Couldn’t setup sftp in ec2

amazon ec2sftpvsftpd

I was trying to setup sftp in AWS EC2 by following the instructions in https://silicondales.com/tutorials/aws-ec2-tutorials/setup-ftp-sftp-aws-ec2-instance/

I have done below steps

Launched a new EC2 instance
Logged in as ec2-user
Installed vsftpd
Updated security group rules by Custom TCP Rules – port ranges 20-21 and 1024-1048

Below changes are done in /etc/vsftpd/vsftpd.conf

anonymous_enable=NO
pasv_enable=YES
pasv_min_port=1024
pasv_max_port=1048
pasv_address=[MY PUBLIC IP]
chroot_local_user=YES

Created a new user and set the password

adduser silicondales
passwd silicondales

Restarted /etc/init.d/vsftpd restart. It is successful as I get the message

After all this I try to connect from my local machine

sftp -oPort=1024 <username>:<password>@<public ip address> and getting ssh: connect to host <Public_IP> port 1024: Connection refused error.I couldn't figure out the issue. Please help me to solve this

Best Answer

SSH, which is already running, provides SFTP. The same key you login to SSH with allows SFTP logins. The SFTP service is provided by SSH, the same software that lets you log in.

You can add users and allow them to login via SFTP. This for example makes it easier to create a user that only has access to your webroot. I have an article about that for Amazon Linux on my blog, which includes some pictures. The essential parts are

Create a new user

sudo su
sudo useradd fred
passwd fred

Create a new key pair

su fred
ssh-keygen -f rsa

mkdir .ssh

touch .ssh/authorized_keys
chmod go-w ~/
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

cat fred.pub >> /home/fred/.ssh/authorized_keys

Allow the user to log in

vi /etc/ssh/sshd_config
PasswordAuthentication no
AllowUsers ec2-user fred

Related Solutions

Python CGI on Amazon AWS EC2 micro-instance — a how-to!

(Strange post, so hopefully this won't be as strange a reply).

On the subject of security flaws: it is considered general bad practice to store cgi-bin scripts within the document root of the web server. Even the W3C eludes to it under "Are compiled languages such as C safer ..." in their World Wide Web Security FAQ:

Consider the following scenario. For convenience's sake, you've decided to identify CGI scripts to the server using the .cgi extension. Later on, you need to make a small change to an interpreted CGI script. You open it up with the Emacs text editor and modify the script. Unfortunately the edit leaves a backup copy of the script source code lying around in the document tree. Although the remote user can't obtain the source code by fetching the script itself, he can now obtain the backup copy by blindly requesting the URL:
    http://your-site/a/path/your_script.cgi~
(This is another good reason to limit CGI scripts to cgi-bin and to make sure that cgi-bin is separate from the document root.)

This is not as significant a threat as the ability to write a file within the document root. However, an attacker could obtain the source code of the cgi, devise a directed attack against it, and use it as a stepping stone into the server.

To mitigate this, you can add the following lines to the lighttpd.conf (or some variation therein) to direct cgi-bin to a directory separate from the /var/www/lighttpd document root.

$HTTP["url"] =~ "/cgi-bin/" { cgi.assign = ( "" => "" ) }
alias.url = ( "/cgi-bin/" => "/usr/lib/cgi-bin/" )

This requires both the cgi and alias modules for lighttpd.

Ftp – Amazon Ec2: Issue with Setting up FTP Server

Either pasv_address needs to be the external IP address, or pasv_addr_resolve=YES needs to be set so that the hostname you entered will be resolved when vsftpd starts. If you use a hostname with pasv_addr_resolve, vsftpd has to be restarted if the IP address changes.

Best Answer

Related Solutions

Python CGI on Amazon AWS EC2 micro-instance — a how-to!

Ftp – Amazon Ec2: Issue with Setting up FTP Server

Related Topic