There are many options for receiving uploaded files from the offline collector, for example S3 buckets, Azure storage services and even the AWS SFTP transfer service.
However, sometimes it is simpler to set up your own SFTP server to receive incoming uploads (it is certainly cheaper than the AWS managed service).
Setting up SSH and SFTP can be tricky for novice Linux users. It is easy to misconfigure things in ways that can leave a server open to exploitation.
Unless you have a strong reason to prefer using SFTP we recommend you consider less arcane alternative options such as the one described in How to set up a local S3 dropbox server using MinIO.
This tip explains how to set up a server securely.
Create a new Linux-based VM and open port 22 for incoming connections. This can be in the cloud or on-prem.
Create an sftpupload user and an upload directory that anyone can write to but nobody can list (these commands need root, so run them with sudo):

sudo adduser sftpupload
sudo mkdir -p /var/sftp/files
sudo chown root:root /var/sftp/files
# Allow anyone to write there
sudo chmod o+wx /var/sftp/files
# No directory listing possible
sudo chmod o-r /var/sftp/files
Edit /etc/ssh/sshd_config so that password logins are disabled and the sftpupload user is confined to SFTP inside a chroot. A Match block applies until the next Match or the end of the file, so add it at the end:

PasswordAuthentication no

Match User sftpupload
    ForceCommand internal-sftp
    PasswordAuthentication no
    ChrootDirectory /var/sftp
    PermitTunnel no
    AllowAgentForwarding no
    AllowTcpForwarding no
    X11Forwarding no

Note that sshd only accepts a ChrootDirectory that is owned by root and not writable by any other user or group; /var/sftp as created above satisfies this. Then restart the sshd service:

$ sudo systemctl restart sshd
Next, switch to the sftpupload user and generate a key pair for it:

$ sudo -u sftpupload bash
$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/sftpupload/.ssh/id_rsa)
# Authorize the user's public key for access
$ cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
# Apply secure permissions: sshd ignores authorized_keys if the directory or file
# is writable by others, and the directory needs the execute bit so the user can
# read its own key
$ chmod -v 700 /home/sftpupload/.ssh
$ chmod -v 600 /home/sftpupload/.ssh/authorized_keys
Now test that uploading works while listing the directory does not:

$ sftp localhost
sftp> put /etc/passwd /files/passwd.txt
Uploading /etc/passwd to /files/passwd.txt
sftp> ls -l files
remote readdir("/files/"): Permission denied

As you can see, the sftpupload user does not have permission to read the directory but can upload files to it.
If we try shell access via SSH it will correctly be denied:

$ ssh localhost
This service allows sftp connections only.
Connection to localhost closed.
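As a further check, the following POSIX shell helper (added here; it is not part of the original tip or of Velociraptor) verifies the ownership and permission requirements the chroot setup above depends on and prints the sshd settings that effectively apply to sftpupload. The paths and user name are those used in the tip; the function names are hypothetical.

```shell
#!/bin/sh
# Added verification helper (not from the original tip or Velociraptor): confirms
# the directory permissions the chrooted SFTP drop relies on and shows the sshd
# settings that actually apply to sftpupload. Paths and user name are the tip's;
# function names are hypothetical.

# check_upload_dir <dir>: "others" must have write and search (w,x) but not read,
# so clients can upload yet cannot list what was uploaded before.
check_upload_dir() {
    [ -d "$1" ] || { echo "$1: missing"; return 1; }
    perm=$(ls -ld "$1" | cut -c1-10)           # e.g. drwxr-x-wx
    case "$perm" in
        d??????-w[xt]) echo "$1: ok ($perm)"; return 0 ;;
        *) echo "$1: others need -wx, not r ($perm)"; return 1 ;;
    esac
}

# check_chroot_dir <dir>: sshd refuses a ChrootDirectory unless it and every
# parent are root-owned and not group/other writable. This checks one directory,
# so call it for /var/sftp (and its parents if they are not system directories).
check_chroot_dir() {
    [ -d "$1" ] || { echo "$1: missing"; return 1; }
    owner=$(ls -ldn "$1" | awk '{print $3}')   # numeric uid of the owner
    perm=$(ls -ld "$1" | cut -c1-10)
    [ "$owner" = "0" ] || { echo "$1: owned by uid $owner, must be root"; return 1; }
    case "$perm" in
        d????-??-?) echo "$1: ok ($perm)"; return 0 ;;
        *) echo "$1: group/other writable ($perm), sshd will refuse the chroot"; return 1 ;;
    esac
}

# show_effective_sftp_config: dump the settings sshd applies to sftpupload
# connecting from localhost (sshd -T needs root to read the host keys).
show_effective_sftp_config() {
    sudo sshd -T -C user=sftpupload,host=localhost,addr=127.0.0.1 |
        grep -Ei '^(passwordauthentication|chrootdirectory|forcecommand|permittunnel|allow(agent|tcp)forwarding|x11forwarding) '
}

# Run all checks against the tip's paths when invoked as: sh check_sftp.sh --run
case "${1:-}" in
    --run)
        check_chroot_dir /var/sftp
        check_upload_dir /var/sftp/files
        show_effective_sftp_config
        ;;
esac
```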
In the offline collector configuration you should use the private key (/home/sftpupload/.ssh/id_rsa), which has the form:

-----BEGIN OPENSSH PRIVATE KEY-----
.....
-----END OPENSSH PRIVATE KEY-----

and for the Endpoint value, specify it in the form <hostname or IP>:<ssh port>.