Server configuration syntax
Server configuration is done in the config.yaml file. The file uses YAML format.
keys
Private keys to be used by the server. If only one directory is specified and no keys are found then the server will generate and save the private keys on startup. Note: password-protected keys are not supported (yet).
keys:
# Directory where keys are stored
- keys/
# Private key file
- /home/my_private_key
bindings
Port and IP address bindings. By default the server binds to any IP address, listens on port 22 and serves both the SFTP and SCP protocols. You can specify multiple bindings. You can also use a hostname instead of an IP address; the address(es) will be resolved for you.
bindings:
  - { port: 22, ipAddress: 0.0.0.0, sftp: true, scp: true }
  - { port: 22, ipAddress: test.rebex.net, sftp: true, scp: true }
ipFilter
IP filtering rules. The allow list has priority over the deny list. By default all IP addresses are allowed. To block all incoming requests (except those in 'allow'), add 0.0.0.0/0 (all IPv4) and ::/0 (all IPv6) to the deny section.
Please note that IPv6 addresses must be enclosed in double quotes as required by YAML format.
ipFilter:
  deny:
    # single IP address
    - 192.168.66.12
    # CIDR notation
    - 192.168.66.12/24
  allow:
    # Address range
    - 192.168.66.0-192.168.66.10
    # IPv6
    - "2001:db8::/48" # quotes required
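The rule semantics described above (an allow match wins over deny, single addresses, CIDR blocks and first-last ranges, IPv4 and IPv6), as an added Python model that is not part of the server and uses only the standard ipaddress module. The two rule dictionaries are constructed here to mirror the YAML above and the deny-all pattern described in the text.

```python
import ipaddress

# Constructed: the parsed form of the ipFilter example above.
IP_FILTER = {
    "deny": ["192.168.66.12", "192.168.66.12/24"],
    "allow": ["192.168.66.0-192.168.66.10", "2001:db8::/48"],
}

# Constructed: the documented "block everything except the allow list" pattern.
DENY_ALL_EXCEPT = {"deny": ["0.0.0.0/0", "::/0"], "allow": ["192.168.66.0-192.168.66.10"]}


def rule_matches(rule, addr):
    """True if addr falls inside one rule: a single IP, a CIDR block or a 'first-last' range."""
    if "-" in rule:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in rule.split("-", 1))
        return addr.version == lo.version and lo <= addr <= hi
    # strict=False accepts host bits in the prefix, so 192.168.66.12/24 means 192.168.66.0/24;
    # a bare address becomes a /32 (or /128) network. Mismatched IP versions never match.
    net = ipaddress.ip_network(rule, strict=False)
    return addr in net


def is_allowed(ip, ip_filter):
    """Documented order: an allow match wins; otherwise any deny match blocks; otherwise allowed."""
    addr = ipaddress.ip_address(ip)
    if any(rule_matches(r, addr) for r in ip_filter.get("allow", [])):
        return True
    return not any(rule_matches(r, addr) for r in ip_filter.get("deny", []))
```

Note that 192.168.66.12/24 in the deny list blocks the whole 192.168.66.0/24 network, and only the allow range 192.168.66.0-192.168.66.10 carves addresses back out of it.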
logging
No logs will be saved unless you specify log location. Logs are aggregated daily and will be kept forever unless you specify otherwise. Make sure that the user the server service uses has write access to the locations specified.
logging:
  # Access log (user activity over SSH)
  access:
    # Directory where logs will be kept
    location: D:\buru\logs\access
    # keep files forever
    maxFileCount: 0
  # Server log (for debugging purposes)
  server:
    location: D:\buru\logs\server
    # Minimal log level to write. Set to warning by default.
    # Supported values are: verbose, debug, information, warning, error and fatal.
    minLevel: warning
    # keep at most 31 files (~1 month)
    maxFileCount: 31
Experienced users can customize the logging using the Serilog configuration file config/logging.json. The file must be in JSON format and any library dependencies (including transitive dependencies) must be supplied manually. When custom configuration is enabled, any access or server settings are ignored.
Access logs are distinguished by the Access Serilog property.
logging:
  useCustomConfig: true
Example of a Serilog configuration file:
{
  "Serilog": {
    "Using": [ "Serilog.Sinks.File" ],
    "MinimumLevel": "Debug",
    "WriteTo": [
      { "Name": "File", "Args": { "path": "D:\\log.txt" }}
    ],
    "Properties": {
      "Application": "burusftp"
    }
  }
}
users
User and password policies
passwordHashAlgorithm - supported values are SHA256, SHA384 or SHA512 (default).
passwordHashAutoUpdate - auto-update hash on user login when hash is outdated (algorithm or salt size differ from settings). Enabled by default.
passwordSaltSize - size of salt in bytes. Allowed range is 8-256 bytes. Default value is 20.
usernamePattern - user name regular expression filter. Default: ^[a-zA-Z0-9_\@\-\.]{1,128}$ (any alphanumeric characters and/or any of '_-@.')
users:
  passwordHashAlgorithm: SHA512
  passwordHashAutoUpdate: true
  passwordSaltSize: 20
  usernamePattern: "^[a-zA-Z0-9_\\@\\-\\.]{1,128}$"
security.accountLockoutPolicy
Specifies conditions for account lockout
threshold - number of unsuccessful login attempts after which the account will be locked out. Set to 0 to disable. Default: 10
lockoutDurationSeconds - time period in seconds a locked-out account remains locked out before automatically becoming unlocked. Default: 900 (15 minutes)
resetCounterPeriodSeconds - time period in seconds following the last unsuccessful login after which the lockout counter will be set back to zero. Must be the same as or greater than lockoutDurationSeconds. If no value is specified then the lockoutDurationSeconds value is used.
security:
  accountLockoutPolicy:
    # Lockout account after 10 failed logins for 15 minutes, reset counter after 30 minutes
    threshold: 10
    lockoutDurationSeconds: 900
    resetCounterPeriodSeconds: 1800
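An added Python model of the three settings above, not the server's own implementation: it applies the documented defaults, enforces the reset >= lockout constraint, and walks an account through failed logins with explicit timestamps so the interaction between the counter, the lockout window and the reset period can be seen. It assumes (not stated on this page) that a successful login clears the counter.

```python
# Constructed policy with the values from the example above (times are in seconds).
POLICY = {"threshold": 10, "lockoutDurationSeconds": 900, "resetCounterPeriodSeconds": 1800}


def validate_policy(policy):
    """Apply the documented defaults and the reset >= lockout constraint; return a normalized copy."""
    p = {"threshold": 10, "lockoutDurationSeconds": 900}
    p.update(policy)
    p.setdefault("resetCounterPeriodSeconds", p["lockoutDurationSeconds"])
    if p["resetCounterPeriodSeconds"] < p["lockoutDurationSeconds"]:
        raise ValueError("resetCounterPeriodSeconds must be >= lockoutDurationSeconds")
    return p


class AccountLockout:
    """Failed-login counter and lockout window for one account, driven by explicit timestamps."""

    def __init__(self, policy):
        self.policy = validate_policy(policy)
        self.failures = 0          # unsuccessful logins counted in the current reset window
        self.last_failure = None   # time of the most recent unsuccessful login
        self.locked_until = None   # end of the current lockout, if any

    def is_locked(self, now):
        return self.locked_until is not None and now < self.locked_until

    def attempt(self, now, password_ok):
        """Return 'locked', 'ok' or 'fail'; a failure that reaches the threshold starts a lockout."""
        p = self.policy
        if self.is_locked(now):
            return "locked"                  # rejected even with the right password
        if password_ok:
            self.failures = 0                # assumption: a successful login clears the counter
            return "ok"
        # The counter goes back to zero only once resetCounterPeriodSeconds have elapsed
        # since the last unsuccessful login, as documented above.
        if self.last_failure is not None and now - self.last_failure >= p["resetCounterPeriodSeconds"]:
            self.failures = 0
        self.failures += 1
        self.last_failure = now
        if p["threshold"] and self.failures >= p["threshold"]:   # threshold 0 disables lockout
            self.locked_until = now + p["lockoutDurationSeconds"]
        return "fail"
```

With these values a wrong password at t=1000, just after a lockout that started at t=9 has expired, locks the account again at once, because the counter is only cleared 1800 s after the last failure rather than when the lockout ends.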
ssh
SSH configuration. We recommend using only __MODERN suites if possible; for maximum compatibility without compromising too much on security, use __INTERMEDIATE.
encryptionAlgorithms - encryption algorithms. Default value: ['__MODERN']. Currently supported algorithms are, along with their macros:
  __MODERN (secure suites): aes256-gcm@openssh.com, aes128-gcm@openssh.com, aes256-ctr, aes256-cbc, aes192-ctr, aes192-cbc, aes128-ctr, aes128-cbc, chacha20-poly1305@openssh.com, twofish256-ctr, twofish192-ctr, twofish128-ctr
  __INTERMEDIATE (best compatibility): all of the above, plus: twofish256-cbc, twofish192-cbc, twofish128-cbc, twofish-cbc, 3des-ctr, 3des-cbc
  __ALL (all suites, including insecure - NOT RECOMMENDED): all of the above, plus: arcfour256, arcfour128, arcfour, blowfish-ctr, blowfish-cbc
hostKeyAlgorithms - host key algorithms. Default value: ['__MODERN']. Currently supported algorithms are, along with their macros:
  __MODERN (secure suites): ssh-ed25519, ecdsa-sha2-nistp521, ecdsa-sha2-nistp384, ecdsa-sha2-nistp256, rsa-sha2-512, ssh-rsa-sha256@ssh.com, rsa-sha2-256
  __INTERMEDIATE (best compatibility): all of the above, plus: ssh-dss, ssh-rsa, x509v3-sign-rsa, x509v3-sign-dss
  __ALL (all suites, including insecure - NOT RECOMMENDED): all of the above (currently plus nothing extra)
kexAlgorithms - key exchange algorithms. Default value: ['__MODERN']. Currently supported algorithms are, along with their macros:
  __MODERN (secure suites): curve25519-sha256, curve25519-sha256@libssh.org, ecdh-sha2-nistp521, ecdh-sha2-nistp384, ecdh-sha2-nistp256, diffie-hellman-group16-sha512, diffie-hellman-group15-sha512, diffie-hellman-group-exchange-sha256
  __INTERMEDIATE (best compatibility): all of the above, plus: diffie-hellman-group14-sha256, diffie-hellman-group14-sha1, diffie-hellman-group-exchange-sha1
  __ALL (all suites, including insecure - NOT RECOMMENDED): all of the above, plus: diffie-hellman-group1-sha1
macAlgorithms - MAC algorithms. Default value: ['__MODERN']. Currently supported algorithms are, along with their macros:
  __MODERN (secure suites): hmac-sha2-512-etm@openssh.com, hmac-sha2-256-etm@openssh.com, hmac-sha2-512, hmac-sha2-256
  __INTERMEDIATE (best compatibility): all of the above, plus: hmac-sha1, hmac-sha1-96
  __ALL (all suites, including insecure - NOT RECOMMENDED): all of the above, plus: hmac-md5, hmac-md5-96
shellHostName - server name visible to the clients
softwareVersion - use custom software version in SSH protocol version exchange
ssh:
  softwareVersion: MyServer_1.0.0
  encryptionAlgorithms: ['__MODERN', '3des-ctr', '3des-cbc']
  hostKeyAlgorithms: ['__MODERN']
  kexAlgorithms: ['__MODERN', 'diffie-hellman-group14-sha1']
  macAlgorithms: ['__INTERMEDIATE']
  shellHostName: myserver
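An added Python helper, not part of the server, that expands the __MODERN, __INTERMEDIATE and __ALL macros using the tables above and reports every enabled algorithm that sits outside __MODERN, so a reviewer can see exactly what a compatibility setting such as ['__MODERN', '3des-ctr', '3des-cbc'] turns on. The suite lists are transcribed from this page; the server's actual negotiation order is not modelled, and an algorithm the page does not list is reported with tier None.

```python
# Suites transcribed from the tables above; each macro includes every tier listed before it.
TIERS = ("__MODERN", "__INTERMEDIATE", "__ALL")
SUITES = {
    "encryptionAlgorithms": {
        "__MODERN": ["aes256-gcm@openssh.com", "aes128-gcm@openssh.com", "aes256-ctr", "aes256-cbc",
                     "aes192-ctr", "aes192-cbc", "aes128-ctr", "aes128-cbc", "chacha20-poly1305@openssh.com",
                     "twofish256-ctr", "twofish192-ctr", "twofish128-ctr"],
        "__INTERMEDIATE": ["twofish256-cbc", "twofish192-cbc", "twofish128-cbc", "twofish-cbc", "3des-ctr", "3des-cbc"],
        "__ALL": ["arcfour256", "arcfour128", "arcfour", "blowfish-ctr", "blowfish-cbc"],
    },
    "hostKeyAlgorithms": {
        "__MODERN": ["ssh-ed25519", "ecdsa-sha2-nistp521", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp256",
                     "rsa-sha2-512", "ssh-rsa-sha256@ssh.com", "rsa-sha2-256"],
        "__INTERMEDIATE": ["ssh-dss", "ssh-rsa", "x509v3-sign-rsa", "x509v3-sign-dss"],
        "__ALL": [],
    },
    "kexAlgorithms": {
        "__MODERN": ["curve25519-sha256", "curve25519-sha256@libssh.org", "ecdh-sha2-nistp521",
                     "ecdh-sha2-nistp384", "ecdh-sha2-nistp256", "diffie-hellman-group16-sha512",
                     "diffie-hellman-group15-sha512", "diffie-hellman-group-exchange-sha256"],
        "__INTERMEDIATE": ["diffie-hellman-group14-sha256", "diffie-hellman-group14-sha1",
                           "diffie-hellman-group-exchange-sha1"],
        "__ALL": ["diffie-hellman-group1-sha1"],
    },
    "macAlgorithms": {
        "__MODERN": ["hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512", "hmac-sha2-256"],
        "__INTERMEDIATE": ["hmac-sha1", "hmac-sha1-96"],
        "__ALL": ["hmac-md5", "hmac-md5-96"],
    },
}


def expand(setting, values):
    """Replace each macro with its suites (plus all lower tiers); keep order and drop duplicates."""
    out = []
    for v in values:
        names = [a for t in TIERS[:TIERS.index(v) + 1] for a in SUITES[setting][t]] if v in TIERS else [v]
        out.extend(n for n in names if n not in out)
    return out


def audit(ssh_config):
    """Map each setting to {algorithm: tier} for every enabled algorithm outside __MODERN (None = unlisted)."""
    findings = {}
    for setting in SUITES:
        for name in expand(setting, ssh_config.get(setting, ["__MODERN"])):  # documented default
            tier = next((t for t in TIERS if name in SUITES[setting][t]), None)
            if tier != "__MODERN":
                findings.setdefault(setting, {})[name] = tier
    return findings
```

Run against the ssh example above, audit() reports the two 3DES ciphers, diffie-hellman-group14-sha1 and the two HMAC-SHA1 variants as __INTERMEDIATE additions and nothing for hostKeyAlgorithms; a list containing __ALL additionally surfaces arcfour, blowfish, group1-sha1 and hmac-md5 as __ALL.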
SSH shell - EXPERIMENTAL.
Disabled by default. Aliases are defined in the aliases file. See also ssh-shell-aliases.
enabled - turns the SSH shell on or off. Default: false
sshShell:
  enabled: true
SSH tunnelling - EXPERIMENTAL.
Disabled by default, without any implicit bindings.
sshTunnelling:
  enabled: true
  bindings:
    - { port: 22, ipAddress: 0.0.0.0 }