In the new Syncplify.me Server! v4.0, there’s a quite handy feature that allows a one-click configuration of many security settings at once, depending on the virtual server’s intended usage scenario.

Here’s a brief explanation of what each preset configuration means and what to expect when you apply it:

• PCI2.0/HIPAA compliant configuration: this one is the recommended preset, as it offers a very high degree of security, with a broad support for many SFTP clients, even when such clients are not updated to the very latest version.
• Exceed PCI3.1 compliance: this preset guarantees the highest possible degree of security, but will most definitely break compatibility with your SFTP clients unless they are updated to the very latest version (and even in such case some clients simply don’t support ECDSA keys with EC/ECDH key exchange algorithms, so use this preset only if you really really know what you’re doing).
• Broader client compatibility: this configuration is less secure than the previous two, as it supports legacy/deprecated algorithms (like MD5 for example) but in some cases, when you need to support very old SFTP clients, you might need to apply this configuration.
• For Cisco UCM: this configuration is specifically designed to improve compatibility with Cisco’s Unified Communication Platform (UCP, UCM) so it’s ideal only when you wish to use Syncplify.me Server! as a backup target for your Cisco devices.

We have just released version 4.0.6 of our Syncplify.me Server! software. This version features the following improvements:

• Two distinct PCI-compliant configurations to prevent backward compatibility issues
• Better support for Internet Explorer (still not the recommended browser though)
• Fixed an issue with self-signed X.509 certificate serial numbers

As usual you can download this new release from our website.

We have just released version 4.0.7 of our Syncplify.me Server! software. This version features the following improvements:

• Fixed few glitches in the SuperAdmin (SA) interface relative to High-Availability (HA) deployments
• Better support for Internet Explorer (still not the recommended browser though)

We will also soon support older operating systems (Windows XP, Server 2003 and 2003R2, Vista). We will post a notice here on the knowledge base as soon as legacy OS installers are made available.

As usual you can download this new release from our website.

If you happen to forget the SuperAdmin (SA) password of your Syncplify.me Server! v4.0, you can reset it by following the procedure here below:

First of all you have to run the HTTP/REST Configuration Wizard. There’s a link in the Start menu to run it.

Once the HTTP/REST Configuration Wizard is run, you will see a “Forgot Password” button. Click it!

When you click the “Forgot Password” button, you’ll be given a long identification code that you need to send to us in order to receive your unique one-time SA password reset code.

At this point it’s important that you DO NOT CLOSE the Configuration Wizard.

Wait until someone from Syncplify technical support sends you a “reset code”. When you receive such “reset code” you can use it as a temporary (one-time) password to log in as SA.

Once logged in, follow the entire Wizard to reconfigure your HTTP/REST service, you’ll notice that one of the steps will ask you to set (in this case reset) your SA password. Set your new SA password to anything you like and complete the Wizard.

We have just released version 4.0.8 of our Syncplify.me Server! software. This version features the following improvements:

• Support for Windows XP, Server 2003, Server 2003 R2, and Vista
• Fixed a bug that prevented the import of user keys in RSA format
• Fixed a bug that prevented the correct behavior of AllowFTP, AllowFTPS, and AllowFTPES

As usual you can download this new release from our website.

After installing Syncplify.me Server! v4.0 you will be able to manage it securely via web interface over HTTPS.

Now, a very common choice is to use a self-signed certificate, because it saves money and if you know what you’re doing it doesn’t compromise security. This is, in fact, the default choice offered by the HTTP/REST Configuration Wizard, and the most common choice among Chief Technology Officers (according to our surveys).

But if you use a self-signed certificate, your browser will warn you that your connection may not be private or secure. That’s because self-signed certificates are often used for man-in-the-middle (MITM) attacks. But this is not the case, of course, because in this case this particular self-signed certificate was created by you and for you.

To get rid of this annoying message, you basically have 2 options:

1. Spend some money to buy a trusted X.509 (SSL/TLS) certificate from a Certification Authority like DigiCert, Comodo, Thawte, and the like.
2. Simply accept the self-signed certificate you have just created and add it to the trusted keychain of your browser.

If you have chosen option #2, here’s how you do it in Chrome:

This is how you do it in Firefox:

And this is how you do it in Microsoft Edge (Internet Explorer behaves similar to this):

Once you do that, you will be able to securely access Syncplify.me Server!’s web management interface

From Syncplify.me Server! v1 through v3 groups’ usernames used to start with a star/asterisk and then the group name enclosed within square brackets. For example the SFTP Users group would have the following username: *[SFTP Users]

In version 4 we have removed the star/asterisk, because we have introduced the concept of user type. Therefore in version 4 the SFTP Users group will be defined as follows.
Username: [sftp users]
User Type: Windows Group or Active Directory Group

We have just released version 4.0.9 of our Syncplify.me Server! software. This version features the following improvements:

• Added brand new “zero configuration” option to the HTTP/REST Configuration Wizard
• Added auto-selection of an alternate port for the HTTP/REST service if 443 is busy (without overwriting your IIS certificate)
• Fixed a bug in Active Directory Group support (also read this article)
• Fixed a stability bug in the REST API service which was affecting only Windows 2012 R2

As usual you can download this new release from our website.

The Virtual File System (VFS) instroduced in Syncplify.me Server! v4.0, comes with a long-awaited feature: quota management.

The Windows OS features a very powerful yet complicated quota management, but it’s only available in Windows Server editions and requires optional features to be installed, therefore we could not rely on that and we built our own quota management system which is cross-compatible with all Windows systems.

Now, the problem with quota management is that calculating the current size of a folder (along with its sub-folders) can be very time-consuming, if the folder contains millions and millions of files. So if we were to re-evaluate the size to enforce quota restrictions at every operation it could totally kill the performances. Our solution the Quota TTL, which is the Time-To-Live (TTL) of the quota cache, expressed in seconds. Basically, when Syncplify.me Server! calculates the current size of a folder structure, it will consider such result valid for QuotaTTL seconds, without re-evaluating it too often.

We also support two kinds of quota:

1. Soft Quota: if the soft quota is exceeded during a file transfer, the file that’s currently being transferred will be allowed to finish uploading, and will be kept; the next file upload will be denied
2. Hard Quota: when this value is reached, any ongoing upload will be forcefully terminated and the partially uploaded file will be deleted; the next upload will be denied only if the soft quota has been exceeded

You may set limits for soft quota, hard quota, or both. If you don’t want a quota (soft or hard) to be enforced by a certain VFS, then leave its value to 0 (zero).

We have just released version 4.0.10 of our Syncplify.me Server! software. This version features the following improvements:

• Improved download speed by adding automatic self-adjustment of TCP window size
• Improved analytics support
• Improved support for AWS cloud platform

As usual you can download this new release from our website.

We have just released version 4.0.11 of our Syncplify.me Server! software. This version features the following improvements:

• Improved support for Active Directory Groups
• Fixed few glitches in the Web Configuration Manager
• Fixed a bug in the “Zero Configuration” setting of the HTTP/REST Configuration Wizard

As usual you can download this new release from our website.

We have just released version 4.0.12 of our Syncplify.me Server! software. This version features the following improvements:

• Fixed a memory leak in the Log Server component
• Fixed directory listing bug that affected Transit and CODA2 clients on Mac
• Added option to activate/deactivate specific protocol servers (in the Node Bindings configuration)
• Added option to delay rejection of anonymous logins (to make Windows Explorer happy)

Since this update fixes a memory leak, we strongly recommend every Syncplify.me Server! user to install it.

As usual you can download this new release from our website.

We have just released version 4.0.13 of our Syncplify.me Server! software. This version features the following improvements:

• Fixed a bug in the DiskAES256 encrypted Virtual File System (VFS) – this bug prevented files from being correctly downloaded if the client requested odd-sized or unaligned buffers

Very important: to fix this bug we had to change the way we encrypt files at-rest via DiskAES256 VFS; so if you use this particular type of VFS, please, make sure you download all your files to a non-encrypted location before you update to 4.0.13, after the update please delete all files from the location that was protected by the DiskAES256 VFS and re-upload them all. We sincerely apologize for the hassle.

As usual you can download this new release from our website.

This articles shows how to use scripting, event-handling and session information from within Syncplify.me Server! For the sake of this example we will only log such information in the log file, but in real-life production scenarios you can use these info as you wish (for example you may want to send them via email to someone, or even make decisions based upon them).

Let’s start by preparing the script that – as we said – will log some info in your Syncplify.me Server!’s log file:

begin
  AddToLog('Script being run: '+ScriptName+' (ID: '+ScriptID+')');
  AddToLog('Triggered by event: '+EventHandler+' (Priority: '+IntToStr(HandlerPriority)+')');
  AddToLog('Virtual object affected: '+VirtualObjectName);
  AddToLog('Physical object (available only for "Disk*" VFSs): '+ObjectName);
  AddToLog('Client connected from: '+Session.ClientIP);
  AddToLog('Client software: '+Session.ClientSoftware);
  AddToLog('User authenticated as: '+Session.ReqUsername);
  AddToLog('Protocol: '+Session.Proto);
  AddToLog('Files uploaded so far during this session: '+IntToStr(Session.FilesUp)+' (KB: '+FloatToStr(Session.KBUp)+')');
  AddToLog('Files downloaded so far during this session: '+IntToStr(Session.FilesDown)+' (KB: '+FloatToStr(Session.KBDown)+')');
  AddToLog('Last client command: '+Session.LastCommand+' ('+FloatToStr(now-Session.LastCommandTS*24*60)+' minutes ago)');
end.

We save the above script with the following name/description: “Log several client and connection info”.

Then we add an event-handler to trigger the execution of the script. Since the script contain references to file-transfer-related variables (VirtualObjectName and ObjectName) it seems obvious to trigger its execution upon occurrence of a file-transfer-related event. For the sake of this example we have chosen the AfterFileUpload event, which occurs every time a file is successfully uploaded by a client onto the server.

Once the event-handler is created, we simply Save the configuration, and run an FTP/SFTP client to test if it works as expected. For the sake of this example we run FileZilla and upload one file. Right after the upload, we open the log file with a text editor, and here’s what we find inside:

#Remark: 2016-04-17 20.39.21 [AOBEJVIHQWE3GAB3VIZSI4DQQ] Script being run: Log several client and connection info (ID: K6VH4MAMMDBETNW27335J57YNY)
#Remark: 2016-04-17 20.39.21 [AOBEJVIHQWE3GAB3VIZSI4DQQ] Triggered by event: AfterFileUpload (Priority: 10)
#Remark: 2016-04-17 20.39.21 [AOBEJVIHQWE3GAB3VIZSI4DQQ] Virtual object affected: /Arrays.txt
#Remark: 2016-04-17 20.39.21 [AOBEJVIHQWE3GAB3VIZSI4DQQ] Physical object (available only for "Disk*" VFSs): C:\TestRoot\test\Arrays.txt
#Remark: 2016-04-17 20.39.21 [AOBEJVIHQWE3GAB3VIZSI4DQQ] Client connected from: 127.0.0.1
#Remark: 2016-04-17 20.39.21 [AOBEJVIHQWE3GAB3VIZSI4DQQ] Client software: PuTTY_Local:_Mar_16_2016_11:17:04
#Remark: 2016-04-17 20.39.21 [AOBEJVIHQWE3GAB3VIZSI4DQQ] User authenticated as: test
#Remark: 2016-04-17 20.39.21 [AOBEJVIHQWE3GAB3VIZSI4DQQ] Protocol: SFTPv3
#Remark: 2016-04-17 20.39.21 [AOBEJVIHQWE3GAB3VIZSI4DQQ] Files uploaded so far during this session: 1 (KB: 471.4716796875)
#Remark: 2016-04-17 20.39.21 [AOBEJVIHQWE3GAB3VIZSI4DQQ] Files downloaded so far during this session: 0 (KB: 3.7314453125)

Feel free to modify this example to suit your needs.

We have just released version 4.0.14 of our Syncplify.me Server! software. This version features the following improvements:

• Improved: all services now automatically reconnects to the back-end database if connection is lost
• Fixed a stability issue in the SuperAdmin dashboard page
• Fixed a bug in the V3->V4 converter for more reliable upgrades

As usual you can download this new release from our website.

According to the SANS ISC nearly 80% of all SSH-based brute force attacks are caused by SSHPsycho or one of its variations. This seems to be confirmed by the LongTail honeypot real-time report provided by the Marist College. So, yes, SSHPsycho is a big deal, and it’s a problem. And traditional blacklisting mechanisms (simply banning certain “well known” IP addresses and networks) have proved to be inefficient against it.

LongTail shows that Cisco and Level 3’s recent announcement about blocking sshPsycho’s 4 class C IP ranges (also known as “Group 93” and the “Hee Thai Campaign”) has done nothing to stop their brutal attacks. [Source: SANS ISC]

Syncplify.me Server!’s intelligent and automatic blacklist (called “Protector“), though, shows to be extremely effective at preventing such type of attack. Its real-time dynamic attack pattern identification and prevention technology can quickly recognize SSHPsycho attacks (and the like) and proactively stop them as soon as they begin. Even at its “Normal” sensitivity threshold, Protector already identifies and blocks all types of SSHPsycho attacks, in most cases before they even get to try the password authentication.

Of course not even Protector can keep you safe if you have a user whose username is “test” and its password is “123456”, so it’s strongly recommended to read the LongTail report and avoid using the most common username/password combinations that would make your SSH/SFTP server inherently vulnerable, not only to SSHPsycho, but pretty much to any known and unknown attack. But again, Syncplify.me Server! helps you by enforcing password complexity rules that prevent users from using passwords that would be too easy to guess.

Note: in order to use the code posted in this article you need to be running at least version 4.0.16 or greater of Syncplify.me Server!

As you all know, Syncplify.me Server! already supports its own internal users, as well as Windows and Active Directory users (and groups, depending on the license type). Yet, some of our customers need to implement totally custom authentication methods, often based on their own user databases.

In this article we will show one way to do so. This is clearly just meant to serve as an example, and real-life scenarios require some further customization to the DB and the script posted here. But it’s a fairly decent starting point.

So, the background scenario for this example is:

• our users’ authentication data are stored in a Microsoft^(R) Access database
• in our DB, each user is associated to a “category” (in this case his/her department: sales, marketing, …)
• for the sake of this example, all users’ passwords are set to “password” (without quotes)
• the script is pretty sophisticated, because besides authenticating the user, it will load a user profile that belongs to the “category” of the user from the main Syncplify.me Server! user-base

So let’s start taking a look at our user database:

As you can see, it’s pretty intuitive. Just 3 columns: UNAME contains the username, PWORD contains the SHA1 hash code of the password (all users’ password is “password” as stated above, that’s why in the screenshot all users have the same SHA1 in the PWORD field), and then there is a third column called CATEGORY that basically identifies which department the user belongs to.

Now, since none of the above usernames will actually be present in Syncplify.me Server!’s user-base, we need to make sure that Syncplify.me Server! allows them to at least try to authenticate. This can be done by creating a catch-all user profile in the main user-base, which is a user profile which username is only a single * (star / asterisk), as shown in the pictures here below.

Now that we have a dummy “catch-all” user profile, we will need an actual user profile for each category (department) in our database, because these will be the user profiles our users will be impersonating after a successful authentication against our external database.

Now that everything is ready from a user configuration standpoint, we need to write a script that:

• connects to our custom database
• runs a query to see if there is a user profile with a certain username and password hash
• if so, loads the proper category user profile and allows the user to authenticate
• if the query fails, authentication is rejected and an email is sent to the sysadmin

The script we need looks pretty much like this:

// Make sure you customize the 2 constants here below, to reflect your own
// actual database file and email address...
const
  databasefile = 'C:\Projects\TestDB.mdb';
  emailaddr = 'put_your@email.here';

var
  conn: TADOConnection;
  qry: TADOQuery;

begin
  // Let's start assuming that the user will FAIL the authentication (just for safety)
  Session.UserAuthenticated := false;

  // Now let's query the DB to see if the requested user/password pair exists
  conn := TADOConnection.Create(nil);
  qry := TADOQuery.Create(nil);
  qry.Connection := conn;
  try
    conn.ConnectionString := 'Provider=Microsoft.Jet.OLEDB.4.0'+
                             ';Data Source='+databasefile+
                             ';Persist Security Info=False';
    conn.LoginPrompt := false;
    conn.Connected := true;

    qry.SQL.Text := 'SELECT * FROM MYUSERS WHERE UNAME='''+Session.ReqUsername+''' AND PWORD='''+StrSHA1(Session.ReqPassword)+'''';
    qry.Open;
    qry.First;
    if not qry.EOF then
    begin
      AddToLog('Record found, user is of type: '+qry.Fields[3].AsString);
      Session.User.LoadFromDB(qry.Fields[3].AsString);
      Session.UserAuthenticated := true;
    end
    else
      AddToLog('No record found, user was not authenticated');

    qry.Close;
    conn.Connected := false;
  finally
    qry.Connection := nil;
    qry.Free;
    conn.Free;
  end;

  // Finally, if we get here and the user is STILL NOT authenticated, send an email...
  if not Session.UserAuthenticated then
    SendMail(emailaddr, '[AUTH REFUSED]', 'Authentication refused for '+Session.ReqUsername+' with password '+Session.ReqPassword, '');
end.

Last step, but very important, is to tell Syncplify.me Server! when exactly the above script should be run. We do so by associating the script to the “OnAuthPassword” event handler of the * user profile. By doing so, Syncplify.me Server! will execute the script every time a user tries password authentication, and let the script determine whether the authentication should be considered successful or not.

Here’s a screenshot of the Syncplify.me Server! Web Configuration Manager with the script properly associated to the correct event in the * user local Event Handlers tab.

Ready to test our brand new custom authentication script? OK! Let’s run any FTP client (yes, even the DOS command-line client if you want, why not) and try to log in as user “john” with password “password”.

Success! The user “john” was found in the custom database, his password was verified using the hash in the custom database, and then he was granted access by impersonating the “sales” user profile in Syncplify.me Server!, exactly as specified in the custom database.

We have just released version 4.0.16 of our Syncplify.me Server! software. This version features the following improvements:

• Added: compound percentage index to improve Protector™
• Improved: directory listings now feature attribute-placeholders for virtual directories
• Improved: better checking of target syntax for all VFS types
• Fixed: bug in the scripting framework that prevented scripted wildcard (catch-all) user authentication
• Fixed: DiskAES256 VFS encryption-key change is now (correctly) disabled
• Fixed: various glitches in the web interface

Note: we skipped version 4.0.15 as we used such build number internally for some laboratory tests.

As usual you can download this new release from our website.

Syncplify.me Server! v4.0.16 introduced a new (yet very important) improvement to the Protector™ technology: the compound increment percentage.

Before this update, the Protector™ would put an attacker’s IP address in the blacklist for a predetermined amount of time, and remove it from the blacklist once said time had past. But attackers often try to connect to the server to attempt further attacks even when they are already blacklisted.

The updated Protector™, instead, features a significant difference: if an attacker tries to connect to the server while already blacklisted, the attacker’s IP address blacklist expiration will be prolonged by an amount of time that is calculated using the above “increment percentage” compound to the “number of identified attack attempts” while such IP was already blacklisted. Logn story short: if an attacker keeps attacking, its IP address may very well never get out of the blacklist even when the blacklist is set to ban attackers IPs only temporarily.

Another step forward in achieving the highest possible security.

You can also download this white-paper for offline use by scrolling to the bottom of this article.

File transfer is an important aspect in computing. There is always a need for us to transfer files between a source and a destination. While in the earlier days, certain protocols were used to manage file transfers between the client and server, security was not much of a concern then. But, with the advancements in computing and rise of different kind of intrusions, security gradually became a pressing need. Yes, you guessed right. I am talking about FTP and SFTP. Let’s take a look at the journey from FTP to SFTP.

The standard network protocol File Transfer Protocol (FTP) is used to transfer files between a client system and a server. According to Wikipedia, the FTP ran on NCP specification until 1980. After that the protocol was replaced by a TCP/IP version named RFC 765 and consequently by RFC 959 in October 1985. RFC 959 is the current specification which FTP follows.

According to the latest specification, FTP should fulfill 4 major objectives namely:

1. Successful sharing of data files and computer programs.
2. Using remote systems in an effective way.
3. Ensuring that the user is not affected by the file storage systems variations.
4. Transferring relevant data in a reliable way.

The FTP Model as illustrated in RFC 959

In the FTP model, it is assumed that the data connection may be used in both the direction i.e. user-server or server-user. Also it is not a necessity that the data connection has to exist all the time. As per the FTP model described in the RFC 959 specification, the control connection is initiated by the user-protocol interpreter. Once the user is initiated, the user-PI generates the standard FTP commands and transmits the commands to the server process with the help of the control connection. The server-PI then sends the respective replies to the user-PI over the control connection.

The parameters such as data ports, transfer mode etc are specified in the FTP commands. In addition, the nature of file operations such as store, retrieve, delete etc. are also specified in the FTP commands.

There can be a scenario where the control connections can be established between two servers. In this case, the user establishes the control connections between the two servers. The user-PI receives the control information and the data transfer takes place between the two servers. In the server to server connection, the user has to request the opening and closing of the control connections to the server and the server ultimately takes the action.

One important concept of FTP is that it uses two distinct communication channels for multiple goals. These are control connection and data connection. The control connection is the logical connection that is created during the initiation of a FTP session. The FTP commands and replies are processed through the control connection. Control connection is not used to send files. On the other hand, the data connection is established between a client and a server when a file is sent from either the client or the server. When the file transfer is completed, the data connection terminates.

Now that we have got a brief idea about the FTP protocol history and its model, let’s talk about the SFTP. FTP protocol is successfully used for various file transfer operations. So, why SFTP is needed altogether? What are the differences between FTP and SFTP? What additional benefits would we be getting through the use of SFTP protocol in comparison to the FTP protocol? These are some of the questions we will find the answer to in the below sections.

How SFTP is different from FTP?

SSH File Transfer Protocol (SFTP) is also known as Secure File Transfer Protocol. This protocol is used for file access, transfers and management. The Internet Engineering Task Force (IETF) has designed the protocol as the extension of Secure Shell Protocol (SSH). SFTP has spanned different versions throughout its journey and currently adheres to the Version 6, Draft 13 specification. As per the specification, some of the main goals of the SFTP protocol include:

1. Facilitating secure file transfer.
2. Providing file system access.
3. Implementing a remote file system service in a secured way.
4. Implementing a file transfer service in a secured way.

The protocol follows the Secure Shell (SSH) protocol architecture and transfers file over a secure communication channel. The secure channel implies that the client has been authenticated by the server and the client information is available to the protocol. SFTP is quite similar to the FTP if we talk about the basic functionalities. In addition, SFTP protocol features other advanced functionalities. SFTP protocol prevents both the data and the commands thus facilitating the transfer of information securely over the network.

From the security perspective, FTP and SFTP have big differences. FTP is not a secure network protocol and is prone to various types of security attacks such as Brute force attack, FTP bounce attack, port stealing, spoofing attack and packet capture etc. FTP protocol manages all the file transfers in plain text format thereby making all the important information vulnerable to attacks. As FTP was created before the use of SSL or TLS encryption standards, it doesn’t have the necessary security features; and even when used in conjunction with SSL or TLS (FTPS/FTPES) it still remains cumbersome and definitely not firewall-friendly. SFTP protocol is the solution to this problem. SFTP protocol facilitates the file transfer over a secure tunnel called SSH.

The SFTP protocol is sought after because of its independent nature and its ability to handle remote file system services, its firewall-friendliness, the inherent forward secrecy, the general robustness, and the overall excellent security.

Download “The journey from FTP tp SFTP” The-Journey-from-FTP-to-SFTP.pdf – 242 kB