config.yaml
config.yaml is the primary configuration file. It is written in YAML, so leading whitespace is significant and some characters must be quoted (see the two rules below).
Enclose strings containing backslashes (\) or whitespace, such as Windows paths, in single quotes to avoid YAML parsing errors, for example: 'C:\Program Files\Rebex Buru SFTP Server'. Prefer single quotes over double quotes for such values: inside double quotes a backslash starts an escape sequence and every backslash would have to be doubled.
Enclose strings containing colons (:), such as IPv6 addresses, in single quotes to avoid YAML parsing errors, for example: '2001:db8::1' or '::'. Unquoted, a colon can be taken for a key/value separator.
# Rebex Buru SFTP Server configuration file - EXAMPLE
# This file is in YAML (https://en.wikipedia.org/wiki/YAML#Syntax) - note that leading whitespace IS SIGNIFICANT, unlike in XML
# Visit https://rebex.net/buru-sftp-server/doc/configuration for more details
# ************************************************************
# Local SSH/SFTP endpoint bindings.
# Each entry names an address and port the server listens on. IP addresses and
# host names are accepted; host names are resolved to IP addresses when the
# server starts.
# 0.0.0.0 and '::' bind every IPv4 or IPv6 address of the machine (quote '::'
# as the page recommends, because of the colons). Binding the wildcard exposes
# the service on all interfaces; on multi-homed hosts prefer a specific
# address, or pair the wildcard with the ipFilter rules below.
# Port 22 is the default port for SSH / SFTP. Omitted settings fall back to
# the defaults: any address, port 22, SFTP and SCP both served.
# ************************************************************
bindings:
  # IPv4 wildcard, SSH default port, SCP and SFTP both served.
  - port: 22
    ipAddress: 0.0.0.0
    scp: true
    sftp: true
  # IPv6 wildcard.
  - port: 22
    ipAddress: '::'
    scp: true
    sftp: true
  # Host-name binding; port and protocols come from the defaults (22, SCP + SFTP).
  - ipAddress: test.rebex.net
# ************************************************************
# SSH server private keys and certificates.
# When no paths are listed, the server looks for key files in
#   - <config root>/keys
#   - <application root>/keys
#
# Relative paths are resolved against the application installation directory.
# These files hold the host's private keys: keep the directory readable by
# the service account only (review note — the page does not set permissions
# for you).
# See https://www.rebex.net/doc/buru-sftp-server/configuration/config/keys/ for more details
# ************************************************************
keys:
  - config/keys/
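# ************************************************************
# Remote IP filtering rules.
# Lists remote addresses or ranges that may (allow) or may not (deny) connect.
# An entry can be:
#   - a single address, such as 192.168.1.1 or 2001:db8::1,
#   - an address range, such as 192.168.1.1-192.168.1.255,
#   - a CIDR prefix, such as 192.168.66.0/24.
# An address that matches the allow list is admitted even if it also matches
# the deny list. With no rules configured, every address is allowed.
# The usual hardening pattern is the one shown below: deny everything
# (0.0.0.0/0 and '::/0'), then allow only trusted ranges.
# IPv6 entries contain colons and must be quoted; single and double quotes
# produce the same string in YAML.
# ************************************************************
ipFilter:
  allow:
    # single IP address
    - 192.168.66.1
    # address range
    - 192.168.67.0-192.168.67.10
    # CIDR notation
    - 192.168.68.0/24
    # IPv6 (quotes required because of the colons)
    - "2001:db8::/48"
  deny:
    - 0.0.0.0/0
    - "::/0"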
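# ************************************************************
# Logging.
# Nothing is written unless a location is given. Files are rolled daily and
# maxFileCount limits how many daily files are kept (0 = keep all).
# The server log also accepts minLevel: verbose, debug, information, warning,
# error, fatal. Default is 'warning' for the server log.
# Windows paths contain backslashes, so keep them single-quoted as the page
# recommends. Treat the log directories as audit data: restrict write access
# to the service account.
# ************************************************************
logging:
  access:
    location: 'D:\burusftp\logs\access'
    # 0 = keep files forever
    maxFileCount: 0
  server:
    location: 'D:\burusftp\logs\server'
    minLevel: warning
    # keep 31 daily files (about one month)
    maxFileCount: 31
# Alternatively use a custom configuration 'config/logging.json'
# (see documentation for details):
# logging:
#   useCustomConfig: true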
# ************************************************************
# Security settings
# ************************************************************
security:
  # Account lockout: temporarily disables an account after repeated failed
  # logins. Because the counter is keyed on the account, anyone who knows a
  # user name can lock that user out on purpose - combine this with the
  # ipFilter rules rather than relying on it alone.
  accountLockoutPolicy:
    # Failed logins before the account is locked. 0 disables lockout. Default: 10.
    threshold: 10
    # Seconds the account stays locked before it unlocks by itself.
    # Default: 900 (15 minutes).
    lockoutDurationSeconds: 900
    # Seconds after the last failed login before the failure counter resets.
    # Must be >= lockoutDurationSeconds; when omitted, lockoutDurationSeconds
    # is used.
    resetCounterPeriodSeconds: 900
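# ************************************************************
# SSH configuration
#
# Each algorithm list accepts explicit names and/or one of the macros below.
# The example keeps every list at the documented default (__INTERMEDIATE);
# switch to __MODERN where your clients support it, and avoid __ALL, which
# re-enables algorithms this page itself marks as insecure.
#
# encryptionAlgorithms - encryption algorithms. Default value: ['__INTERMEDIATE']. Currently supported algorithms are, along with their macros:
# __MODERN (secure suites):
#   aes256-gcm@openssh.com, aes128-gcm@openssh.com, aes256-ctr, aes192-ctr, aes128-ctr,
#   chacha20-poly1305@openssh.com, twofish256-ctr, twofish192-ctr, twofish128-ctr
# __INTERMEDIATE (best compatibility): all of the above, plus:
#   aes256-cbc, aes192-cbc, aes128-cbc, twofish256-cbc, twofish192-cbc, twofish128-cbc, twofish-cbc,
#   3des-ctr, 3des-cbc
# __ALL (all suites, including insecure - NOT RECOMMENDED): all of the above, plus: arcfour256, arcfour128, arcfour, blowfish-ctr, blowfish-cbc
#
# hostKeyAlgorithms - host key algorithms. Default value: ['__INTERMEDIATE']. Currently supported algorithms are, along with their macros:
# __MODERN (secure suites):
#   ssh-ed25519, ecdsa-sha2-nistp521, ecdsa-sha2-nistp384, ecdsa-sha2-nistp256, ecdsa-sha2-1.3.132.0.10,
#   rsa-sha2-512, ssh-rsa-sha256@ssh.com, rsa-sha2-256,
#   x509v3-ecdsa-sha2-nistp521, x509v3-ecdsa-sha2-nistp384, x509v3-ecdsa-sha2-nistp256, x509v3-rsa2048-sha256, x509v3-sign-rsa-sha256@ssh.com
# __INTERMEDIATE (best compatibility): + ssh-dss, ssh-rsa, x509v3-sign-rsa, x509v3-sign-dss
# __ALL (all suites, including insecure - NOT RECOMMENDED): N/A
#
# kexAlgorithms - key exchange algorithms. Default value: ['__INTERMEDIATE']. Currently supported algorithms are, along with their macros:
# __MODERN (secure suites):
#   curve25519-sha256, curve25519-sha256@libssh.org,
#   ecdh-sha2-nistp521, ecdh-sha2-nistp384, ecdh-sha2-nistp256, ecdh-sha2-1.3.132.0.10,
#   diffie-hellman-group16-sha512, diffie-hellman-group15-sha512, diffie-hellman-group-exchange-sha256
# __INTERMEDIATE (best compatibility): + diffie-hellman-group14-sha256, diffie-hellman-group14-sha1, diffie-hellman-group-exchange-sha1
# __ALL (all suites, including insecure - NOT RECOMMENDED): + diffie-hellman-group1-sha1
#
# macAlgorithms - MAC algorithms. Default value: ['__INTERMEDIATE']. Currently supported algorithms are, along with their macros:
# __MODERN (secure suites): hmac-sha2-512-etm@openssh.com, hmac-sha2-256-etm@openssh.com, hmac-sha2-512, hmac-sha2-256
# __INTERMEDIATE (best compatibility): + hmac-sha1, hmac-sha1-96
# __ALL (all suites, including insecure - NOT RECOMMENDED): + hmac-md5, hmac-md5-96
#
# banner - banner message displayed to clients before authentication
# softwareVersion - use custom software version sent during SSH protocol version exchange
# shellHostName - server name visible to clients
# maxIdleDurationSeconds - maximum session idle duration in seconds. When this duration expires, session is disconnected.
#   Set the value to 0 to disable. Default: 86400 (1 day)
# maxSessionDurationSeconds - maximum session duration in seconds. When this duration expires, a session renegotiation occurs.
#   Set the value to 0 to disable. Default: 86400 (1 day)
# maxSessionTransferredBytes - maximum number of bytes transferred during a session. When this value is reached, a session renegotiation occurs.
#   Set the value to 0 to disable. Default: 1073741824 (1 GB)
# ************************************************************
ssh:
  # '__ALL' would add arcfour and blowfish (listed above as insecure);
  # stay at the default tier or tighten to '__MODERN'.
  encryptionAlgorithms: ['__INTERMEDIATE']
  hostKeyAlgorithms: ['__INTERMEDIATE']
  # diffie-hellman-group1-sha1 belongs to the NOT RECOMMENDED tier above;
  # do not append it to the list.
  kexAlgorithms: ['__INTERMEDIATE']
  macAlgorithms: ['__INTERMEDIATE']
  # Shown to every client before authentication - do not put anything here
  # you would not publish (internal host names, versions, contact details).
  banner: "Welcome!"
  shellHostName: myServer
  # Sent during the protocol version exchange, i.e. before encryption starts;
  # a custom value limits what a banner grab reveals about the product.
  softwareVersion: MyServer_1.0.0
  maxIdleDurationSeconds: 86400 # 1 day
  maxSessionDurationSeconds: 86400 # 1 day
  maxSessionTransferredBytes: 1073741824 # 1 GB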
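# ************************************************************
# SSH shell
#
# allowSystemAccount - allow the system account to spawn a terminal and other processes. Disabled by default.
# defaultShellType - (none|terminal|legacy) Type of shell. Default is 'none'.
#   none: No shell (except for the minimal shell when SCP is enabled) will be available.
#   terminal: A virtual terminal is presented. Only available on Windows 10 version 1809 and newer, Windows Server 2019 and newer.
#   legacy: A minimal shell with [SSH aliases](/docs/ssh-shell-aliases) support.
# defaultShellPath - Path to the default shell executable. Only applicable for the 'terminal' shell. Default: 'cmd.exe'
# defaultHomeDirectory - Path to the default home directory. Only applicable for the 'terminal' shell. Default: Buru SFTP Server home directory.
#
# 'terminal' turns a file-transfer service into a remote-shell service: by
# default every account that can authenticate gets an interactive session in
# the executable named below. Keep the default 'none' unless interactive
# access is intended. Windows paths are single-quoted as the page recommends.
# ************************************************************
sshShell:
  # Leave the system account unable to spawn processes (the default).
  allowSystemAccount: false
  defaultShellType: terminal
  defaultShellPath: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
  # A drive root as home directory is very permissive - point 'terminal'
  # sessions at a dedicated directory in production.
  defaultHomeDirectory: 'C:\'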
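# ************************************************************
# SSH tunneling - experimental. Disabled by default and has no implicit
# bindings: the endpoints that offer tunneling must be listed explicitly.
# Tunneling lets an authenticated client relay TCP connections through this
# host, which makes the server a pivot into whatever network it sits on.
# Leave it disabled unless that is intended; the binding below is kept so the
# feature can be switched on deliberately by setting enabled: true.
# ************************************************************
sshTunneling:
  enabled: false
  bindings:
    - { port: 22, ipAddress: 0.0.0.0 }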
# ************************************************************
# User database settings
#
# passwordHashAlgorithm  - hash used for stored passwords: SHA256, SHA384 or SHA512 (default).
# passwordHashAutoUpdate - re-hash a password at login when the stored hash was made with a
#                          different algorithm or salt size than configured here. Enabled by default.
# passwordSaltSize       - salt length in bytes, allowed range 8-256. Default: 20.
# usernamePattern        - regular expression a user name must match. Default: ^[a-zA-Z0-9_\@\-\.]{1,128}$
#
# NOTE(review): this page does not say whether the password hash is iterated
# (a KDF) or a single salted digest - confirm before relying on it against
# offline cracking of a leaked user database.
# ************************************************************
users:
  passwordHashAlgorithm: SHA512
  passwordHashAutoUpdate: true
  passwordSaltSize: 20
  # Single quotes keep the regex backslashes literal; this is the same value
  # as the double-quoted form "^[a-zA-Z0-9_\\@\\-\\.]{1,128}$".
  usernamePattern: '^[a-zA-Z0-9_\@\-\.]{1,128}$'
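# ************************************************************
# FTP server settings.
# ************************************************************
ftp:
  # ************************************************************
  # FTP endpoint bindings.
  # Port 21 is the default port for FTP (explicit mode).
  # Port 990 is the default port for FTP over TLS (implicit mode).
  # Supported modes: explicit (FTP or FTPS), explicitPlain (FTP only),
  # explicitTls (FTPS only), implicit (FTPS).
  # 'explicit' also accepts sessions that never negotiate TLS, so credentials
  # and data can cross the network in clear text. The port-21 bindings below
  # therefore use explicitTls; change a binding back to explicit only for
  # clients that cannot do TLS at all.
  # ************************************************************
  bindings:
    - { port: 21, ipAddress: 0.0.0.0, mode: explicitTls }
    - { port: 21, ipAddress: '::', mode: explicitTls }
    - { port: 990, ipAddress: 0.0.0.0, mode: implicit }
    - { port: 990, ipAddress: '::', mode: implicit }
    # A binding may select a certificate group by name ('rebexnet' is defined below).
    - { port: 9901, ipAddress: test.rebex.net, mode: implicit, certificateGroup: rebexnet }
  # TLS certificates. The unnamed group presumably serves bindings that do not
  # specify certificateGroup - confirm against the documentation. PFX files
  # bundle the private key: keep them readable by the service account only.
  # The paths stay single-quoted because of the backslashes and the leading '%'.
  certificateGroups:
    - certificates:
        - '%ProgramData%\Rebex\BuruSftp\ftp\certificates\cert.pfx'
    - name: rebexnet
      certificates:
        - '%ProgramData%\Rebex\BuruSftp\ftp\certificates\rebexnet.pfx'
  # FTP is disabled for all users by default (can be enabled per user)
  enabledForUsersByDefault: false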