CentOS SFTP 配置进阶技巧
一 安全加固与权限模型
# Global: serve SFTP with the in-process implementation, so nothing
# outside sshd (no shell, libraries or sftp-server binary) has to exist
# inside the chroot.
Subsystem sftp internal-sftp
# Everything below applies only to members of the sftpusers group.
Match Group sftpusers
# Per-user jail. sshd insists that every component of this path (/srv,
# /srv/sftp, /srv/sftp/<user>) is a root-owned directory that is not
# group- or world-writable; the user gets a writable sub-directory only.
ChrootDirectory /srv/sftp/%u
# Ignore whatever command the client asks for and always start SFTP.
ForceCommand internal-sftp
# Side channels an SFTP-only account has no business using.
AllowTcpForwarding no
X11Forwarding no
# Key-only login for this group; the key file must be readable by sshd
# acting as the user (see the AuthorizedKeysFile setup below).
PasswordAuthentication no
PubkeyAuthentication yes
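# Group the "Match Group sftpusers" block in sshd_config keys on.
sudo groupadd sftpusers
# Set the home directory to the chroot root (same layout the provisioning
# script below uses): with the default /home/sftpuser, sshd cannot chdir
# to it inside the jail and logs "Could not chdir to home directory".
# No shell is granted; sshd forces internal-sftp anyway.
sudo useradd -g sftpusers -d /srv/sftp/sftpuser -s /sbin/nologin sftpuser
sudo mkdir -p /srv/sftp/sftpuser/uploads
# The chroot root (and /srv, /srv/sftp above it) must be owned by root and
# not writable by group/others, or sshd refuses the session.
sudo chown root:root /srv/sftp/sftpuser
sudo chmod 755 /srv/sftp/sftpuser
# The only place the account may write.
sudo chown sftpuser:sftpusers /srv/sftp/sftpuser/uploads
sudo chmod 755 /srv/sftp/sftpuser/uploads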
二 日志审计与故障排查
# VERBOSE adds per-login detail beyond the default INFO (for example which
# key matched). It does not log individual SFTP operations (uploads,
# renames, deletes); those need a log level on the subsystem itself, e.g.
# "ForceCommand internal-sftp -l INFO" in the Match block.
LogLevel VERBOSE
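# Validate the edited sshd_config first, as the reload note at the end of
# this page does: a typo would otherwise stop sshd and lock out the host.
sudo sshd -t && sudo systemctl restart sshd
# CentOS writes sshd authentication messages to /var/log/secure
# (journalctl -u sshd shows the same entries).
sudo grep -- sftpuser /var/log/secure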
三 认证与访问控制
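# Generate the client key pair on the client (Ed25519 preferred: small,
# fast, no key-size choice to get wrong). Set a passphrase when prompted.
ssh-keygen -t ed25519 -f ~/.ssh/id_sftpuser -C "sftpuser@sftp"
# Alternative for clients that cannot use Ed25519 (same output path, so
# pick one of the two):
# ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_sftpuser -C "sftpuser@sftp"
# Install only the PUBLIC half on the server, under a root-owned tree the
# SFTP user cannot reach from inside the jail. The key was written to
# ~/.ssh above, so copy it from there.
sudo mkdir -p /etc/ssh/sftp-keys/sftpuser
sudo cp ~/.ssh/id_sftpuser.pub /etc/ssh/sftp-keys/sftpuser/authorized_keys
sudo chown -R root:root /etc/ssh/sftp-keys/sftpuser
# sshd opens AuthorizedKeysFile with the target user's privileges, so a
# root-owned 0600 file is unreadable to it and key authentication fails.
# 0644 is the right mode: the content is public, and StrictModes only
# requires that the file and its directories not be writable by others.
sudo chmod 644 /etc/ssh/sftp-keys/sftpuser/authorized_keys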
# /etc/ssh/sshd_config
# Password login is disabled for every account, not just the SFTP group,
# so a brute-force attempt has nothing to guess even before fail2ban acts.
PasswordAuthentication no
PubkeyAuthentication yes
# Keys live in a root-owned tree instead of ~/.ssh, so a chrooted SFTP user
# cannot add or replace keys. NOTE: placed here the setting is global and
# replaces ~/.ssh/authorized_keys for admin accounts too; either give them
# a file under /etc/ssh/sftp-keys/<name>/ as well, or move this line into
# the "Match Group sftpusers" block (AuthorizedKeysFile is allowed there).
AuthorizedKeysFile /etc/ssh/sftp-keys/%u/authorized_keys
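# fail2ban is not in the base CentOS repositories; it ships in EPEL, so
# enable that first (a no-op if epel-release is already installed).
sudo yum install -y epel-release
sudo yum install -y fail2ban
# Local overrides belong in jail.local; jail.conf is replaced on upgrade.
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
# In jail.local enable the [sshd] section: enabled = true, maxretry = 3,
# bantime = 3600, and port = the port sshd actually listens on. With the
# move to 4422 below that is 4422, not 22, otherwise bans block the
# wrong port and have no effect.
sudo systemctl enable --now fail2ban
# Move sshd to 4422. Firewall and SELinux label must be in place before
# sshd is restarted, and sshd_config itself needs "Port 4422" (not shown
# on this page). Keep the current session open and confirm the new port
# from a second session before closing the old one.
sudo firewall-cmd --permanent --zone=public --add-port=4422/tcp
sudo firewall-cmd --reload
# semanage comes from policycoreutils-python (CentOS 7) or
# policycoreutils-python-utils (CentOS 8) if it is missing.
sudo semanage port -a -t ssh_port_t -p tcp 4422
# Syntax-check the config before restarting, as the page's reload note does.
sudo sshd -t && sudo systemctl restart sshd
# Client: sftp -P 4422 user@host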
提示:端口变更并不能替代强认证与访问控制。
四 性能与稳定性优化
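# Optional: transport-level compression. This is the Compression keyword,
# not a subsystem flag: sftp-server's -l option takes a log level (QUIET
# through DEBUG3) and "COMPRESS" is not one of them, and a second
# "Subsystem sftp" line is rejected as a duplicate of the internal-sftp
# line already configured above (which also keeps the chroot free of
# external binaries).
Compression yes
# Limits: at most 100 sessions multiplexed over one connection; once 50
# connections are waiting to authenticate, refuse 30 % of new ones, rising
# linearly to all of them at 100.
MaxSessions 100
MaxStartups 50:30:100
# Probe an idle client every 60 s and drop it after 3 unanswered probes
# (about three minutes) so dead sessions release their slots.
ClientAliveInterval 60
ClientAliveCountMax 3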
五 自动化与运维脚本
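#!/usr/bin/env bash
# Provision a key-only, chrooted SFTP account.
#
# Usage:   add-sftp-user.sh <username> <pubkey_file>
# Assumes: sshd_config already carries the "Match Group sftpusers" block
#          with ChrootDirectory /srv/sftp/%u and
#          AuthorizedKeysFile /etc/ssh/sftp-keys/%u/authorized_keys,
#          and that the caller can sudo.
# Exits non-zero on bad arguments, an unacceptable username, a file that
# is not a public key, or any failing command.
set -euo pipefail

readonly SFTP_GROUP=sftpusers
readonly SFTP_ROOT=/srv/sftp
readonly KEY_ROOT=/etc/ssh/sftp-keys

die() { printf '%s\n' "$*" >&2; exit 1; }

if [[ $# -ne 2 ]]; then
  die "Usage: $0 <username> <pubkey_file>"
fi
user=$1
pub=$2

# The name is spliced into paths under $SFTP_ROOT and $KEY_ROOT, so anything
# that is not a plain POSIX user name (e.g. "../x", a leading "-", or a
# name over 32 characters) is refused before it reaches mkdir/chown. This is
# stricter than useradd itself.
if [[ ! "$user" =~ ^[a-z_][a-z0-9_-]{0,31}$ ]]; then
  die "invalid username: $user"
fi
# Refuse to install a file ssh-keygen cannot parse as a public key.
ssh-keygen -l -f "$pub" >/dev/null || die "not a valid SSH public key: $pub"

# Home is the chroot root so the session starts inside the jail; no shell.
sudo useradd -g "$SFTP_GROUP" -d "$SFTP_ROOT/$user" -s /sbin/nologin "$user"
sudo mkdir -p "$SFTP_ROOT/$user/uploads"
# sshd requires the chroot root (and every directory above it) to be
# root-owned and not writable by group/others.
sudo chown root:root "$SFTP_ROOT/$user"
sudo chmod 755 "$SFTP_ROOT/$user"
# The only place the account may write.
sudo chown "$user:$SFTP_GROUP" "$SFTP_ROOT/$user/uploads"
sudo chmod 755 "$SFTP_ROOT/$user/uploads"

# Public key in a root-owned tree the user cannot modify from the jail.
sudo mkdir -p "$KEY_ROOT/$user"
sudo cp -- "$pub" "$KEY_ROOT/$user/authorized_keys"
sudo chown -R root:root "$KEY_ROOT/$user"
# sshd opens AuthorizedKeysFile with the user's privileges: a root-owned
# 0600 file is unreadable and key auth fails. 0644 is correct (the content
# is public; StrictModes only forbids write access for others).
sudo chmod 644 "$KEY_ROOT/$user/authorized_keys"
printf 'User %s created (key-only).\n' "$user"
# This script does not touch sshd_config, so no reload is needed here.
# After editing the config: sudo sshd -t && sudo systemctl reload sshd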