Use SFTP Instead of Samba Share


The switch from Raspberry to MiniPC at the beginning of the year set things in motion. I have made (and will make) many changes to my home IT environment; the following is one of them.

What is SFTP? Simply put, it is file transfer over the SSH port. It can be used in the same way as a Samba share, but it is much more secure. One example of why exposing a Samba share is not a good idea, which you have probably heard of: WannaCry in 2017.

To tell you the truth, I used samba sharing open to the internet for a long time (years). I have never had my server hacked (not even through this), nor have they even tried to log in. However, since I have gotten more serious about security, the time has come to upgrade it. I replaced my Samba share with SFTP for the following reasons:

  • Samba has to be shared on its default ports because of dumb clients (some software does not let you set a custom port)
  • Default ports are scanned non-stop by many bots running on the Internet
  • SSH port is already open
  • SSH is already installed
  • Using SSH does not require extra resources (CPU, memory, storage) unlike using samba
  • With SSH, you can specify a unique port (and this is strongly recommended)
  • I did a quick speed comparison and the difference is not noticeable

And while I'm here, I'll describe how I made the switch.

Let's start!

We will configure the SFTP first and then, if it works, remove the existing Samba installation.

I used the following data in this guide:
Samba user: samba
Your current SSH user: yoursshuser
Server IP: 192.168.0.65
Username: sftpuser
Path to share: /mnt/hdd
SSH port: 54321 (change it to a different one!)

  1. First of all, check your current Samba configuration file. This will allow you to configure SFTP sharing with the appropriate permissions:
    cat /etc/samba/smb.conf
  2. Create a new user without a shell and home directory for SFTP sharing (you will be asked to set its password):
    sudo adduser --no-create-home --shell /bin/false sftpuser
  3. Edit the sshd service config file:
    sudo nano /etc/ssh/sshd_config
  4. Here, allow sftpuser to log in with a password, restrict it to SFTP sessions that start in a specific directory (`-d` only sets the starting directory, it is not a chroot), and (if you have not already done so) set a unique port number for SSH. Keep the Match block at the end of the file:
    AllowUsers yoursshuser sftpuser
    # Set the port to a different one
    Port 54321
    Match User sftpuser
            PasswordAuthentication yes
            ForceCommand internal-sftp -d /mnt/hdd
  5. Restart the SSH service, then try to connect in a new terminal (do not close the current one yet!)
    sudo systemctl restart sshd
  6. Give the correct permission to the target folder, like this:
    sudo chown sftpuser:yoursshuser -R /mnt/hdd
  7. It's time to test! Here's a guide on how to configure SFTP in Total Commander:
    Configure SCP/SFTP with Total Commander (Step-by-Step Guide)
  8. If it works, and you want to make it more secure, use key-based authentication and disable password login in the sshd config file. However, if you use a long password (like 20 characters) and/or have Fail2ban configured, you will be fine.
  9. Do not forget to remove the existing Samba packages:
    sudo apt purge samba -y
  10. And remove the Samba user:
    sudo deluser samba
  11. Close the Samba ports on your router (if any)
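
To review what the sshd settings from this guide actually allow for the SFTP account, and what the key-based hardening step changes, the following added example (not part of the original guide) parses sshd_config text and lists findings for one user. The function names, the simplified parser and the `HARDENED_CONFIG` sample, including its `ChrootDirectory` and `AllowTcpForwarding` lines, are assumptions made for this illustration.

```python
# Added example. Simplified parser (assumption): exact user names, no Include.
GUIDE_CONFIG = """\
AllowUsers yoursshuser sftpuser
Port 54321
Match User sftpuser
        PasswordAuthentication yes
        ForceCommand internal-sftp -d /mnt/hdd
"""  # constructed from the settings shown in this guide
HARDENED_CONFIG = """\
Match User sftpuser
        PasswordAuthentication no
        ChrootDirectory /mnt
        ForceCommand internal-sftp -d /hdd
        AllowTcpForwarding no
"""  # constructed variant; assumes /mnt is root-owned, not writable by others


def effective_settings(config_text, user):
    """Global keywords overlaid with the 'Match User <user>' block."""
    glob, block = {}, {}
    target = glob
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        keyword, value = parts[0].lower(), parts[1] if len(parts) > 1 else ""
        if keyword == "match":
            crit = value.split()
            hit = len(crit) >= 2 and crit[0].lower() == "user"
            target = block if hit and user in crit[1].split(",") else {}
        else:
            target.setdefault(keyword, value)  # sshd keeps the first value read
    return {**glob, **block}


def audit(config_text, user):
    """Return a list of findings; empty means these checks found nothing."""
    s = effective_settings(config_text, user)
    findings = []
    if not s.get("forcecommand", "").startswith("internal-sftp"):
        findings.append("ForceCommand internal-sftp is not set")
    if s.get("chrootdirectory", "none").lower() == "none":
        findings.append("no ChrootDirectory: -d only sets the start directory")
    if s.get("passwordauthentication", "yes").lower() == "yes":
        findings.append("password login is enabled")
    if s.get("allowtcpforwarding", "yes").lower() != "no":
        findings.append("AllowTcpForwarding is not 'no'")
    return findings
```

Calling `audit(GUIDE_CONFIG, "sftpuser")` returns three findings, while the hardened sample returns an empty list; on a live server `sudo sshd -T -C user=sftpuser` prints the effective values sshd itself computes.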

How do I map an SFTP drive to a letter in Windows?

This is a common request, and I'll show you how you can do it in a few steps:

  1. Download WinFsp and SSHFS-Win from GitHub.

  2. Install both applications (click-click-finish).

  3. Open File Explorer, and click on Map network drive.

  4. Enter the path like this:
    \\sshfs\sftpuser@192.168.0.65!54321

  5. Enter your credentials and it should work.

 


Feriman
