Is SFTP better than FTPS?

First of all, it is important to say that there is a lot of confusion when it comes to secure file transfer protocols: surprisingly, most people think that SFTP and FTPS are “the same thing”. Many others think that SFTP is “Secure FTP”, which it is not, and that FTPS is just a typo for SFTP (“you meant SFTP, right?”). So, once and for all, let’s try to shed some clarity on what these protocols really are:

  • SFTP: the acronym stands for SSH File Transfer Protocol, and – as the name itself says – it is a subsystem of the SSH (Secure Shell) protocol
  • FTPS: it is a “secured” version of the FTP protocol, encapsulated inside an SSL or TLS channel (just like HTTPS, SMTPS, IMAPS, POP3S, …)

So, which one is better? As always, it depends on many other factors. Each protocol was designed to perform at its best in certain scenarios, so depending on what exactly you have to accomplish, either one may be better or worse in your particular case. Let’s look at some of the distinctive features of both protocols, so that we have enough information to make an educated choice when the time comes.

Keeping hackers out of your SFTP server

Most SSH(2) and SFTP servers have some sort of built-in countermeasure against the most common attacks. Although some free solutions may be completely defenseless, the vast majority of corporate-grade SFTP servers are capable of protecting themselves against – at least – the following threats:

  • DoS (and in some cases DDoS)
  • Hammering
  • Brute-force
  • Password harvesting
  • Protocol violations

All of the above protection mechanisms (except the one against “protocol violations”) assume that the attacker is someone from the outside who is trying to either break in and gain control of your machine, or simply tear it down and cause a service interruption.

The last bullet point, though, is far more interesting, as it takes into account that the “attacker” (who might not even be a real attacker) may be a legitimate user of your SSH/SFTP server, with valid authentication credentials, who sends wrongly formatted commands after he or she has successfully logged in.

How to run a HIPAA compliant SFTP server

Some people believe that simply switching from FTP to SFTP will make their file transfers compliant with the HIPAA regulation. Well, that is actually not enough. Whether you are compliant or not strongly depends on how you configure your SFTP server’s security settings.

First of all, it is important to understand that SFTP is not a stand-alone protocol; it is actually a subsystem of the SSH protocol, and therefore securing your SFTP file transfers means making sure that the SSH channel around them is secure.

SSH is a very fine-grained protocol when it comes to security; in fact, it features a very effective “security scheme negotiation” upon connection establishment. During this phase, the client and the server negotiate from a range of supported encryption (protection) and MAC (verification) algorithms. If the server offers some weak algorithms during this phase, and the client elects to use one of them, then the security level drops tremendously, and HIPAA compliance is gone.
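As an added example (not code from the original post or from any particular SFTP product), the following script performs the check this passage calls for: it reads the algorithm lists an sshd_config-style file offers and reports any that match a constructed list of weak ciphers, MACs and key-exchange methods. The directive names follow OpenSSH's sshd_config; the two sample configurations are constructed for this example.

```python
import re

# Algorithms commonly treated as weak by SSH hardening guides (a constructed
# list for this example; align it with the policy your HIPAA assessor accepts).
WEAK_ALGORITHMS = {
    "Ciphers": {"arcfour", "arcfour128", "arcfour256", "3des-cbc",
                "blowfish-cbc", "aes128-cbc", "aes256-cbc"},
    "MACs": {"hmac-md5", "hmac-md5-96", "hmac-sha1-96"},
    "KexAlgorithms": {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1"},
}

def audit_sshd_config(text):
    """Map each negotiation directive to the weak algorithms it offers.
    Value is a sorted list (empty = clean) or an explanatory string when the
    directive is absent or uses a +/-/^ modifier, i.e. it depends on the
    server's built-in default list and must be checked by hand."""
    offered = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments; blank lines yield no parts
        parts = re.split(r"[\s=]+", line, maxsplit=1) if line else []
        if len(parts) == 2:
            for directive in WEAK_ALGORITHMS:
                if parts[0].lower() == directive.lower():
                    offered[directive] = parts[1].strip()
    findings = {}
    for directive, weak in WEAK_ALGORITHMS.items():
        value = offered.get(directive)
        if not value:
            findings[directive] = "not set (server default applies)"
        elif value[0] in "+-^":
            findings[directive] = "modifies server default (%s); check defaults" % value[0]
        else:
            algs = {a.strip() for a in value.split(",") if a.strip()}
            findings[directive] = sorted(algs & weak)
    return findings

# Constructed sample: still offers a legacy CBC cipher, 3DES and an MD5 MAC
SAMPLE_WEAK = """\
Subsystem sftp internal-sftp
Ciphers aes256-gcm@openssh.com,aes128-cbc,3des-cbc   # kept for legacy clients
MACs hmac-sha2-256,hmac-md5
"""

# Constructed sample: the hardened equivalent of the lines above
SAMPLE_HARDENED = """\
Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
KexAlgorithms curve25519-sha256
"""
```

Run `audit_sshd_config(open("/etc/ssh/sshd_config").read())` against a real server file; an empty list for every directive means no algorithm on the weak list is offered, while any string result points at a default list that still needs to be verified.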

Why should your SFTP Server be “scriptable”?

Scripting is a well-known technique for extending the functionality of systems or software by adding short portions of code, usually written in an easy, high-level language, often referred to as a “scripting language”.

JavaScript, for example, was born with exactly this intent in mind. The purpose was to extend the (back then very static) behavior of web pages, using short programs that would run directly within the browser itself. Since then, JavaScript has come a very long way, and today it can probably be considered a full-blown programming language (although it still retains features, like “late binding”, that make it suitable for quick script crafting).

But scripting as a technique is still widely used by system administrators, in the form of Batch/PowerShell scripts in Windows environments, or shell scripts in Unix-like environments.

From a software designer’s perspective, adding scripting capabilities to a computer program means letting users freely extend it and make it perform that one “additional custom step” the original designer could never have thought of, simply because it addresses a very specific issue or need that is unique to that user.

Keeping the above in mind, it is easy to argue that an SFTP server is much more than just a tool that transfers files from one point to another while rendering interception useless. An SFTP server is actually a living ecosystem where files reside and are moved, copied, audited, analyzed, …

SFTP Server on Windows: how to install

Installing an SFTP server on the Windows operating system can be easy and straightforward. There are several options, but in this article we will focus on how to install Server! and configure it for first use.

First of all, we have to download Server!, making sure we download the version that matches the bit-length of our operating system (32 or 64 bit).

Now, before we install the software, we need to make sure that nothing is going to conflict with it. For example, we need to make sure that no other SSH or SFTP server is running on the same computer. Furthermore, since Server! also implements the FTP(S) protocol family, we need to make sure that the FTP server feature of IIS (Internet Information Services) is disabled or – even better – not installed.