Server configuration

Configuring Rebex Buru SFTP Server: IP address and port bindings, authentication and authorization, SSH shell, and SSH tunneling.

Server configuration is done in the config.yaml file, which uses the YAML format.


bindings

Port and IP address bindings. By default the server binds to all IP addresses, listens on port 22 and serves both the SFTP and SCP protocols. You can specify multiple bindings. You can also use a hostname instead of an IP address; the address(es) will be resolved for you.

bindings:
  - { port: 22, ipAddress: 0.0.0.0, sftp: true, scp: true }
  - { port: 22, ipAddress: test.rebex.net, sftp: true, scp: true }

ipFilter

IP filtering rules. The allow list has priority over the deny list, so an address that matches both is allowed. By default all IP addresses are allowed. To block all incoming connections except those in the allow list, add 0.0.0.0/0 (all IPv4) and ::/0 (all IPv6) to the deny section. Note that IPv6 addresses must be enclosed in double quotes, as required by the YAML format.

ipFilter:
  deny:
    # single IP address
    - 192.168.66.12 
    # CIDR notation
    - 192.168.66.12/24
  allow:
    # Address range
    - 192.168.66.0-192.168.66.10
    # IPv6
    - "2001:db8::/48"  # quotes required

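As an added example (this is not code from Buru SFTP Server), the following Python implements the evaluation rules described above: allow beats deny, everything else is allowed, and an entry may be a single address, a CIDR block or a first-last range. The filter it runs against is constructed for the example (deny everything, allow-list a few ranges); the function name is_allowed and the dict layout are this example's own, the entry syntax and decision order come from the text.

```python
import ipaddress
from typing import Tuple, Union

# Constructed ipFilter section in the shape of config.yaml: deny everything,
# then punch holes with the allow list (allow has priority over deny).
IP_FILTER = {
    "deny": ["0.0.0.0/0", "::/0"],
    "allow": ["192.168.66.0-192.168.66.10", "10.0.0.5", "2001:db8::/48"],
}

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Rule = Union[Network, Tuple[Address, Address]]


def parse_rule(text: str) -> Rule:
    """Parse one entry: a single address, a CIDR block, or a 'first-last' range."""
    text = text.strip()
    if "-" in text:
        first, last = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
        if first.version != last.version or first > last:
            raise ValueError(f"invalid address range: {text!r}")
        return (first, last)
    # ip_network() handles both a bare address (a /32 or /128) and CIDR notation;
    # strict=False accepts host bits being set, e.g. 192.168.66.12/24 -> 192.168.66.0/24.
    return ipaddress.ip_network(text, strict=False)


def matches(rule: Rule, addr: Address) -> bool:
    """True if the address falls inside the rule; IPv4 and IPv6 never match each other."""
    if isinstance(rule, tuple):
        first, last = rule
        return addr.version == first.version and first <= addr <= last
    return addr.version == rule.version and addr in rule


def is_allowed(ip: str, ip_filter=IP_FILTER) -> bool:
    """Decide a client address as the text describes: allow beats deny, default allow."""
    addr = ipaddress.ip_address(ip)
    allow = [parse_rule(r) for r in ip_filter.get("allow", [])]
    deny = [parse_rule(r) for r in ip_filter.get("deny", [])]
    if any(matches(r, addr) for r in allow):
        return True
    if any(matches(r, addr) for r in deny):
        return False
    return True


if __name__ == "__main__":
    for ip in ["192.168.66.5", "192.168.66.12", "10.0.0.5", "2001:db8::1", "2001:db9::1"]:
        print(f"{ip:>16}  {'allow' if is_allowed(ip) else 'deny'}")
```

Because allow wins, one over-broad allow entry silently defeats the whole deny list; checking the addresses you expect to be blocked against a model like this before rolling out a new ipFilter is cheaper than finding out from the access log.
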
keys

Path(s) to the private keys (host keys) used by the server. If no keys are specified, keys are searched for in the following locations:

Relative file paths are resolved against the application installation directory. Password-protected keys are not supported.

keys: 
  # Directory where keys are stored
  - keys/ 
  # Private key file
  - /home/my_private_key

logging

No logs are saved unless you specify a log location. Log files are created per day and kept forever unless you limit their number (maxFileCount). Make sure the account the server service runs under has write access to the specified locations.

logging: 
  # Access log (user activity over SSH)
  access:
    # Directory where logs will be kept
    location: D:\buru\logs\access
    
    # keep files forever
    maxFileCount: 0
    
  # Server log (for debugging purposes)
  server:
    location: D:\buru\logs\server
    # Minimum log level to write. Default: warning.
    # Supported values are: verbose, debug, information, warning, error and fatal. 
    minLevel: warning
    
    # keep at most 31 files (~1 month)
    maxFileCount: 31

Experienced users can enable custom logging with the useCustomConfig option; details are on the dedicated documentation page. When custom configuration is enabled, the access and server settings described above are ignored.

logging:
  useCustomConfig: true

security.accountLockoutPolicy

Specifies the conditions for account lockout.

  • threshold - number of unsuccessful login attempts after which the account is locked out. Set to 0 to disable. Default: 10
  • lockoutDurationSeconds - time in seconds a locked-out account remains locked before it is automatically unlocked. Default: 900 (15 minutes)
  • resetCounterPeriodSeconds - time in seconds after the last unsuccessful login after which the failed-login counter is set back to zero. Must be equal to or greater than lockoutDurationSeconds. If no value is specified, the lockoutDurationSeconds value is used.

security:
  accountLockoutPolicy:
    # Lockout account after 10 failed logins for 15 minutes, reset counter after 30 minutes
    threshold: 10
    lockoutDurationSeconds: 900
    resetCounterPeriodSeconds: 1800
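The interplay of the three parameters is easier to see on a timeline. The Python below is an added example, not Buru SFTP Server code: it models the policy as the text states it and replays a constructed sequence of login attempts. Two points the page does not spell out are assumptions of this model: a successful login clears the failure counter, and the counter survives the end of a lockout until resetCounterPeriodSeconds has passed since the last failure (the reading under which the "equal to or greater than lockoutDurationSeconds" rule matters). The threshold is lowered to 3 only to keep the trace short.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class LockoutPolicy:
    """Mirrors security.accountLockoutPolicy with the defaults documented on this page."""
    threshold: int = 10
    lockoutDurationSeconds: int = 900
    resetCounterPeriodSeconds: Optional[int] = None

    def __post_init__(self):
        if self.resetCounterPeriodSeconds is None:
            self.resetCounterPeriodSeconds = self.lockoutDurationSeconds
        if self.resetCounterPeriodSeconds < self.lockoutDurationSeconds:
            raise ValueError("resetCounterPeriodSeconds must be >= lockoutDurationSeconds")


@dataclass
class AccountState:
    failures: int = 0
    last_failure: Optional[float] = None
    locked_until: Optional[float] = None


class LockoutTracker:
    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}

    def attempt(self, user: str, now: float, password_ok: bool) -> str:
        """Process one login attempt at time `now` (seconds); returns 'ok', 'denied' or 'locked'."""
        p, st = self.policy, self.accounts.setdefault(user, AccountState())
        # A locked account rejects every attempt, even one with the right password.
        if st.locked_until is not None:
            if now < st.locked_until:
                return "locked"
            st.locked_until = None  # lockout expired; counter is kept (assumption)
        # The counter resets only resetCounterPeriodSeconds after the last failure.
        if st.last_failure is not None and now - st.last_failure >= p.resetCounterPeriodSeconds:
            st.failures = 0
        if password_ok:
            st.failures = 0  # assumption: a successful login clears the counter
            st.last_failure = None
            return "ok"
        st.failures += 1
        st.last_failure = now
        if p.threshold and st.failures >= p.threshold:  # threshold 0 disables lockout
            st.locked_until = now + p.lockoutDurationSeconds
            return "locked"
        return "denied"


def simulate(policy: LockoutPolicy, events: List[Tuple[float, str, bool]]) -> List[str]:
    """Replay (time, user, password_ok) events through one tracker and collect the outcomes."""
    tracker = LockoutTracker(policy)
    return [tracker.attempt(user, t, ok) for t, user, ok in events]


# Constructed scenario: lock after 3 failures for 900 s, reset the counter after 1800 s.
POLICY = LockoutPolicy(threshold=3, lockoutDurationSeconds=900, resetCounterPeriodSeconds=1800)
SCENARIO = [
    (0, "alice", False), (1, "alice", False), (2, "alice", False),  # third failure locks until t=902
    (100, "alice", True),    # correct password during the lockout is still rejected
    (905, "alice", False),   # unlocked, but the counter (3) has not reset: one failure relocks
    (3000, "alice", False),  # 2095 s since the last failure >= 1800: counter reset, just 'denied'
    (3001, "alice", True),   # and a correct password now succeeds
]

if __name__ == "__main__":
    for (t, user, ok), result in zip(SCENARIO, simulate(POLICY, SCENARIO)):
        print(f"t={t:>5}s {user} password_ok={ok!s:5} -> {result}")
```

Under this model an attacker who triggers a lockout gets one guess per lockoutDurationSeconds until the reset period has elapsed since their last failure; a reset period shorter than the lockout would instead clear the counter while the account is still locked, handing back a full set of threshold guesses the moment it unlocks, which is why the page requires the reset period to be at least as long.
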

ssh

SSH configuration. We recommend using only the __MODERN suites if possible; for maximum compatibility without compromising too much on security, use __INTERMEDIATE. Listing individual algorithms next to a macro adds them to the macro's set, so ['__MODERN', '3des-cbc'] enables 3des-cbc even though it is not part of __MODERN. See SSH algorithms for more details.

  • encryptionAlgorithms - encryption algorithms. Default value: ['__MODERN']. Currently supported algorithms are, along with their macros:

    • __MODERN (secure suites): aes256-gcm@openssh.com, aes128-gcm@openssh.com, aes256-ctr, aes192-ctr, aes128-ctr, chacha20-poly1305@openssh.com, twofish256-ctr, twofish192-ctr, twofish128-ctr
    • __INTERMEDIATE (best compatibility): all of the above, plus: aes256-cbc, aes192-cbc, aes128-cbc, twofish256-cbc, twofish192-cbc, twofish128-cbc, twofish-cbc, 3des-ctr, 3des-cbc
    • __ALL (all suites, including insecure - NOT RECOMMENDED): all of the above, plus: arcfour256, arcfour128, arcfour, blowfish-ctr, blowfish-cbc
  • hostKeyAlgorithms - host key algorithms. Default value: ['__MODERN']. Currently supported algorithms are, along with their macros:

    • __MODERN (secure suites): ssh-ed25519, ecdsa-sha2-nistp521, ecdsa-sha2-nistp384, ecdsa-sha2-nistp256, rsa-sha2-512, ssh-rsa-sha256@ssh.com, rsa-sha2-256
    • __INTERMEDIATE (best compatibility): all of the above, plus: ssh-dss, ssh-rsa, x509v3-sign-rsa, x509v3-sign-dss
    • __ALL (all suites, including insecure - NOT RECOMMENDED): all of the above (currently adds nothing extra)
  • kexAlgorithms - key exchange algorithms. Default value: ['__MODERN']. Currently supported algorithms are, along with their macros:

    • __MODERN (secure suites): curve25519-sha256, curve25519-sha256@libssh.org, ecdh-sha2-nistp521, ecdh-sha2-nistp384, ecdh-sha2-nistp256, diffie-hellman-group16-sha512, diffie-hellman-group15-sha512, diffie-hellman-group-exchange-sha256
    • __INTERMEDIATE (best compatibility): all of the above, plus: diffie-hellman-group14-sha256, diffie-hellman-group14-sha1, diffie-hellman-group-exchange-sha1
    • __ALL (all suites, including insecure - NOT RECOMMENDED): all of the above, plus: diffie-hellman-group1-sha1
  • macAlgorithms - MAC algorithms. Default value: ['__MODERN']. Currently supported algorithms are, along with their macros:

    • __MODERN (secure suites): hmac-sha2-512-etm@openssh.com, hmac-sha2-256-etm@openssh.com, hmac-sha2-512, hmac-sha2-256
    • __INTERMEDIATE (best compatibility): all of the above, plus: hmac-sha1, hmac-sha1-96
    • __ALL (all suites, including insecure - NOT RECOMMENDED): all of the above, plus: hmac-md5, hmac-md5-96
  • maxIdleDurationSeconds - maximum session idle time in seconds. When it expires, the session is disconnected. Set to 0 to disable. Default: 86400 (1 day)

  • maxSessionDurationSeconds - maximum session duration in seconds. When it expires, a session renegotiation (SSH key re-exchange) occurs. Set to 0 to disable. Default: 86400 (1 day)

  • maxSessionTransferredBytes - maximum number of bytes transferred during a session. When this value is reached, a session renegotiation (SSH key re-exchange) occurs. Set to 0 to disable. Default: 1073741824 (1 GB)

  • shellHostName - server name visible to the clients

  • softwareVersion - custom software version string sent in the SSH protocol version exchange (clients and scanners see it in the banner)

ssh:
  softwareVersion: MyServer_1.0.0
  
  encryptionAlgorithms: ['__MODERN', '3des-ctr', '3des-cbc']
  hostKeyAlgorithms: ['__MODERN']
  kexAlgorithms: ['__MODERN', 'diffie-hellman-group14-sha1']
  macAlgorithms: ['__INTERMEDIATE']
  
  maxIdleDurationSeconds: 86400
  maxSessionDurationSeconds: 86400
  maxSessionTransferredBytes: 1073741824

  shellHostName: myserver
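To see exactly which algorithms a macro-plus-extras list such as the one above turns on, here is an added example (not a Rebex tool) in Python: it encodes the tier lists from this page, expands the four ssh.* algorithm settings, rejects unknown names so a typo cannot silently drop an algorithm, and reports everything an expanded list enables beyond __MODERN. The keep-order, drop-duplicates expansion and the lint function name are this example's own; the server's real negotiation preference order is not documented on this page.

```python
# Algorithm tiers as listed on this page. Tiers are cumulative: __INTERMEDIATE is
# __MODERN plus its extras, __ALL is __INTERMEDIATE plus its extras.
TIERS = ("__MODERN", "__INTERMEDIATE", "__ALL")

SUITES = {
    "encryptionAlgorithms": (
        ["aes256-gcm@openssh.com", "aes128-gcm@openssh.com", "aes256-ctr", "aes192-ctr",
         "aes128-ctr", "chacha20-poly1305@openssh.com", "twofish256-ctr", "twofish192-ctr",
         "twofish128-ctr"],
        ["aes256-cbc", "aes192-cbc", "aes128-cbc", "twofish256-cbc", "twofish192-cbc",
         "twofish128-cbc", "twofish-cbc", "3des-ctr", "3des-cbc"],
        ["arcfour256", "arcfour128", "arcfour", "blowfish-ctr", "blowfish-cbc"],
    ),
    "hostKeyAlgorithms": (
        ["ssh-ed25519", "ecdsa-sha2-nistp521", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp256",
         "rsa-sha2-512", "ssh-rsa-sha256@ssh.com", "rsa-sha2-256"],
        ["ssh-dss", "ssh-rsa", "x509v3-sign-rsa", "x509v3-sign-dss"],
        [],  # __ALL currently adds nothing for host keys
    ),
    "kexAlgorithms": (
        ["curve25519-sha256", "curve25519-sha256@libssh.org", "ecdh-sha2-nistp521",
         "ecdh-sha2-nistp384", "ecdh-sha2-nistp256", "diffie-hellman-group16-sha512",
         "diffie-hellman-group15-sha512", "diffie-hellman-group-exchange-sha256"],
        ["diffie-hellman-group14-sha256", "diffie-hellman-group14-sha1",
         "diffie-hellman-group-exchange-sha1"],
        ["diffie-hellman-group1-sha1"],
    ),
    "macAlgorithms": (
        ["hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com",
         "hmac-sha2-512", "hmac-sha2-256"],
        ["hmac-sha1", "hmac-sha1-96"],
        ["hmac-md5", "hmac-md5-96"],
    ),
}


def tier_members(setting, tier):
    """All algorithms a macro stands for: its own tier plus every tier below it."""
    levels = SUITES[setting]
    return [a for level in levels[: TIERS.index(tier) + 1] for a in level]


def expand(setting, entries):
    """Expand a config list such as ['__MODERN', '3des-cbc'] into concrete names.
    Order is kept and duplicates dropped (this example's choice). Unknown names
    raise, which catches typos that would otherwise go unnoticed."""
    known = set(tier_members(setting, "__ALL"))
    out = []
    for entry in entries:
        for name in (tier_members(setting, entry) if entry in TIERS else [entry]):
            if name not in known:
                raise ValueError(f"{setting}: unknown algorithm {name!r}")
            if name not in out:
                out.append(name)
    return out


def weaker_than_modern(setting, entries):
    """Algorithms the list enables that fall outside the __MODERN tier."""
    modern = set(tier_members(setting, "__MODERN"))
    return [a for a in expand(setting, entries) if a not in modern]


def lint(ssh_section):
    """Map each ssh.* algorithm setting to the non-__MODERN algorithms it enables.
    A missing setting means the documented default, ['__MODERN']."""
    findings = {}
    for setting in SUITES:
        weak = weaker_than_modern(setting, ssh_section.get(setting, ["__MODERN"]))
        if weak:
            findings[setting] = weak
    return findings


# The ssh section from the example above, as a Python dict.
PAGE_SSH_EXAMPLE = {
    "encryptionAlgorithms": ["__MODERN", "3des-ctr", "3des-cbc"],
    "hostKeyAlgorithms": ["__MODERN"],
    "kexAlgorithms": ["__MODERN", "diffie-hellman-group14-sha1"],
    "macAlgorithms": ["__INTERMEDIATE"],
}

if __name__ == "__main__":
    for setting, weak in lint(PAGE_SSH_EXAMPLE).items():
        print(f"{setting}: enables non-__MODERN algorithms {weak}")
```

Run against the example configuration it reports 3des-ctr and 3des-cbc, diffie-hellman-group14-sha1, and hmac-sha1 with hmac-sha1-96; if you add such entries for one legacy client, record which client needs them and re-run the check when that client is retired.
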

sshShell

SSH shell behavior configuration. Most of these settings can be overridden per user.

  • allowSystemAccount - Allow the system account to spawn a terminal and other processes. Default: false
  • defaultShellType - (none|terminal|legacy) Type of shell. Default: none
    • none: No shell will be available (except for the minimal shell when SCP is enabled).
    • terminal: A virtual terminal will be presented. Only available on Windows 10 version 1809 and newer and Windows Server 2019 and newer.
    • legacy: A minimal shell with SSH alias support will be available.
  • defaultShellPath - Path to the default shell executable. Only applies to the terminal shell. Default: cmd.exe
  • defaultHomeDirectory - Path to the default home directory. Only applies to the terminal shell. Default: Buru SFTP Server home directory.

sshShell:
  allowSystemAccount: false
  defaultShellType: terminal
  defaultShellPath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  defaultHomeDirectory: C:\

sshTunneling

SSH tunneling (port forwarding) is disabled by default and has no implicit bindings; when you enable it, list the binding(s) it should listen on explicitly.

sshTunneling:
  enabled: true
  bindings:
    - { port: 22, ipAddress: 0.0.0.0 }

users

User and password policies.

  • passwordHashAlgorithm - supported values are SHA256, SHA384 and SHA512 (default).
  • passwordHashAutoUpdate - automatically re-hash the password on user login when the stored hash is outdated (its algorithm or salt size differs from the current settings). Enabled by default.
  • passwordSaltSize - size of the salt in bytes. Allowed range is 8-256 bytes. Default value is 20.
  • usernamePattern - regular expression that user names must match. Default: ^[a-zA-Z0-9_\@\-\.]{1,128}$ (alphanumeric characters and any of '_-@.', 1 to 128 characters long)

users:
  passwordHashAlgorithm: SHA512
  passwordHashAutoUpdate: true
  passwordSaltSize: 20
  usernamePattern: "^[a-zA-Z0-9_\\@\\-\\.]{1,128}$"