While SSL/TLS security configuration for the FTPS protocol is entirely self-contained, Syncplify.me Server!’s Web/REST service relies on Windows’ HTTP.SYS subsystem, which is the same subsystem IIS is based on, and therefore its security configuration has to be made at operating system level.
This totally free White Paper discusses secure file transfer regulatory compliance issues for banks and financial institutions, debunks some myths, and explains how to achieve the required levels of security and conformity.
Feel free to download it and use it under the CC BY-NC-ND 4.0 license.
We have just released version 4.1.0 of our Syncplify.me Server! software. This version features the following improvements:
- Added: support for MongoDB authentication and specific utility to configure it (read how to use it here)
- Fixed: small memory leak in one of the password encryption functions
Warning: upgrading to 4.1.0 from any version prior to 4.0.34 will invalidate your license, so please if you are a customer – before you upgrade – contact us to request a license reset.
Note: if after the update you notice any unexpected behavior in the web interface, just hit Ctrl-F5 in your browser; that will force the browser to reload the page as well as all back-end scripts and update the ones that may have been cached from previous versions of the software.
As usual you can download this new release from our website.
The most significant improvement introduced by Syncplify.me Server! v4.1 is the ability to use MongoDB’s authentication. As explained in a previous KB article, our deployment of MongoDB was secure even without authentication, but keeping in mind all possible scenarios our development team has worked hard to add direct support to MongoDB’s native authentication into our software. This article explains how to use the new MongoDB Authentication Utility (installed along with Syncplify.me Server! v4.1+) to enable/disable this feature as needed.
The procedures outlined in this article are suitable for all single-node Syncplify.me Server! deployments. High-Availability (HA) deployments will require a little more work. Continue reading
According to the SANS ISC nearly 80% of all SSH-based brute force attacks are caused by SSHPsycho or one of its variations. This seems to be confirmed by the LongTail honeypot real-time report provided by the Marist College. So, yes, SSHPsycho is a big deal, and it’s a problem. And traditional blacklisting mechanisms (simply banning certain “well known” IP addresses and networks) have proved to be inefficient against it.
LongTail shows that Cisco and Level 3’s recent announcement about blocking sshPsycho’s 4 class C IP ranges (also known as “Group 93” and the “Hee Thai Campaign”) has done nothing to stop their brutal attacks. [Source: SANS ISC]
Syncplify.me Server!’s intelligent and automatic blacklist (called “Protector“), though, shows to be extremely effective at preventing such type of attack. Its real-time dynamic attack pattern identification and prevention technology can quickly recognize SSHPsycho attacks (and the like) and proactively stop them as soon as they begin. Even at its “Normal” sensitivity threshold, Protector already identifies and blocks all types of SSHPsycho attacks, in most cases before they even get to try the password authentication. Continue reading
After installing Syncplify.me Server! v4.0 you will be able to manage it securely via web interface over HTTPS.
Now, a very common choice is to use a self-signed certificate, because it saves money and if you know what you’re doing it doesn’t compromise security. This is, in fact, the most common choice among our users (according to our surveys).
But if you use a self-signed certificate, your browser will warn you that your connection may not be private or secure. That’s because self-signed certificates are often used for man-in-the-middle (MitM) attacks. But this is not the case, of course, if you can verify that this particular self-signed certificate was created by you and for you.
To get rid of this annoying message, you basically have 2 options:
- Spend some money to buy a trusted X.509 (SSL/TLS) certificate from a Certification Authority like DigiCert, Comodo, Thawte, and the like. It goes without saying that this is the recommended choice, as it takes advantage of the inherent trust chain provided by the Certification Authority.
- Verify and accept the self-signed certificate you have just created and add it to the trusted keychain of your browser. In this case you are advised to always verify the certificate’s fingerprint to make sure it’s really the one you created yourself, and that you’re not a victim of a Man-in-the-Middle (MitM) attack.
In the new Syncplify.me Server! v4.0, there’s a quite handy feature that allows a one-click configuration of many security settings at once, depending on the virtual server’s intended usage scenario.
Here’s a brief explanation of what each preset configuration means and what to expect when you apply it: Continue reading
Quite often our Syncplify.me Server! customers and users contact us asking for recommendations regarding the choice of an SFTP client for MacOSX.
Of course there are several options out there. And then there’s Commander One by Eltima Software, the two-pane file manager for MacOSX that will make you forget anything else you’ve tried before on the Apple platform.
Not only it supports FTP, FTPS and SFTP, but also provides some highly desirable features like dual-pane tabbed browsing, support for compressed archives, regular-expression file searches, and even server-to-server file copies.
Our developers here at Syncplify have downloaded it and tested it thoroughly, and Commander One turned out to be an excellent software product, well designed, feature rich, and easy to use. For such reasons we feel comfortable recommending it to our users and customers as a great Mac client to connect to our Syncplify.me Server!
Our users are aware that old Syncplify.me Server! versions (from 1.0 to 3.x) used to support only a single host key, and it had to be an RSA key.
As of version 4.0, though, Syncplify.me Server! supports RSA, DSA, and ECDSA host keys, and it support multiple (unlimited) host keys per virtual server.
The addition of DSA keys was mostly driven by the fact that some of our customers possess legacy DSA host/server keys that they are required to use, in order for certain client applications to work properly. The addition of ECDSA host keys instead is a truly remarkable new feature, and to understand why just check out the comparison table here below: Continue reading
Upon installation, Syncplify.me Server! auto-generates a self-signed X.509 (SSL/TLS) Server Certificate to be used for implicit and explicit FTP (aka FTPS and FTPES). However, such certificate carries the name of “Syncplify” in the organization field, and the common name (CN) field is only suitable for localhost (127.0.0.1). Therefore you may want to generate your own certificate, or buy one from a trusted Certification Authority (CA).
If a self-signed certificate is enough for you (and for all clients that will connect to your server), then you can simply use Syncplify.me Server!’s internal certificate generator as follows. Simply click the “gear” button on the FTP(S) tab of the Configuration manager. Continue reading