Tutorials Archives - TEKSpace Blog
https://blog.tekspace.io/category/tutorials/
Tech tutorials for Linux, Kubernetes, PowerShell, and Azure

Setup SFTP Server And Users In Ubuntu Linux
https://blog.tekspace.io/setup-sftp-server-and-users-in-ubuntu-linux/
Thu, 30 May 2024 20:03:06 +0000

In Linux, chroot stands for change root. It is a process of creating a jailed environment for a calling process (e.g., SFTP) to isolate it from the rest of the system.

SFTP (Secure Shell File Transfer Protocol) is a means of transferring files securely from a client to a server over a network.

Sometimes, you may want to grant SFTP access to allow users to upload files on your Linux server. However, this could pose a security risk to the entire file system.

To mitigate this risk, chroot is used. It changes the root directory of the user during an SFTP session, ensuring isolation from the main system.

Chrooted users cannot break the jail but can still run standard SFTP commands to manage their directories and files.

This is a step-by-step guide for creating an SFTP chroot environment on an Ubuntu 16.04 instance that locks users to their home directory while restricting shell access for security purposes.

Prerequisites

  • A Linux server running Ubuntu 16.04.
  • A non-root user with sudo privileges

Step 1: Creating an SFTP Group

To manage chrooted users, create a group using the groupadd command:

sudo groupadd sftpusers

Replace sftpusers with your preferred group name.

Step 2: Setting Up OpenSSH

SFTP operates over SSH and inherits its security features, including data encryption that prevents password sniffing and man-in-the-middle attacks.

OpenSSH reads configuration settings from /etc/ssh/sshd_config. Modify this file using a text editor such as nano:

sudo nano /etc/ssh/sshd_config

Locate the line:

#Subsystem sftp /usr/lib/openssh/sftp-server

And change it to:

Subsystem sftp internal-sftp

Add the following lines at the end of the file:

Match Group sftpusers
    ChrootDirectory %h
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp

Be sure to replace sftpusers with the group name you created.

Explanation of Configuration:

  • Subsystem sftp internal-sftp: Configures the in-process SFTP server, simplifying chroot configurations.
  • Match Group sftpusers: Applies the settings to users in the sftpusers group.
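  • ChrootDirectory %h: Restricts users to their home directory (%h expands to the user's home directory). sshd requires this directory and every directory above it to be owned by root and not writable by group or others, which is why Step 3 hands ownership of the home directory to root.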
  • X11Forwarding no: Disables X11 forwarding to limit access to graphical applications.
  • AllowTcpForwarding no: Disables TCP forwarding to enhance security.
  • ForceCommand internal-sftp: Ensures only the SFTP process runs upon login.

Restart the SSH daemon after making changes:

sudo service ssh restart

Step 3: Configuring User Accounts

Create and configure user accounts. For example, to create a user named jacob:

sudo adduser jacob

Follow the prompts to set the user password and details. By default, this command creates a home directory /home/jacob. Add the user to the sftpusers group:

sudo usermod -aG sftpusers jacob

Change the ownership of the user’s home directory to root:

sudo chown root:root /home/jacob

Set the appropriate permissions:

sudo chmod 755 /home/jacob

Create subdirectories within the user’s home and assign ownership:

sudo mkdir /home/jacob/outbound
sudo chown jacob:jacob /home/jacob/outbound

sudo mkdir /home/jacob/inbound
sudo chown jacob:jacob /home/jacob/inbound
sudo chmod 700 /home/jacob/inbound

chmod 700 gives only the owner (jacob) read, write, and traverse access to the inbound directory; no other user can read it.

Step 4: Testing the Configuration

Connect to your server using SFTP with the newly created user:

sftp jacob@<your-vps-ip>

Verify the connection by running the pwd command:

sftp> pwd
Remote working directory: /

Step 5: Confirming Shell Access Restriction

Attempt to connect via SSH with the restricted user credentials. If the setup is correct, shell access should be denied.
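
A common reason for the SFTP login in Step 4 to fail is the ownership or mode of the chroot path, which sshd reports as "bad ownership or modes for chroot directory". The following check is an added example, not part of the original post; the function name check_chroot_path and its OWNER_UID and STOP_AT parameters are hypothetical, and it assumes GNU stat as shipped on Ubuntu.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): pre-flight check for the
# directory named by ChrootDirectory. sshd rejects the session unless every
# directory from / down to the chroot is owned by root and is not writable
# by group or others.
#
# check_chroot_path DIR [OWNER_UID] [STOP_AT]   (hypothetical helper)
#   DIR        chroot directory, e.g. /home/jacob
#   OWNER_UID  uid that must own each component; default 0 (root). It is a
#              parameter only so the check can be exercised without root.
#   STOP_AT    topmost directory to inspect; default /
# Prints one line per problem; returns 0 when the path is acceptable.
check_chroot_path() {
    local dir stop_at uid mode rc=0
    local owner_uid="${2:-0}"
    dir=$(cd "$1" 2>/dev/null && pwd -P) || { echo "missing: $1"; return 1; }
    stop_at=$(cd "${3:-/}" 2>/dev/null && pwd -P) || { echo "missing: ${3:-/}"; return 1; }

    while :; do
        uid=$(stat -c '%u' "$dir")     # numeric owner (GNU stat, as on Ubuntu)
        mode=$(stat -c '%a' "$dir")    # octal permission bits, e.g. 755
        if [ "$uid" != "$owner_uid" ]; then
            echo "bad owner: $dir (uid $uid, want $owner_uid)"
            rc=1
        fi
        # 022 masks the group-write and other-write bits.
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "group/other writable: $dir (mode $mode)"
            rc=1
        fi
        if [ "$dir" = "$stop_at" ] || [ "$dir" = "/" ]; then
            break
        fi
        dir=$(dirname "$dir")
    done
    return "$rc"
}
```

On the server, call it as check_chroot_path /home/jacob after Step 3. Running sudo sshd -t before the restart in Step 2 also catches syntax errors in sshd_config.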

Congratulations! You have successfully created a chroot environment with SFTP access for your users.

How To Setup Lets Encrypt SSL Certificate With Nginx on Ubuntu 22.04
https://blog.tekspace.io/how-to-setup-lets-encrypt-ssl-certificate-with-nginx-on-ubuntu-22-04/
Wed, 30 Aug 2023 22:10:39 +0000

Let’s Encrypt is a free and open certificate authority (CA) that provides automated and easily accessible SSL/TLS certificates for securing websites and online services. SSL/TLS certificates encrypt the data exchanged between users and websites, ensuring confidentiality and data integrity. What sets Let’s Encrypt apart is its mission to make encrypted connections ubiquitous across the internet, fostering a more secure online environment.

Let’s Encrypt offers a straightforward process for obtaining and renewing SSL/TLS certificates through automated tools. These certificates are recognized by major web browsers, allowing websites to establish secure HTTPS connections without the financial burden typically associated with purchasing certificates. Let’s Encrypt simplified the process of issuing and renewing certificates, which helped increase the use of HTTPS, improve online privacy, and enhance website and application security.

In this tutorial, we will learn how to set up a Let’s Encrypt SSL certificate to secure an Nginx server on Ubuntu Linux.

Prerequisites

Before we get started, make sure the Nginx web server is set up. Use the link below to set up an Nginx server on Ubuntu.

NOTE: DNS setup is beyond the scope of this article. Make sure the domain name points to the correct server before proceeding with the guide below.

Step 1: Install Certbot software

sudo apt install python3-certbot-nginx certbot 

Output:

rahil@ubuntu:~$ sudo apt install python3-certbot-nginx certbot
[sudo] password for rahil:
Reading package lists... Done
Unpacking python3-zope.component (4.3.0-3) ...
Selecting previously unselected package python3-certbot.
Preparing to unpack .../09-python3-certbot_1.21.0-1build1_all.deb ...
Unpacking python3-certbot (1.21.0-1build1) ...
Selecting previously unselected package certbot.
Preparing to unpack .../10-certbot_1.21.0-1build1_all.deb ...
Unpacking certbot (1.21.0-1build1) ...
Selecting previously unselected package python3-certbot-nginx.
Preparing to unpack .../11-python3-certbot-nginx_1.21.0-1_all.deb ...
Unpacking python3-certbot-nginx (1.21.0-1) ...
Selecting previously unselected package python3-icu.
Preparing to unpack .../12-python3-icu_2.8.1-0ubuntu2_amd64.deb ...
Unpacking python3-icu (2.8.1-0ubuntu2) ...
Setting up python3-configargparse (1.5.3-1) ...
Setting up python3-requests-toolbelt (0.9.1-1) ...
Setting up python3-parsedatetime (2.6-2) ...
Setting up python3-icu (2.8.1-0ubuntu2) ...
Setting up python3-zope.event (4.4-3) ...
Setting up python3-zope.hookable (5.1.0-1build1) ...
Setting up python3-josepy (1.10.0-1) ...
Setting up python3-rfc3339 (1.1-3) ...
Setting up python3-zope.component (4.3.0-3) ...
Setting up python3-acme (1.21.0-1ubuntu0.1) ...
Setting up python3-certbot (1.21.0-1build1) ...
Setting up certbot (1.21.0-1build1) ...
Created symlink /etc/systemd/system/timers.target.wants/certbot.timer → /lib/systemd/system/certbot.timer.
Setting up python3-certbot-nginx (1.21.0-1) ...
Processing triggers for man-db (2.10.2-1) ...
Scanning processes...
Scanning candidates...
Scanning linux images...

Running kernel seems to be up-to-date.

Restarting services...
 systemctl restart unattended-upgrades.service

No containers need to be restarted.

No user sessions are running outdated binaries.

No VM guests are running outdated hypervisor (qemu) binaries on this host.

Step 2: Retrieve new SSL Certificate from Let’s Encrypt

Certbot offers a range of plugins for acquiring SSL certificates. The Nginx plugin handles Nginx reconfiguration and config reloading as needed. To utilize this plugin, enter the following command:

sudo certbot --nginx -d demo.tekspace.io

Note: In the above command, I am only requesting a certificate for a sub-domain. If you are using your main domain and also want to cover www, pass each name with its own -d flag, like this: sudo certbot --nginx -d tekspace.io -d www.tekspace.io

Output:

rahil@ubuntu:/etc/nginx/sites-enabled$ sudo certbot --nginx -d demo.tekspace.io
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): example@outlook.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
Account registered.
Requesting a certificate for demo.tekspace.io

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/demo.tekspace.io/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/demo.tekspace.io/privkey.pem
This certificate expires on 2023-11-28.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

Deploying certificate
Successfully deployed certificate for demo.tekspace.io to /etc/nginx/sites-enabled/demo_tekspace_io
Congratulations! You have successfully enabled HTTPS on https://demo.tekspace.io

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The command above obtains a new SSL certificate from Let’s Encrypt and configures Nginx to use it. The certificate chain and private key obtained by certbot are stored at /etc/letsencrypt/live/demo.tekspace.io/fullchain.pem and /etc/letsencrypt/live/demo.tekspace.io/privkey.pem. Certbot also updates the Nginx configuration file (the server block) so that traffic is served over HTTPS.

That’s it! You now have a new certificate from Let’s Encrypt and staged directly to the location where Nginx can reference those certificates. Browse your application over https and if there are no certificate errors, you have a valid certificate installed.

The website displays a valid SSL certificate.

Certificate details:

Valid Certificate Details from Lets encrypt

Step 3: Check Certbot Auto-Renewal

Let’s Encrypt certificates are valid for a period of ninety days, which encourages users to automate the process of renewal. The certbot package, which we previously installed, streamlines this by incorporating a systemd timer that executes twice daily. It automatically renews certificates within a thirty-day window before expiration.

sudo systemctl status certbot.timer

Output:

rahil@ubuntu:/etc/nginx/sites-enabled$ sudo systemctl status certbot.timer
● certbot.timer - Run certbot twice daily
     Loaded: loaded (/lib/systemd/system/certbot.timer; enabled; vendor preset: enabled)
     Active: active (waiting) since Wed 2023-08-30 21:07:52 UTC; 1h 5min ago
    Trigger: Thu 2023-08-31 03:58:55 UTC; 5h 45min left
   Triggers: ● certbot.service

Here is another command that can come in handy for testing certificate renewals.

sudo certbot renew --dry-run

Output:

rahil@ubuntu:/etc/nginx/sites-enabled$ sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/demo.tekspace.io.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Account registered.
Simulating renewal of an existing certificate for demo.tekspace.io

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all simulated renewals succeeded:
  /etc/letsencrypt/live/demo.tekspace.io/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

If no errors are observed, you’re in good shape. Certbot will manage certificate renewal and Nginx reloads as needed. Should automated renewal encounter an issue, Let’s Encrypt will notify you via the specified email address, alerting you in advance of certificate expiration.

Conclusion

Throughout this guide, you’ve successfully installed the Let’s Encrypt client, certbot. You’ve also obtained SSL certificates for your domain, configured Nginx to employ these certificates, and established automated renewal. For additional guidance on Certbot usage, the official documentation serves as an excellent resource to begin with.

How to renew Ghost blog Let’s Encrypt Certificate
https://blog.tekspace.io/how-to-renew-ghost-blog-lets-encrypt-certificate/
Mon, 18 Apr 2022 21:53:48 +0000

Connect to your Ghost server via SSH and log in as a ghost user.
Then run the following commands:

1. Install the latest ghost-cli via npm

sudo npm i -g ghost-cli@latest

2. Renew certificate by executing the below command

ghost setup ssl-renew

3. Switch to root user

sudo su

4. Upgrade acme.sh inside letsencrypt

"/etc/letsencrypt"/acme.sh --upgrade --home "/etc/letsencrypt"

5. Renew SSL through acme.sh

"/etc/letsencrypt"/acme.sh --cron --home "/etc/letsencrypt" --debug --log

How to Change iCloud Photos Default Folder Location
https://blog.tekspace.io/how-to-change-icloud-photos-default-folder-location/
Fri, 06 Nov 2020 16:32:16 +0000

Suppose you want to change the default iCloud Photos location in Windows 10 to point to a different partition where you have more storage space. The guide below provides step-by-step instructions for changing the default path.

1. Make sure your iCloud backup is turned off from the iCloud app.

2. Delete current iCloud Photos folder from C:\Users\UserName\Pictures\

3. Re-create iCloud Photos folder in C:\Users\UserName\Pictures\

4. Create a link of the folder path to point to external drive or external partition.

mklink /J "C:\Users\USERNAME\Pictures\iCloud Photos" "E:\iCloud\Photo_Backup"

The reason I am recreating the folder is that when the iCloud app is installed, it has a hidden file that doesn’t show up even after you change the view to show hidden files. To avoid the mklink command failing to link to an external path, I just deleted and recreated the folder.

Replace USERNAME with your own username. The above command will create a folder link in your pictures folder that will point to E:\ path.

C:\>mklink /J "C:\Users\USERNAME\Pictures\iCloud Photos" "E:\iCloud\Photo_Backup"
Junction created for C:\Users\USERNAME\Pictures\iCloud Photos <<===>> E:\iCloud\Photo_Backup

MKLINK [[/D] | [/H] | [/J]] Link Target

        /D      Creates a directory symbolic link.  Default is a file
                symbolic link.
        /H      Creates a hard link instead of a symbolic link.
        /J      Creates a Directory Junction.
        Link    Specifies the new symbolic link name.
        Target  Specifies the path (relative or absolute) that the new link
                refers to.

5. Once the above steps are completed, go ahead and click the check box for Photos to start backing up to the external path, as shown below:
Click on Photos check box

New popup will open:
Click on the iCloud Photos and Shared Albums checkbox and click on Done.

In the iCloud photo app, click on “Apply” button.

This will automatically start creating a Photos folder in iCloud Photos and you will see the folder getting synced with files.
