This totally free White Paper discusses the needs of healthcare providers and institutions, debunks some myths, and explains how to achieve the required levels of security and compliance.
Feel free to download it and use it under the CC BY-NC-ND 4.0 license.
In light of the recent news regarding ransomware targeting MongoDB, we would like to inform all of our users and customers that we are actively working to add support for MongoDB’s authentication directly inside our software.
In the meantime, though, it is very important to understand that:
Because of the above reasons we believe that all Syncplify.me Server! instances deployed in non-HA mode are safe unless the network and Windows Firewall configuration has been altered by the users/customers themselves.
For HA (high-availability) instances, we do strongly recommend our users/customers to make sure their network firewall and Windows Firewall rules only allow connections to the DB server(s) from the machines running the SFTP front-end nodes. No other machine should be allowed to connect to your DB server(s).
This said, we want to reassure everyone – once again – that we are also actively working (with high priority) to add MongoDB authentication directly into our software.
Many of our users are asking how to add multiple user accounts to Syncplify.me Server! at once. Most of them already have a CSV (comma-separated value) text file with username and passwords of the user profiles to be added, so it would make a lot of sense for them to have a simple procedure to import such users from the existing CVS file. You can actually do that very easily by writing a tiny PowerShell script that internally calls our SMSCLI (Syncplify.me Server! Command-Line Interface), and this article shows one way to do so.
The first step is to make sure that we know what VFS these imported users will be using as their “home directory”. For the sake of this example (and to keep it as easy as possible) we will use a parametric VFS like the one shown in the image here below: Continue reading
Version 4.x of Syncplify.me Server! introduced a remarkable amount of new features, and improved some of the existing ones greatly. The latter is the case of high availability deployments, which have been rendered much easier and a lot more powerful.
This article explains one way (not the only possible one) to install and deploy a highly available multi-node Syncplify.me Server! in your network.
First of all, let’s prepare 3 virtual machines:
Monitoring a directory for certain files, and as soon as they become available (someone puts them in that directory) upload them somewhere else and then move the original files to a different location (archive) on the local disk. This is one of the most common questions from our FTP Script! users.
For such reason we have prepared the sample script below. It will probably fit the most common cases, and it’s a decent learning tool as well as starting point to create your own (more complex) scripts to accomplish your very own particular task. Continue reading
As of version 4.0.24, Syncplify.me Server! has introduced two new features:
These features can be used together to hide certain files from a directory listing. This is useful, for example, when you don’t want certain users to see certain file types when they connect to your SFTP server, but you still want to show such files to other users.
The first thing to do is creating a script. Let’s assume, for the sake of this example, that you want to hide some AutoCAD® files, and specifically all DWG and DXF files. Then you will need a script like this:
|
1 2 3 4 |
begin RemoveFromDirList('*.dwg'); RemoveFromDirList('*.dxf'); end. |
Once the script is ready, you will have to open the user profile you want to apply the rule to, and add an event handler to it, like this: Continue reading
As of version 4.0, Syncplify.me Server! has introduced storage access via VFS (Virtual File System). This new storage virtualization layer allows an administrator to choose among different ways to access the underlying file system; one of them, that encrypts/decrypts data at-rest on the fly, is the DiskAES256 VFS.
When a VFS is of DiskAES256 type, all files uploaded to that VFS will be encrypted and then saved to disk. Similarly, when an SFTP client downloads them, the files will be read from disk and decrypted on-the-fly before they are sent to the client over the network (don’t worry SSH/SFTP network encryption still applies).
So, because of the way it works, as described here above, when you create a new VFS of type DiskAES256 you have to make sure it points to an empty path/directory (that has no files in it). Otherwise it would try to decrypt existing files that are not encrypted in the first place, and fail. Continue reading
SSHFS is a FUSE-based filesystem client for the SSH File Transfer Protocol (SFTP); it’s very common among Linux users to mount SFTP targets as local directories. WebEx is a well-known teamwork collaboration tool by Cisco that uses SSHFS to back-up its data to a remote SFTP server.
Unfortunately, the coupling of SSHFS/WebEx – at the time this article is being written – has at least two problems that can cause serious issues to servers that implement the SFTP protocol and its extensions correctly. Continue reading
Some SFTP servers feature a simple “extension exclusion list” so that administrators can specify certain file extensions that the server should not let users upload. But that’s a pretty weak defense, as a clever attacker could always upload an EXE with a fake extension and then rename it or otherwise find alternative ways to run it on the server, thus compromising its security.
Syncplify.me Server!’s scriptable nature, though, allows you to do a lot more than just disallow certain file extensions. Here’s a sample script that can be attached to the “AfterFileUpload” event handler, to identify EXE files that have been uploaded with fake extensions and delete them right away.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
var FirstBytes, PEBytes: string; begin FirstBytes := FileReadAsHex(ObjectName, 0, 2); PEBytes := FileReadAsHex(ObjectName, 256, 4); if ((FirstBytes = '4D5A') and (PEBytes = '50450000')) then begin // It's an EXE, delete it! AddToLog('Identified '+ObjectName+' as an EXE file. Deleting it.'); if FileDelete(ObjectName) then AddToLog('Deleted: '+ObjectName) else AddToLog('Failed to delete: '+ObjectName); end; end. |
The above script is provided as a mere example to identify Windows EXE files. But it could be easily modified in order to identify other file types.
All Windows EXEs, in fact have stable distinguishing features in their binary code, and more precisely: the first 2 bytes (in hex) will always be 4D5A, and the 4 bytes at offset 256 (0x100) will always be 50450000. So if a file has those byte sequences in those exact locations, it’s safe to say it’s a Windows EXE.
Do you need to identify ZIP files instead? The first 4 bytes are always 04034B50.
And so on… many file types can be identified by specific “signatures” in their binary code, that one can easily read using Syncplify.me Server!’s powerful scripting capabilities.
You can also download this white-paper for offline use by scrolling to the bottom of this article.
File transfer is an important aspect in computing. There is always a need for us to transfer files between a source and a destination. While in the earlier days, certain protocols were used to manage file transfers between the client and server, security was not much of a concern then. But, with the advancements in computing and rise of different kind of intrusions, security gradually became a pressing need. Yes, you guessed right. I am talking about FTP and SFTP. Let’s take a look at the journey from FTP to SFTP.
The standard network protocol File Transfer Protocol (FTP) is used to transfer files between a client system and a server. According to Wikipedia, the FTP ran on NCP specification until 1980. After that the protocol was replaced by a TCP/IP version named RFC 765 and consequently by RFC 959 in October 1985. RFC 959 is the current specification which FTP follows.
According to the latest specification, FTP should fulfill 4 major objectives namely: Continue reading
