SFTP Server

Healthcare Blocks can enable SFTP functionality on an existing or new server. SFTP is FTP tunneled through SSH.

Roles

Your SFTP server has two types of users - administrators and external users.

By default, you are an administrator, and you will use SSH to connect via port 22. You can also use the SCP command to retrieve files.

External users, on the other hand, will connect via port 222, using the sftp command or desktop SFTP software to transfer files.

Creating New SFTP Users

First, SSH to your server using an administrator account:

ssh my-username@my-server-address

Next, use the SFTP admin tool to manage users:

sudo sftp_admin create_user username

The admin tool will generate and display a random password. If you'd like to change the password, do:

sudo sftp_admin change_pw username

To view a list of users:

sudo sftp_admin list_users

To delete a user:

sudo sftp_admin del_user username

Where Files are Stored

Your SFTP server uses a Linux mechanism known as chroot to confine each SFTP user to a specific part of the filesystem, so an SFTP user cannot access another user's data. The exception, of course, is administrator accounts, which can access the entire filesystem via SSH and SCP.

User-specific files are located in user-named subdirectories under /data/sftp_chroot/users.

When a user is created, a default subdirectory named files is also created. Files should be uploaded into this location because the SFTP subsystem does not permit uploads in the parent directory.

If you'd like to rename the files directory or have others automatically created when users are created, you can edit /data/sftp_chroot/config.yaml and set one or more names:

# inside /data/sftp_chroot/config.yaml:
userdirs:
  - inbound
  - outbound

Note: each user directory also contains a directory named dev. Do not delete this directory as it is required by the SFTP subsystem for logging purposes.

Viewing Activity Logs

To satisfy HIPAA requirements, all SFTP activity is logged. You can view recent activity by using the following commands.

# view all log entries
sudo grep 'sftp' /var/log/syslog

# tail in real-time
sudo tail -f /var/log/syslog | grep 'sftp'

Older logs are stored in S3. See accessing archived logs for more info.
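As an added example, not part of the Healthcare Blocks documentation: a small Python script that turns the grep output above into a per-user audit summary (uploads, downloads, deletions, bytes moved, source IPs), which is the view an auditor usually asks for. It assumes the server's SFTP subsystem is OpenSSH's sftp-server/internal-sftp, whose log line format the constructed sample follows; on a real server, feed it the text of /var/log/syslog instead.

```python
import re
from collections import defaultdict

# Constructed sample syslog excerpt (not from a real server). Assumption: the
# SFTP subsystem is OpenSSH's sftp-server/internal-sftp, which logs like this.
SAMPLE_SYSLOG = """\
Mar  3 10:01:02 sftp1 sshd[2001]: Accepted password for alice from 203.0.113.5 port 51234 ssh2
Mar  3 10:01:02 sftp1 sftp-server[2002]: session opened for local user alice from [203.0.113.5]
Mar  3 10:01:09 sftp1 sftp-server[2002]: open "/files/patients.csv" flags WRITE,CREATE,TRUNCATE mode 0644
Mar  3 10:01:10 sftp1 sftp-server[2002]: close "/files/patients.csv" bytes read 0 written 48213
Mar  3 10:02:15 sftp1 sftp-server[2002]: open "/files/claims-summary.pdf" flags READ mode 0666
Mar  3 10:02:16 sftp1 sftp-server[2002]: close "/files/claims-summary.pdf" bytes read 20480 written 0
Mar  3 10:03:00 sftp1 sftp-server[2002]: remove name "/files/old-export.csv"
Mar  3 10:03:30 sftp1 sftp-server[2002]: session closed for local user alice from [203.0.113.5]
"""

SFTP_LINE = re.compile(r"sftp-server\[(?P<pid>\d+)\]: (?P<msg>.*)$")
SESSION_OPEN = re.compile(r"session opened for local user (?P<user>\S+) from \[(?P<ip>[^\]]+)\]")
FILE_OPEN = re.compile(r'open "(?P<path>[^"]+)" flags (?P<flags>\S+)')
FILE_CLOSE = re.compile(r'close "(?P<path>[^"]+)" bytes read (?P<read>\d+) written (?P<written>\d+)')
FILE_REMOVE = re.compile(r'remove name "(?P<path>[^"]+)"')


def summarize_sftp_activity(syslog_text):
    """Per-user uploads, downloads, deletions, byte counts and source IPs."""
    pid_to_user = {}  # sftp-server PID -> user, learned from "session opened"
    summary = defaultdict(lambda: {"source_ips": set(), "uploads": [], "downloads": [],
                                   "deletes": [], "bytes_read": 0, "bytes_written": 0})
    for line in syslog_text.splitlines():
        m = SFTP_LINE.search(line)
        if not m:
            continue  # sshd, cron and other non-SFTP lines
        pid, msg = m["pid"], m["msg"]
        if s := SESSION_OPEN.match(msg):
            pid_to_user[pid] = s["user"]
            summary[s["user"]]["source_ips"].add(s["ip"])
        elif (user := pid_to_user.get(pid)) is None:
            continue  # the session's "opened" line lies outside the excerpt
        elif o := FILE_OPEN.match(msg):
            # WRITE among the open flags means the client is sending data
            kind = "uploads" if "WRITE" in o["flags"].split(",") else "downloads"
            summary[user][kind].append(o["path"])
        elif c := FILE_CLOSE.match(msg):
            summary[user]["bytes_read"] += int(c["read"])
            summary[user]["bytes_written"] += int(c["written"])
        elif r := FILE_REMOVE.match(msg):
            summary[user]["deletes"].append(r["path"])
    return dict(summary)
```

Events are attributed to a user through the sftp-server process ID, so a log excerpt that starts mid-session will drop that session's file events until its "session opened" line is included.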

How to Enable Filesystem Backups

Please refer to this article for guidance.

Example Command Line SFTP Session

# connect
sftp -P 2222 myuser@host

# list directories on server
ls

# list directories on local computer
lls

# change directory
cd files

# upload file
put patients.csv

# download file
get claims-summary.pdf

Please create a ticket if you'd like to add SFTP functionality to an existing or new server.