Category Archives: Security

Is SFTP better than FTPS?

Published by:

First of all, it’s important to say that there is a lot of confusion when it comes to secure file transfer protocols: surprisingly most people think that SFTP and FTPS are “the same thing”. Many other people think that SFTP is “Secure FTP”, which is not, and FTPS is just “you meant SFTP, right?”. So, once and for all, let’s try to shed some clarity on what these protocols really are:

  • SFTP: the acronym stands for SSH File Stransfer Protocol, and – as the name says itself – it is a subsystem of the SSH (Secure Shell) protocol
  • FTPS: it is a “secured” version of the FTP protocol, encapsulated inside a SSL or TLS channel (just like HTTPS, SMTPS, IMAPS, POP3S, …)

So, which one is better? As always, it depends on many other factors. Each protocol was designed to perform at its best in certain particular scenarios, so depending on what exactly you have to accomplish, each one of them may be better or worse in the particular case. Let’s see some of the distinctive features of both protocols, so we can have enough information to make an educated choice in due time. Continue reading

Keeping hackers out of your SFTP server

Published by:

Most SSH(2) and SFTP servers have some sort of built-in countermeasure against the most common attacks. Although some free solutions may be completely defenseless, the vast majority of corporate-grade SFTP servers are usually capable of protecting themselves against – at least – the following threats:

  • DoS (and in some cases DDoS)
  • Hammering
  • Brute-force
  • Password harvesting
  • Protocol violations

All of the above protection mechanisms (except the one against “protocol violations”) assume that the attacker is someone from the outside who is trying to either break in and gain control of your machine, or simply tear it down and cause a service interruption.

The last bullet-point, though, is far more interesting, as it takes into account that the “attacker” (which might not even be a real attacker) may a legitimate user of your SSH/SFTP server, with valid authentication parameters, who sends wrongly formatted commands after he/she has successfully logged in. Continue reading

How to run a HIPAA compliant SFTP server

Published by:

Some people believe that simply switching from FTP to SFTP will make their file transfers compliant to the HIPAA regulation. Well, that’s actually not enough. Whether you’re compliant or not strongly depends on how you configure your SFTP server’s security settings.

First of all it is important to understand that SFTP is not a stand-alone protocol, it is actually a subsystem of the SSH protocol, and therefore securing your SFTP file transfers means making sure that the SSH channel that’s around them is secure.

SSH is a very fine-grained protocol when it comes to security, in fact it features a very effective “security scheme negotiation” upon connection establishment. During such phase, the client and the server negotiate a range of supported encryption (protection) and MAC (verification) algorithms. If the server offers some weak algorithms during such phase, and if the client elects to use one of them, then the security level drops tremendously, and HIPAA compliance is gone. Continue reading