Windows Server 2022 SFTP

KB ID 0001779

Problem

Note: This will also work on Server 2019

There’s really no excuse to be using FTP any more, it’s insecure and your username, passwords and data are sent in clear text! So let’s put the secure in FTP and deploy Windows Server 2022 SFTP instead! 

Note: Yes, there’s FTPS as well (and it’s not the same); that adds a TLS layer on top of the old FTP protocol. SFTP is a completely different protocol and it runs on top of SSH (TCP Port 22).

Deploy Windows Server 2022 SFTP

Firstly, let’s check what version of OpenSSH Server is available to us, then install that version (in this example 0.0.1.0).

[box]

Get-WindowsCapability -Online | Where-Object Name -like 'OpenSSH*'

Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0

[/box]

Now start the service, and set the service ‘Startup type’ to automatic, so it will start when the server boots up.

[box]

Start-Service sshd

Set-Service -Name sshd -StartupType 'Automatic'

[/box]

Assuming you have the Windows Firewall on, we need to allow TCP port 22 through the local firewall.

[box]

New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH SSH Server' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22 -Program "C:\Windows\System32\OpenSSH\sshd.exe"

[/box]

To be honest, that is the SFTP server up and running. Now you will need a user to access the service with. This can either be a LOCAL user on the SFTP server itself…

 …or a Domain User (if you joined the SFTP Server to be a Domain Member).

Windows Server 2022 SFTP Upload Folder and File Locations

By default each user that connects will get a folder created for them under C:\Users, which belongs to them. Some people might not like it in that location (but remember we are essentially dealing with a *nix program here, and that’s how *nix behaves).

Setup a Windows Server 2022 SFTP Default Root Folder

If you want to use another folder as the root folder (remember that everyone will then be using the SAME folder!), create that folder first.

Then edit;

[box]

C:\ProgramData\ssh\sshd_config

[/box]

Note: Remember ProgramData is a hidden folder so you might not be able to see it!

Locate ChrootDirectory and remove the word ‘none‘ after it, then paste in YOUR folder path. Finally, REMOVE the hash (or pound, if you’re American) symbol from the start of that line (as illustrated). Don’t forget to save the file and restart the SSH service (Restart-Service sshd).
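The whole deployment above, gathered into one idempotent PowerShell script as an added example (this is not code from the original article): it installs the OpenSSH.Server capability if missing, sets the service to automatic and starts it, creates the firewall rule only if it does not already exist, applies the ChrootDirectory change to sshd_config after taking a backup copy, restarts sshd and finishes with a local check. The $SftpRoot path is an assumed example value; pass an empty string to keep the default per-user home folders.

```powershell
# Added example, not from the original article. Run from an elevated PowerShell session.
#Requires -RunAsAdministrator
param(
    [string]$SftpRoot   = 'D:\SFTP-Root',                     # assumed example path; '' keeps per-user homes
    [string]$ConfigPath = "$env:ProgramData\ssh\sshd_config"  # default Windows OpenSSH config location
)

# 1. Install the OpenSSH.Server capability, whatever version the image offers.
$cap = Get-WindowsCapability -Online | Where-Object Name -like 'OpenSSH.Server*'
if ($cap.State -ne 'Installed') {
    Add-WindowsCapability -Online -Name $cap.Name | Out-Null
}

# 2. Service running now, and starting automatically at boot.
Set-Service -Name sshd -StartupType Automatic
if ((Get-Service sshd).Status -ne 'Running') { Start-Service sshd }

# 3. Inbound TCP/22, scoped to sshd.exe only; created once, not on every run.
if (-not (Get-NetFirewallRule -Name sshd -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH SSH Server' -Enabled True `
        -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22 `
        -Program "$env:SystemRoot\System32\OpenSSH\sshd.exe" | Out-Null
}

# 4. Optional shared root folder: replace the commented '#ChrootDirectory none' line.
if ($SftpRoot) {
    if (-not (Test-Path $SftpRoot)) { New-Item -ItemType Directory -Path $SftpRoot | Out-Null }
    Copy-Item -Path $ConfigPath -Destination "$ConfigPath.bak" -Force   # keep a copy before editing
    $lines   = Get-Content -Path $ConfigPath
    $pattern = '^\s*#?\s*ChrootDirectory\b.*$'
    if ($lines -match $pattern) {
        $lines = $lines -replace $pattern, "ChrootDirectory $SftpRoot"   # uncomment and set the path
    } else {
        $lines += "ChrootDirectory $SftpRoot"                            # line absent: append it
    }
    Set-Content -Path $ConfigPath -Value $lines
    Restart-Service sshd
}

# 5. Check locally before asking anyone to open a firewall for you.
$svc = Get-Service sshd
$tcp = Test-NetConnection -ComputerName localhost -Port 22 -WarningAction SilentlyContinue
[pscustomobject]@{
    Service    = $svc.Status
    StartType  = $svc.StartType
    Port22Open = $tcp.TcpTestSucceeded
    Chroot     = (Select-String -Path $ConfigPath -Pattern '^\s*ChrootDirectory').Line
}
```

Running it twice is safe: every step checks the current state first, and the `.bak` copy of sshd_config lets you roll back the ChrootDirectory change if the shared-root behaviour is not what you wanted.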

ALWAYS test that it works from the same subnet first (to save really annoying your firewall admin). Here I’m uploading a test text file using the FileZilla client from another server.

And to prove it’s not ‘smoke and mirrors‘ here’s the file.

So now, to make the server available to the outside world, you either need to ‘Port Forward TCP Port 22’ from a public IP address to the server’s internal IP address, or, if the server has its own public IP (or you have one free), create a static one-to-one NAT on the firewall and allow TCP traffic on port 22 inbound.

Related Articles, References, Credits, or External Links

NA

Backing up a Remote Linux Machine With Windows (Using Rsync and Cygwin)

KB ID 0000892 

Problem

The goal here was for me to get a backup of my VPS server (running CentOS 6). My background is primarily Windows based, so I wanted a solution where I can just run the backup from a Windows machine (i.e. my laptop) and let it connect, log in and perform the backup.

What is Rsync? If you are familiar with Robocopy it’s similar: it can perform a backup/sync of data and, when run over SSH as it is here, that data is encrypted while it’s passing over the network. In addition, once the initial sync has been done, the next time you run it, it only replicates the changes. This makes it ideal for backups.

What is Cygwin? Basically it’s a Linux ‘Shell’ that will run on a Windows machine.

Solution


Step 1: Install Cygwin on My Windows Client

1. Download Cygwin (URL is on the image below), and install it on the machine that will be performing the backups. When prompted, accept all the defaults to download from the internet > Accept the install directory C:\cygwin64 > Install for All users > Set the local Package Directory to the Desktop > Internet = Direct Connection > Choose a Download site > Next.

2. When asked to select packages > Expand Net.

3. Select openssh and rsync to be installed.

4. Expand shells > Select bash to be installed. > Complete the installation.

Step 2: Generate SSH Keys in Cygwin

5. Launch Cygwin and generate some SSH Keys.

[box]

ssh-keygen -t rsa -b 2048

KEEP PRESSING ENTER TO ACCEPT THE DEFAULTS, AND HAVE A BLANK PASSPHRASE

[/box]

Step 3: Create a User (On the Remote Linux Host) to Perform Backups

6. Connect to the server via SSH, (or open a terminal session). Logon as, (or su to) root.

[box]

useradd {username} -s /bin/bash
passwd {username}
ENTER AND CONFIRM THE PASSWORD 

[/box]

7. To ensure your user has the correct folders in their home folder, the easiest way is to generate a pair of keys on the remote Linux machine (the same as you did before).

[box]

ssh-keygen -t rsa -b 2048

[/box]

Step 4: Copy the Public SSH Key from the Windows Machine to the Linux Machine

8. Above, Cygwin told us the keys are in /home/{username}/.ssh > Go to that directory and make sure they are there > Make a copy of the id_rsa.pub key > Call the copy authorized_keys > Copy that key to the correct folder on the remote Linux machine (via SCP).

[box]

cd /home/{username}/.ssh
(Note: This is the username on the Cygwin machine)
ls
CHECK id_rsa.pub IS LISTED
cp id_rsa.pub authorized_keys
ls
CHECK authorized_keys IS LISTED
scp authorized_keys {username}@{Linux Machine's name/IP}:/home/{username}/.ssh

Note: The username (above) is the username on the Linux Machine

[/box]

9. Now check we can login to the remote Linux machine, from the Windows machine (without having to provide a password for the user we created). Note: Sometimes you need to do this twice before it will work.

[box]

ssh {username}@{Linux Machine's name/IP}

[/box]

If successful, your prompt should change to that of the remote Linux machine.

10. To return to Cygwin, simply type exit.

Step 5: On the Windows Machine Create a Backup Job

11. On the Windows machine create a folder that will hold the backup files (create it in the C:\cygwin64 folder).

12. Let’s test our backup to that folder. (Note: This does not back any data up; it just performs a ‘dry run’.)

[box]

rsync -avzun {username}@{Linux Machine's name/IP}:/ /VPS-Backup

[/box]

Note: Above I’ve chosen the root ‘/’ directory, you may just want to select specific folders to backup e.g.

  • /var/www/ The Default location for Apache’s Website Files.
  • /var/lib/mysql The Default location for MySQL Databases.

Warning: Folder locations may differ depending on the server and how it was setup.

13. Tailor the following, and save it on the Windows machine, in the C:\cygwin64\bin directory, as Remote-Server-Backup.sh

[box]

#!/bin/bash
# Remote-Server-Backup.sh
#
# rsync tool to download server data
# from [Remote Linux Server name] to [Windows Backup Machine]
#
# Download only those files on [Remote Linux Server name] in
# [server directory] that are newer than what is already in
# [Windows Backup Machine Directory]
#
# Syntax:
# rsync -avzu [user name]@[Remote Linux Server name]:[server directory] [Windows Backup Machine Directory]
#
# Windows Shortcut Target Should be:
# C:\cygwin64\bin\bash.exe --login -i '/bin/Remote-Server-Backup.sh'

rsync -avzu {username}@{Linux Machine's name/IP}:/ /VPS-Backup

# Report the rsync result so a failed run is obvious in the window
status=$?
if [ "$status" -eq 0 ]; then
    echo "Backup completed OK"
else
    echo "rsync exited with status $status"
fi
exit "$status"

[/box]

14. On the Windows machine create a new shortcut.

15. Browse to, and select, C:\cygwin64\bin\bash.exe

16. Give it a sensible name > Finish

17. Open the properties of the shortcut and change the Target: to;

[box]

C:\cygwin64\bin\bash.exe --login -i '/bin/Remote-Server-Backup.sh'

[/box]

Note: You may also want to change the icon to the Cygwin one at C:\cygwin64\Cygwin.ico

18. Run the shortcut to perform the backup.

You could (if you wanted) use the Windows Task Scheduler to schedule this for you, but I prefer to do it myself.
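Steps 11 to 18 wire the Cygwin script to an interactive shortcut. As an added example (not code from the original article), the PowerShell script below runs the same /bin/Remote-Server-Backup.sh non-interactively, writes its output to a dated log, interprets the rsync exit code, and can register a daily scheduled task for the scheduler option mentioned above. The Cygwin path C:\cygwin64, the log folder and the task name are assumptions.

```powershell
# Added example, not from the original article. Run as the Windows user whose
# Cygwin home folder (/home/<user>/.ssh) holds the key generated in step 5.
param(
    [string]$Bash              = 'C:\cygwin64\bin\bash.exe',     # assumed Cygwin install path
    [string]$Script            = '/bin/Remote-Server-Backup.sh', # the script from step 13
    [string]$LogDir            = 'C:\cygwin64\VPS-Backup-Logs',  # assumed example path
    [switch]$RegisterDailyTask,
    [string]$RunAt             = '02:00'
)

if (-not (Test-Path $LogDir)) { New-Item -ItemType Directory -Path $LogDir | Out-Null }
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$stdout = Join-Path $LogDir "rsync-$stamp.log"
$stderr = Join-Path $LogDir "rsync-$stamp.err"

# '-c' instead of the shortcut's '-i': nobody is watching an unattended run, so no
# interactive shell is wanted; '--login' still loads the Cygwin profile and PATH.
$bashArgs = "--login -c '$Script'"

if ($RegisterDailyTask) {
    $action  = New-ScheduledTaskAction -Execute $Bash -Argument $bashArgs
    $trigger = New-ScheduledTaskTrigger -Daily -At $RunAt
    # Registered for the current user so the task finds the same SSH key the
    # interactive shortcut uses; no password means "run only when logged on".
    Register-ScheduledTask -TaskName 'VPS-Rsync-Backup' -Action $action -Trigger $trigger `
        -User $env:USERNAME -RunLevel Limited -Force | Out-Null
    "Registered task 'VPS-Rsync-Backup' to run daily at $RunAt."
    return
}

$proc = Start-Process -FilePath $Bash -ArgumentList $bashArgs -Wait -PassThru -NoNewWindow `
    -RedirectStandardOutput $stdout -RedirectStandardError $stderr

# rsync exit codes: 0 = clean, 23/24 = some files could not be transferred or
# vanished mid-run, anything else is a hard failure (255 = the SSH connection failed).
switch ($proc.ExitCode) {
    0              { "Backup finished cleanly, log: $stdout" }
    {$_ -in 23,24} { Write-Warning "Backup finished with partial transfer (rsync exit $_); see $stderr" }
    default        { Write-Error "Backup FAILED (exit $($proc.ExitCode)); see $stderr" }
}
```

Run it once by hand first (`.\Run-VpsBackup.ps1`, or whatever you name it) so the SSH host key is already in Cygwin's known_hosts; only then add `-RegisterDailyTask`, because an unattended bash has no one to answer the host-key prompt and the run would simply fail with exit 255.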

Related Articles, References, Credits, or External Links

NA