Channel: Syncplify.me

How to prevent uploads of EXE files

Some SFTP servers feature a simple “extension exclusion list” so that administrators can specify certain file extensions that the server should not let users upload. But that’s a pretty weak defense, as a clever attacker could always upload an EXE with a fake extension and then rename it or otherwise find alternative ways to run it on the server, thus compromising its security.

Syncplify.me Server!’s scriptable nature, though, allows you to do a lot more than just disallow certain file extensions. Here’s a sample script that can be attached to the “AfterFileUpload” event handler, to identify EXE files that have been uploaded with fake extensions and delete them right away.

var
  FirstBytes, PEBytes: string;
begin
  FirstBytes := FileReadAsHex(ObjectName, 0, 2);
  PEBytes := FileReadAsHex(ObjectName, 256, 4);
  if ((FirstBytes = '4D5A') and (PEBytes = '50450000')) then
  begin
    // It's an EXE, delete it!
    AddToLog('Identified '+ObjectName+' as an EXE file. Deleting it.');
    if FileDelete(ObjectName) then
      AddToLog('Deleted: '+ObjectName)
    else
      AddToLog('Failed to delete: '+ObjectName);
  end;
end.

The above script is provided as a mere example to identify Windows EXE files. But it could be easily modified in order to identify other file types.

All Windows EXEs, in fact, have stable distinguishing features in their binary code. More precisely: the first 2 bytes (in hex) will always be 4D5A, and the 4 bytes at offset 256 (0x100) will always be 50450000. So if a file has those byte sequences in those exact locations, it’s safe to say it’s a Windows EXE.

Do you need to identify ZIP files instead? The first 4 bytes are always 04034B50.

And so on… many file types can be identified by specific “signatures” in their binary code, that one can easily read using Syncplify.me Server!’s powerful scripting capabilities.
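The same signature check as an added Python example (not Syncplify code), going one step beyond the script above: instead of assuming the PE header sits at offset 0x100, it reads the header offset from the `e_lfanew` field at 0x3C of the DOS header, so executables whose PE header lies elsewhere are still caught. The ZIP magic is written as it appears on disk, 50 4B 03 04, which is the page's 04034B50 read as a little-endian 32-bit integer; the sample files are constructed stubs.

```python
import struct

MZ_MAGIC = b"MZ"             # 4D 5A, first two bytes of every DOS/PE executable
PE_MAGIC = b"PE\x00\x00"     # 50 45 00 00, start of the PE header
ZIP_MAGIC = b"PK\x03\x04"    # 50 4B 03 04 as stored on disk
E_LFANEW_OFFSET = 0x3C       # DOS header field holding the PE header offset


def fixed_offset_check(data: bytes) -> bool:
    """The check from the script above: MZ at 0 and PE\\0\\0 at offset 256."""
    return data[0:2] == MZ_MAGIC and data[256:260] == PE_MAGIC


def is_pe(data: bytes) -> bool:
    """Follow e_lfanew instead of assuming the PE header sits at 0x100."""
    if len(data) < E_LFANEW_OFFSET + 4 or data[0:2] != MZ_MAGIC:
        return False
    (pe_offset,) = struct.unpack_from("<I", data, E_LFANEW_OFFSET)
    # A truncated or bogus offset yields a short slice, which never matches.
    return data[pe_offset:pe_offset + 4] == PE_MAGIC


def identify(data: bytes) -> str:
    """Classify a buffer by content, ignoring whatever extension it carries."""
    if is_pe(data):
        return "pe"
    if data[0:4] == ZIP_MAGIC:
        return "zip"
    return "unknown"


def make_sample_pe(pe_offset: int) -> bytes:
    """Constructed sample: only the fields the checks read are filled in."""
    buf = bytearray(pe_offset + 4)
    buf[0:2] = MZ_MAGIC
    struct.pack_into("<I", buf, E_LFANEW_OFFSET, pe_offset)
    buf[pe_offset:pe_offset + 4] = PE_MAGIC
    return bytes(buf)


if __name__ == "__main__":
    for off in (0x100, 0x80):
        sample = make_sample_pe(off)
        print(hex(off), fixed_offset_check(sample), is_pe(sample))
```
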


Syncplify.me Server! v4.0.17 released

We have just released version 4.0.17 of our Syncplify.me Server! software. This version features the following improvements:

  • Added: new bearer-token authorization mode for the REST API (and updated the help/documentation accordingly)
  • Added: [%USER_DESC%], [%TODAY%] and [%SESS_CUSTDATA%] in VFS base path definition
  • Fixed: bug that prevented JSCH-based clients from downloading files correctly

As usual you can download this new release from our website.

Syncplify.me Server! v4.0.18 released

We have just released version 4.0.18 of our Syncplify.me Server! software. This version features the following improvements:

  • Added: scripting functions FileMove, StrSHA256, StrSHA512
  • Fixed: quota enforcement is now triggered correctly
  • Fixed: deployment of High-Availability (HA) virtual servers in Microsoft Azure now works as expected

As usual you can download this new release from our website.

Syncplify.me Server! now available on AWS Marketplace

Syncplify.me Server! version 4.0 is now available on AWS Marketplace offering top security with hassle-free deployment, a 15-day free trial, and no up-front license fees.

WILMINGTON, DE – Syncplify, Inc., a young and dynamic US-based software development company, has released Syncplify.me Server!, a highly secure SFTP server available on Amazon Web Services Marketplace (AWS Marketplace). The new service is marketed under the name SFTP.cloud.

Syncplify.me Server! on AWS delivers the same level of security as its on-premises brother product, but without the need to go through a complex, lengthy installation procedure, and with no up-front traditional licensing fees. In fact, after the 15-day trial period, Syncplify.me Server! on AWS is charged on an hourly basis only for the actual usage.

“From a technical standpoint, making our software available on AWS Marketplace was a great choice to deploy a very secure file transfer server onto a highly reliable, globally available infrastructure,” said Fjodr Soyevskji, Chief Technology Officer at Syncplify, Inc.

“We believe that this relationship with AWS will greatly benefit our customers, especially those who need to deploy highly dynamic, secure, file transfer infrastructures that change frequently over time,” said Helga Kessler, Chief Operation Officer.

Customers can deploy the Syncplify.me Server! edition they need (Basic, Professional or Ultimate) on AWS, and they can choose between Windows Server 2008 R2 and Windows Server 2012 R2 EC2 instances.

 

Syncplify.me Server! v4.0.19 released

We have just released version 4.0.19 of our Syncplify.me Server! software. This version features the following improvements:

  • Improved: debug-level logging in case the VFS encounters a file-write error
  • Added: SSHFS/WebEx compatibility mode

As usual you can download this new release from our website.

Making Syncplify.me Server! work with SSHFS/WebEx

SSHFS is a FUSE-based filesystem client for the SSH File Transfer Protocol (SFTP); it’s very common among Linux users to mount SFTP targets as local directories. WebEx is a well-known teamwork collaboration tool by Cisco that uses SSHFS to back up its data to a remote SFTP server.

Unfortunately, the coupling of SSHFS/WebEx – at the time this article is being written – has at least two problems that can cause serious issues for servers that implement the SFTP protocol and its extensions correctly.

Renaming to an existing file without setting the “overwrite” flag

This is what the current SFTP protocol RFC says about renaming:

Files (and directories) can be renamed using the SSH_FXP_RENAME message.

       byte   SSH_FXP_RENAME
       uint32 request-id
       string oldpath [UTF-8]
       string newpath [UTF-8]
       uint32 flags

where 'request-id' is the request identifier, 'oldpath' is the name of
an existing file or directory, and 'newpath' is the new name for the file
or directory.

'flags' is 0 or a combination of:
       SSH_FXF_RENAME_OVERWRITE  0x00000001
       SSH_FXF_RENAME_ATOMIC     0x00000002
       SSH_FXF_RENAME_NATIVE     0x00000004

If flags does not include SSH_FXP_RENAME_OVERWRITE, and there already
exists a file with the name specified by newpath, the server MUST respond
with SSH_FX_FILE_ALREADY_EXISTS.

Unfortunately, SSHFS (at least in its WebEx implementation) tries to rename its temporary files to existing destinations without setting the required SSH_FXP_RENAME_OVERWRITE flag. Therefore Syncplify.me Server! correctly replies, as required by the SFTP protocol standard, with an SSH_FX_FILE_ALREADY_EXISTS response. This of course causes SSHFS to be unable to “save” files that are being edited/modified.

Renaming before closing the old file handle

This is a little bit more specific to the Windows operating system. Windows file systems do not allow rename operations on open files, unless they were opened with the FILE_SHARE_DELETE flag, which is usually not set when the file is open for writing.

Unfortunately, SSHFS (at least in its WebEx implementation) sends the SSH_FXP_RENAME command before sending the SSH_FXP_CLOSE command to close the file. So, basically, SSHFS requests to rename an open file. If the file was open for writing and therefore wasn’t opened with the FILE_SHARE_DELETE flag, the rename operation will invariably fail, once again causing SSHFS to be unable to save files that are being edited/modified.

The work-around

Syncplify.me Server! v4.0 (as of v4.0.19 and up) implements a work-around to address the misbehavior of SSHFS without breaking the SFTP protocol server-wise.

A new configuration flag has been introduced at user level, so that Syncplify.me Server! administrators can apply it only to certain specific user profiles. This flag instructs Syncplify.me Server! to assume that a particular user profile will be used by a WebEx/SSHFS client, and consequently to allow rename operations even when the destination file already exists and the SSH_FXP_RENAME_OVERWRITE flag was not specified in the client request. In addition to that, the rename operation also forcefully closes the file handle so that the underlying Windows file system can gracefully rename the file.

sshfsover

In our tests we have also noticed that the way SSHFS handles reconnections (at least in its WebEx implementation) is occasionally unable to re-authenticate correctly. To prevent further problems, we also suggest that Syncplify.me Server! administrators set the “Session Timeout” to a value high enough to ensure that WebEx client sessions won’t ever be disconnected on the server side.

sshfstout
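The rename rule quoted from the protocol draft, and the per-user relaxation described in the work-around, as an added Python example (not Syncplify's implementation). The `sshfs_compat` parameter is a hypothetical stand-in for the per-user flag, the payload is the SFTP message without its outer uint32 length prefix, and the paths are constructed.

```python
import struct

SSH_FXP_RENAME = 18                  # SFTP packet type
SSH_FX_OK = 0
SSH_FX_FILE_ALREADY_EXISTS = 11
SSH_FXF_RENAME_OVERWRITE = 0x00000001


def _put_string(s: str) -> bytes:
    """SFTP string: uint32 big-endian length followed by UTF-8 bytes."""
    raw = s.encode("utf-8")
    return struct.pack(">I", len(raw)) + raw


def _get_string(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    end = off + 4 + n
    if end > len(buf):
        raise ValueError("string runs past end of packet")
    return buf[off + 4:end].decode("utf-8"), end


def build_rename(request_id: int, oldpath: str, newpath: str, flags: int = 0) -> bytes:
    """Client side: byte type, uint32 request-id, oldpath, newpath, uint32 flags."""
    return (bytes([SSH_FXP_RENAME]) + struct.pack(">I", request_id)
            + _put_string(oldpath) + _put_string(newpath)
            + struct.pack(">I", flags))


def parse_rename(payload: bytes):
    """Server side: decode the fields in the order the draft lists them."""
    if not payload or payload[0] != SSH_FXP_RENAME:
        raise ValueError("not an SSH_FXP_RENAME packet")
    (request_id,) = struct.unpack_from(">I", payload, 1)
    oldpath, off = _get_string(payload, 5)
    newpath, off = _get_string(payload, off)
    (flags,) = struct.unpack_from(">I", payload, off)
    return request_id, oldpath, newpath, flags


def rename_status(payload: bytes, existing_paths, sshfs_compat: bool = False) -> int:
    """Status code for a rename request.

    sshfs_compat is a hypothetical name for the per-user compatibility flag:
    when set, a missing OVERWRITE flag no longer blocks the rename.
    """
    _, _, newpath, flags = parse_rename(payload)
    overwrite = bool(flags & SSH_FXF_RENAME_OVERWRITE)
    if newpath in existing_paths and not overwrite and not sshfs_compat:
        return SSH_FX_FILE_ALREADY_EXISTS
    return SSH_FX_OK


if __name__ == "__main__":
    existing = {"/backup/data.db"}   # constructed server-side state
    req = build_rename(7, "/backup/data.db.tmp", "/backup/data.db")
    print(rename_status(req, existing), rename_status(req, existing, True))
```
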

Syncplify.me Server! v4.0.20 released

We have just released version 4.0.20 of our Syncplify.me Server! software. This version features the following improvements:

  • Fixed: quotas expressed in KB are now correctly evaluated in KB
  • Fixed: issue with detecting legacy MongoDB on Windows XP, Vista and Server 2003
  • Fixed: orphan socket handle upon failed PORT (active) transfer (which only affected the FTP protocol)

As usual you can download this new release from our website.

Syncplify.me Server! v4.0.21 released

We have just released version 4.0.21 of our Syncplify.me Server! software. This version features the following improvements:

  • Added: support for POLY1305 HMAC (SSH/SFTP)
  • Added: support for CHACHA20 encryption (SSH/SFTP)
  • Added: support for NFS access by impersonation via Windows Client for NFS (experimental)
  • Improved: handling of failed active (PORT) data transfer over FTP(E/S)
  • Fixed: occasional issue with SHA256 computation during key exchange
  • Fixed: bug in the VFS-related commands of the SMSCLI

Note: if after the update you notice any unexpected behavior in the web interface, just hit Ctrl-F5 in your browser; that will force the browser to reload the page as well as all back-end scripts and update the ones that may have been cached from previous versions of the software.

As usual you can download this new release from our website.


Syncplify.me MicroServer! first BETA available

A new tiny-tiny product is about to join its “older brother” Syncplify.me Server!… we called it Syncplify.me MicroServer!

In a nutshell, MicroServer! is a portable SFTP server that doesn’t need any installation, just download and double-click to run. It’s free for any use, including business and commercial, but it’s very limited.

Unlike Syncplify.me Server!, in fact, this MicroServer!:

  • only supports SFTP (no shell, no tunnels, no FTP/S)
  • only supports basic SFTP commands, no remote copy or other “fancy stuff”
  • cannot run as a system service
  • supports only 1 user profile, 1 root folder, and connections from 1 client at a time
  • doesn’t have PKI authentication, nor granular configuration
  • doesn’t have web interface, nor CLI, nor REST API

It’s basically a super-simplistic (yet highly secure) SFTP server that fits in less than 3 MB (yes, you’ve read it correctly, less than 3 MegaBytes) and can be carried around on a USB stick, and run directly from there, without even needing to be executed “as Administrator”. Ideal for brief, sudden file transfers, without giving up on security.

Interested in checking out the first BETA? You can download it here.

Syncplify.me MicroServer! v1.0.1 released

After the incredible success of the BETA version, we have now officially released version 1.0.1 of our Syncplify.me MicroServer! Apparently the beta was so stable that it didn’t require any bug-fix, and only cosmetic changes were made in this release.

As usual you can download this new release from our website.

Syncplify.me Server! v4.0.23 released

We have just released version 4.0.23 of our Syncplify.me Server! software. This version features the following improvements:

  • Fixed issue with setting log destination to a SysLog server
  • Fixed delay during authentication of Active Directory users in certain situations

Note1: if after the update you notice any unexpected behavior in the web interface, just hit Ctrl-F5 in your browser; that will force the browser to reload the page as well as all back-end scripts and update the ones that may have been cached from previous versions of the software.

Note2: we skipped version 4.0.22 as we used that build number internally for some laboratory tests.

As usual you can download this new release from our website.

Using the DiskAES256 encrypted VFS

As of version 4.0, Syncplify.me Server! has introduced storage access via VFS (Virtual File System). This new storage virtualization layer allows an administrator to choose among different ways to access the underlying file system; one of them, which encrypts/decrypts data at rest on the fly, is the DiskAES256 VFS.

When a VFS is of DiskAES256 type, all files uploaded to that VFS will be encrypted and then saved to disk. Similarly, when an SFTP client downloads them, the files will be read from disk and decrypted on the fly before they are sent to the client over the network (don’t worry, SSH/SFTP network encryption still applies).

So, because of the way it works, as described here above, when you create a new VFS of type DiskAES256 you have to make sure it points to an empty path/directory (that has no files in it). Otherwise it would try to decrypt existing files that are not encrypted in the first place, and fail.

Here’s a brief example of how to use a DiskAES256 VFS. First of all let’s create the new VFS and make sure it points to an empty directory on our file server (but, of course, it could also be a directory on a local drive):

vfs1

The \\ex4nas\vault directory used in this example is assumed empty.

Now let’s create a user profile, and set its home VFS to the encrypted one we just created. Since such VFS points to a directory on our NAS, we will also have to make sure that impersonation is properly configured (impersonation wouldn’t be necessary if the VFS pointed to a directory on a local disk):

nasconf1

That’s it.

But Syncplify.me Server! allows you to do even more! For example you can set the user’s home VFS to a plain-unencrypted VFS, and use the encrypted VFS as a virtual folder, so that only files in such virtual folder will be encrypted. A brief example in the following 2 screenshots. Here’s the main user profile configuration:

userconf1

And here’s the virtual folder:

vdironnas2

Thank you for your attention.

Syncplify.me Server! v4.0.24 released

We have just released version 4.0.24 of our Syncplify.me Server! software. This version features the following improvements:

  • New event-handler: BeforeSendDirListToClient
  • New scripting framework function: RemoveFromDirList(AMask: string)
  • Fixed connection bug in the Command-Line Interface (CLI)

Note: if after the update you notice any unexpected behavior in the web interface, just hit Ctrl-F5 in your browser; that will force the browser to reload the page as well as all back-end scripts and update the ones that may have been cached from previous versions of the software.

As usual you can download this new release from our website.

Hiding certain files from a directory listing

As of version 4.0.24, Syncplify.me Server! has introduced two new features:

  • the BeforeSendDirListToClient event handler
  • the RemoveFromDirList method in the scripting framework

These features can be used together to hide certain files from a directory listing. This is useful, for example, when you don’t want certain users to see certain file types when they connect to your SFTP server, but you still want to show such files to other users.

The first thing to do is to create a script. Let’s assume, for the sake of this example, that you want to hide some AutoCAD® files, and specifically all DWG and DXF files. Then you will need a script like this:

begin
  RemoveFromDirList('*.dwg');
  RemoveFromDirList('*.dxf');
end.

Once the script is ready, you will have to open the user profile you want to apply the rule to, and add an event handler to it, like this:

addevent

Once the event is added, do not forget to SAVE the user profile. It will then appear as in the screenshot here below:

eventadded

Now what happens when we log in as user “test” (the one WITH the script)? Let’s see what FileZilla shows:

fz1

See? No DWG or DXF files in the screenshot here above. But when we log in with a different user profile…

fz2

The user profile that doesn’t have the script can see all files.

Syncplify.me Server! v4.0.25 released

We have just released version 4.0.25 of our Syncplify.me Server! software. This version features the following improvements:

  • Added: -jsonoutput parameter to the command-line interface (CLI)
  • Improved: notification when adding an IP to the blacklist (in the Web Manager) fails
  • Fixed: display of correct expiration timestamp in the blacklist

Note: if after the update you notice any unexpected behavior in the web interface, just hit Ctrl-F5 in your browser; that will force the browser to reload the page as well as all back-end scripts and update the ones that may have been cached from previous versions of the software.

As usual you can download this new release from our website.


A PowerShell module to manage Syncplify.me Server!

Our users and customers are becoming more and more interested in interacting with Syncplify.me Server!’s management API (REST) via PowerShell. The ideal solution would be to have a PowerShell module that exports ready-to-consume functions, in order to make the task easier.

Kyle Parrish, one of our most active users, has recently started a GitHub repository and open-sourced his Syncplify PowerShell Module project. Syncplify will support Kyle’s effort and contribute code to this project that, hopefully, one day will grow into a full-featured PowerShell-based management tool for our server software.

Thank you Kyle! Keep up the great work!

Monitor a directory, and upload/archive files as they arrive

Monitoring a directory for certain files and, as soon as they become available (someone puts them in that directory), uploading them somewhere else and then moving the original files to a different location (archive) on the local disk: this is one of the most common questions from our FTP Script! users.

For this reason we have prepared the sample script below. It will probably fit the most common cases, and it’s a decent learning tool as well as a starting point to create your own (more complex) scripts to accomplish your very own particular task.

const
  // Related to files and directories
  FilesToMonitor = 'C:\Projects\*.*';
  RemotePath = '/archivedfiles/';
  LocalArchive = 'C:\Destination\';
  // Related to SFTP server connectivity
  SHost = 'sftp.remoteserver.com';
  SPort = 22;
  SUser = 'sftpusername';
  SPass = 'sftppassword';

var
  DirList, ToDelete: TStringList;
  I: integer;
  Cli: TSFTPClient;

begin
  DirList := TStringList.Create;
  while true do
  begin
    DirList.Clear;
    if FileEnum(FilesToMonitor, DirList, true) then
    begin
      if (DirList.Count > 0) then
      begin
        Log('Found '+IntToStr(DirList.Count)+' files');
        ToDelete := TStringList.Create;
        Cli := TSFTPClient.Create;
        try
          Cli.ServerAddr := SHost;
          Cli.ServerPort := SPort;
          Cli.Username := SUser;
          Cli.Password := SPass;
          if Cli.Open then
          begin
            for I := 0 to DirList.Count-1 do
            begin
              Log('Processing file #'+IntToStr(I+1)+': '+DirList[I]);
              begin
                if Cli.Upload(DirList[I], RemotePath+ExtractFilename(DirList[I]), false, feaOverwrite, ftmCopy) then
                begin
                  if FileCopy(DirList[I], LocalArchive+ExtractFilename(DirList[I]), true) then
                  begin
                    ToDelete.Add(DirList[I]);
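                    // Log the name from DirList: ToDelete can be shorter than DirList
                    // when an earlier file failed, so ToDelete[I] may be out of range.
                    Log('File uploaded and archived: '+DirList[I]);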
                  end;
                end;
              end;
            end;
            Cli.Close;
            // We note the files to be deleted and delete them all at once after disconnecting
            // from the server, because as long as we are connected such files may still be
            // open/locked by the operating system.
            for I := 0 to ToDelete.Count-1 do
              if FileDelete(ToDelete[I]) then
                Log('File deleted: '+ToDelete[I]);
          end;
        finally
          Cli.Free;
          ToDelete.Free;
        end;
      end
      else
        Log('No files matching the pattern/mask were found, will recheck in 1 second');
    end;
    Sleep(1000);
  end;
  DirList.Free;
end.

The code here above is provided “as is” with no guarantee that it will work in any specific customer environment; use it at your own risk.

Syncplify.me Server! v4.0.26 released

We have just released version 4.0.26 of our Syncplify.me Server! software. This version features the following improvements:

  • Fixed: several Command-Line Interface (CLI) inline help topics
  • Fixed: WhiteList and SafeList now automatically sanitize duplicates
  • Fixed: virtual server configuration bug that was affecting the FREE edition

Note: if after the update you notice any unexpected behavior in the web interface, just hit Ctrl-F5 in your browser; that will force the browser to reload the page as well as all back-end scripts and update the ones that may have been cached from previous versions of the software.

As usual you can download this new release from our website.

Syncplify.me Server! v4.0.28 released

We have just released version 4.0.28 of our Syncplify.me Server! software. This version features the following improvements:

  • Fixed: bug in the DiskAES256 virtual file system (VFS) that caused WinSCP to raise an “Error 4: file-write error”

Note: if after the update you notice any unexpected behavior in the web interface, just hit Ctrl-F5 in your browser; that will force the browser to reload the page as well as all back-end scripts and update the ones that may have been cached from previous versions of the software.

As usual you can download this new release from our website.

Syncplify.me Server! v4.0.29 released

We have just released version 4.0.29 of our Syncplify.me Server! software. This version features the following improvements:

  • Fixed: bug in the DiskAES256 virtual file system (VFS) that caused WinSCP to raise an “Error 4: file-write error”, but only on very large files (larger than 2GB or 4GB depending on the OS)

Note: if after the update you notice any unexpected behavior in the web interface, just hit Ctrl-F5 in your browser; that will force the browser to reload the page as well as all back-end scripts and update the ones that may have been cached from previous versions of the software.

As usual you can download this new release from our website.
