Tagged: Ubuntu

Linux chroot, jail or isolate SFTP user to a directory – Debian/Ubuntu – How-to

I’m assuming you are logged in as root.

!IMPORTANT!
The directory and its parent directories you assign to ChrootDirectory MUST be owned by root and assigned the group root. Otherwise SFTP clients will not be able to connect, access, upload or modify files and directories.

Install Open SSH Server

apt-get install openssh-server -y

chroot user

adduser USERNAME
passwd USERNAME

Edit SSH Server config

nano +77 /etc/ssh/sshd_config

Comment out & add

# Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp

Chroot USERNAME to directory /var/www/html
Add to bottom of config & save file.

### Custom ###
Match User USERNAME
ChrootDirectory /var/www/html
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp

Restart SSH Server

service ssh restart

Linux Self-signed SSL Certificate & Setup on NGINX – Debian/Ubuntu – How-to

I like to organize my SSL certs inside my web server folder for easy access and organization. I also like to create sub-folders for each domain and name each certificate with its corresponding domain name (example: /etc/nginx/ssl/domain.com/domain.com.crt). You can organize and name your certs in any way you see fit.

*I assume you are logged in as root.
*Replace NAME with your host/domain name. Don’t forget the NGINX config as well!

Install OpenSSL

apt-get install -y openssl

Create SSL directories

mkdir /etc/nginx/ssl
mkdir /etc/nginx/ssl/NAME
cd /etc/nginx/ssl/NAME

Generate key

openssl genrsa -out "/etc/nginx/ssl/NAME/NAME.key" 2048

Create SSL request

openssl req -new -key "/etc/nginx/ssl/NAME/NAME.key" -out "/etc/nginx/ssl/NAME/NAME.csr"

Validate SSL request and create SSL certificate

openssl x509 -req -days 1825 \
    -in "/etc/nginx/ssl/NAME/NAME.csr" \
    -signkey "/etc/nginx/ssl/NAME/NAME.key" \
    -out "/etc/nginx/ssl/NAME/NAME.crt"

Setup NGINX

Add to NGINX host config

listen 443 ssl;
ssl_certificate     /etc/nginx/ssl/NAME/NAME.crt;
ssl_certificate_key /etc/nginx/ssl/NAME/NAME.key;

Or just use my config. It also includes a non-https redirect, just replace NAME with your host name. (VIEW CONFIG HERE).

wget --no-check-certificate -O /etc/nginx/sites-available/rutorrent-hostip-ssl https://raw.githubusercontent.com/internetbear/library/master/nginx/site-available/hostip-ssl