How to Configure MySecureShell FTP Server
MySecureShell is a free FTP server you can install on either a VPS or a dedicated server to transfer files between your server and your local computer (or another server). It is a great alternative to vsFTPd or ProFTPd. MySecureShell, or MSS for short, is claimed to be very secure, easy to use, easy to configure and highly configurable because it is based on OpenSSH, which is itself very secure. Installation is also easy and can be done within seconds on any Linux distro.
With the MSS FTP server you get:
– Control of FTP bandwidth.
– Security rights information.
– Administration of the server with a graphical interface.
– Management of server activity with logs.
– Restriction of users by IP, groups…
– No certificate problems: no uncertified certificates (or paying to have one authenticated) and no certificate generation.
– Support for public and private keys for secure authentication without a password.
So are you ready to switch your old FTP server to MSS? Follow the steps below and you’ll see how easy it is to set up and configure MySecureShell on your VPS.
What You Need
- A VPS running your favorite Linux distro. In this example I use a 512MB cloud VPS from Atlantic.net (a test server of Servermom). Need a recommendation? If you need a test server with hourly billing, then Atlantic.net, DigitalOcean and a few other cloud providers will come in handy.
- An SSH client to access your server. PuTTY or a terminal will do.
- Basic knowledge of common shell commands.
- A cup of coffee or tea
- About 15 minutes of your time
How To
Step 1 – Log in to your server as root or as a user with root privilege (sudo).
Step 2 – Install MySecureShell FTP server on your VPS following my previous guide.
Step 3 – Find out in which directory MSS is installed. This is important because you have to specify that path when creating new FTP users or assigning existing users to the SFTP server. Simply issue this command:
whereis mysecureshell
It will then give you an output similar to this:
Step 4 – In my example above, MSS was installed at /usr/bin/mysecureshell. Next, create a new user with this command:
useradd -m -s /usr/bin/mysecureshell servermom
Change the MSS path and servermom to your own. Also set a password for the newly created user:
passwd servermom
example:
Step 5 – Once the user is created, you have to assign that user to MSS:
usermod -s /bin/mysecureshell servermom
Again, replace the MSS path and servermom with your own.
Step 6 – You can now use your favorite FTP Client to access your server.
Or, if you access your FTP server from another Unix server or a local Linux computer, issue this command:
sftp servermom@xxx.xxx.xxx.xxx
Replace servermom with your own username and xxx.xxx.xxx.xxx with your server IP:
That’s it.
MySecureShell Configuration
The default MSS config file is located at /etc/ssh/sftp_config, which you can edit using your favorite editor such as nano or vi.
nano /etc/ssh/sftp_config
It looks like this by default:
The good news is every line of configuration has its own explanation so you can easily understand what each line is for.
Common Adjustments
1. Limit the download or upload speed for the FTP users.
2. Give users access ONLY to their own home directory
    <Default>
        # For all users, they will have access to their own home directory
        Home /home/$USER
    </Default>
3. Force users to stay in their home directory, limit their download speed to (any)k and limit their upload speed to (any)k
    <Group users>
        # Force users to stay in their home directory
        StayAtHome true
        # Limit their download speed to 128k
        Download 128k
        # Limit their upload speed to 16k
        Upload 16k
    </Group>
4. Common MySecureShell setting for multiple websites:
– Give clients full rights to manage their website content
– Limit the bandwidth
– Force rights creation
– Limit the number of connections and idle time
– Restrict their rights on files and folders
This can be done with these lines:
    <Default>
        # For all users, they will have access to their own home directory
        Home /home/$USER
        # Force users to stay in their home directory
        VirtualChroot true
        # Set global download for the server to 100m
        GlobalDownload 100m
        # Set global upload for the server to 100m
        GlobalUpload 100m
        # Limit user download speed to 1m
        Download 1m
        # Limit user upload speed to 1m
        Upload 1m
        # Limit 6 users per IP
        LimitConnectionByIP 6
        # We limit a user up to 2 simultaneous connections
        LimitConnectionByUser 2
        # We do not want users to keep forever their idle connection
        IdleTimeOut 10m
        # Force user and group to apache daemon username
        # to avoid rights issues
        ForceUser www-data
        ForceGroup www-data
        # We do not want users to be able to set execution files
        MaximumRights 0640 0750
        # We do not want users to be able to change file attributes
        DisableSetAttribute true
    </Default>

    <VirtualHost www.example.com>
        # Set home directory for this virtualhost
        Home /var/www/sites/www.example.com
        # Set dedicated log file
        LogFile /var/log/sftp/www.example.com
    </VirtualHost>

    <VirtualHost www.exemple.fr>
        # Set home directory for this virtualhost
        Home /var/www/sites/www.exemple.fr
        # Set dedicated log file
        LogFile /var/log/sftp/www.example.com
        # Override the maximum number of connection per user
        LimitConnectionByUser 4
    </VirtualHost>
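Section tags in sftp_config are easy to mismatch when blocks are copied from one section to another. The following is an added example (not from the original article or the MySecureShell project): a small shell linter that reports any section closed by a different tag or never closed. The function name lint_sftp_config and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: check that every <Tag ...> section in an sftp_config-style
# file is closed by the matching </Tag>.

# lint_sftp_config FILE
# Prints one line per problem and returns non-zero if any was found.
lint_sftp_config() {
    awk '
    { sub(/#.*/, "") }                        # ignore comments
    match($0, /<\/[A-Za-z]+>/) {              # closing tag such as </Group>
        tag = substr($0, RSTART + 2, RLENGTH - 3)
        if (depth == 0) {
            printf "line %d: </%s> has no opening tag\n", NR, tag; bad = 1
        } else {
            if (tag != stack[depth]) {
                printf "line %d: </%s> closes <%s> opened on line %d\n", NR, tag, stack[depth], opened[depth]
                bad = 1
            }
            depth--
        }
        next
    }
    match($0, /<[A-Za-z]+/) {                 # opening tag such as <Default>
        stack[++depth] = substr($0, RSTART + 1, RLENGTH - 1)
        opened[depth] = NR
    }
    END {
        for (; depth > 0; depth--) {
            printf "line %d: <%s> is never closed\n", opened[depth], stack[depth]; bad = 1
        }
        exit bad + 0
    }' "$1"
}

# Constructed sample: the VirtualHost section is closed with the wrong tag.
sample=$(mktemp)
cat > "$sample" <<'EOF'
<Default>
    Home /home/$USER   # per-user home
</Default>
<VirtualHost www.example.com>
    Home /var/www/sites/www.example.com
</Group>
EOF

lint_sftp_config "$sample" || echo "sftp_config needs fixing"
```

On a server, run it against /etc/ssh/sftp_config before restarting the service.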
5. Common command: Adding new user
A new FTP user can be added using the command below:
sftp-user create username
In this example I created a new FTP user called servermom2:
6. Common command: Check FTP server status, stop or restart it
    # Check the current status (up/down)
    service mysecureshell status
    # Allow new SFTP connections
    service mysecureshell start
    # Deny new SFTP connections and keep current connected users
    service mysecureshell stop
    # Deny new SFTP connections and kill current running (clean memory as well)
    service mysecureshell fullstop
    # Make a fullstop and start
    service mysecureshell restart
example:
7. Common command: Check MySecureShell installation / config
sftp-verif
sample output:
Conclusion
MySecureShell is a really great alternative to vsFTP or ProFTP considering how easy it is to use and to configure. It also comes with complete, straightforward documentation that makes it easy to learn. So if you want an easy way to build, set up and have a working FTP server in no time, MySecureShell is the answer.
FTP is a good option only when there is someone to manage it well. However, Binfer is a cheaper and more secure alternative to FTP. See FTP alternative.
Thanks for your opinion
Aren’t steps 4 and 5 redundant? In step 4 you create the user with the shell /usr/bin/mysecureshell but then in step 5 you usermod the user to set their shell to /usr/bin/mysecureshell (at least according to your screenshot, you actually say “/bin/mysecureshell” in your written instructions)
I’m a bit curious. When you try to SFTP into your server, what’s to stop the OpenSSH built in SFTP server from answering? When I did the above, even though my testuser’s shell was set to /bin/MySecureShell when I sftp’d in I realized I wasn’t in a chroot jail, I thought that was odd. I then ran “sftp-who”, which is a secureshell command, and it said no users were sftp’d in. I eventually went to /etc/ssh/sshd_config and changed:
Subsystem sftp /bin/MySecureShell
instead of “internal-sftp” or even “/usr/libexec/openssh/sftp-server”
Once I did that I sftp’d in and this time I was chroot’d, also I ran “sftp-who” and I saw I was sftp’d in. So in your example, #6 above, I suspect you actually just sftp’d into the built in openssh sftp server and not mysecureshell.
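The two checks raised in this thread, the shell path written by steps 4 and 5 and the Subsystem line in sshd_config, as an added example that is not part of the original post, the comments or the MySecureShell project. The requirement that Subsystem sftp point at the MySecureShell binary is taken from the last comment and is treated as an assumption here; the function names and the sample passwd and sshd_config contents are constructed.

```shell
#!/bin/sh
# Added example: confirm an account is actually routed through MySecureShell.

# login_shell USER PASSWD_FILE -> the user's login shell (7th passwd field)
login_shell() {
    awk -F: -v u="$1" '$1 == u { print $7; exit }' "$2"
}

# sftp_subsystem SSHD_CONFIG -> command on the first active "Subsystem sftp" line
sftp_subsystem() {
    awk 'tolower($1) == "subsystem" && $2 == "sftp" { print $3; exit }' "$1"
}

# audit_mss USER MSS_PATH PASSWD_FILE SSHD_CONFIG
# Returns 0 only if both the login shell and the sftp subsystem are MSS_PATH
# (the subsystem requirement is an assumption based on the comment above).
audit_mss() {
    mss=$2 rc=0
    shell=$(login_shell "$1" "$3")
    subsys=$(sftp_subsystem "$4")
    if [ "$shell" = "$mss" ]; then
        echo "OK   login shell of $1 is $mss"
    else
        echo "FAIL login shell of $1 is '${shell:-not found}', expected $mss"; rc=1
    fi
    if [ "$subsys" = "$mss" ]; then
        echo "OK   Subsystem sftp is $mss"
    else
        echo "FAIL Subsystem sftp is '${subsys:-unset}', expected $mss"; rc=1
    fi
    return "$rc"
}

# Constructed sample files (not real system data): the shell was set with the
# /bin path while the binary lives in /usr/bin, and sshd still uses internal-sftp.
dir=$(mktemp -d)
cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
servermom:x:1001:1001::/home/servermom:/bin/mysecureshell
servermom2:x:1002:1002::/home/servermom2:/usr/bin/mysecureshell
EOF
cat > "$dir/sshd_config" <<'EOF'
#Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp
EOF

audit_mss servermom /usr/bin/mysecureshell "$dir/passwd" "$dir/sshd_config" || true
```

On a real server, pass the path reported by whereis mysecureshell together with /etc/passwd and /etc/ssh/sshd_config. The comparison is on path strings, so on systems where /bin is a symlink to /usr/bin a /bin versus /usr/bin mismatch is only cosmetic.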