Server configuration syntax

Server configuration is done in config.yaml file. The file uses YAML format.

keys

Private keys to be used by the server. If only one directory is specified and no keys are found then the server will generate and save the private keys on startup. Note: password-protected keys are not supported (yet).

keys: 
  # Directory where keys are stored
  - keys/ 
  # Private key file
  - /home/my_private_key

bindings

Port and IP address bindings. By default the server will bind to any IP address, listen on port 22 and will serve both SFTP and SCP protocols. You can specify multiple bindings. You can also use hostname instead of IP address - the address(es) will be resolved for you.

bindings:
  - { port: 22, ipAddress: 0.0.0.0, sftp: true, scp: true }
  - { port: 22, ipAddress: test.rebex.net, sftp: true, scp: true }

ipFilter

IP filtering rules. Allow list has priority over deny list. By default all IP addresses are allowed. To block all incoming requests (except for those in 'allow') add 0.0.0.0/0 (all IPv4) and ::/0 (all IPv6) to deny section. Please note that IPv6 addresses must be enclosed in double quotes as required by YAML format.

ipFilter:
  deny:
    # single IP address
    - 192.168.66.12 
    # CIDR notation
    - 192.168.66.12/24
  allow:
    # Address range
    - 192.168.66.0-192.168.66.10
    # IPv6
    - "2001:db8::/48"  # quotes required

logging

No logs will be saved unless you specify log location. Logs are aggregated daily and will be kept forever unless you specify otherwise. Make sure that the user the server service uses has write access to the locations specified.

logging: 
  # Access log (user activity over SSH)
  access:
    # Directory where logs will be kept
    location: D:\buru\logs\access
    
    # keep files forever
    maxFileCount: 0
    
  # Server log (for debugging purposes)
  server:
    location: D:\buru\logs\server
    # Minimal log level to write. Set to warning by default.
    # Supported values are: verbose, debug, information, warning, error and fatal. 
    minLevel: warning
    
    # keep at most 31 files (~1 month)
    maxFileCount: 31

Experienced users can customize the logging using Serilog configuration file config/logging.json. The file must be in JSON format and any library dependencies (including transitive dependencies) must be supplied manually. When custom configuration is enabled then any access or server settings are ignored. Access logs are distinguished by Access Serilog property.

logging:
  useCustomConfig: true

Example of Serilog configuration file:

{
    "Serilog": {
        "Using":  [ "Serilog.Sinks.File" ],
        "MinimumLevel": "Debug",
        "WriteTo": [
            { "Name": "File", "Args": { "path": "D:\\log.txt" }}
        ],
        "Properties": {
            "Application": "burusftp"
        }
    }
}

users

User and password policies

  • passwordHashAlgorithm - supported values are SHA256, SHA384 or SHA512 (default).
  • passwordSaltSize - size of salt in bytes. Allowed range is 8-256 bytes. Default value is 20.
  • usernamePattern - user name regular expression filter. Default: ^[a-zA-Z0-9_\@\-\.]{1,128}$ (any alphanumeric characters and/or any of '_-@.')
users:
  passwordHashAlgorithm: SHA512
  passwordSaltSize: 20
  usernamePattern: "^[a-zA-Z0-9_\\@\\-\\.]{1,128}$"

security.accountLockoutPolicy

Specifies conditions for account lockout

  • threshold - number of unsuccessful login attempts after which account will be locked out. Set to 0 to disable. Default: 10
  • lockoutDurationSeconds - time period in seconds a locked-out account remains locked out before automatically becoming unlocked. Default: 900 (15 minutes)
  • resetCounterPeriodSeconds - time period in seconds following last unsuccessful login after which the lockout counter will be set back to zero. Must be same or greater than lockoutDurationSeconds. If no value is specified then lockoutDurationSeconds value is used.
security:
  accountLockoutPolicy:
    # Lockout account after 10 failed logins for 15 minutes, reset counter after 30 minutes
    threshold: 10
    lockoutDurationSeconds: 900
    resetCounterPeriodSeconds: 1800

ssh

SSH Configuration. We recommend to use only __MODERN suites if possible; for maximum compatibility without compromising too much on security use __INTERMEDIATE.

  • encryptionAlgorithms - encryption algorithms. Default value: ['__MODERN']. Currently supported algorithms are, along with their macros:

    • __MODERN (secure suites): aes256-gcm@openssh.com, aes128-gcm@openssh.com, aes256-ctr, aes256-cbc, aes192-ctr, aes192-cbc, aes128-ctr, aes128-cbc, chacha20-poly1305@openssh.com, twofish256-ctr, twofish192-ctr, twofish128-ctr
    • __INTERMEDIATE (best compatibility): all of the above, plus: twofish256-cbc, twofish192-cbc, twofish128-cbc, twofish-cbc, 3des-ctr, 3des-cbc
    • __ALL (all suites, including insecure - NOT RECOMMENDED): all of the above, plus: arcfour256, arcfour128, arcfour, blowfish-ctr, blowfish-cbc

  • hostKeyAlgorithms - host key algorithms. Default value: [__MODERN]. Currently supported algorithms are, along with their macros:

    • __MODERN (secure suites): ssh-ed25519, ecdsa-sha2-nistp521, ecdsa-sha2-nistp384, ecdsa-sha2-nistp256, rsa-sha2-512, ssh-rsa-sha256@ssh.com, rsa-sha2-256
    • __INTERMEDIATE (best compatiblity): all of the above, plus: ssh-dss, ssh-rsa, x509v3-sign-rsa, x509v3-sign-dss
    • __ALL (all suites, including insecure - NOT RECOMMENDED): all of the above (currently plus nothing extra)

  • kexAlgorithms - key exchange algorithms. Default value: ['__MODERN']. Currently supported algorithms are, along with their macros:

    • __MODERN (secure suites): curve25519-sha256, curve25519-sha256@libssh.org, ecdh-sha2-nistp521, ecdh-sha2-nistp384, ecdh-sha2-nistp256, diffie-hellman-group16-sha512, diffie-hellman-group15-sha512, diffie-hellman-group-exchange-sha256
    • __INTERMEDIATE (best compatibility): all of the above, plus: diffie-hellman-group14-sha256, diffie-hellman-group14-sha1, diffie-hellman-group-exchange-sha1
    • __ALL (all suites, including insecure - NOT RECOMMENDED): all of the above, plus: diffie-hellman-group1-sha1

  • macAlgorithms - MAC algorithms. Default value: ['__MODERN']. Currently supported algorithms are, along with their macros:

    • __MODERN (secure suites): hmac-sha2-512-etm@openssh.com, hmac-sha2-256-etm@openssh.com, hmac-sha2-512, hmac-sha2-256
    • __INTERMEDIATE (best compatiblity): all of the above, plus: hmac-sha1, hmac-sha1-96
    • __ALL (all suites, including insecure - NOT RECOMMENDED): all of the above, plus: hmac-md5, hmac-md5-96

  • shellHostName - server name visible to the clients

  • softwareVersion - use custom software version in SSH protocol version exchange

ssh:
  softwareVersion: MyServer_1.0.0
  
  encryptionAlgorithms: ['__MODERN', '3des-ctr', '3des-cbc']
  hostKeyAlgorithms: ['__MODERN']
  kexAlgorithms: ['__MODERN', 'diffie-hellman-group14-sha1']
  macAlgorithms: ['__INTERMEDIATE']
  
  shellHostName: myserver

SSH shell - EXPERIMENTAL.

Disabled by default. Aliases are defined in aliases file. See also ssh-shell-aliases.

  • enabled - turns on or off SSH shell. Default: false
sshShell:
  enabled: true

SSH tunnelling - EXPERIMENTAL.

Disabled by default, without any implicit bindings.

sshTunnelling:
  enabled: true
  bindings:
    - { port: 22, ipAddress: 0.0.0.0 }