How to prevent uploads of EXE files

Syncplify.me Server! version: 4.0.0+

Some SFTP servers feature a simple “extension exclusion list” so that administrators can specify file extensions the server should not let users upload. That is a weak defense, because it inspects the file name rather than the file’s content: an attacker can upload an EXE with a fake extension and later rename it, or find some other way to get it executed on the server, thus compromising its security.

Syncplify.me Server!’s scriptable nature, though, allows you to do a lot more than just disallow certain file extensions. Here’s a sample script that can be attached to the “AfterFileUpload” event handler, to identify EXE files that have been uploaded with fake extensions and delete them right away.

The above script is provided merely as an example that identifies Windows EXE files, but it can easily be modified to identify other file types.

All Windows executables (EXE, DLL and other PE files) share stable markers in their binary content: the first 2 bytes are always 4D 5A (the ASCII letters “MZ”), and the PE header begins with the 4 bytes 50 45 00 00 (“PE” followed by two NUL bytes). Note that the PE header is not at a fixed offset: its position is stored as a 32-bit little-endian value at offset 0x3C of the DOS header (the e_lfanew field). Many compilers place it at 0x100 or nearby, but a reliable check must read the offset from 0x3C rather than assume it. If a file carries both markers in the right places, it is safe to say it is a Windows executable, whatever its extension claims.

Do you need to identify ZIP files instead? A ZIP archive starts with the 4 bytes 50 4B 03 04 (“PK” followed by 0x03 0x04); the value 04034B50 that is often quoted is the same signature read as a little-endian 32-bit integer. An empty archive starts with 50 4B 05 06 instead.

And so on: many file types can be identified by specific “signatures” (magic numbers) in their binary content, which you can easily read using Syncplify.me Server!’s scripting capabilities. Keep in mind that this catches files with a known binary structure; plain-text payloads such as batch, PowerShell or VBScript files have no magic number, so content signatures complement, rather than replace, keeping upload folders out of any location where files could be executed.
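The page’s own AfterFileUpload script is not reproduced above, so here is an added, stand-alone illustration of the same check in Python (not Syncplify.me Server!’s scripting language, and not the project’s code). It reads the PE header offset from 0x3C instead of assuming 0x100, recognises ZIP archives by their “PK” signature, and deletes rejected uploads regardless of extension. The handler name `after_file_upload` and the sample files it writes are constructed for this example.

```python
import os
import struct
import tempfile

MZ_MAGIC = b"MZ"               # 4D 5A: DOS header, start of every Windows PE file
PE_SIGNATURE = b"PE\x00\x00"   # 50 45 00 00: start of the PE header
E_LFANEW_OFFSET = 0x3C         # DOS header field holding the PE header offset
ZIP_SIGNATURES = (b"PK\x03\x04", b"PK\x05\x06")  # local file header / empty archive


def is_windows_pe(data: bytes) -> bool:
    """True if the bytes carry an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < E_LFANEW_OFFSET + 4 or data[:2] != MZ_MAGIC:
        return False
    (pe_offset,) = struct.unpack_from("<I", data, E_LFANEW_OFFSET)
    # The offset comes from the uploaded file, so keep the slice inside the buffer.
    if pe_offset + 4 > len(data):
        return False
    return data[pe_offset:pe_offset + 4] == PE_SIGNATURE


def is_zip(data: bytes) -> bool:
    """True for a ZIP archive, including an empty one."""
    return data[:4] in ZIP_SIGNATURES


def classify(data: bytes) -> str:
    if is_windows_pe(data):
        return "windows-pe"
    if is_zip(data):
        return "zip"
    return "other"


def classify_file(path: str, head_size: int = 1 << 20) -> str:
    """Classify by content only; the file extension is deliberately ignored."""
    with open(path, "rb") as fh:
        head = fh.read(head_size)  # e_lfanew is normally far below 1 MiB
    return classify(head)


def after_file_upload(path: str, reject=("windows-pe",)) -> tuple:
    """Hypothetical post-upload hook: delete rejected types, return (kind, deleted)."""
    kind = classify_file(path)
    if kind in reject:
        os.remove(path)
        return kind, True
    return kind, False


def build_fake_pe(pe_offset: int = 0x100) -> bytes:
    """Constructed sample: only the two markers, not a runnable program."""
    buf = bytearray(pe_offset + 4)
    buf[:2] = MZ_MAGIC
    struct.pack_into("<I", buf, E_LFANEW_OFFSET, pe_offset)
    buf[pe_offset:pe_offset + 4] = PE_SIGNATURE
    return bytes(buf)


def demo() -> dict:
    """Write three constructed uploads with misleading names and run the hook on each."""
    samples = {
        "report.pdf": build_fake_pe(0x80),              # EXE hiding behind a .pdf name
        "photos.jpg": b"PK\x03\x04" + b"\x00" * 60,     # ZIP hiding behind a .jpg name
        "notes.txt": b"just some text\n",
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(data)
            results[name] = after_file_upload(path)
    return results


if __name__ == "__main__":
    for name, (kind, deleted) in demo().items():
        print(f"{name}: {kind}, {'deleted' if deleted else 'kept'}")
```

The bounds check on `pe_offset` matters: the offset is attacker-controlled, and a check that blindly slices at 0x100 would miss an executable whose PE header sits anywhere else.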

The Journey from FTP to SFTP

You can also download this white-paper for offline use by scrolling to the bottom of this article.

File transfer is a fundamental activity in computing: there is always a need to move files between a source and a destination. In the early days, the protocols used to manage file transfers between client and server were designed at a time when security was not much of a concern. With the growth of networked computing and the rise of different kinds of intrusions, security gradually became a pressing need. Yes, you guessed right: I am talking about FTP and SFTP. Let’s take a look at the journey from FTP to SFTP.

The File Transfer Protocol (FTP) is a standard network protocol used to transfer files between a client and a server. According to Wikipedia, FTP ran over NCP until 1980, when it was replaced by a TCP/IP version specified in RFC 765, and then by RFC 959 in October 1985. RFC 959 is still the base specification that FTP follows today.

According to the latest specification, FTP should fulfill 4 major objectives namely: Continue reading

The new “compound increment percentage”

Syncplify.me Server! version: 4.0.16+

Syncplify.me Server! v4.0.16 introduced a new (yet very important) improvement to the Protector™ technology: the compound increment percentage.

Before this update, Protector™ would put an attacker’s IP address in the blacklist for a predetermined amount of time and remove it once that time had passed. But attackers often keep trying to connect, and to launch further attacks, even while they are already blacklisted.

The updated Protector™ behaves differently: if an attacker tries to connect while already blacklisted, the expiration of that IP’s blacklist entry is prolonged by an amount of time calculated from the “increment percentage”, compounded over the number of attack attempts identified while the IP was already blacklisted. Long story short: if an attacker keeps attacking, its IP address may very well never leave the blacklist, even when the blacklist is configured to ban attackers’ IPs only temporarily. Continue reading
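The exact formula Protector™ uses is not given on this page, so the following is an added Python model (not Syncplify’s code) that assumes one reasonable reading of “increment percentage compounded over the number of attempts”: each attempt made during an active ban extends the expiry by ban_seconds × (1 + pct/100)^n, where n counts attempts seen during that ban. The `Protector` class, the `simulate` helper and the TEST-NET address are all constructed for the example; the point it demonstrates is that under continuous retries the expiry recedes faster than the attacker approaches it.

```python
class Protector:
    """Assumed model of the compound increment (illustration, not Syncplify's code).

    A first offence bans the IP for ban_seconds. With compound=True every attack
    attempt seen while the ban is active extends the expiry by
    ban_seconds * (1 + increment_pct / 100) ** n, where n counts the attempts
    made during the current ban. With compound=False (the pre-4.0.16 behaviour
    as the article describes it) attempts during the ban change nothing.
    """

    def __init__(self, ban_seconds=600.0, increment_pct=10.0, compound=True):
        self.ban = float(ban_seconds)
        self.factor = 1.0 + increment_pct / 100.0
        self.compound = compound
        self.expires = {}  # ip -> expiry time, in seconds on the caller's clock
        self.hits = {}     # ip -> attempts seen during the current ban

    def is_banned(self, ip, now):
        return self.expires.get(ip, 0.0) > now

    def attack_attempt(self, ip, now):
        """Record an identified attack attempt from ip at time now; return the ban expiry."""
        if not self.is_banned(ip, now):
            # No active ban: start a fresh countdown of the base duration.
            self.expires[ip] = now + self.ban
            self.hits[ip] = 0
        elif self.compound:
            # Active ban: each further attempt adds a geometrically growing extension.
            self.hits[ip] += 1
            self.expires[ip] += self.ban * self.factor ** self.hits[ip]
        return self.expires[ip]


def simulate(attempts, retry_every, compound, ban_seconds=600.0, increment_pct=10.0):
    """Attacker retries every retry_every seconds; return (final expiry, banned at last try)."""
    p = Protector(ban_seconds, increment_pct, compound)
    ip = "203.0.113.7"  # constructed sample address from the TEST-NET-3 range
    expiry = 0.0
    for i in range(attempts):
        expiry = p.attack_attempt(ip, i * retry_every)
    return expiry, p.is_banned(ip, (attempts - 1) * retry_every)


if __name__ == "__main__":
    for mode in (False, True):
        expiry, banned = simulate(attempts=12, retry_every=60, compound=mode)
        print(f"compound={mode}: ban expires at t={expiry:.0f}s, still banned={banned}")
```

With a fixed 600 s ban and one retry per minute, the legacy mode lets the attacker back in at t=600 and simply re-bans it; in compound mode the same twelve retries push the expiry into the tens of thousands of seconds, and every further retry pushes it out again.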

Authenticating users against your own DataBase

Syncplify.me Server! version: 4.0.16+

Note: in order to use the code posted in this article you need to be running at least version 4.0.16 or greater of Syncplify.me Server!

As you all know, Syncplify.me Server! already supports its own internal users, as well as Windows and Active Directory users (and groups, depending on the license type). Yet some of our customers need to implement fully custom authentication methods, often based on their own user databases.

In this article we show one way to do so. This is only meant as an example; real-life scenarios will require further customization of both the DB and the script posted here, but it is a decent starting point.

So, the background scenario for this example is:

  • our users’ authentication data are stored in a Microsoft(R) Access database
  • in our DB, each user is associated with a “category” (in this case his/her department: sales, marketing, …)
  • for the sake of this example, all users’ passwords are set to “password” (without quotes)
  • the script is fairly sophisticated: besides authenticating the user, it loads from the main Syncplify.me Server! user-base the user profile that belongs to the user’s “category”

So let’s start taking a look at our user database: Continue reading

How Syncplify.me Server! prevents SSHPsycho attacks

Syncplify.me Server! version: 4.0.0+

According to the SANS ISC, nearly 80% of all SSH-based brute force attacks are caused by SSHPsycho or one of its variations. This seems to be confirmed by the LongTail honeypot real-time report provided by Marist College. So, yes, SSHPsycho is a big deal, and it’s a problem. And traditional blacklisting mechanisms (simply banning certain “well known” IP addresses and networks) have proved ineffective against it.

LongTail shows that Cisco and Level 3’s recent announcement about blocking sshPsycho’s 4 class C IP ranges (also known as “Group 93” and the “Hee Thai Campaign”) has done nothing to stop their brutal attacks. [Source: SANS ISC]

Syncplify.me Server!’s intelligent and automatic blacklist (called “Protector”), though, proves extremely effective at preventing this type of attack. Its real-time dynamic attack pattern identification and prevention technology quickly recognizes SSHPsycho attacks (and the like) and proactively stops them as soon as they begin. Even at its “Normal” sensitivity threshold, Protector already identifies and blocks all types of SSHPsycho attacks, in most cases before they even get to try password authentication. Continue reading

Scripting lesson: using scripting and session info

Syncplify.me Server! version: 4.0.13+

This article shows how to use scripting, event handling and session information from within Syncplify.me Server! For the sake of this example we will only log such information to the log file, but in real-life production scenarios you can use it as you wish (for example you may want to send it via email to someone, or even make decisions based upon it).

Let’s start by preparing the script that – as we said – will log some info in your Syncplify.me Server!’s log file:

We save the above script with the following name/description: “Log several client and connection info”.

Then we add an event handler to trigger the execution of the script. Since the script contains references to file-transfer-related variables (VirtualObjectName and ObjectName), it makes sense to trigger its execution upon a file-transfer-related event. For the sake of this example we have chosen the AfterFileUpload event, which occurs every time a file is successfully uploaded by a client onto the server. Continue reading

Syncplify.me Server!: VFS with quotas

Syncplify.me Server! version: 4.0.0+

The Virtual File System (VFS) introduced in Syncplify.me Server! v4.0 comes with a long-awaited feature: quota management.

The Windows OS features a very powerful yet complicated quota management system, but it is only available in Windows Server editions and requires optional features to be installed; we therefore could not rely on it, and built our own quota management system, which works on all Windows systems.

Now, the problem with quota management is that calculating the current size of a folder (along with its sub-folders) can be very time-consuming if the folder contains millions of files. Re-evaluating the size to enforce quota restrictions at every operation could kill performance. Our solution is the Quota TTL, the Time-To-Live of the quota cache, expressed in seconds: when Syncplify.me Server! calculates the current size of a folder structure, it considers the result valid for QuotaTTL seconds and does not re-evaluate it before that. Continue reading
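The page does not show how the cached size is used during the TTL window, so here is an added Python sketch of a TTL quota cache (an illustration, not Syncplify’s implementation) that also handles the obvious failure mode of a plain cache: if the cached size is trusted as-is for QuotaTTL seconds, a client can upload many files inside that window and overshoot the quota before the next recalculation. The sketch therefore adds bytes accepted since the last full scan to the cached value. `QuotaCache`, `folder_size` and the injectable `size_fn`/`clock` parameters are all assumptions made for this example.

```python
import os
import time


def folder_size(root: str) -> int:
    """Full recursive scan; this is the expensive operation the TTL cache amortises."""
    total = 0
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            try:
                total += os.path.getsize(os.path.join(dirpath, name))
            except OSError:
                pass  # file vanished or is unreadable; skip it rather than fail the scan
    return total


class QuotaCache:
    """TTL-cached folder size used to enforce a byte quota (assumed design).

    size_fn(root) is called at most once per ttl_seconds. Bytes accepted through
    try_accept() since the last scan are added to the cached figure, so a stale
    cache cannot be used to exceed the quota within the TTL window.
    """

    def __init__(self, root, quota_bytes, ttl_seconds, size_fn=folder_size, clock=time.monotonic):
        self.root = root
        self.quota = int(quota_bytes)
        self.ttl = float(ttl_seconds)
        self.size_fn = size_fn
        self.clock = clock
        self._cached = None       # last scanned size, None until the first scan
        self._computed_at = 0.0   # clock value of the last scan
        self._pending = 0         # bytes accepted since the last scan
        self.scans = 0            # how many full scans were performed (for inspection)

    def current_size(self, now=None) -> int:
        now = self.clock() if now is None else now
        if self._cached is None or now - self._computed_at >= self.ttl:
            self._cached = self.size_fn(self.root)
            self._computed_at = now
            self._pending = 0
            self.scans += 1
        return self._cached + self._pending

    def try_accept(self, incoming_bytes: int, now=None) -> bool:
        """Decide whether an upload of incoming_bytes fits; reserve the bytes if it does."""
        if self.current_size(now) + incoming_bytes > self.quota:
            return False
        self._pending += incoming_bytes
        return True


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "existing.bin"), "wb") as fh:
            fh.write(b"\x00" * 1000)  # constructed sample content
        q = QuotaCache(tmp, quota_bytes=1500, ttl_seconds=30)
        print("400 B upload accepted:", q.try_accept(400))   # 1000 + 400 <= 1500
        print("200 B upload accepted:", q.try_accept(200))   # 1400 + 200 >  1500
        print("full scans so far:", q.scans)
```

A real server would also need to release the reservation when an upload is aborted, and to handle deletions (which can only make the cached figure pessimistic, so they are safe to ignore until the next scan).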

Syncplify.me Server! v4: new format to define groups

Syncplify.me Server! version: 4.0.0+

From Syncplify.me Server! v1 through v3, groups’ usernames used to start with a star/asterisk followed by the group name enclosed in square brackets. For example, the SFTP Users group would have the following username: *[SFTP Users]

In version 4 we have removed the star/asterisk, because we introduced the concept of user type. Therefore in version 4 the SFTP Users group is defined as follows.
Username: [sftp users]
User Type: Windows Group or Active Directory Group Continue reading

HTTPS “connection not private/secure” – what it is?

Syncplify.me Server! version: 4.0.0+

After installing Syncplify.me Server! v4.0 you will be able to manage it securely via web interface over HTTPS.

Now, a very common choice is to use a self-signed certificate: it saves money and, if you know what you’re doing, it does not compromise security. It is in fact the most common choice among our users (according to our surveys).

But if you use a self-signed certificate, your browser will warn you that the connection may not be private or secure. That’s because the browser has no way to tell your self-signed certificate from one forged by a man-in-the-middle (MitM) attacker: both are equally untrusted. The warning stops mattering only once you have verified that this particular certificate is the one you created, on your own server, for this purpose.

To get rid of this warning, you basically have 2 options:

  1. Buy a trusted X.509 (SSL/TLS) certificate from a Certificate Authority such as DigiCert, Comodo, Thawte and the like. This is the recommended choice, since it relies on the trust chain that the Certificate Authority provides and that browsers already trust.
  2. Verify the self-signed certificate you have just created and add it to your browser’s (or operating system’s) trust store. In this case, always compare the certificate fingerprint shown by the browser against the fingerprint computed on the server itself, to make sure it really is the one you created and that you are not the victim of a Man-in-the-Middle (MitM) attack.
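The fingerprint comparison in option 2 is the whole of the security argument, so here is an added Python helper (not part of the original article or of Syncplify.me Server!) that computes the SHA-256 fingerprint of a certificate in the colon-separated form browsers display, compares two fingerprints in constant time regardless of case or separators, and fetches a server’s leaf certificate without trusting it so that the pinned fingerprint, not the trust store, decides. The function names and the host/port defaults are assumptions for this example.

```python
import hashlib
import hmac
import socket
import ssl


def fingerprint_sha256(der: bytes) -> str:
    """SHA-256 of the DER-encoded certificate, formatted like a browser's certificate viewer."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_of_pem(pem_text: str) -> str:
    """Fingerprint of a PEM certificate as stored on the server (e.g. the one you generated)."""
    return fingerprint_sha256(ssl.PEM_cert_to_DER_cert(pem_text))


def _normalize(fp: str) -> str:
    # Accept "AB:CD", "ab cd", "abcd", ...: keep only hex digits, upper-cased.
    return "".join(ch for ch in fp.upper() if ch in "0123456789ABCDEF")


def fingerprints_match(got: str, expected: str) -> bool:
    """Constant-time comparison so the check itself leaks nothing about the expected value."""
    return hmac.compare_digest(_normalize(got), _normalize(expected))


def fetch_server_cert_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Retrieve the leaf certificate without validating it; trust is decided by the pin, not here."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def verify_pinned(host: str, port: int, expected_fp: str) -> str:
    """Connect, fingerprint the presented certificate and refuse unless it matches the pin."""
    got = fingerprint_sha256(fetch_server_cert_der(host, port))
    if not fingerprints_match(got, expected_fp):
        raise ssl.SSLCertVerificationError(
            f"fingerprint mismatch for {host}:{port}: got {got}, expected {expected_fp}")
    return got


if __name__ == "__main__":
    # Run this on the server host against the PEM you generated, then compare the
    # printed value with what the browser shows before accepting the certificate.
    # (Path is an assumption; substitute your own.)
    import sys
    pem_path = sys.argv[1] if len(sys.argv) > 1 else "server.crt"
    with open(pem_path, "r", encoding="ascii") as fh:
        print(fingerprint_of_pem(fh.read()))
```

Compute the fingerprint on the server console (where no attacker sits in the path), then compare it with the one the browser shows in the certificate details; only if they match should the certificate be added to the trust store. `verify_pinned` does the same comparison programmatically for scripts that talk to the admin interface.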

Continue reading