Category Archives: Configuration

Keeping hackers out of your SFTP server

Most SSH (SSH-2) and SFTP servers have some built-in countermeasure against the most common attacks. Some free products may be completely defenseless, but the vast majority of corporate-grade SFTP servers can protect themselves against at least the following threats:

  • DoS (and in some cases DDoS)
  • Hammering (rapid, repeated connection attempts from the same source)
  • Brute-force
  • Password harvesting
  • Protocol violations

All of the above protection mechanisms (except the one against “protocol violations”) assume that the attacker is an outsider who is trying either to break in and gain control of your machine, or simply to take it down and cause a service interruption.

The last bullet point, though, is far more interesting, as it takes into account that the “attacker” (who might not even be a real attacker) may be a legitimate user of your SSH/SFTP server, with valid authentication credentials, who sends malformed commands after he/she has successfully logged in.
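The hammering, brute-force and password-harvesting countermeasures listed above all boil down to the same logic: count authentication failures per source address inside a sliding time window, and notice when one address cycles through many usernames. The following is an added example of that logic (not code from the page or from any product it mentions), run over constructed OpenSSH-style `sshd` log lines; the thresholds, the window length and the “three distinct usernames means harvesting” rule are assumptions chosen for illustration.

```python
"""Sliding-window brute-force / password-harvesting detector over sshd-style
syslog lines.  Added example; the thresholds are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines (not real logs); one source hammers several
# accounts, one legitimate user mistypes a password twice, minutes apart.
SAMPLE_LOG = """\
Mar  3 10:00:01 sftp01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Mar  3 10:00:02 sftp01 sshd[2202]: Failed password for invalid user oracle from 203.0.113.7 port 40123 ssh2
Mar  3 10:00:02 sftp01 sshd[2203]: Failed password for invalid user test from 203.0.113.7 port 40124 ssh2
Mar  3 10:00:03 sftp01 sshd[2204]: Failed password for root from 203.0.113.7 port 40125 ssh2
Mar  3 10:00:04 sftp01 sshd[2205]: Failed password for root from 203.0.113.7 port 40126 ssh2
Mar  3 10:00:15 sftp01 sshd[2210]: Accepted publickey for backup from 198.51.100.20 port 51000 ssh2
Mar  3 10:01:30 sftp01 sshd[2220]: Failed password for alice from 198.51.100.21 port 52000 ssh2
Mar  3 10:05:30 sftp01 sshd[2221]: Failed password for alice from 198.51.100.21 port 52001 ssh2
"""

# Matches the authentication result lines sshd writes; other lines are ignored.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<event>Failed password|Accepted \w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def analyze(log_text, max_failures=5, window_seconds=60, harvest_users=3):
    """Return {'banned': {ip: timestamp_of_ban}, 'harvesting': [ip, ...]}.

    An address is banned the moment it reaches `max_failures` failed logins
    within any `window_seconds` span; it is flagged as harvesting when its
    failures name at least `harvest_users` distinct accounts."""
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    users = defaultdict(set)        # ip -> usernames it failed against
    banned = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m["event"].startswith("Failed"):
            continue
        # Syslog timestamps carry no year; relative ordering is all we need.
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        ip = m["ip"]
        users[ip].add(m["user"])
        recent = failures[ip]
        recent.append(ts)
        while (ts - recent[0]).total_seconds() > window_seconds:
            recent.popleft()        # drop failures that fell out of the window
        if len(recent) >= max_failures and ip not in banned:
            banned[ip] = m["ts"]
    harvesting = sorted(ip for ip, names in users.items() if len(names) >= harvest_users)
    return {"banned": banned, "harvesting": harvesting}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

With the defaults, 203.0.113.7 is banned at its fifth failure and flagged for harvesting (admin, oracle, test, root), while 198.51.100.21 never accumulates two failures inside one minute and is left alone; tightening the window or the threshold changes that verdict, which is exactly the tuning a server's built-in protection exposes as settings.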

How to run a HIPAA compliant SFTP server

Some people believe that simply switching from FTP to SFTP will make their file transfers compliant with the HIPAA regulation. That is actually not enough. Whether you are compliant or not depends heavily on how you configure your SFTP server’s security settings.

First of all, it is important to understand that SFTP is not a stand-alone protocol: it is a subsystem of the SSH protocol, and therefore securing your SFTP file transfers means making sure that the SSH channel around them is secure.

SSH is a very fine-grained protocol when it comes to security; in fact it performs an effective “security scheme negotiation” upon connection establishment. During this phase, the client and the server each send their lists of supported encryption (confidentiality) and MAC (integrity) algorithms, and the one chosen is the first entry in the client’s list that the server also offers. If the server offers weak algorithms during this phase and the client prefers one of them, the security level drops dramatically, and HIPAA compliance is gone. The server cannot rely on the client to choose well: the only reliable fix is to remove the weak algorithms from the server’s offer.
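The following is an added example, not code from the page or from any SSH product it mentions, that simulates the cipher and MAC negotiation rule of RFC 4253 section 7.1 against two server configurations: one that still offers legacy algorithms and one that does not. The `sshd_config`-style snippets, the client preference lists and the `WEAK` name set are constructed for illustration and are not a recommendation for any particular product.

```python
"""Simulate SSH-2 cipher/MAC negotiation (RFC 4253, section 7.1) to show
that the server's offered lists, not the client's, set the security floor.
Added example; the weak-name set and the sample configs are assumptions."""

# Assumption: names that hardening guides commonly treat as weak
# (RC4, CBC modes, MD5-based and truncated MACs).
WEAK = {
    "arcfour", "arcfour128", "arcfour256",
    "3des-cbc", "blowfish-cbc", "cast128-cbc",
    "aes128-cbc", "aes192-cbc", "aes256-cbc",
    "hmac-md5", "hmac-md5-96", "hmac-sha1-96",
}


def offer_from_config(text):
    """Read the Ciphers/MACs directives of an OpenSSH-style sshd_config and
    return the server's offer as {'ciphers': [...], 'macs': [...]} in the
    configured order.  As in sshd, the first occurrence of a directive wins."""
    offer = {"ciphers": None, "macs": None}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1]
        if key in offer and offer[key] is None:
            offer[key] = [n.strip() for n in value.split(",") if n.strip()]
    return {k: v or [] for k, v in offer.items()}


def negotiate(client_list, server_list):
    """RFC 4253 7.1: the chosen algorithm is the first name on the client's
    list that also appears on the server's list; None means no agreement."""
    server = set(server_list)
    return next((name for name in client_list if name in server), None)


def negotiate_session(client, server):
    """Negotiate cipher and MAC for one connection.  No common algorithm
    means the connection is torn down (SSH_MSG_DISCONNECT), modelled here
    as a ValueError."""
    chosen = {}
    for key in ("ciphers", "macs"):
        name = negotiate(client[key], server[key])
        if name is None:
            raise ValueError(f"no common {key}: connection must be dropped")
        chosen[key] = name
    return chosen


def weak_in_offer(offer):
    """Audit a server offer: every weak name present is a downgrade path
    that any client may take simply by preferring it."""
    return sorted((set(offer["ciphers"]) | set(offer["macs"])) & WEAK)


# Constructed sample configs (assumption: OpenSSH directive syntax).
LEGACY_CONFIG = """
# permissive lists carried over from an old install
Ciphers aes256-ctr,aes128-ctr,aes256-cbc,3des-cbc,arcfour
MACs    hmac-sha2-256,hmac-sha1,hmac-md5
"""
HARDENED_CONFIG = """
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
MACs    hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-256
"""
LEGACY_SERVER = offer_from_config(LEGACY_CONFIG)
HARDENED_SERVER = offer_from_config(HARDENED_CONFIG)

# A client (say, an old library) that prefers weak algorithms but can do better.
OLD_CLIENT = {"ciphers": ["arcfour", "3des-cbc", "aes256-ctr"],
              "macs": ["hmac-md5", "hmac-sha2-256"]}

if __name__ == "__main__":
    print("weak names in legacy offer:", weak_in_offer(LEGACY_SERVER))
    print("legacy server   ->", negotiate_session(OLD_CLIENT, LEGACY_SERVER))
    print("hardened server ->", negotiate_session(OLD_CLIENT, HARDENED_SERVER))
```

Against the legacy offer the same client lands on `arcfour` with `hmac-md5`; against the hardened offer it is pushed up to `aes256-ctr` with `hmac-sha2-256` without any change on the client side, and a client that can only speak the weak algorithms is refused outright rather than accommodated. On OpenSSH the server-side lists are the `Ciphers` and `MACs` directives in `sshd_config`, and `ssh -Q cipher` and `ssh -Q mac` print the names a given build supports; other SFTP servers expose the same two lists under their own settings.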

SFTP Server on Windows: how to install

Installing an SFTP server on the Windows operating system can be easy and straightforward. There are several options, but in this article we will focus on how to install Server! and configure it for first use.

First of all, we have to download Server!, making sure we download the build that matches the bitness of our operating system (32- or 64-bit).

Now, before we install the software, we need to make sure that nothing is going to conflict with it. For example, we need to make sure that no other SSH or SFTP server is running on the same computer. Furthermore, since Server! also implements the FTP(S) protocol family, we need to make sure that the FTP server feature of IIS (Internet Information Services) is disabled or, even better, not installed.
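The two checks above (matching bitness, and no other SSH/SFTP or FTP service already on the box) can be scripted as a pre-flight test before the installer is run. The following is an added example, not part of the page or of Server!; the port numbers (22 for SSH/SFTP, 21 for FTP, 990 for implicit FTPS) and the “machine type name ends in 64” bitness heuristic are assumptions. Binding each port on the wildcard address fails if anything else, such as an existing `sshd` or the IIS FTP service, already owns it.

```python
"""Pre-install conflict check for an SSH/SFTP + FTP(S) server host.
Added example; the port list and bitness heuristic are assumptions."""
import platform
import socket

# Ports the new server will want to own (assumption, adjust to your setup).
SFTP_PORTS = {"ssh/sftp": 22, "ftp": 21, "ftps (implicit)": 990}


def os_bits():
    """Heuristic OS bitness from the machine type: 'AMD64', 'x86_64',
    'ARM64', 'aarch64' -> 64; 'x86', 'i686', 'armv7l' -> 32."""
    return 64 if platform.machine().lower().endswith("64") else 32


def port_conflicts(ports, host=""):
    """Try to bind each TCP port on the wildcard address.  A bind failure
    means another service already listens there.  Returns {port: reason}
    for ports that are not free; an empty dict means all are free."""
    conflicts = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
            try:
                sock.bind((host, port))
            except PermissionError:
                # Low ports on some systems need elevation just to probe.
                conflicts[port] = "permission denied; re-run elevated to check"
            except OSError as exc:
                conflicts[port] = f"in use ({exc.strerror})"
    return conflicts


def preflight(expected_bits, ports=SFTP_PORTS):
    """Aggregate the checks into a go/no-go verdict plus the findings."""
    findings = []
    actual = os_bits()
    if actual != expected_bits:
        findings.append(f"downloaded the {expected_bits}-bit build on a {actual}-bit OS")
    for name, port in ports.items():
        reason = port_conflicts([port]).get(port)
        if reason:
            findings.append(f"{name} port {port} is not free: {reason}")
    return {"ok": not findings, "findings": findings}


if __name__ == "__main__":
    print(preflight(expected_bits=64))
```

A non-empty `findings` list means stop and remove the conflicting service first; on Windows the IIS FTP service itself is disabled or uninstalled through “Turn Windows features on or off”, and the port probe only tells you whether it is still listening.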