SFTP users, firewall, and compliance in one terminal app

sftp-jailer

Many companies use SFTP to exchange data safely. sftp-jailer gives operators a user-friendly terminal interface to create chrooted users, manage SSH keys and password aging, allow fixed partner IP addresses, inspect logs, and tighten firewall access step by step.

Self-hosted Open Source tooling for progressive IP-allowlist lockdown and compliance evidence.

  • User Management
  • Password Aging
  • Firewall
  • Compliance evidence
  • Self-hosted
  • Open Source
  • Go project
  • GNU GPLv3
  • Ubuntu 24.04 LTS
  • Debian 13 (Trixie)
  • More Linux distributions on request

Operating surface

User management, firewall, and compliance evidence stay connected

User Management

Manage chrooted SFTP users, SSH keys, password aging, and ownership so every integration has an accountable access path.

Firewall

Progressively lock down source IP allowlists and generate firewall enforcement from reviewed user access.

Compliance

Use logs, reviewed allowlists, and GPLv3 source availability as audit evidence without claiming formal certification.

Problem

Legacy SFTP access tends to stay permissive

Permissive firewall rules, stale SSH keys, unmanaged users, unclear source IP ownership, and weak audit visibility add up over time. sftp-jailer gives operators a path from permissive legacy access to reviewed per-user source IP allowlists without guessing which partner traffic still needs to work.

Before

Permissive legacy SFTP access

After

Reviewed per-user source IP allowlists

Workflow

From observed access to enforced allowlists

  1. Learn

    Learning mode observes existing source IPs before enforcement so teams can migrate without breaking partner transfers.

  2. Review

    Operators connect observed source IPs with users and SSH keys before anything becomes trusted.

  3. Whitelist

    Approved per-user source IPs become the allowlist that defines who may connect.

  4. Enforce

    sftp-jailer configures firewall rules from reviewed allowlists and fits inside existing firewall governance.

  5. Audit

    Operational logs and visibility show what is active without implying formal compliance certification.
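The Learn and Review steps can be pictured with the following added Go sketch, which is not sftp-jailer's own code: it assumes OpenSSH-style "Accepted ..." auth log lines, collects the source IPs each user actually logged in from, and lists the pairs that no reviewed allowlist entry covers yet. The names `Pair`, `Observe`, and `Pending`, the user names, and the log lines are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/netip"
	"regexp"
	"sort"
)

// Constructed sample lines in OpenSSH's auth log format (documentation IPs).
var sampleLog = []string{
	"May 04 02:10:11 dmz sshd[811]: Accepted publickey for partner_a from 203.0.113.10 port 50122 ssh2: ED25519 SHA256:constructed",
	"May 05 02:10:09 dmz sshd[1200]: Accepted publickey for partner_a from 203.0.113.99 port 50340 ssh2: ED25519 SHA256:constructed",
	"May 05 02:40:19 dmz sshd[1244]: Accepted password for partner_b from 198.51.100.7 port 41810 ssh2",
	"May 05 03:00:00 dmz sshd[1290]: Failed password for partner_b from 192.0.2.44 port 40000 ssh2",
}
var accepted = regexp.MustCompile(`Accepted \S+ for (\S+) from (\S+) port \d+`) // successful logins only

type Pair struct{ User string; IP netip.Addr } // one observed (user, source IP) combination

// Observe counts successful logins per (user, source IP); this is the Learn step.
func Observe(lines []string) map[Pair]int {
	seen := map[Pair]int{}
	for _, l := range lines {
		if m := accepted.FindStringSubmatch(l); m != nil {
			if ip, err := netip.ParseAddr(m[2]); err == nil {
				seen[Pair{m[1], ip}]++
			}
		}
	}
	return seen
}

// Pending lists observed pairs not covered by a reviewed per-user prefix (Review input).
func Pending(seen map[Pair]int, reviewed map[string][]netip.Prefix) []string {
	var out []string
	for p, n := range seen {
		covered := false
		for _, pre := range reviewed[p.User] {
			covered = covered || pre.Contains(p.IP)
		}
		if !covered {
			out = append(out, fmt.Sprintf("%s %s logins=%d", p.User, p.IP, n))
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	fmt.Println(Pending(Observe(sampleLog), map[string][]netip.Prefix{"partner_a": {netip.MustParsePrefix("203.0.113.10/32")}}))
}
```

Failed logins are ignored on purpose, so probing traffic never shows up as an allowlist candidate; only pairs an operator approves would feed the Whitelist and Enforce steps.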

[Diagram: Learning mode on a DMZ SFTP host. Elements: Partner source IP, DMZ SFTP host, sftp-jailer, Firewall rules, Users and SSH keys, Operational logs.]

DMZ fit

Built for a hardened SFTP host at the network edge

sftp-jailer fits a DMZ SFTP host with managed source IP access and firewall enforcement boundaries. It configures firewall rules from reviewed allowlists and fits inside existing firewall governance.

Platform and source

Initial support stays explicit

Ubuntu 24.04 LTS and Debian 13 (Trixie) are the initial supported platforms.

More Linux distributions can be supported upon request after testing.

Inspect the Go source on GitHub