How to provide Secure Isolated (Restricted) SFTP Access for file transfer

Often we need to provide secure but restricted sftp access to our clients to upload or download large files.

Regular sftp accounts allow users to view the login names of other users/clients, and in many default installations even allow them to browse through other users' directories and files. In addition, they can view your system files and any unprotected files and directories, including much of your system configuration under /etc.

When you provide sftp access, you also provide ssh access (sftp is a subsystem of ssh), and as such users can log in.

We address these issues by enclosing the user’s home directory in a chroot jail, which makes it impossible for the user to break out of the home directory and view others’ files and directories. The ForceCommand internal-sftp setting in the configuration below restricts the session to sftp.

Follow the steps below to configure your system.

As root (or with sudo), modify /etc/ssh/sshd_config.

Change the Subsystem sftp line to:

Subsystem sftp internal-sftp

Add this to the end of the file:

Match Group sftp
    ChrootDirectory %h
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp

Save the changes and restart OpenSSH:

sudo service ssh restart

Create a system group for users with restricted sftp access:

addgroup --system sftp

Now you can add users with addsftpuser and delete them with delsftpuser, both from the GitHub project restricted-sftp.

Clone the repository with:

git clone https://github.com/angsuman/restricted-sftp.git

Copy the files addsftpuser and delsftpuser to your ~/bin or any other directory in your PATH like /usr/bin.

Run it by specifying the login name of the sftp user:

addsftpuser new-login

The only downside is that the user cannot upload/download files and directories directly under his home directory (as it is owned by root), but can do so under the Files sub-directory. There the user has full access and can upload/download/delete/rename files and directories. To create additional directories under home, edit the addsftpuser script and create them following the same procedure as Files.
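
With ChrootDirectory %h, sshd refuses the session unless every component of the path to the home directory is owned by root and not writable by group or others, which is why the home directory is root-owned. The check below is an added example, not part of the restricted-sftp project; the function names are made up here and it assumes GNU stat and readlink, as shipped with Ubuntu.

```sh
#!/bin/sh
# Added example (not from the restricted-sftp project): audit a chroot path
# against sshd's ChrootDirectory rule. Function names are hypothetical.
# Assumes GNU stat and readlink, as shipped with Ubuntu.

# chroot_component_ok UID OCTAL_MODE
# Succeeds only if the owner is root (uid 0) and neither the group-write (020)
# nor the other-write (002) bit is set.
chroot_component_ok() {
    uid=$1
    mode=$2
    [ "$uid" -eq 0 ] || return 1
    [ $(( 0$mode & 022 )) -eq 0 ]
}

# audit_chroot_path DIR
# Walks from DIR up to /, reporting every component sshd would reject.
# Returns 0 if all components pass, 1 if any fails, 2 if DIR cannot be resolved.
audit_chroot_path() {
    path=$(readlink -f -- "$1" 2>/dev/null) || path=
    [ -d "$path" ] || { echo "MISSING $1"; return 2; }
    rc=0
    while :; do
        info=$(stat -c '%u %a' -- "$path") || return 2
        if chroot_component_ok "${info% *}" "${info#* }"; then
            echo "ok   $path"
        else
            echo "BAD  $path (uid=${info% *} mode=${info#* })"
            rc=1
        fi
        [ "$path" = / ] && break
        path=$(dirname -- "$path")
    done
    return $rc
}

# When run with arguments, audit each given home directory, for example:
#   sh audit-chroot.sh /home/new-login
if [ $# -gt 0 ]; then
    status=0
    for home in "$@"; do
        audit_chroot_path "$home" || status=1
    done
    exit $status
fi
```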

How to list all URLs in a Redirect chain

This simple utility is extremely useful in detecting bad redirects and loops, especially in big websites. You can also include it in scripts.

wget http://gmail.com 2>&1 | grep Location:

The response, in this case, is:

Location: https://www.google.com/gmail/ [following]
Location: https://mail.google.com/mail/ [following]
Location: https://accounts.google.com/ServiceLogin?service=mail&passive=true&rm=false&continue=https://mail.google.com/mail/&ss=1&scc=1&ltmpl=default&ltmplcache=2&emr=1&osid=1# [following]

OVH: How to add Additional IP Addresses (IP Alias) on Ubuntu 16.04 / 18.04

Adding additional IP addresses in OVH is rather unconventional and the guide they point to in their mail is non-existent. The process, fortunately, is simple:

  1. ssh to the server as root
  2. cd /etc/systemd/network/
  3. vi *-default.network
  4. Add the new IP address after the original IPv4 Address
    DHCP=no
    Address=Main_IP/24
    Address=Failover_IP/32
  5. Save and close the file
  6. Reboot the server

You should now be able to ssh to the server using the new IP Address (which OVH likes to call Failover IP Address) in addition to the old one.
Repeat the process for any additional IP addresses.
Note: I have tested it on two different OVH Servers (in France & Canada) for Ubuntu 16.04 and Ubuntu 18.04.

LXD: How to easily apt update and upgrade all running LXD containers

It is easy to create a large number of LXD / LXC containers, as they consume minimal resources. Coupled with btrfs, they also consume minimal hard-disk space thanks to the de-duplication built into the btrfs file system. Soon you will find yourself spending a significant amount of time updating (sudo apt update) and upgrading (sudo apt -y upgrade) all these containers (don’t forget: sudo apt -y autoremove). Here is a simple bash-fu one-liner which you can run from the host to update all the running containers:

lxc -c ns --format csv ls|grep RUNNING|cut -f1 -d',' | xargs -I'{}' sh -c "echo Updating '{}';lxc exec '{}' -- apt -qq update;lxc exec '{}' -- apt -qq -y upgrade;lxc exec '{}' -- apt -qq -y autoremove"

The code has been tested on Ubuntu 16.04, but it is expected to work on any Ubuntu system starting from 16.04. For previous version(s), use apt-get instead of apt.