2ban
  4. Use fail2ban-client status sshd to view sshd lockouts
    1. iptables -L can also display details about the ban
    2. tail -f /var/log/fail2ban.log to view log activity
  5. Use fail2ban-client set sshd unbanip x.x.x.x to remove the ban