Create an AWS EC2 based SFTP server

Create a server in AWS Management Console:

1. Navigate to Services | Compute | EC2
2. Pick a region from upper right drop down
• Remember: EC2 is a per region service. Instances will be deployed in the region selected.
3. Choose Launch Instance and then optionally select Free tier only checkbox.
4. Chose Amazon Linux 2 AMI (HVM), SSD Volume Type.  
5. Chose t2.micro instance and then Next: Configure Instance Details
6. Keep all the options default assuming Number of Instances is 1 and  chose Next: Add Storage
7. Keep default 8 GB General Purpose SSD (gp2) and chose Next: Add Tags
• Remember: 12 month free tier provides 30 GB of EBS storage, combined over any combination of General Purpose (SSD) or Magnetic Disks
8. Add tags as desired and chose Next: Configure Security Group
• Tags are key value pairs you define to assist with management as your AWS environment grows.
• A simple but useful tag example might be Name : OpenSSHserver01
9. Chose Create a new security group, name it WebDMZ or something appropriate. The idea is we are controlling access to this server from the Internet.  Chose Review and Launch
• One rule needs to be SSH over TCP port 22 from Anywhere, or optionally a specific IP if possible.
10. Review options and choose Launch
11. When prompted, chose an existing keypair or create a new one. If creating new, download the keypair to a known location.  Chose Launch Instances.
12. Chose View Instances and monitor progress.
13. When the Instance State changes to running you can test remote access.

Test remote access:

1. In the AWS Console, copy the IPv4 Public Address to your clipboard.
2. If you created a new keypair, in Windows run PuTTYgen.
3. Choose Load and point to your .pem file you downloaded previously. You may have to change the file type to All Files *.* to find it.  Then choose Save private key to use it in PuTTY.  Name and save it somewhere appropriate.
4. Open PuTTY, expand SSH and chose Auth.
5. Browse to the new private key you just saved.
6. Choose Session, paste the IPv4 Public Address into Host Name (or IP Address)
7. When prompted for a user name, enter ec2-user
8. It would be a good idea to run sudo yum update to apply any available updates.

Change server remote access from keypair to user / password authentication:

1. Set a password for ec2-user via sudo passwd ec2-user
2. Open sshd_config file via sudo nano ../../etc/ssh/sshd_config
3. Change PasswordAuthentication no to PasswordAuthentication yes
4. Restart the SSH service via sudo service sshd restart
5. Test access via SFTP using username / password authentication (I personally use the WinSCP client)
6. Test CRUD access by copying and deleting file in /home/ec2-user folder

Create a CHROOT jail for SFTP user(s):

1. Create a new user group via sudo groupadd sftponly where sftponly is your group name
2. Add a new user and prevent SSH login via /bin/false via sudo useradd -g sftponly -s /bin/false -m -d /home/sftpuser sftpuser where sftpuser is the username
1. IF the user already exists, modify it appropriately via sudo usermod -G sftponly -s /bin/false sftpuser
3. Set the new user password via sudo passwd sftpuser
4. Change the permissions on the user's home directory. Make root the owner, essentially disabling access from the new user. Run:
1. sudo chown root /home/sftpuser
2. sudo chmod 755 /home/sftpuser
5. Create a home sub-directory that the new user can use, here sftpfolder. Run:
1. sudo mkdir /home/sftpuser/sftpfolder
2. sudo chmod 755 /home/sftpuser/sftpfolder
3. sudo chown sftpuser:sftponly /home/sftpuser/sftpfolder
6. Configure SSH via sudo nano  ../../etc/ssh/sshd_config
7. Change the sftp subsystem. Change subsystem sftp /usr/lib/openssh/sftp-server line to subsystem sftp internal-sftp
8. Add information re: the sftponly group to the SSH configuration. Add the following to the end of the sshd_config file: 
• Match Group sftponly
• ChrootDirectory %h
• ForceCommand internal-sftp
• AllowTcpForwarding no
• X11Forwarding no
9. restart SSH via service sshd restart