Exposing SFTP server differently


SFTP (Secure File Transfer Protocol) uses the SSH (Secure Shell) protocol to securely transfer files between the server and the client, and hence listens on port 22 by default.

There is no major harm in exposing your SFTP server over the default port, but security tools like wiz.io, DivvyCloud, etc. will flag a firewall rule that allows incoming connections on port 22 from the whole internet. In this case, we either suppress the finding or use a non-standard port to expose our SFTP server.

In this article, we will learn how to expose our SFTP server on AWS on a non-standard port, let’s say 8222, but you are free to choose any other port you want.


SFTP Server

Let’s start with creating an internal facing SFTP server within the VPC.

Protocols

Identity Provider

Endpoint Type 1.1

Endpoint Type 1.2

Note: We select the default security group for the SFTP server but at a later stage we will be associating it to a different security group that will accept incoming traffic only from the NLB.

Storage

Additional Details 1.1

Additional Details 1.2

On the review page, confirm all the inputs and proceed with the SFTP server creation process. Your SFTP server should be available within a few seconds.

SFTP Server

Because we created an internal-facing SFTP server, we need to expose it using a Network Load Balancer (NLB) so that our users can interact with the server over the internet. Before we do that, let’s create 2 EIPs for our NLB.

Note: Now, you might be wondering why we created an internal SFTP server in the first place. Great question. That’s because, as of writing this article, AWS Transfer Family only accepts connections on port 22.

EIP (Elastic IP)

Let’s navigate to the EC2 service to create two EIPs for our Network Load Balancer.

New EIP

New EIP

Just hit the Allocate button and you should have an EIP, also known as a static public IP, created for you. Repeat the same process to generate the second one.

EIPs


Network Load Balancer

Let’s head over to the EC2 service and create a Network Load Balancer. But before creating the load balancer, we need to create the target group and register the private IPs of the VPC endpoint attached to our SFTP server.

Target Group 1.1

Target Group 1.2

In the next step we need to provide the IP address of the VPC endpoint attached to the server. To retrieve that, we need to navigate to the Transfer Family service and click on the server id to get the details. Private IPs of the endpoint will be available under the Endpoint configuration section.

SFTP Private IPs

Target Registration 1.1

Once you have entered all the private IPs, click the Include as pending below button, which adds the targets to the Review targets section. Once all the private IPs are listed in this table, click the Create target group button.

Target Registration 1.2

NLB Target Group

Awesome, now that we have the target group let’s create the Network Load Balancer.

NLB 1.1

NLB 1.2

NLB 1.3

After reviewing all the inputs, go ahead and create the Network Load Balancer.

Active NLB

Note: The NLB will take a few minutes to reach the active state.

You must have noticed that we are allowing AWS to assign a random public IP for our Network Load Balancer, but if you want a static IP for your NLB you can create EIPs and attach them to the NLB during the creation process. As of writing this article, you cannot change the IP address associated with the NLB after its creation.

Remember, while creating the SFTP server we attached the default security group to it. It’s now time to create a new security group for our SFTP server and replace the default one with the new one.

Note: You can also create the security group prior to the launch of SFTP server and attach it during the SFTP server creation process to make the process simple. We are using the difficult path so that in future if we ever want to update the security group associated to the SFTP server we will be aware of the steps.

Security Group

The security group for our SFTP server will accept connections on port 22 only from the private IPs of the Network Load Balancer, that is, the private IPs associated with the EIPs attached to the NLB. So, before creating the security group, let’s grab those private IPs. For that, we once again navigate to the EC2 service and open the Elastic IPs page from the left panel.

Grab the private IP either from the column present in the table or select a public IP from the list and you should see it in the details panel below.

Elastic IPs

Once you have noted down the private IPs, let’s switch to the Security Group link available in the left panel within the EC2 service.

New Security Group 1.1

New Security Group 1.2

New Security Group Ready

Last but not the least, let’s update the security group for our SFTP server. The process isn’t very straightforward because we cannot do this from within the Transfer Family service. Instead, we update the security group of the VPC endpoint that is associated with our SFTP server. To see the VPC endpoint, let’s head over to the VPC service and use the Endpoints link available in the left panel.

VPC Endpoint

Select the VPC endpoint that is attached to the SFTP server and click on the Actions dropdown, where you will see the option to manage the security groups. Select the new security group from the list and hit the Modify button.

VPC Endpoint Security Group Update
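To confirm the swap actually locked the endpoint down, the following added example (not part of the original article) audits a security group description in the shape returned by EC2 DescribeSecurityGroups and reports anything other than the NLB private IPs that can reach port 22. The function names, group IDs and IP addresses are constructed for illustration.

```python
import ipaddress

SFTP_PORT = 22  # Transfer Family still listens on 22 behind the NLB

def _covers_port(perm, port):
    """True if an IpPermissions entry applies to `port` ("-1" = all traffic)."""
    if perm.get("IpProtocol") == "-1":
        return True
    if perm.get("IpProtocol") != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)

def audit_sftp_sg(security_group, nlb_private_ips, port=SFTP_PORT):
    """Return findings; an empty list means only the NLB can reach `port`."""
    allowed = {ipaddress.ip_network(f"{ip}/32") for ip in nlb_private_ips}
    seen, findings = set(), []
    for perm in security_group.get("IpPermissions", []):
        if not _covers_port(perm, port):
            continue
        for rng in perm.get("IpRanges", []):
            net = ipaddress.ip_network(rng["CidrIp"], strict=False)
            if net in allowed:
                seen.add(net)
            else:
                findings.append(f"port {port} open to {net}")
        # Any non-IPv4 source is outside the "NLB only" design described above.
        for rng in perm.get("Ipv6Ranges", []):
            findings.append(f"port {port} open to {rng['CidrIpv6']}")
        for grp in perm.get("UserIdGroupPairs", []):
            findings.append(f"port {port} open to security group {grp['GroupId']}")
        for pl in perm.get("PrefixListIds", []):
            findings.append(f"port {port} open to prefix list {pl['PrefixListId']}")
    for net in sorted(allowed - seen):
        findings.append(f"NLB address {net} is not allowed on port {port}")
    return findings

# Constructed sample data (not real resources).
NLB_IPS = ["10.0.1.25", "10.0.2.31"]
DEFAULT_SG = {"GroupId": "sg-default-example", "IpPermissions": [
    {"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": "sg-default-example"}]}]}
LOCKED_SG = {"GroupId": "sg-sftp-example", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "10.0.1.25/32"}, {"CidrIp": "10.0.2.31/32"}]}]}

if __name__ == "__main__":
    for sg in (DEFAULT_SG, LOCKED_SG):
        print(sg["GroupId"], audit_sftp_sg(sg, NLB_IPS) or "OK")
```

Feed it the group attached to the VPC endpoint; a non-empty result means port 22 is reachable from somewhere other than the load balancer, or that an NLB address was missed.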

Awesome! Your SFTP server is now reachable on a non-standard port, i.e., 8222 in this case. Before we say goodbye, let’s use telnet to test whether our SFTP server is in working condition.

SFTP Telnet

If you see the same output, pat yourself on the back. You deserve it. If not, don’t worry, just go through the article once again properly and I’m sure you will succeed.
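A scripted version of the telnet test, added here as an example and not part of the original article: it connects to the NLB listener, reads the SSH identification string defined in RFC 4253 section 4.2, and reports whether an SSH server answered. The function names are illustrative, and the host is supplied on the command line (the NLB DNS name or one of the EIPs).

```python
import socket

def read_ssh_banner(sock, max_lines=20):
    """Return the peer's SSH identification string, or None if none arrives.

    RFC 4253 section 4.2 lets a server send other text lines first, so lines
    that do not start with "SSH-" are skipped rather than treated as failure.
    """
    buf = b""
    for _attempt in range(max_lines):
        while b"\n" not in buf:
            chunk = sock.recv(256)
            if not chunk or len(buf) > 4096:  # peer closed, or runaway line
                return None
            buf += chunk
        line, _sep, buf = buf.partition(b"\n")
        line = line.rstrip(b"\r")
        # Identification string is at most 255 bytes including CR LF.
        if line.startswith(b"SSH-") and len(line) <= 253:
            return line.decode("ascii", "replace")
    return None

def check_sftp_endpoint(host, port=8222, timeout=5.0):
    """Return (ok, detail) for the listener the article exposes on port 8222."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            banner = read_ssh_banner(sock)
    except OSError as exc:  # refused, timed out, or name did not resolve
        return False, f"connection failed: {exc}"
    if banner is None:
        return False, "connected, but no SSH identification string received"
    # "SSH-1.99-" is how a server advertises SSH 2.0 with 1.x compatibility.
    return banner.startswith(("SSH-2.0-", "SSH-1.99-")), banner

if __name__ == "__main__":
    import sys
    print(check_sftp_endpoint(sys.argv[1]))
```

A timeout here usually points at the NLB listener or target health, while a connection with no banner points at the security group on the VPC endpoint.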


Covering the basics

  • SFTP stands for SSH File Transfer Protocol. It’s a channel that is responsible for securely transferring files over a network using the SSH protocol. The public key is stored with the SFTP server and the user holds the private key.

  • AWS Transfer Family supports the SFTP, FTPS and FTP protocols for creating a file-sharing server. It recently added support for the AS2 (Applicability Statement 2) protocol, which allows businesses to securely transfer files over the internet.

  • Unlike SFTP, which uses SSH to transfer files over the network, AS2 uses TLS/SSL for encrypting the channel and S/MIME for encrypting the actual data. It also supports message validation through MDN (Message Disposition Notification), which helps fulfil non-repudiation.

Vimal Paliwal

Vim is a DevSecOps Practitioner with over eight years of professional experience. Over the years, he has architected and implemented full-fledged solutions for clients using AWS, K8s, Terraform, Python, Shell, Prometheus, etc., keeping security as an utmost priority. Along with this, during his journey as an AWS Authorised Instructor he has trained thousands of professionals ranging from startups to Fortune companies.
