Firewalls and FTP external IP address for PASV

Yesterday we came across what, at first, seemed to be a pretty odd case, and we think it’s worth sharing it with our users.

Most firewalls (we’d say all the ones we know) have NAT/PAT capabilities, and many are able to perform protocol-level inspection when the connection is not encrypted. SSH (and SFTP) are always encrypted, but FTP can be either encrypted or not; yet, theoretically protocol inspection should only prevent protocol-related attacks, not modify client requests or server responses.

Yet, yesterday a customer with a perfectly configured instance of Syncplify.me Server! was experiencing weird behavior: FTPS/FTPES (encrypted) sessions were working perfectly, while plain FTP sessions were dropped upon every attempt to open a data connection to transfer files.

Extending your SFTP Server: Lesson #1

This is the first of a series of video lessons to help our users learn how to unleash the full power of Syncplify.me Server! by writing scripts that are executed automatically upon occurrence of certain events.

This first script is kind of a “hello world”, but it’s meant to give our users a glimpse of the features Syncplify.me Server! puts at their disposal.

Once you’ve watched the video, if you don’t want to re-type the script by hand, here’s the source code for you, ready to copy and paste.

 

Authenticating users via PKI

We have already talked about the SSH Server Key, which is used to verify the server’s identity and to negotiate the security (hmac/encryption) parameters. In this article, instead, we want to explain how to use PKI to authenticate users in Syncplify.me Server!

First of all it is important to understand that – unlike the Server Key – these user-specific key pairs are not used for encryption, but only and exclusively to authenticate users, thus to verify their identity and decide whether to let them log into the server or not.

Authenticating users via PKI certainly grants a much higher degree of security than simply using a password, and is therefore a highly recommended authentication method.

CloudBerry Backup and Syncplify.me Server! Free (SFTP)

Some users reported the inability to perform backups from CloudBerry Backup to Syncplify.me Server! Free Edition.

Therefore we have analyzed the situation, and this is what we have discovered:

  • By default CloudBerry Backup tries to use 5 (five) concurrent connections to your SFTP server
  • The free edition of Syncplify.me Server! is limited to 3 (three) concurrent connections, and drops/cuts the 2 connections that exceed such limit

Since the number of concurrent connections cannot be changed in Syncplify.me Server! Free (hey, after all, it’s a forever-free product for personal use only), our recommendation is to set CloudBerry to perform 3 concurrent connections instead of 5.

New online and offline license activation method

Syncplify.me Server! v3.1.5.45 has introduced (per our customers’ request) a brand new online/offline license activation method that greatly simplifies the purchase process.

You don’t have to deal with the “System ID” anymore; in fact, the Instance Controller now features a brand new “I have a License Code” button that you can push to activate the short and human-friendly license code you bought online. Note: the old “I have a License File” method is still supported for backward compatibility, but it is actually used only for offline activation of Enterprise licenses.

Project codename: Foundation

More frequently than expected, we receive questions from our users about the “codenames” of the various editions of our Syncplify.me Server! software. Now that version 3 is solid enough to allow us to fully focus on version 4 development, we think this is a good time to answer that question and give our readers a few more details regarding what to expect in the upcoming new major version.

Linux sftp client error 6: invalid packet (solution)

Some users of Syncplify.me Server! have reported that when trying to connect to Syncplify.me Server! using the command-line sftp client from certain (but not all) Linux versions they are suddenly disconnected with the error message shown in the picture here below:

The error code 6 (invalid packet) signifies that the Linux sftp client was not able to negotiate a secure session with the server due to the (client) inability to verify the contents of the KEX packet coming from the server.

Syncplify.me Server! scripting: Session.Terminate and Blacklist

In a previous article we talked about the new properties and methods introduced by Syncplify.me Server! v3 to improve the session object. One such method is Session.Terminate, which instructs the FTP(S) or SFTP server to forcefully terminate the session as soon as the script execution ends.

In that post we mentioned the addition of another useful function, often used in conjunction with Session.Terminate: the Blacklist function (whose name is pretty self-explanatory). In this article we will explain how to use it.

First of all, let’s see the function’s definition:

There are 3 parameters:

  1. IPorNetwork: the first parameter clearly should be the specific IP address (e.g.: 192.168.172.25) or the network/subnet (e.g.: 192.168.172.0/255.255.255.0) that you want to blacklist
  2. AMinutes: this is pretty intuitive too, it is the number of minutes you want the above IP address or network to be blacklisted for (unless you are permanently blacklisting it, see point #3 here below)
  3. AType: this parameter can be either ttTemporary or ttPermanent. If you want to temporarily blacklist the IP/network you will use ttTemporary and the IP/network will stay in the blacklist only for AMinutes minutes. Instead if you use ttPermanent the IP/network will be blacklisted forever (unless manually removed) and the AMinutes parameter will be ignored.

Syncplify.me Server!: No worries about POODLE SSLv3 bug.

By now, everyone has heard about the POODLE bug, which is scaring every system administrator these days.

Unfortunately it is a design flaw in SSLv3, therefore the only thing you can do to work around it is to disable SSLv3 on all your servers (whatever they are, IIS, Apache, …, all SSL-capable servers).

Fortunately Syncplify.me Server! has – by design – a very easy way to do that. As shown in the picture below, just make sure the SSLv3 option is unchecked, and save your configuration. There you go, you’re safe now.

True impersonation and [USER_HOME] directory

One of the main new features that come with Syncplify.me Server! v3.0 is true impersonation of Windows and Active Directory users.

Unlike previous versions, the new v3.0 actually impersonates the authenticated Windows or AD user and therefore accesses the underlying file system with that user’s privileges, limitations, and ACL. Syncplify.me Server!’s native file and directory permissions still apply, but they are applied only *after* the operating system rules, therefore they can further restrict the OS configuration, but not expand it (for safety reasons).