How to: SFTP authentication via one-time passwords (OTP)

Syncplify.me Server! version: 5.0.0+

Occasionally our customers ask if it’s possible to implement some form of one-time password (OTP) authentication for their SFTP users. Considering the complexity of the SSH authentication scheme, such a task is definitely not trivial. To ease the process, Syncplify.me Server! V5 adds two new event-handlers and several functions to the scripting framework. This article explains how to use them to accomplish OTP authentication over SFTP.

How to use VFS.ImportFile and VFS.ExportFile

Syncplify.me Server! version: 4.1.6+

As of version 4.1.6, Syncplify.me Server! added 2 new functions to the VFS object for you to use inside your event-handling scripts (requires the Ultimate edition of the software).

Say, for example, that you have an encrypted VFS, like a VFS of type DiskAES256 as shown in the picture here below:

How to: use a CA-issued certificate (the long way)

Syncplify.me Server! version: 4.0.0+

If you already own an X.509 (SSL/TLS) digital certificate in PFX format, you know how simple it is to import it into your Syncplify.me Server! and use it.

But many of our customers asked for a tutorial on the longer procedure of requesting a digital certificate from a certification authority (CA) via a certificate signing request (CSR). So here’s the fully documented procedure for you.

First of all you have to generate the CSR, and to do that you will simply go to the Security->FTP(E/S) menu and select the option in the picture below from the certificate drop-down menu:

Hiding certain files from a directory listing

Syncplify.me Server! version: 4.0.24+

As of version 4.0.24, Syncplify.me Server! has introduced two new features:

  • the BeforeSendDirListToClient event handler
  • the RemoveFromDirList method in the scripting framework

These features can be used together to hide certain files from a directory listing. This is useful, for example, when you don’t want certain users to see certain file types when they connect to your SFTP server, but you still want to show such files to other users.

The first thing to do is to create a script. Let’s assume, for the sake of this example, that you want to hide some AutoCAD® files, and specifically all DWG and DXF files. Then you will need a script like this:

Once the script is ready, you will have to open the user profile you want to apply the rule to, and add an event handler to it, like this:

How to prevent uploads of EXE files

Syncplify.me Server! version: 4.0.0+

Some SFTP servers feature a simple “extension exclusion list” so that administrators can specify certain file extensions that the server should not let users upload. But that’s a pretty weak defense, as a clever attacker could always upload an EXE with a fake extension and then rename it or otherwise find alternative ways to run it on the server, thus compromising its security.

Syncplify.me Server!’s scriptable nature, though, allows you to do a lot more than just disallow certain file extensions. Here’s a sample script that can be attached to the “AfterFileUpload” event handler, to identify EXE files that have been uploaded with fake extensions and delete them right away.

The above script is provided as a mere example to identify Windows EXE files. But it could be easily modified in order to identify other file types.

All Windows EXEs, in fact, have stable distinguishing features in their binary code. More precisely: the first 2 bytes (in hex) will always be 4D5A, and the 4 bytes at offset 256 (0x100) will always be 50450000. So if a file has those byte sequences in those exact locations, it’s safe to say it’s a Windows EXE.

Do you need to identify ZIP files instead? The first 4 bytes are always 04034B50.

And so on… many file types can be identified by specific “signatures” in their binary code, that one can easily read using Syncplify.me Server!’s powerful scripting capabilities.
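
An added example, not code from the original article or from Syncplify: the content-based check described above, written in Python rather than the server's scripting language. It goes beyond the text by reading the PE header offset from the DOS header field at 0x3C instead of assuming a fixed position, so the offset-0x100 layout is one case among several; all function names and sample bytes are constructed for illustration.

```python
import struct

ZIP_LOCAL_HEADER = b"PK\x03\x04"   # 0x04034B50 read as a little-endian 32-bit value
PE_SIGNATURE = b"PE\x00\x00"       # 50 45 00 00
E_LFANEW_OFFSET = 0x3C             # DOS-header field holding the PE header offset


def sniff_type(data: bytes) -> str:
    """Classify a file's leading bytes as 'exe', 'zip' or 'unknown' by content."""
    if data[:4] == ZIP_LOCAL_HEADER:
        return "zip"
    if data[:2] == b"MZ" and len(data) >= E_LFANEW_OFFSET + 4:
        (pe_offset,) = struct.unpack_from("<I", data, E_LFANEW_OFFSET)
        # Bounds-check the offset: it comes from the uploaded file itself.
        if pe_offset + 4 <= len(data) and data[pe_offset:pe_offset + 4] == PE_SIGNATURE:
            return "exe"
    return "unknown"


def is_disguised_executable(filename: str, data: bytes) -> bool:
    """True when the content is a Windows executable but the name hides it."""
    executable_exts = (".exe", ".dll", ".scr", ".sys")
    return sniff_type(data) == "exe" and not filename.lower().endswith(executable_exts)


def build_sample_pe(pe_offset: int) -> bytes:
    """Constructed sample: minimal MZ stub whose e_lfanew points at 'PE\\0\\0'."""
    buf = bytearray(pe_offset + 4)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, E_LFANEW_OFFSET, pe_offset)
    buf[pe_offset:pe_offset + 4] = PE_SIGNATURE
    return bytes(buf)


if __name__ == "__main__":
    # Constructed uploads: file name -> leading bytes of the content.
    samples = {
        "report.pdf": build_sample_pe(0x100),   # layout the article describes
        "photo.jpg": build_sample_pe(0x80),     # PE header at a different offset
        "archive.zip": ZIP_LOCAL_HEADER + b"\x14\x00",
        "notes.txt": b"MZ is just text here",   # 'MZ' alone is not enough
    }
    for name, content in samples.items():
        print(name, sniff_type(content), is_disguised_executable(name, content))
```
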

Authenticating users against your own DataBase

Syncplify.me Server! version: 4.0.16+

Note: in order to use the code posted in this article you need to be running version 4.0.16 or later of Syncplify.me Server!

As you all know, Syncplify.me Server! already supports its own internal users, as well as Windows and Active Directory users (and groups, depending on the license type). Yet, some of our customers need to implement totally custom authentication methods, often based on their own user databases.

In this article we will show one way to do so. This is clearly just meant to serve as an example, and real-life scenarios require some further customization to the DB and the script posted here. But it’s a fairly decent starting point.

So, the background scenario for this example is:

  • our users’ authentication data are stored in a Microsoft(R) Access database
  • in our DB, each user is associated with a “category” (in this case his/her department: sales, marketing, …)
  • for the sake of this example, all users’ passwords are set to “password” (without quotes)
  • the script is pretty sophisticated, because besides authenticating the user, it will load a user profile that belongs to the “category” of the user from the main Syncplify.me Server! user-base

So let’s start by taking a look at our user database:

Scripting lesson: using scripting and session info

Syncplify.me Server! version: 4.0.13+

This article shows how to use scripting, event-handling and session information from within Syncplify.me Server! For the sake of this example we will only log such information in the log file, but in real-life production scenarios you can use this information as you wish (for example you may want to send it via email to someone, or even make decisions based upon it).

Let’s start by preparing the script that – as we said – will log some info in your Syncplify.me Server!’s log file:

We save the above script with the following name/description: “Log several client and connection info”.

Then we add an event-handler to trigger the execution of the script. Since the script contains references to file-transfer-related variables (VirtualObjectName and ObjectName), it makes sense to trigger its execution upon occurrence of a file-transfer-related event. For the sake of this example we have chosen the AfterFileUpload event, which occurs every time a file is successfully uploaded by a client onto the server.

FTP Script! lesson: using the new features in v3.1

Syncplify.me FTP Script! version: 3.1.0+

FTP Script! v3.1.0.50, released earlier today, comes with a bunch of new features and functions to simplify some tasks related to the management of local files. In fact, it’s not just about transferring files to/from FTP servers… what you do with those files after/before you upload/download them to your local disk also matters!

In earlier versions of FTP Script! the FileCopy function, for example, was very limited. It could copy only one file at a time, and it had no support for wildcard file masks. In v3.1 we greatly improved it, and you can now use it this way:

The third parameter (set to true in the example here above) determines whether the function should overwrite the destination file(s) if it/they already exist.

Scripting lesson: email a list of all uploaded files

Syncplify.me Server! version: 3.1.21+

One of the ready-made script examples that is installed along with Syncplify.me Server! shows how to notify someone via email each time a file is uploaded. But what if you wanted to send only one email, at the end of the file transfer session, with the list of all files that were uploaded in that session?

You can easily do that with 2 simple scripts bound to 2 different event handlers.

First of all you will need a script bound to the “AfterFileUpload” event handler, to keep the list up to date:

Extending your SFTP Server: Lesson #1

This is the first of a series of video lessons to help our users learn how to unleash the full power of Syncplify.me Server! by writing scripts that are executed automatically upon occurrence of certain events.

This first script is kind of a “hello world”, but it’s meant to give our users a glimpse of the features Syncplify.me Server! puts at their disposal.

Once you’ve watched the video, if you don’t want to re-type the script by hand, here’s the source code for you, ready to copy and paste.