How to restrict SFTP Users Access
2 min readDec 13, 2021
Creating SFTP or FTP user is easy, but as default, it can access all your server files. So we need to restrict the access of the SFTP User you have been created. Here are the following steps on how you can do it.
Create a Group
$ groupadd developersCreate a new user and add it to the developers group
$ useradd -G developers dev_userEnsure that user added properly to group developers:
$ id dev_userSample outputs:uid=1122(dev_user) gid=1125(dev_user) groups=1125(dev_user),1124(developers)
Restrict user from login in using ssh
$ usermod -s /usr/sbin/nologin dev_userSet user password
$ passwd dev_userCreate Home Directory for user
$ mkdir /var/www/html/web/developers //parent of home directory, set to root user and group
$ mkdir /var/www/html/web/developers/publicSet Home Directory Access
$ chown dev_user:developers /var/www/html/web/developers/publicSet Home Directory to user
$ usermod -d /var/www/html/web/developers/public dev_userNote: Make sure permission from var folder to developers folder is set to 755
Update SSH Config
$ sudo nano /etc/ssh/sshd_configComment the default subsystem
#Subsystem sftp /usr/lib/openssh/sftp-serverThen add following
Subsystem sftp internal-sftpMatch Group developers
ForceCommand internal-sftp
ChrootDirectory /var/www/html/web/developers
AllowAgentForwarding no
AllowTcpForwarding no
Restart the service
$ service sshd restartTo test
$ sftp user@<IP_ADDRESS>If you have any questions, just drop your comment below. I’ll be much willing to help. 😉
