Category Archives: Scripting

Keeping hackers out of your SFTP server

Most SSH(2) and SFTP servers have some sort of built-in countermeasure against the most common attacks. Although some free solutions may be completely defenseless, the vast majority of corporate-grade SFTP servers are usually capable of protecting themselves against – at least – the following threats:

  • DoS (and in some cases DDoS)
  • Hammering
  • Brute-force
  • Password harvesting
  • Protocol violations

All of the above protection mechanisms (except the one against “protocol violations”) assume that the attacker is someone from the outside who is trying to either break in and gain control of your machine, or simply tear it down and cause a service interruption.

The last bullet point, though, is far more interesting, as it takes into account that the “attacker” (who might not even be a real attacker) may be a legitimate user of your SSH/SFTP server, with valid authentication parameters, who sends wrongly formatted commands after he/she has successfully logged in.

Why should your SFTP Server be “scriptable”?

Scripting is a well-known technique to extend the functionality of systems or software by adding short portions of code, usually written in an easy, high-level language, often referred to as a “scripting language”.

JavaScript, for example, was born with such an intent in mind. The purpose was to extend the (back then very static) behavior of web pages, using short programs that would run directly within the browser itself. Since then, JavaScript has gone very far, and today it can probably be considered a full-blown programming language (although it still retains features, like “late binding”, that make it suitable for quick script crafting).

But scripting as a technique is still widely used by system administrators, in the form of Batch/PowerShell scripts in Windows environments, or shell scripts in Unix-like environments.

From a software designer’s perspective, adding scripting capabilities to a computer program means leaving users free to extend it and make it perform that one “additional custom step” the original designer could never have thought of, simply because it addresses a very specific issue or necessity that is unique to that particular user.

Keeping the above in mind, it’s easy to maintain that an SFTP server is much more than just a tool that transfers files from one point to another while rendering interception useless. An SFTP server is actually a living ecosystem where files reside, are moved, copied, audited, analyzed, …