How to restrict SFTP Users Access
2 min read · Dec 13, 2021
Creating an SFTP or FTP user is easy, but by default that user can browse all of your server's files. So we need to restrict the access of the SFTP user you have created. Here are the steps to do it.
Create a Group
$ groupadd developers
Create a new user and add it to the developers group
$ useradd -G developers dev_user
Ensure that the user was added properly to the developers group:
$ id dev_user
Sample output:
uid=1122(dev_user) gid=1125(dev_user) groups=1125(dev_user),1124(developers)
Restrict the user from logging in over ssh (the internal-sftp subsystem configured below does not need a login shell, so SFTP keeps working)
$ usermod -s /usr/sbin/nologin dev_user
Set user password
$ passwd dev_user
Create Home Directory for user
$ mkdir /var/www/html/web/developers   # parent of the home directory; stays owned by root:root (this becomes the chroot)
$ mkdir /var/www/html/web/developers/public
Set Home Directory Access
$ chown dev_user:developers /var/www/html/web/developers/public
Set Home Directory to user
$ usermod -d /var/www/html/web/developers/public dev_user
Note: every directory from /var down to developers must be owned by root and not writable by group or others (755 is fine). sshd refuses the chroot login otherwise and logs "bad ownership or modes for chroot directory".
Update SSH Config
$ sudo nano /etc/ssh/sshd_config
Comment the default subsystem
#Subsystem sftp /usr/lib/openssh/sftp-server
Then add the following. Put the Match block at the end of the file, because a Match block applies to every line after it until the next Match:
Subsystem sftp internal-sftp
Match Group developers
    ForceCommand internal-sftp
    ChrootDirectory /var/www/html/web/developers
    AllowAgentForwarding no
    AllowTcpForwarding no
Restart the service
$ service sshd restart
To test
$ sftp dev_user@<IP_ADDRESS>
If you have any questions, just drop your comment below. I'll be glad to help. 😉
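The steps above leave two things easy to get wrong: the ownership and mode of every directory on the chroot path, and which directory the user actually owns. The following script is an added example, not code from the original post. It walks the ChrootDirectory path the way sshd checks it (root-owned, no group/other write bit on any component), confirms the user owns their writable directory, and prints the Match block to append to sshd_config. The optional second and third arguments of check_chroot_path (expected owner uid and the topmost directory to check) are assumptions added so the check can be exercised outside a root shell; in production call it with the chroot path only.

```shell
#!/bin/sh
# Added example: pre-flight checks for an OpenSSH SFTP chroot.
# Not part of the original post; assumes GNU stat (Linux).

# Verify one directory is owned by WANT_UID and not writable by group/other,
# which is the rule sshd applies to every component of ChrootDirectory.
# Usage: dir_is_chroot_safe DIR WANT_UID
dir_is_chroot_safe() {
    d=$1
    want_uid=$2
    [ -d "$d" ] || { echo "missing: $d"; return 1; }
    uid=$(stat -c '%u' "$d")
    mode=$(stat -c '%a' "$d")
    if [ "$uid" != "$want_uid" ]; then
        echo "bad owner (uid $uid, want $want_uid): $d"
        return 1
    fi
    # Keep the last two octal digits (group, other); 2/3/6/7 carry the write bit.
    last2=${mode#"${mode%??}"}
    case "$last2" in
        *[2367]*) echo "group/other writable (mode $mode): $d"; return 1 ;;
    esac
    return 0
}

# Walk from the chroot directory up to TOP (default "/"), checking each component.
# Usage: check_chroot_path CHROOT [WANT_UID=0] [TOP=/]
# WANT_UID and TOP are test hooks (assumed, not sshd options); sshd always
# requires uid 0 all the way up to /.
check_chroot_path() {
    chroot=$1
    want_uid=${2:-0}
    top=${3:-/}
    status=0
    p=$chroot
    while :; do
        if ! dir_is_chroot_safe "$p" "$want_uid"; then status=1; fi
        if [ "$p" = "$top" ] || [ "$p" = "/" ]; then break; fi
        p=$(dirname "$p")
    done
    return $status
}

# The user's upload directory inside the chroot must belong to the user,
# since the chroot itself stays root-owned and read-only for them.
# Usage: home_is_owned_by USER DIR
home_is_owned_by() {
    user=$1
    dir=$2
    [ -d "$dir" ] || return 1
    [ "$(stat -c '%U' "$dir")" = "$user" ]
}

# Print the sshd_config fragment from the post for GROUP and CHROOT.
# Usage: sftp_match_block GROUP CHROOT
sftp_match_block() {
    printf 'Subsystem sftp internal-sftp\n'
    printf 'Match Group %s\n' "$1"
    printf '    ForceCommand internal-sftp\n'
    printf '    ChrootDirectory %s\n' "$2"
    printf '    AllowAgentForwarding no\n'
    printf '    AllowTcpForwarding no\n'
}

# Stand-alone use: ./sftp-chroot-check.sh developers /var/www/html/web/developers dev_user
main() {
    group=${1:?group}
    chroot=${2:?chroot directory}
    user=${3:?user}
    check_chroot_path "$chroot" || exit 1
    home_is_owned_by "$user" "$chroot/public" || { echo "$chroot/public is not owned by $user"; exit 1; }
    echo "# chroot path OK; append this to the END of /etc/ssh/sshd_config:"
    sftp_match_block "$group" "$chroot"
}
if [ $# -gt 0 ]; then main "$@"; fi
```

Run it as root before restarting sshd; a non-zero exit names the offending directory, which is far quicker than reading the "bad ownership or modes" error out of the auth log after a failed login.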