How to Set Up an SFTP Server in Google Cloud and Restrict Access

In this short article I'll show the steps needed to properly set up an SFTP server on Google Cloud's Compute Engine, so that a user can upload files but only has access to one specific folder.

The procedure takes no more than 12 minutes, and the user will authenticate with a username and password. SFTP also supports authenticating with a certificate; in that case you add the certificate to the Compute Engine instance metadata and to your SFTP client.

First, go to Google Cloud Platform, open Compute Engine and click Create Instance. Give it a name and choose the machine type; GCP shows the estimated cost automatically.


Under Boot Disk, click Change, choose CentOS and set the disk size. Leave the rest at the defaults and click Create.


At this point you probably already have a firewall rule allowing incoming TCP connections on port 22. If not, go to Console / VPC Network and create a firewall rule that allows incoming TCP traffic on port 22. While in VPC Network, reserve a static IP address for the newly created instance.

Now SSH into the new instance; the following configuration is done there.

First, add a user:

sudo adduser USERNAME

Now assign a password to this user:

sudo passwd USERNAME

Then create a restricted group for this user:

sudo groupadd restricted

And add the user to that group:

sudo usermod -g restricted USERNAME

Now create the folder the user will upload files to, with write access:

mkdir upload
sudo chmod -R 777 ./upload

Now open the SSH daemon configuration file with:

sudo vi /etc/ssh/sshd_config

Press i to enter insert mode, then replace:

Subsystem sftp /usr/lib/openssh/sftp-server

with:

Subsystem sftp internal-sftp

At the end of the file, add:

Match group restricted
ChrootDirectory /home/
ForceCommand internal-sftp
AllowTcpForwarding no
X11Forwarding no

And three more settings:

ListenAddress XXX.XXX.XXX.XXX
PasswordAuthentication yes
PermitRootLogin no

Note that with this setting the SFTP service listens on IPv4 only, not IPv6. Listening on the whole Internet (ListenAddress 0.0.0.0) is very risky because of brute-force password attacks, so set a specific IP address to listen on, or use iptables and the GCP firewall to block unwanted connections outside sshd_config. Also make sure this block of the file is set up properly:

# GSSAPIAuthentication yes
GSSAPICleanupCredentials no

Allowing GSSAPI authentication through SSH exposes the system's GSSAPI to remote hosts, increasing the attack surface of the system.

Type :wq! to save and exit. If you made a mistake and want to start over, type :q! instead. If you want a script that automatically uploads the files to Google Cloud Storage, click Edit on the instance before restarting it and add the script as a startup script:


Now you can restart the instance. Note that you will still be able to SSH into it:


Now open FileZilla and connect with:

Host sftp://EXTERNAL_IP_OF_INSTANCE, the username, the password and port 22


Done! You can also use the SFTP server from the command line:

sudo apt install lftp
lftp sftp://USERNAME:PASSWORD@EXTERNAL_IP
# at the lftp prompt:
put file.txt
