The Buffalo WZR-HP-G300NH2 router already ships with SFTP server functionality in the professional firmware, and it can easily be configured to be Internet-accessible. However, the default setup is not secure because:
- You have to log in to the SFTP server as root
- The root account has shell access
- The root account can log in from the Internet
So to make our SFTP server more secure, here is what I have done:
- Create another account for SFTP access
- Configure the account to have only SFTP access but no shell access
- Block root account access from Internet
- Rate-limit the number of new connections per minute
- Use a different port other than the default SSH port 22
To do this, I added the following to the startup script through the administrator web page (the original one-line form has been split into one command per line; note that -r takes the RSA host key file as its argument, so it must be followed directly by the key path):
if [ -d /mnt/sda_part1/home ]; then
    # add the group only if it is not already present
    grep -q users /etc/group || echo "users:x:100:" >> /etc/group
    # add the SFTP-only user; the login shell is sftp-server, so no interactive shell
    grep -q vcd /etc/passwd || echo "vcd:(makepasswd):500:100:VCD:/mnt/sda_part1/home/vcd:/usr/libexec/sftp-server" >> /etc/passwd
    # let the SFTP server read the account information under /tmp/etc
    chmod 755 /tmp/etc
    # second dropbear instance: no root login, no port forwarding, own port and pid file
    dropbear -w -s -g -j -k -r /tmp/root/.ssh/ssh_host_rsa_key -d /tmp/root/.ssh/ssh_host_dss_key -p (port) -P /var/run/dropbear-sftp.pid
fi
and added the following rule to the Firewall section of the administrator web page:
iptables -I INPUT -p tcp --dport (port) -m state --state NEW -m limit --limit 30/min -j ACCEPT
Reboot the router so that the startup script runs.
There are several things to note:
- Before you add the script, make sure you have created the folder for the SFTP server with the appropriate owner and group (the uid and gid used in the passwd line, 500 and 100 in my case)
- Remember to replace the two paths used in the script with the path to your SFTP folder. In my case I used /mnt/sda_part1/home/vcd
- Adding the group is not essential; I add it for completeness
- You should replace (makepasswd) with a password hash, not a cleartext password. You can generate one by running the following command on a machine with makepasswd installed:
echo "mypassword" | makepasswd --clearfrom=- --crypt-md5
Remember to escape characters such as $ in the hash (for example \$1\$...) when you paste it into the startup script: the passwd line sits inside double quotes, so an unescaped $1 and the $salt and $hash parts would be expanded by the shell to empty strings and the password field would end up blank!
- The login shell has been configured as /usr/libexec/sftp-server. In this way the user only has SFTP access but no shell access
- chmod 755 /tmp/etc is needed to allow the SFTP server to read the user account information in /etc/passwd. By default that directory is accessible only to the root account, and /etc/passwd is located inside it.
- The meaning of the dropbear options used is given in its usage text:
Dropbear sshd v2011.54
Usage: dropbear [options]
Options are:
-b bannerfile      Display the contents of bannerfile before user login (default: none)
-d dsskeyfile      Use dsskeyfile for the DSS host key (default: /etc/dropbear/dropbear_dss_host_key)
-r rsakeyfile      Use rsakeyfile for the RSA host key (default: /etc/dropbear/dropbear_rsa_host_key)
-F                 Don't fork into background
-E                 Log to stderr rather than syslog
-m                 Don't display the motd on login
-w                 Disallow root logins
-s                 Disable password logins
-g                 Disable password logins for root
-j                 Disable local port forwarding
-k                 Disable remote port forwarding
-a                 Allow connections to forwarded ports from any host
-p [address:]port  Listen on specified tcp port (and optionally address), up to 10 can be specified (default port is 22 if none specified)
-P PidFile         Create pid file PidFile (default /var/run/dropbear.pid)
-W                 (default 24576, larger may be faster, max 1MB)
-K                 (0 is never, default 0, in seconds)
-I                 (0 is never, default 0, in seconds)
- You should also replace the (port) with the port number you want to use with SFTP
- You can adjust the connection rate limit in the iptables rule. Note that the rule only ACCEPTs new connections up to the limit (30 per minute, with the limit module's default burst of 5); connections above that fall through to the remaining INPUT rules, so they are rejected only if a later rule or the chain's default policy drops traffic to that port
- If you enable NAS Samba after you have added the script and then reboot the router, you might be unable to log in, because NAS Samba overwrites the /etc/passwd file
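The account-creation part of the startup script, and the blank-password-field pitfall described in the notes above, as an added example that is not code from the original post or from the Buffalo firmware. The functions take the passwd and group file paths as parameters so they can be exercised against scratch copies; the grep is anchored to "^name:" (the startup script above uses an unanchored grep, which also matches the name as a substring elsewhere in the file); the hash is validated to have the full $1$salt$digest shape before it is written, so a hash mangled by shell expansion is refused instead of silently locking the account. The hash value used in the demonstration is a constructed placeholder, not a real MD5-crypt value.

```shell
#!/bin/sh
# Added example (not from the original post): idempotent provisioning of an
# SFTP-only account as in the router startup script above. Passwd/group paths
# are parameters so the functions can run against scratch files, not /etc.

# Return 0 when HASH has the complete MD5-crypt shape $1$<salt>$<digest>.
# A hash that sat inside double quotes in the startup script has its $1,
# $salt and $digest parts expanded by the shell to empty strings, leaving a
# blank field; this check catches that before anything is written.
hash_looks_valid() {
    case "$1" in
        '$1$'?*'$'?*) return 0 ;;
        *)            return 1 ;;
    esac
}

# Append "NAME:x:GID:" to GROUPFILE unless a group named NAME already exists.
# Usage: ensure_group GROUPFILE NAME GID
ensure_group() {
    groupfile=$1 name=$2 gid=$3
    grep -q "^$name:" "$groupfile" 2>/dev/null ||
        printf '%s:x:%s:\n' "$name" "$gid" >> "$groupfile"
}

# Append an SFTP-only user to PASSWDFILE unless NAME already exists.
# Usage: ensure_sftp_user PASSWDFILE NAME HASH UID GID HOMEDIR
# The seventh field (login shell) is sftp-server, so the account can use
# SFTP but gets no interactive shell. Returns 1 without writing anything if
# the hash is blank or does not look like MD5-crypt.
ensure_sftp_user() {
    passwdfile=$1 name=$2 hash=$3 uid=$4 gid=$5 homedir=$6
    if ! hash_looks_valid "$hash"; then
        echo "ensure_sftp_user: hash for '$name' is blank or not MD5-crypt; not writing" >&2
        return 1
    fi
    grep -q "^$name:" "$passwdfile" 2>/dev/null ||
        printf '%s:%s:%s:%s:%s:%s:/usr/libexec/sftp-server\n' \
            "$name" "$hash" "$uid" "$gid" "$name" "$homedir" >> "$passwdfile"
}

# Print the login shell recorded for NAME in PASSWDFILE (empty if absent).
# Usage: user_shell PASSWDFILE NAME
user_shell() {
    awk -F: -v u="$2" '$1 == u { print $7 }' "$1"
}

# Stand-alone demonstration against scratch files with constructed data.
# The hash is single-quoted, so the shell leaves every $ untouched.
scratch=$(mktemp -d)
ensure_group "$scratch/group" users 100
ensure_sftp_user "$scratch/passwd" vcd '$1$examplesalt$exampledigest' 500 100 /mnt/sda_part1/home/vcd
user_shell "$scratch/passwd" vcd   # prints /usr/libexec/sftp-server
rm -rf "$scratch"
```

On the router itself the same functions would be called with /etc/group and /etc/passwd; the single-quoting of the hash (or escaping each $ as \$, as the notes say) is what keeps the password field intact when the script is stored through the web page.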