Docker/Compose/SFTP: Difference between revisions

No edit summary
 
(19 intermediate revisions by the same user not shown)
Line 1: Line 1:
==Linux » UFW » Allow » 20022==
==Linux » UFW » Allow » 20022==
<syntaxhighlight lang="bash">
{|class='wikitable mw-collapsible' style='width:100%;margin:3px 0'
!scope='col' style='text-align:left' colspan='2'|
Linux » UFW » Allow » 20022
|-
|valign='top' style='width:50%'|
<syntaxhighlight style='margin:3px 0' lang='bash'>
sudo ufw allow 20022/tcp
sudo ufw allow 20022/tcp
sudo ufw status numbered
sudo ufw status numbered
</syntaxhighlight>
</syntaxhighlight>
|valign='top' style='width:50%'|
|}


==Docker » Compose » Volume==
==Docker » Compose » Volume==
<syntaxhighlight lang="bash">
{|class='wikitable mw-collapsible' style='width:100%;margin:3px 0'
!scope='col' style='text-align:left' colspan='2'|
Docker » Compose » Volume
|-
|valign='top' style='width:50%'|
<syntaxhighlight style='margin:3px 0' lang='bash'>
mkdir -p /opt/shahed/chorke/academia/var/playground/sftp
mkdir -p /opt/shahed/chorke/academia/var/playground/sftp
ln    -s /opt/shahed/chorke/academia/var/playground/sftp \
ln    -s /opt/shahed/chorke/academia/var/playground/sftp \
Line 12: Line 24:
       cd ${HOME}/Documents/sftp-playground/
       cd ${HOME}/Documents/sftp-playground/


mkdir -p ./data/{etc/ssh/sshd_config.d,home/{academia,agronomy}/upload}
mkdir -p ./data/{etc/{sftp,ssh/sshd_config.d},home/{academia,agronomy}/upload}
ls  -lah ./data/{etc/ssh/sshd_config.d,home/{academia,agronomy}/upload}
ls  -lah ./data/{etc/{sftp,ssh/sshd_config.d},home/{academia,agronomy}/upload}
</syntaxhighlight>
</syntaxhighlight>
----
|valign='top' style='width:50%'|
<syntaxhighlight lang="bash">
|-
|valign='top'|
<syntaxhighlight style='margin:3px 0' lang='bash'>
cat <<'CFG' | tee ./data/etc/ssh/sshd_config >/dev/null
cat <<'CFG' | tee ./data/etc/ssh/sshd_config >/dev/null
# Secure defaults
# Secure defaults
Line 29: Line 43:


# Limited access
# Limited access
X11Forwarding no
PermitRootLogin no
PermitRootLogin no
X11Forwarding no
AllowTcpForwarding no
AllowTcpForwarding no
PubkeyAuthentication no
PermitEmptyPasswords no
PasswordAuthentication yes


# Force sftp and chroot jail
# Force sftp and chroot jail
Line 42: Line 60:
CFG
CFG
</syntaxhighlight>
</syntaxhighlight>
----
|valign='top'|
<syntaxhighlight lang="bash">
|-
sudo chown 0:0 -R ./data/etc/ssh
|valign='top'|
sudo chmod 644    ./data/etc/ssh/sshd_config
<syntaxhighlight style='margin:3px 0' lang='bash'>
sudo chmod 755    ./data/etc/ssh/sshd_config.d
makepasswd --chars 12  --count 5 --crypt-md5
</syntaxhighlight>
cat <<'CFG' | tee ./data/etc/sftp/users.conf >/dev/null
----
<syntaxhighlight lang="bash">
cat <<'CFG' | tee ./users.conf >/dev/null
academia:sadaqah!:1001
academia:sadaqah!:1001
agronomy:sadaqah!:1002
agronomy:sadaqah!:1002
CFG
CFG
</syntaxhighlight>
</syntaxhighlight>
|valign='top'|
|-
|valign='top'|
<syntaxhighlight style='margin:3px 0' lang='bash'>
echo 'sadaqah!'|makepasswd --crypt-md5 --clearfrom=-
cat <<'CFG' | tee ./data/etc/sftp/users.conf >/dev/null
academia:$1$9PfGgh6y$MOtEU48nCvgWmwlotjhj5.:e:1001
agronomy:$1$9PfGgh6y$MOtEU48nCvgWmwlotjhj5.:e:1002
CFG
</syntaxhighlight>
|valign='top'|
|-
|valign='top'|
<syntaxhighlight style='margin:3px 0' lang='bash'>
sudo chown 0:0 -R ./data/etc/
sudo chmod 600    ./data/etc/sftp/users.conf
sudo chmod 644    ./data/etc/ssh/sshd_config
sudo chmod 755    ./data/etc/ssh/sshd_config.d
</syntaxhighlight>
|valign='top'|
|}


==Docker » Compose » Create==
==Docker » Compose » Create==
<syntaxhighlight lang="yaml">
{|class='wikitable mw-collapsible' style='width:100%;margin:3px 0'
!scope='col' style='text-align:left' colspan='2'|
Docker » Compose » Create
|-
|valign='top' style='width:50%'|
<syntaxhighlight style='margin:3px 0' lang='yaml'>
cat <<'YML' | tee ./docker-compose.yml >/dev/null
cat <<'YML' | tee ./docker-compose.yml >/dev/null
---
---
Line 71: Line 111:
     volumes:
     volumes:
       - ./data/etc/ssh:/etc/ssh
       - ./data/etc/ssh:/etc/ssh
      - ./users.conf:/etc/sftp/users.conf:ro
       - ./data/home/academia/upload:/home/academia/upload
       - ./data/home/academia/upload:/home/academia/upload
       - ./data/home/agronomy/upload:/home/agronomy/upload
       - ./data/home/agronomy/upload:/home/agronomy/upload
      - ./data/etc/sftp/users.conf:/etc/sftp/users.conf:ro
YML
YML
</syntaxhighlight>
</syntaxhighlight>
|valign='top' style='width:50%'|
|}


==Docker » Compose » Manage==
==Docker » Compose » Manage==
<syntaxhighlight lang="bash">
{|class='wikitable mw-collapsible' style='width:100%;margin:3px 0'
!scope='col' style='text-align:left' colspan='2'|
Docker » Compose » Manage
|-
|valign='top' style='width:50%'|
<syntaxhighlight style='margin:3px 0' lang='bash'>
docker compose up  -d
docker compose up  -d
docker compose logs -ft
docker compose logs -ft
docker compose down
docker compose down
</syntaxhighlight>
</syntaxhighlight>
|valign='top' style='width:50%'|
|}


==Docker » Compose » Systemd==
==Docker » Compose » Systemd==
<syntaxhighlight lang="ini">
{|class='wikitable mw-collapsible' style='width:100%;margin:3px 0'
!scope='col' style='text-align:left' colspan='2'|
Docker » Compose » Systemd
|-
|valign='top' style='width:50%'|
<syntaxhighlight style='margin:3px 0' lang='ini'>
cat << INI | sudo tee /etc/systemd/system/sftp.service >/dev/null
cat << INI | sudo tee /etc/systemd/system/sftp.service >/dev/null
[Unit]
[Unit]
Line 95: Line 149:
User=sftp
User=sftp
Group=sftp
Group=sftp
ExecStart=/usr/bin/docker-compose -f /etc/sftp/docker-compose.yml up
ExecStart=/usr/bin/docker compose -f /etc/sftp/docker-compose.yml up
ExecStop=/usr/bin/docker-compose -f /etc/sftp/docker-compose.yml stop
ExecStop=/usr/bin/docker compose -f /etc/sftp/docker-compose.yml stop


[Install]
[Install]
Line 102: Line 156:
Alias=sftpd.service
Alias=sftpd.service
INI
INI
</syntaxhighlight>
|valign='top' style='width:50%'|
|}
==Playground==
{|class='wikitable mw-collapsible' style='width:100%;margin:3px 0'
!scope='col' style='text-align:left' colspan='3'|
Playground
|-
|colspan='3'|
<syntaxhighlight style='margin:3px 0' lang='bash'>
docker exec -it sftp ash
sftp -P 20022 academia@localhost
sftp -P 20022 agronomy@localhost
ssh-keygen -f ${HOME}/.ssh/known_hosts -R '[localhost]:20022'
sftp -o PreferredAuthentications=password -o PubkeyAuthentication=no -P 20022 academia@localhost
sftp -o PreferredAuthentications=password -o PubkeyAuthentication=no -P 20022 agronomy@localhost
</syntaxhighlight>
|-
|valign='top' style='width:33%'|
<syntaxhighlight style='margin:3px 0' lang='bash'>
nmap vpn.shahed.biz --reason -Pn --top 20
nmap vpn.shahed.biz --reason -Pn -p25,465,587,993
</syntaxhighlight>
|valign='top' style='width:34%'|
<syntaxhighlight style='margin:3px 0' lang='bash'>
sudo tail -n100 -f /var/log/auth.log
sudo tail -n100 -f /var/log/kern.log
</syntaxhighlight>
|valign='top' style='width:33%'|
<syntaxhighlight style='margin:3px 0' lang='bash'>
sudo cat /etc/shadow|grep nobody
last
</syntaxhighlight>
|-
|valign='top'|
<syntaxhighlight style='margin:3px 0' lang='bash'>
sudo apt-get install makepasswd
echo 'sadaqah!'|makepasswd --crypt-md5 --clearfrom=-
</syntaxhighlight>
|valign='top'|
<syntaxhighlight style='margin:3px 0' lang='bash'>
makepasswd --chars 12 --count 5 --crypt-md5
makepasswd --chars 12 --count 5 --crypt
</syntaxhighlight>
|valign='top'|
<syntaxhighlight style='margin:3px 0' lang='bash'>
makepasswd --chars 12 --count 5
makepasswd --chars 12
</syntaxhighlight>
|-
|valign='top' colspan='2'|
<syntaxhighlight style='margin:3px 0' lang='bash'>
cat << EXE | sudo bash
sed 's|#PasswordAuthentication yes|PasswordAuthentication no|' -i /etc/ssh/sshd_config
sed 's|#PubkeyAuthentication yes|PubkeyAuthentication yes|'    -i /etc/ssh/sshd_config
sed 's|#PermitEmptyPasswords no|PermitEmptyPasswords no|'      -i /etc/ssh/sshd_config
sed 's|#PermitRootLogin yes|PermitRootLogin no|'              -i /etc/ssh/sshd_config
systemctl restart ssh
EXE
</syntaxhighlight>
</syntaxhighlight>
|valign='top'|
<syntaxhighlight style='margin:3px 0' lang='bash'>
cat << EXE | sudo bash
sshd -T | grep -i PasswordAuthentication
sshd -T | grep -i PubkeyAuthentication
sshd -T | grep -i PermitEmptyPasswords
sshd -T | grep -i PermitRootLogin
systemctl status  ssh
EXE
</syntaxhighlight>
|}


==References==
==References==
{|
{|class='wikitable mw-collapsible' style='width:100%;margin:3px 0'
|valign='top'|
!scope='col' style='text-align:left' colspan='3'|
References
|-
|valign='top' style='width:33%'|
* [https://hub.docker.com/r/atmoz/sftp Docker » <code>atmoz/sftp</code> » Repo]
* [https://hub.docker.com/r/atmoz/sftp Docker » <code>atmoz/sftp</code> » Repo]
* [https://github.com/atmoz/sftp Docker » <code>atmoz/sftp</code> » SCM]
* [https://github.com/atmoz/sftp Docker » <code>atmoz/sftp</code> » SCM]
* [[Docker/Compose/GitLab|Docker » Compose » GitLab]]
* [[Docker/Compose/GitLab|Docker » Compose » GitLab]]
* [[Docker/Compose/N8N|Docker » Compose » N8N]]
* [[Docker Compose|Docker » Compose]]
* [[Docker Compose|Docker » Compose]]
* [[Docker]]
* [[Docker]]


|valign='top'|
|valign='top' style='width:34%'|


|valign='top'|
|valign='top' style='width:33%'|


|-
|colspan='3'|
----
|-
|-
|valign='top'|
|valign='top'|
Line 134: Line 266:


|valign='top'|
|valign='top'|
* [[SSH/Public Key Authentication|Security » SSH » Authentication]]
* [[Terraform]]
* [[Terraform]]
* [[Kubectl]]
* [[Kubectl]]
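Review bot: In the new users.conf heredoc (the one written right after `echo 'sadaqah!'|makepasswd --crypt-md5 --clearfrom=-`) both accounts receive the identical md5-crypt string `$1$9PfGgh6y$MOtEU48nCvgWmwlotjhj5.` — same salt, same password — and md5-crypt is a weak scheme, so a reader copying the example ends up with two shared-password accounts on a port the first hunk opens to any source with `ufw allow 20022/tcp`. Hash each user's password separately (presumably a `$6$` SHA-512 crypt also passes the image's `:e` path; confirm against the atmoz/sftp documentation), and note that the sshd_config lines added in the same section, `PubkeyAuthentication no` and `PasswordAuthentication yes`, make passwords the only credential accepted. The intermediate heredoc that writes `academia:sadaqah!:1001` in plaintext to the same file stays on disk at the default umask until the `chmod 600` further down; drop that step or write the hashed form first. A one-line comment above the hashed heredoc, `# one hash per user — never reuse a salt/hash across accounts`, would keep the example from being pasted verbatim.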

Latest revision as of 10:52, 15 January 2026

Linux » UFW » Allow » 20022

Linux » UFW » Allow » 20022

# Host firewall: open the published SFTP port (host 20022, mapped to the
# container's 22 in the compose file).  No `from` clause, so the port is
# reachable from any source the host can see.  `status numbered` lists the
# rules with indices so a rule can later be deleted by number.
sudo ufw allow 20022/tcp
sudo ufw status numbered

Docker » Compose » Volume

Docker » Compose » Volume

# Keep the real playground under /opt and reach it through a symlink in
# $HOME; the trailing `cd` enters it via the link.
# NOTE(review): re-running `ln -s` against an existing link creates a nested
# link inside the target directory instead; `ln -sfn` is the idempotent form.
mkdir -p /opt/shahed/chorke/academia/var/playground/sftp
ln    -s /opt/shahed/chorke/academia/var/playground/sftp \
         ${HOME}/Documents/sftp-playground
      cd ${HOME}/Documents/sftp-playground/

# Bind-mount tree for the container: sshd config dir (+ sshd_config.d), the
# users.conf dir and one upload/ directory per account; brace expansion
# builds every path in one call, and `ls` shows what was created.
mkdir -p ./data/{etc/{sftp,ssh/sshd_config.d},home/{academia,agronomy}/upload}
ls  -lah ./data/{etc/{sftp,ssh/sshd_config.d},home/{academia,agronomy}/upload}
# sshd_config for the CONTAINER (bind-mounted from ./data/etc/ssh).
# Quoted delimiter ('CFG'): the body is written verbatim, nothing expands.
# Policy as written: passwords are the only credential (PubkeyAuthentication
# no / PasswordAuthentication yes), no root login, no TCP or X11 forwarding,
# every session forced into internal-sftp and chrooted to its home (%h).
# `Protocol 2` is a no-op on OpenSSH releases that dropped protocol 1.
# NOTE(review): password-only auth on a port the ufw rule above opens to any
# source — per-user keys would be the stronger default; confirm this is intended.
cat <<'CFG' | tee ./data/etc/ssh/sshd_config >/dev/null
# Secure defaults
# See: https://stribika.github.io/2015/01/04/secure-secure-shell.html
Protocol 2
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key

# Faster connection
# See: https://github.com/atmoz/sftp/issues/11
UseDNS no

# Limited access
X11Forwarding no
PermitRootLogin no
AllowTcpForwarding no

PubkeyAuthentication no
PermitEmptyPasswords no
PasswordAuthentication yes

# Force sftp and chroot jail
Subsystem sftp internal-sftp
ForceCommand internal-sftp
ChrootDirectory %h

# Enable this for more logs
#LogLevel VERBOSE
CFG
# Print five candidate passwords with their md5-crypt hashes (output only,
# nothing is stored), then write users.conf in the PLAINTEXT form
# `name:password:uid`.  This file is superseded by the hashed version written
# in the next step — skip this one: it leaves the clear-text password on disk
# (at whatever the umask allows) until the `chmod 600` further down.
makepasswd --chars 12  --count 5 --crypt-md5
cat <<'CFG' | tee ./data/etc/sftp/users.conf >/dev/null
academia:sadaqah!:1001
agronomy:sadaqah!:1002
CFG
# Hash the password once (md5-crypt, read from stdin via --clearfrom=-) and
# write users.conf in hashed form; the `e` field presumably tells the image
# the password is already encrypted — verify against the atmoz/sftp README.
# NOTE(review): both lines carry the identical salt+hash ($1$9PfGgh6y$…), so
# both accounts share one password, and md5-crypt is a weak scheme — hash
# each user's own password separately (a $6$ SHA-512 crypt, if the image's
# chpasswd -e path accepts it).
echo 'sadaqah!'|makepasswd --crypt-md5 --clearfrom=-
cat <<'CFG' | tee ./data/etc/sftp/users.conf >/dev/null
academia:$1$9PfGgh6y$MOtEU48nCvgWmwlotjhj5.:e:1001
agronomy:$1$9PfGgh6y$MOtEU48nCvgWmwlotjhj5.:e:1002
CFG
# Lock down the bind-mounted config tree: everything root-owned, users.conf
# (holds the password hashes) readable by root only, sshd_config
# world-readable, the drop-in dir traversable.
sudo chown 0:0 -R ./data/etc/
sudo chmod 600    ./data/etc/sftp/users.conf
sudo chmod 644    ./data/etc/ssh/sshd_config
sudo chmod 755    ./data/etc/ssh/sshd_config.d

Docker » Compose » Create

Docker » Compose » Create

# Compose file (quoted delimiter: written verbatim).  Publishes container
# port 22 on host 20022, bind-mounts the sshd config dir read-write, one
# upload dir per account, and users.conf read-only (the only `:ro` mount).
# `network_mode: bridge` keeps the container on the default bridge and
# `restart: always` restarts it with the daemon.
cat <<'YML' | tee ./docker-compose.yml >/dev/null
---
services:
  sftp:
    image: atmoz/sftp:alpine
    container_name: sftp
    network_mode: bridge
    restart: always
    ports:
      - 20022:22
    volumes:
      - ./data/etc/ssh:/etc/ssh
      - ./data/home/academia/upload:/home/academia/upload
      - ./data/home/agronomy/upload:/home/agronomy/upload
      - ./data/etc/sftp/users.conf:/etc/sftp/users.conf:ro
YML

Docker » Compose » Manage

Docker » Compose » Manage

# Lifecycle: start detached, follow the logs with timestamps (-f -t), tear
# the stack down (containers and network; the bind-mounted data stays).
docker compose up   -d
docker compose logs -ft
docker compose down

Docker » Compose » Systemd

Docker » Compose » Systemd

# systemd unit wrapping the compose stack.  The delimiter (INI) is unquoted,
# so `$...` would expand — the body contains none, so it is written literally.
# NOTE(review): `After=docker.service` only orders startup; without a
# `Requires=`/`BindsTo=` the unit also starts when docker is down, and
# `Restart=always` then loops.
# NOTE(review): User=sftp must be able to reach the docker daemon (docker
# group or equivalent), which is root-equivalent access — confirm intent.
# Compose resolves the relative ./data paths against the directory holding
# /etc/sftp/docker-compose.yml, not the playground directory used above.
cat << INI | sudo tee /etc/systemd/system/sftp.service >/dev/null
[Unit]
Description=Docker SFTP
After=docker.service

[Service]
Restart=always
User=sftp
Group=sftp
ExecStart=/usr/bin/docker compose -f /etc/sftp/docker-compose.yml up
ExecStop=/usr/bin/docker  compose -f /etc/sftp/docker-compose.yml stop

[Install]
WantedBy=multi-user.target
Alias=sftpd.service
INI

Playground

Playground

# Shell into the running container (alpine image, so `ash`), then log in
# as each account over the published port.
docker exec -it sftp ash
sftp -P 20022 academia@localhost
sftp -P 20022 agronomy@localhost

# Drop the cached host key for [localhost]:20022 (presumably needed after the
# container's host keys were regenerated — otherwise the client refuses the
# changed key), then connect forcing password auth and disabling key auth on
# the client side to match the server policy.
ssh-keygen -f ${HOME}/.ssh/known_hosts -R '[localhost]:20022'
sftp -o PreferredAuthentications=password -o PubkeyAuthentication=no -P 20022 academia@localhost
sftp -o PreferredAuthentications=password -o PubkeyAuthentication=no -P 20022 agronomy@localhost
# Reachability check of the named endpoint: -Pn skips host discovery,
# --reason explains each reported port state; the second run restricts the
# probe to the mail ports (25, 465, 587, 993).
nmap vpn.shahed.biz --reason -Pn --top 20
nmap vpn.shahed.biz --reason -Pn -p25,465,587,993
# Watch the host's authentication log (sshd/sudo events) and the kernel log
# (ufw blocks are logged there) live, starting with the last 100 lines.
sudo tail -n100 -f /var/log/auth.log
sudo tail -n100 -f /var/log/kern.log
# Show the host's shadow entry for `nobody` and the recent login history.
# NOTE(review): cat|grep prints any line containing "nobody"; the tighter,
# anchored form is `sudo grep '^nobody:' /etc/shadow`.
sudo cat /etc/shadow|grep nobody
last
# makepasswd (Debian package): hash a fixed password read from stdin
# (--clearfrom=-), or generate random 12-character passwords — optionally
# emitting md5-crypt (--crypt-md5) or traditional crypt(3) (--crypt) hashes.
# Both hash forms are weak by today's standards; prefer SHA-512 crypt.
sudo apt-get install makepasswd
echo 'sadaqah!'|makepasswd --crypt-md5 --clearfrom=-
makepasswd --chars 12 --count 5 --crypt-md5
makepasswd --chars 12 --count 5 --crypt
makepasswd --chars 12 --count 5
makepasswd --chars 12
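# Harden the HOST sshd (the container has its own config under ./data):
# flip the commented defaults in /etc/ssh/sshd_config.  Each sed rewrites
# only the exact commented default line; a directive already set to some
# other value is left untouched — the `sshd -T` block below shows what
# actually took effect.  The delimiter is unquoted, but the body contains
# no `$`, so nothing expands before it reaches `sudo bash`.
cat << EXE | sudo bash
sed 's|#PasswordAuthentication yes|PasswordAuthentication no|' -i /etc/ssh/sshd_config
sed 's|#PubkeyAuthentication yes|PubkeyAuthentication yes|'    -i /etc/ssh/sshd_config
sed 's|#PermitEmptyPasswords no|PermitEmptyPasswords no|'      -i /etc/ssh/sshd_config
sed 's|#PermitRootLogin yes|PermitRootLogin no|'               -i /etc/ssh/sshd_config
# Validate the edited config before restarting: a broken sshd_config would
# otherwise take the daemon down and lock out the session doing the edit.
sshd -t && systemctl restart ssh
EXE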
# Verification: `sshd -T` prints the EFFECTIVE configuration (needs root,
# hence `sudo bash`), filtered to the four directives edited above — this
# is what tells whether the sed substitutions applied — followed by the
# service state.
cat << EXE | sudo bash
sshd -T | grep -i PasswordAuthentication
sshd -T | grep -i PubkeyAuthentication
sshd -T | grep -i PermitEmptyPasswords
sshd -T | grep -i PermitRootLogin
systemctl status  ssh
EXE

References

References