Mastering SFTP: Complete Guide to Planning, Configuring, and Scaling Secure File Transfers
This comprehensive guide walks you through SFTP server planning, SSH configuration, account creation, directory permissions, logging, monitoring, high‑availability setups, and automation scripts, providing step‑by‑step commands and best practices for secure and scalable file transfers.
SFTP Planning
The SFTP server listens on port 30022. Accounts are created per project and named region‑project‑user (e.g. CHN‑projectname‑a), each with the read/write permissions it needs and a chroot directory.
Configure SFTP
Modify SSH configuration
# vi /etc/ssh/sshd_config
# comment out the external sftp-server binary: it cannot be started inside a chroot
#Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp
# both criteria go on one Match line: a second "Match" line starts a new block,
# so "Match Group sftp" followed by "Match LocalPort 20912" would leave the group check empty
Match Group sftp LocalPort 20912
# chroot to the user's home directory; it must be owned by root and not group/world-writable
# (sshd_config does not allow trailing comments, so keep comments on their own lines)
ChrootDirectory %h
ForceCommand internal-sftp
# systemctl restart sshd
Create SFTP accounts
Create directory structure
# mkdir -p /data/projectname/projectname
# chmod 775 /data/projectname/projectname
# (mkdir creates the chroot root /data/projectname as root:root 755; leave it that way, sshd refuses a group- or world-writable chroot)
Create SFTP users
# groupadd sftp   (the group matched by "Match Group sftp" in sshd_config)
# useradd -s /bin/false -d /data/projectname -G sftp CHN-projectname-b
# useradd -s /bin/false -d /data/projectname -G sftp CHN-projectname-a
Set user passwords
# echo 'CHN-projectname-b:password1' | chpasswd
# echo 'CHN-projectname-a:password2' | chpasswd
Create permission group
# groupadd projectnameRW
Add write‑permission users to the group
# usermod -aG projectnameRW CHN-projectname-b
# (add CHN-projectname-a to the group if it also needs write access)
Configure directory ownership
# chown root:projectnameRW /data/projectname/projectname
Configure ACL permissions
# (use the same data directory and group as above)
# chmod -R g+s /data/projectname/projectname
# setfacl -Rm d:g:projectnameRW:rwx /data/projectname/projectname
# (for existing data) chown -R :projectnameRW /data/projectname/projectname
# chmod -R 775 /data/projectname/projectname
Restart SSH service
# systemctl restart sshd
SFTP client usage
Linux 6
# sftp -oPort=30022 [email protected]
Linux 7
# sftp -P 30022 [email protected]
SFTP log auditing
Enable verbose logging
Add "-l VERBOSE -f AUTHPRIV" to both internal-sftp lines in /etc/ssh/sshd_config so that every session open/close and every file open, close, rename and remove is logged to the authpriv facility:
Subsystem sftp internal-sftp -l VERBOSE -f AUTHPRIV
ForceCommand internal-sftp -l VERBOSE -f AUTHPRIV
Configure log destination
Add an rsyslog rule that sends the authpriv facility to its own file:
authpriv.* /var/log/sftp.log
Because the sftp process runs inside the chroot, it can only reach rsyslog if a /dev/log socket exists below the chroot root; rsyslog's imuxsock module can create one (e.g. $AddUnixListenSocket /data/projectname/dev/log). Without it the VERBOSE messages are silently dropped.
Restart services to apply
# systemctl restart sshd
# systemctl restart rsyslog
SFTP log rotation
/var/log/sftp.log {
monthly
missingok
rotate 6
compress
delaycompress
dateext
create 0600 root root
sharedscripts
postrotate
/bin/kill -HUP `cat /var/run/syslogd.pid` || true
endscript
}
Connection‑limit per user
# cat /etc/security/limits.d/95-sftp-limit.conf
# every SFTP session costs two processes (the per-session sshd plus the internal-sftp child),
# so set nproc to double the number of connections you actually want to allow
@sftp hard nproc 400
# (@sftp = members of the sftp group used in the Match block; a bare user name limits one account instead)
Authentication‑limit
# cat /etc/ssh/sshd_config
# start:rate:full: above 1000 unauthenticated connections drop 30% of new ones, at 1200 drop all of them
MaxStartups 1000:30:1200
Maximum open files per user
# cat /etc/security/limits.conf
* soft nofile 100000
* hard nofile 100000
SFTP monitoring items
Monitor connection count
# netstat -an | grep -E '10.*:30022' | wc -l   (sockets on the SFTP port; adjust the 10.* prefix to your address range)
# or
# ps -ef | grep 'sshd:' | grep 'notty' | wc -l   (one "sshd: user@notty" process per authenticated session)
Log‑based connection alerts
# cat /var/log/sftp.log
Mar 27 14:38:28 ... error: do_exec_no_pty: fork: Resource temporarily unavailable [postauth]
This line means sshd could not fork the sftp process for an already authenticated session: the user's nproc limit above (or the system process limit) was reached and the session was refused. Alert when it appears.
...
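The alert conditions described above (refused sessions, sessions per user, bytes uploaded per user) derived from the VERBOSE sftp log, as an added example that is not part of the article. It assumes OpenSSH's standard internal-sftp message texts ("session opened/closed for local user ...", "close \"path\" bytes read N written M") and the fork error quoted above; the host sftp01, the CHN-demo-* accounts and the pids are constructed sample data.

```shell
#!/bin/sh
# Added example: alerts from /var/log/sftp.log written by internal-sftp -l VERBOSE.
# Message formats are OpenSSH's; the sample below is constructed, not real data.
set -eu

sample_log() {            # constructed sample of /var/log/sftp.log
cat <<'EOF'
Mar 27 14:38:01 sftp01 internal-sftp[4101]: session opened for local user CHN-demo-b from [10.0.0.5]
Mar 27 14:38:03 sftp01 internal-sftp[4101]: close "/demo/report.csv" bytes read 0 written 2048
Mar 27 14:38:10 sftp01 internal-sftp[4120]: session opened for local user CHN-demo-a from [10.0.0.9]
Mar 27 14:38:11 sftp01 internal-sftp[4121]: session opened for local user CHN-demo-a from [10.0.0.9]
Mar 27 14:38:12 sftp01 internal-sftp[4120]: session closed for local user CHN-demo-a from [10.0.0.9]
Mar 27 14:38:28 sftp01 sshd[4199]: error: do_exec_no_pty: fork: Resource temporarily unavailable [postauth]
Mar 27 14:38:29 sftp01 sshd[4200]: error: do_exec_no_pty: fork: Resource temporarily unavailable [postauth]
EOF
}

# fork_errors LOG -> sessions refused because fork() failed (nproc or process limit hit)
fork_errors() { grep -c 'do_exec_no_pty: fork: Resource temporarily unavailable' "$1" || true; }

# open_sessions LOG USER -> sessions opened and not yet closed; the user is the 3rd field from the end
open_sessions() {
  awk -v u="$2" '/session opened for local user/ && $(NF-2) == u { n++ }
                 /session closed for local user/ && $(NF-2) == u { n-- }
                 END { print n + 0 }' "$1"
}

# bytes_written LOG USER -> bytes uploaded; close lines carry only the pid, so map pid -> user first
bytes_written() {
  awk -v u="$2" '/session opened for local user/ { owner[$5] = $(NF-2) }
                 /: close "/ && owner[$5] == u { total += $NF }
                 END { print total + 0 }' "$1"
}

# check_alerts LOG MAX_SESSIONS -> one line per condition, exit status 1 if anything fired
check_alerts() {
  local log=$1 max=$2 rc=0 n u
  n=$(fork_errors "$log")
  if [ "$n" -gt 0 ]; then echo "ALERT: $n sessions refused (fork failed: nproc/MaxStartups limit reached)"; rc=1; fi
  for u in $(awk '/session opened for local user/ { print $(NF-2) }' "$log" | sort -u); do
    n=$(open_sessions "$log" "$u")
    if [ "$n" -gt "$max" ]; then echo "ALERT: $u has $n open sessions (limit $max)"; rc=1; fi
  done
  return $rc
}

log=$(mktemp); sample_log > "$log"
check_alerts "$log" 1 || true; rm -f "$log"      # prints the fork alert for the sample
```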
High‑availability SFTP
Shared storage with Alibaba Cloud NAS
Use NAS as the /data volume and replace ACL commands with nfs4_setfacl.
Consistent UID/GID across servers
Files on the shared NAS are owned by numeric UID/GID, so every account and group must be created with the same numeric ids on every SFTP server (fixed values for useradd -u and groupadd -g), otherwise ownership and the ACLs above differ from node to node. Run the provided Bash script to create users on multiple SFTP servers while keeping UID/GID identical.
#!/bin/bash
# ... (script omitted for brevity) ...
check_server_alive ${server1} ${sftpport}
# ... create users, set passwords, configure directories ...
add_user ${new_user}
Automation script for multiple servers
The script creates project directories, adds SFTP users, sets chroot, configures NAS permissions, and applies ACLs.
#!/bin/bash
# environment variables
homedir='CN-ProjectName'
# create directory
mkdir -p /data/${homedir}/${homedir}
chmod 775 /data/${homedir}/${homedir}
chown root:root /data/${homedir}
# create users and set permissions (script details omitted)
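Both multi-server sections above leave their scripts out. The following is an added example, not the article's script: it runs the project steps from this guide with pinned UID/GID values so that every node behind the shared NAS records the same numeric owners, and refuses to run when an id is already taken on the node. It assumes the sftp group from the Match block already exists with the same GID on every node, creates the accounts with -N -g sftp (no per-user group, whose GID would differ per node), and the project "demo" with ids 5001/6001 is a constructed sample; DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example (not the article's script): provision one project with pinned ids.
# Assumes group "sftp" exists with the same GID on every node; DRY_RUN=1 only prints.
set -eu

run() {                                   # execute, or print the command when DRY_RUN=1
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# id_in_use FILE ID -> 0 if numeric ID already appears as the 3rd field (passwd or group file)
id_in_use() { awk -F: -v id="$2" '$3 == id { f = 1 } END { exit f ? 0 : 1 }' "$1"; }

# provision_project PROJECT BASE_UID GID [PASSWD_FILE] [GROUP_FILE]
#   CHN-PROJECT-a = BASE_UID   (read-only: not in the RW group)
#   CHN-PROJECT-b = BASE_UID+1 (read/write: member of PROJECTRW, which gets GID)
provision_project() {
  local project=$1 base=$2 gid=$3 passwd=${4:-/etc/passwd} group=${5:-/etc/group}
  local home=/data/$project data=/data/$project/$project grp=${project}RW u
  for u in "$base" $((base + 1)); do     # same ids must be free on every node
    if id_in_use "$passwd" "$u"; then echo "UID $u already used on this node" >&2; return 1; fi
  done
  if id_in_use "$group" "$gid"; then echo "GID $gid already used on this node" >&2; return 1; fi
  run groupadd -g "$gid" "$grp"
  run mkdir -p "$data"
  run chown root:root "$home"             # ChrootDirectory %h must be root-owned ...
  run chmod 755 "$home"                   # ... and not group/world writable
  run useradd -u "$base" -N -g sftp -s /bin/false -d "$home" "CHN-$project-a"
  run useradd -u $((base + 1)) -N -g sftp -G "$grp" -s /bin/false -d "$home" "CHN-$project-b"
  run chown "root:$grp" "$data"
  run chmod 2775 "$data"                  # setgid: new files inherit the RW group
  run setfacl -Rm "d:g:$grp:rwx" "$data"  # default ACL for files created over SFTP
}

# stand-alone demo: only prints the commands for the constructed project "demo"
if [ "${1:-}" = "--dry-run" ]; then DRY_RUN=1 provision_project demo 5001 6001; fi
```

Run it on every node with the same arguments; on NAS-backed /data replace the setfacl line with the nfs4_setfacl equivalent mentioned above.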
SFTP idle timeout
Subsystem sftp internal-sftp
# one Match line with both criteria: a second "Match" line would start a separate block
Match Group sftp LocalPort 20981
# probe the client after 600 s without traffic and drop the session if it does not answer
ClientAliveInterval 600
ClientAliveCountMax 0
# (on OpenSSH 8.2 and later a count of 0 disables the check entirely; use 1 there)
ChrootDirectory %h
ForceCommand internal-sftp -l VERBOSE -f AUTHPRIV
SFTP server migration
Refer to external documentation for migration steps.
MaGe Linux Operations