Setup Secure FTP server on CentOS

Setup SFTP Server

When finished you’ll have an SFTP server configured so that the users are confined to a chroot environment and cannot ssh or telnet to the server.

Install the SSH server if it is not already installed

yum install openssh-server openssh-clients

Create a group whose members are limited to sftp, so they can’t ssh, scp, etc.

groupadd sftpusers

Add the following chroot settings to /etc/ssh/sshd_config. Put the Match block at the end of the file, because every directive after a Match line applies only to that match. %u is a token that expands to the user’s username.

Match Group sftpusers
ChrootDirectory /sftp/%u
ForceCommand internal-sftp

Make the sftp root directory

mkdir /sftp

Add SFTP user

useradd -g sftpusers -d /sftp -s /sbin/nologin newsftpuser

Create password for new user

passwd newsftpuser

Create directory for user

mkdir /sftp/newsftpuser

Create a directory inside the chroot for the user’s files

mkdir /sftp/newsftpuser/files

Change permissions

chown newsftpuser:sftpusers /sftp/newsftpuser/files/

Restart sshd

systemctl restart sshd

Should be good to go.  Test it by logging in with your favorite SFTP client.

SSH Errors

ssh: connect to host port 22: Connection refused

Wrong SSH port.  Check the Port setting in /etc/ssh/sshd_config on Linux, or under IP -> Services -> SSH in RouterOS.

ssh_exchange_identification: Connection closed by remote host

Check the hosts.allow and hosts.deny files. If you’re getting this error connecting to a MikroTik, check IP Services and the “Available From” addresses.

Allow WHM/cPanel ssh logins from specific IP addresses using iptables

For some reason the hosts.allow and hosts.deny files don’t seem to work on cPanel.  One of the alternative methods to limit ssh logins to specific addresses is to use iptables.

Allow access from specific IP addresses. 

Replace the addresses in the command with your own.  You can add more addresses by separating them with a “,”.  Also, if your ssh port is not the default port, be sure to change it.

iptables -A INPUT -s, -p tcp --dport 22 -j ACCEPT

Reject access from everywhere else

iptables -A INPUT -s -p tcp --dport 22 -j REJECT

You can see your rules with

iptables -L --line-numbers

If you need to add another rule after the fact, make sure it is above the REJECT rule. You can use “-I” to insert it at a given position in the chain.

Example: insert the rule as the second rule in the INPUT chain

iptables -I INPUT 2 -s -p tcp --dport 22 -j ACCEPT
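Because iptables stops at the first matching rule, an ACCEPT appended after the REJECT never fires, and the only symptom is a lockout. The following added example (not from the original post) does two things: it generates the allow-list rules above for a set of addresses as a dry run you can review before applying, and it checks an existing "iptables -S INPUT" listing for ACCEPT rules on the ssh port that sit below a REJECT or DROP. The addresses in SAMPLE_RULES are constructed documentation-range values, not anything from the post.

```shell
#!/bin/sh
# Added example (not from the original post). Dry-run generator for the
# allow-list rules plus an ordering check over "iptables -S INPUT" output.

SSH_PORT=22

# build_ssh_rules "ip1 ip2 ..." [PORT]: print the iptables commands, one
# ACCEPT per address followed by the catch-all REJECT
build_ssh_rules() {
    addrs=$1; port=${2:-$SSH_PORT}
    for a in $addrs; do
        echo "iptables -A INPUT -s $a -p tcp --dport $port -j ACCEPT"
    done
    echo "iptables -A INPUT -p tcp --dport $port -j REJECT"
}

# check_rule_order PORT  (reads "iptables -S INPUT" output on stdin)
# returns 1 and names every ACCEPT for PORT that comes after a REJECT/DROP
check_rule_order() {
    port=$1
    seen_reject=0
    status=0
    while IFS= read -r line; do
        # only look at rules for this port; the trailing space stops 22
        # from matching 2222
        case $line in
            *"--dport $port "*) ;;
            *) continue ;;
        esac
        case $line in
            *"-j REJECT"*|*"-j DROP"*) seen_reject=1 ;;
            *"-j ACCEPT"*)
                if [ "$seen_reject" -eq 1 ]; then
                    echo "unreachable (below REJECT/DROP): $line"
                    status=1
                fi ;;
        esac
    done
    return $status
}

# Constructed sample of a broken chain: the second ACCEPT was appended
# with -A after the REJECT, so it never matches.
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -s 203.0.113.5/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 198.51.100.7/32 -p tcp -m tcp --dport 22 -j ACCEPT'

# Usage: ./ssh_rules.sh 203.0.113.5 198.51.100.7   (prints the commands)
#        iptables -S INPUT | ./ssh_rules.sh --check
if [ "$1" = --check ]; then
    check_rule_order "$SSH_PORT"
elif [ "$#" -gt 0 ]; then
    build_ssh_rules "$*" "$SSH_PORT"
fi
```

Run the check after every "-I"/"-A" edit; a clean exit means every ACCEPT for the port is reachable. The rules are still not persistent across reboots on CentOS unless saved with the distribution's iptables-save mechanism.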

Install SSH Server on Linux (Debian, Ubuntu, Fedora, CentOS, RedHat)

Debian / Ubuntu

sudo apt-get install -y openssh-server

RPM based Distros, Fedora / CentOS / RedHat

sudo dnf install -y openssh-server

or use yum

sudo yum install -y openssh-server

Start ssh service

sudo systemctl start sshd

By default the SSH service should start when the system boots, but if not, use the following command to enable the service at boot.

Debian / Ubuntu

systemctl enable ssh

Fedora, CentOS, RedHat

systemctl enable sshd

Change SSH port

Not necessary, but it is a good idea to change the default ssh port.  To change the port, edit the Port directive in the sshd config file.

vi /etc/ssh/sshd_config
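Editing the port by hand is fine, but the easy way to lock yourself out is to restart sshd with a typo in the file, or on CentOS to forget that SELinux and firewalld only permit port 22 by default. The script below is an added example, not from the original post: it rewrites the Port directive in a given sshd_config (keeping a .bak copy and placing the line before any Match block, where sshd requires it), validates the result with "sshd -t" before restarting, and has a helper for the CentOS semanage/firewall-cmd steps. The file path and port are arguments; the default path is the one from the post.

```shell
#!/bin/sh
# Added example (not from the original post): change the sshd Port safely.

# get_ssh_port FILE: print the effective port (first active Port line;
# sshd defaults to 22 when the directive is absent or commented out)
get_ssh_port() {
    awk 'tolower($1)=="port" {print $2; exit}' "$1" | grep . || echo 22
}

# set_ssh_port FILE PORT: replace the first active Port line, drop any
# extra ones, or insert a new line before the first Match block (or at the
# end) when there is none. Keeps FILE.bak. Prints the resulting port.
set_ssh_port() {
    file=$1; port=$2
    case $port in
        ''|*[!0-9]*) echo "port must be numeric" >&2; return 2 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range" >&2; return 2
    fi
    cp "$file" "$file.bak"
    awk -v p="$port" '
        tolower($1)=="port" { if (!done) { print "Port " p; done=1 }; next }
        tolower($1)=="match" && !done { print "Port " p; done=1 }
        { print }
        END { if (!done) print "Port " p }' "$file.bak" > "$file"
    get_ssh_port "$file"
}

# validate_and_restart FILE: only restart when sshd accepts the config
validate_and_restart() {
    if command -v sshd >/dev/null 2>&1; then
        sshd -t -f "$1" || { echo "config invalid, not restarting" >&2; return 1; }
    fi
    systemctl restart sshd
}

# centos_open_port PORT: SELinux port label and firewalld opening needed on
# CentOS 7+ before sshd can bind a non-default port and clients can reach it
centos_open_port() {
    semanage port -a -t ssh_port_t -p tcp "$1" 2>/dev/null \
        || semanage port -m -t ssh_port_t -p tcp "$1"
    firewall-cmd --permanent --add-port="$1/tcp" && firewall-cmd --reload
}

# Usage: ./ssh_port.sh 2222 [/etc/ssh/sshd_config]
if [ "$#" -gt 0 ]; then
    cfg=${2:-/etc/ssh/sshd_config}
    set_ssh_port "$cfg" "$1" && centos_open_port "$1" && validate_and_restart "$cfg"
fi
```

Keep the existing SSH session open until you have confirmed a new connection on the new port works; an open session survives the restart and lets you revert from the .bak copy.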

Upgrade Firmware on Ubiquiti Airmax Equipment from the Command Line/SSH

Upgrading the firmware via the command line is super easy.  The basic steps are:

  1. Upload firmware file to radio using ftp, scp, or download directly to radio using wget
  2. Move the firmware file to /tmp and rename it to fwupdate.bin
  3. Upgrade the firmware by running
ubntbox fwupdate.real -m fwupdate.bin

More detailed explanation

Downloading Firmware to Radio

There are a couple of ways to get the firmware uploaded to the radio

  1. Download it from Ubiquiti’s website and upload it via ftp, scp, FileZilla or the like
  2. Download directly to the radio using wget

Using wget

SSH into the radio.  Change the username and IP address as needed.

ssh ubnt@

cd to the /tmp directory

cd /tmp

Find the firmware file on Ubiquiti’s website, accept the terms, copy the link and paste it into the terminal after wget.  Replace the link below with the appropriate firmware link.


Installing Firmware

Rename firmware

mv *.bin fwupdate.bin

Start the upgrade

ubntbox fwupdate.real -m fwupdate.bin

The radio will now upgrade and reboot

Another method: using the UBNTMOD script

Another way to upgrade a radio’s firmware from the command line is to use the UBNTMOD tool.  More info on the UBNTMOD script is available here.

Make sure you have the firmware downloaded to your computer, then run the script with the “-U” upgrade option.


bob@localhost:~$ ./ -i -U WA.v8.4.2.35930.171017.1722.bin

Run Speedtest on Ubiquiti Devices from Command Line

This utilizes iperf to test the speed between two Ubiquiti devices.

SSH into the first device and start an iperf server on it

iperf -s

SSH into the second device and run the following command to start the speed test.  Change the IP address to the iperf server’s IP.

iperf -c -P5

The “-P” option runs 5 parallel client threads, which makes the test a little more realistic.


XM.v5.6.9# iperf -c -P5
Client connecting to, TCP port 5001
TCP window size: 16.0 KByte (default)
[  5] local port 51493 connected with port 5001
[  9] local port 51497 connected with port 5001
[  6] local port 51494 connected with port 5001
[  8] local port 51496 connected with port 5001
[  7] local port 51495 connected with port 5001

[ ID] Interval       Transfer     Bandwidth
[  9]  0.0-10.0 sec  4.91 MBytes  4.12 Mbits/sec
[ ID] Interval       Transfer     Bandwidth
[  6]  0.0-10.0 sec  4.97 MBytes  4.16 Mbits/sec
[ ID] Interval       Transfer     Bandwidth
[  8]  0.0-10.0 sec  4.86 MBytes  4.08 Mbits/sec
[ ID] Interval       Transfer     Bandwidth
[  7]  0.0-10.0 sec  4.94 MBytes  4.13 Mbits/sec
[ ID] Interval       Transfer     Bandwidth
[  5]  0.0-10.0 sec  5.00 MBytes  4.19 Mbits/sec
[SUM]  0.0-10.0 sec  24.7 MBytes  20.7 Mbits/sec


How To export private SSH key on Linux

All that needs to be done is to copy the “id_rsa” private key to the “new” host.  You can do this with scp or sftp.

Example with SCP

The following examples show how to export an RSA private key; if you’re using DSA, replace id_rsa with id_dsa.

Copy the private key from the remote server to the local machine, for the local user

scp root@ ~/.ssh/

Copy the private key from localhost to the remote host.  This command copies the local user’s private key to the root user on the remote host.

scp ~/.ssh/id_rsa root@
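A copied key is only usable if it lands with the permissions ssh insists on: ssh ignores a private key that is readable by group or others and prints "Permissions 0644 for 'id_rsa' are too open", and the .ssh directory should be mode 700. The script below is an added example, not from the original post: it checks a key file after the copy and, if needed, applies the expected modes. It assumes GNU stat; the default path is the id_rsa location used in the post.

```shell
#!/bin/sh
# Added example (not from the original post): verify and fix the permissions
# of a private key that has just been copied to this host.

# check_private_key [FILE] -> 0 if FILE looks like a private key, is owned by
# the caller, is mode 600 or 400, and its directory is mode 700
check_private_key() {
    key=${1:-$HOME/.ssh/id_rsa}
    [ -f "$key" ] || { echo "no such file: $key"; return 2; }
    # PEM (BEGIN RSA/DSA PRIVATE KEY) and the newer OPENSSH PRIVATE KEY
    # format both start with this banner
    if ! head -n 1 "$key" | grep -q -e '-----BEGIN .*PRIVATE KEY-----'; then
        echo "not a private key: $key"; return 1
    fi
    info=$(stat -c '%u %a' "$key")
    uid=${info% *}; mode=${info#* }
    if [ "$uid" != "$(id -u)" ]; then
        echo "bad owner on $key (uid $uid, expected $(id -u))"; return 1
    fi
    case $mode in
        600|400) ;;
        *) echo "bad mode $mode on $key, expected 600 or 400"; return 1 ;;
    esac
    dir=$(dirname "$key")
    dmode=$(stat -c '%a' "$dir")
    case $dmode in
        700) ;;
        *) echo "bad mode $dmode on $dir, expected 700"; return 1 ;;
    esac
    echo "ok: $key"
    return 0
}

# fix_key_perms [FILE]: apply the modes ssh expects, then re-check
fix_key_perms() {
    key=${1:-$HOME/.ssh/id_rsa}
    chmod 700 "$(dirname "$key")"
    chmod 600 "$key"
    check_private_key "$key"
}

# Usage: ./check_key.sh ~/.ssh/id_rsa
if [ "$#" -gt 0 ]; then
    check_private_key "$1" || fix_key_perms "$1"
fi
```

scp preserves the file mode only with -p, so a key copied without it picks up the destination umask; running the check after the copy catches that before the first failed login.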


Allow SSH access from a specific host using hosts.allow and hosts.deny on Linux

This is just a quick write-up on the hosts.allow and hosts.deny files.  Look up “spawn” and/or “twist” for more advanced usage.


To limit SSH access to an IP address or an IP range, do the following.

Deny all incoming requests for SSH

Edit the “hosts.deny” file

vi /etc/hosts.deny

add the following line

sshd : ALL

Now edit “hosts.allow” and allow the client IP, or IP range to access SSH

vi /etc/hosts.allow

add the following line to allow a single IP

sshd :

If you want to allow the whole subnet, then replace the above line with this one

sshd : 192.168.1.

hosts.allow is checked first, so it overrides hosts.deny: deny everything in hosts.deny and then list the exceptions in hosts.allow.  A client that matches neither file is allowed, which is why the deny-all line is needed.
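To make the evaluation order concrete, here is an added example (not from the original post) that emulates the tcp_wrappers decision for sshd against constructed hosts.allow and hosts.deny contents. It handles only the forms the post uses (ALL, a single IP, and a "192.168.1." prefix); real libwrap also supports netmasks, hostnames, EXCEPT, spawn and twist. The file paths and sample addresses are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): simplified tcp_wrappers
# decision logic. Order: a match in hosts.allow grants, otherwise a match in
# hosts.deny refuses, otherwise access is granted.

# match_client PATTERN IP -> 0 if PATTERN matches IP
match_client() {
    pat=$1; ip=$2
    case $pat in
        ALL) return 0 ;;
        *.)  # trailing dot means "prefix match", e.g. 192.168.1.
             case $ip in "$pat"*) return 0 ;; esac ;;
        *)   [ "$pat" = "$ip" ] && return 0 ;;
    esac
    return 1
}

# file_matches FILE DAEMON IP -> 0 if any "daemon_list : client_list" line
# in FILE matches both DAEMON and IP (lists are comma separated)
file_matches() {
    file=$1; daemon=$2; ip=$3
    [ -f "$file" ] || return 1
    while IFS= read -r line; do
        case $line in ''|\#*) continue ;; esac
        dlist=$(printf '%s' "${line%%:*}" | tr ',' ' ')
        clist=$(printf '%s' "${line#*:}" | tr ',' ' ')
        dmatch=1
        for d in $dlist; do
            if [ "$d" = "$daemon" ] || [ "$d" = ALL ]; then dmatch=0; fi
        done
        [ "$dmatch" -eq 0 ] || continue
        for c in $clist; do
            match_client "$c" "$ip" && return 0
        done
    done < "$file"
    return 1
}

# wrapper_decision DAEMON IP [ALLOWFILE] [DENYFILE]: prints allow or deny
wrapper_decision() {
    daemon=$1; ip=$2
    allow=${3:-/etc/hosts.allow}; deny=${4:-/etc/hosts.deny}
    if file_matches "$allow" "$daemon" "$ip"; then echo allow
    elif file_matches "$deny" "$daemon" "$ip"; then echo deny
    else echo allow
    fi
    return 0
}

# Demo with constructed files: deny-all for sshd, allow the 192.168.1.0/24 LAN
demo() {
    d=$(mktemp -d)
    printf 'sshd : ALL\n' > "$d/hosts.deny"
    printf '# allow the LAN\nsshd : 192.168.1.\n' > "$d/hosts.allow"
    for ip in 192.168.1.7 192.168.10.7 10.0.0.5; do
        printf '%s -> %s\n' "$ip" "$(wrapper_decision sshd "$ip" "$d/hosts.allow" "$d/hosts.deny")"
    done
    rm -r "$d"
}
demo
```

The 192.168.10.7 case is the one worth noticing: it is denied because "192.168.1." is matched as a literal prefix including the dot, which is exactly why the trailing dot in the post's subnet line matters.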

How to install WordPress via ssh

A quick look at the commands.  Skip below for an explanation of each command.

cd ~/
tar zxvf latest.tar.gz
vi wordpress/wp-config.php   <-- Edit MySQL settings
mv wordpress/ /var/www/html/
steve@localhost ~: chrome


SSH into your webserver


Download the latest version of WordPress

cd ~/ && wget

Extract the WordPress archive

tar zxvf latest.tar.gz

Create MySQL database and user

Refer to here if you want to do it from the command line.  The recommended way is through your web control panel i.e. cPanel, Plesk, EHCP etc.

Edit wp-config.php

Enter in the DB information.

vi wordpress/wp-config.php

Move WordPress files to web directory

mv wordpress/* /path/to/webdir

If you want to install WordPress inside a subdirectory on your website, i.e. instead of going to “” to access your WordPress site you go to “”, then create a subdirectory in your root web directory and move the WordPress files there.

Open up a browser and go to your website to finish the WordPress installation.


Set up ssh keys in zenoss 5

Here are the basic steps for setting up ssh keys for Zenoss.

  1. Log into the zenoss server
  2. Open up docker container
  3. Change to zenoss user
  4. Generate ssh keys
  5. Upload ssh keys
  6. Exit out of container
  7. Commit container


[root@zenoss ~]# serviced service shell -s AddingSSHkey -i zope bash
I0709 3:02:47.791788 01773 server.go:341] Connected to the control center at port
I0709 3:02:48.127949 01773 server.go:435] Acquiring image from the dfs...
I0709 3:02:48.131438 01773 server.go:437] Acquired!  Starting shell
Trying to connect to logstash server...
Connected to logstash server.
[root@321feeg2253a /]# su zenoss
[zenoss@321feeg2253a /]$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/zenoss/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/zenoss/.ssh/id_dsa.
Your public key has been saved in /home/zenoss/.ssh/
The key fingerprint is:
12:ab:14:d5:54:09:d3:1f:f7:12:21:ae:hd:16:a5:1b zenoss@321feeg2253a
The key's randomart image is:
+--[ DSA 2048]----+
|     =====F      |
|    S+== + AA    |
|  A=+=++  +      |
| AB= .. + =      |
|  ++S S  +.      |
|   ..    -       |
|                 |
|                 |
|                 |
[zenoss@321feeg2253a /]# ssh-copy-id admin@
The authenticity of host ' (' can't be established.
RSA key fingerprint is 12:ab:14:d5:54:09:d3:1f:f7:12:21:ae:hd:16:a5:1b.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
admin@'s password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'admin@'"
and check to make sure that only the key(s) you wanted were added.

[zenoss@321feeg2253a /]# exit
[root@321feeg2253a /]# exit
[root@zenoss ~]# serviced snapshot commit AddingSSHkey
[root@zenoss ~]# exit