config.yaml
The config.yaml file is the primary configuration file for the Buru SFTP Server engine. It uses YAML format, where leading whitespace is significant.
The server resolves the configuration directory at startup by checking, in order:
- the `config` subfolder in the installation directory (e.g. `D:\burusftp\config`); the default for portable installations
- `C:\ProgramData\Rebex\BuruSftp`; the default for installer-based installations
Enclose strings containing colons (:) or spaces in single quotes to avoid YAML parsing errors, for example: 'C:\Program Files\Rebex Buru SFTP Server'.
Sections
| Section | Description |
|---|---|
| bindings | SSH endpoints (SFTP, SCP, SSH tunnelling) |
| ftp | Global FTP/FTPS settings (2.15.0+) |
| ftp.bindings | FTP/FTPS endpoints (2.15.0+) |
| ftp.certificateGroups | X.509 certificate groups for FTPS (2.15.0+) |
| ipFilter | IP address allow/deny filtering |
| keys | SSH server host keys and certificates |
| logging | Access and server event log configuration |
| security | Account lockout policy |
| ssh | SSH protocol settings (algorithms, session limits, banner) |
| sshShell | Shell/SCP subsystem behavior |
| sshTunneling | Legacy SSH tunnel configuration (deprecated since 2.17.0) |
| users | Password hashing and username policies |
Example
```yaml
# Rebex Buru SFTP Server configuration file - EXAMPLE
# This file is in YAML (https://en.wikipedia.org/wiki/YAML#Syntax) - note that leading whitespace IS SIGNIFICANT, unlike in XML
# Visit https://rebex.net/buru-sftp-server/doc/configuration for more details

# ************************************************************
# Local SSH/SFTP endpoint bindings.
# Specify the addresses and ports that the server should listen on.
# IP addresses and host names are supported; host names will be resolved to IP addresses when the server starts.
# Use 0.0.0.0 and '::' if you wish the server to bind to any IPv4 or IPv6 address, respectively.
# Port 22 is the default port for SSH / SFTP.
# By default, the server will bind to any IP address, listen on port 22, and will have both SFTP and Shell/SCP subsystems enabled.
# IPv6 addresses must be enclosed in quotes (required by YAML format).
# ************************************************************
bindings:
  - { port: 22, ipAddress: 0.0.0.0, scp: true, sftp: true }
  - { port: 22, ipAddress: '::', scp: true, sftp: true }
  - { port: 2202, ipAddress: 'tunnel.rebex', scp: false, sftp: false, sshTunnel: true }

# ************************************************************
# Paths to SSH server private keys and certificates.
# If no keys are specified, keys will be searched for in the following locations:
#   - <config root>/keys
#   - <application root>/keys
#
# Relative file paths use the application installation directory as root.
# See https://www.rebex.net/doc/buru-sftp-server/configuration/config/keys/ for more details
# ************************************************************
keys:
  - config/keys/

# ************************************************************
# Remote IP filtering rules.
# Specify remote IP addresses or network ranges that are allowed or denied to connect to the server.
# You can specify the addresses as:
#   - single address, such as 192.168.1.1 or 2001:db8::1,
#   - address range, such as 192.168.1.1-192.168.1.255,
#   - or CIDR notation, such as 192.168.66.12/24.
# The allow list has priority over the deny list.
# Usually you want to put all addresses (0.0.0.0/0 and "::/0") in the deny list and add trusted address ranges to the allow list.
# By default, all IP addresses are allowed.
# IPv6 addresses must be enclosed in double quotes.
# ************************************************************
ipFilter:
  allow:
    # single IP address
    - 192.168.66.1
    # address range
    - 192.168.67.0-192.168.67.10
    # CIDR notation
    - 192.168.68.0/24
    # IPv6 (quotes required)
    - "2001:db8::/48"
  deny:
    - 0.0.0.0/0
    - "::/0"

# ************************************************************
# Logging.
# No logs will be saved unless you specify log location. Logs are aggregated daily.
# For the server log you can also specify minimum log level - supported values are: verbose, debug, information, warning, error, fatal.
# Default is 'warning' for server log.
# ************************************************************
logging:
  access:
    location: D:\burusftp\logs\access
    # keep files forever
    maxFileCount: 0
  server:
    location: D:\burusftp\logs\server
    minLevel: warning
    # keep 31 days (1 month)
    maxFileCount: 31
# Or use custom configuration 'config/logging.json' (see documentation for details):
# logging:
#   useCustomConfig: true

# ************************************************************
# Security settings
# ************************************************************
security:
  # Specifies conditions for account lockout
  accountLockoutPolicy:
    # Lock out the account after 10 failed logins. Set to 0 to disable. Default: 10.
    threshold: 10
    # Time in seconds a locked-out account remains locked out before automatically becoming unlocked. Default: 900 (15 minutes)
    lockoutDurationSeconds: 900
    # Time period in seconds following the last unsuccessful login after which the lockout counter will be set back to zero. Must be the same or greater than lockoutDurationSeconds.
    # If no value is specified, the lockoutDurationSeconds value is used.
    resetCounterPeriodSeconds: 900

# ************************************************************
# SSH configuration
#
# encryptionAlgorithms - encryption algorithms. Default value: ['__INTERMEDIATE']. Currently supported algorithms are, along with their macros:
#   __MODERN (secure suites):
#     aes256-gcm@openssh.com, aes128-gcm@openssh.com, aes256-ctr, aes192-ctr, aes128-ctr,
#     chacha20-poly1305@openssh.com, twofish256-ctr, twofish192-ctr, twofish128-ctr
#   __INTERMEDIATE (best compatibility): all of the above, plus:
#     aes256-cbc, aes192-cbc, aes128-cbc, twofish256-cbc, twofish192-cbc, twofish128-cbc, twofish-cbc,
#     3des-ctr, 3des-cbc
#   __ALL (all suites, including insecure - NOT RECOMMENDED): all of the above, plus: arcfour256, arcfour128, arcfour, blowfish-ctr, blowfish-cbc
#
# hostKeyAlgorithms - host key algorithms. Default value: ['__INTERMEDIATE']. Currently supported algorithms are, along with their macros:
#   __MODERN (secure suites):
#     ssh-ed25519, ecdsa-sha2-nistp521, ecdsa-sha2-nistp384, ecdsa-sha2-nistp256, ecdsa-sha2-1.3.132.0.10,
#     rsa-sha2-512, ssh-rsa-sha256@ssh.com, rsa-sha2-256,
#     x509v3-ecdsa-sha2-nistp521, x509v3-ecdsa-sha2-nistp384, x509v3-ecdsa-sha2-nistp256, x509v3-rsa2048-sha256, x509v3-sign-rsa-sha256@ssh.com
#   __INTERMEDIATE (best compatibility): + ssh-dss, ssh-rsa, x509v3-sign-rsa, x509v3-sign-dss
#   __ALL (all suites, including insecure - NOT RECOMMENDED): N/A
#
# kexAlgorithms - key exchange algorithms. Default value: ['__INTERMEDIATE']. Currently supported algorithms are, along with their macros:
#   __MODERN (secure suites):
#     mlkem768x25519-sha256, mlkem768nistp256-sha256, mlkem1024nistp384-sha384,
#     curve25519-sha256, curve25519-sha256@libssh.org,
#     ecdh-sha2-nistp521, ecdh-sha2-nistp384, ecdh-sha2-nistp256, ecdh-sha2-1.3.132.0.10,
#     diffie-hellman-group18-sha512, diffie-hellman-group17-sha512,
#     diffie-hellman-group16-sha512, diffie-hellman-group15-sha512,
#     diffie-hellman-group-exchange-sha256
#   __INTERMEDIATE (best compatibility): + diffie-hellman-group14-sha256, diffie-hellman-group14-sha1, diffie-hellman-group-exchange-sha1
#   __ALL (all suites, including insecure - NOT RECOMMENDED): + diffie-hellman-group1-sha1
#
# macAlgorithms - MAC algorithms. Default value: ['__INTERMEDIATE']. Currently supported algorithms are, along with their macros:
#   __MODERN (secure suites): hmac-sha2-512-etm@openssh.com, hmac-sha2-256-etm@openssh.com, hmac-sha2-512, hmac-sha2-256
#   __INTERMEDIATE (best compatibility): + hmac-sha1, hmac-sha1-96
#   __ALL (all suites, including insecure - NOT RECOMMENDED): + hmac-md5, hmac-md5-96
#
# banner - banner message displayed to clients before authentication
# softwareVersion - use a custom software version sent during SSH protocol version exchange
# shellHostName - server name visible to clients
# maxIdleDurationSeconds - maximum session idle duration in seconds. When this duration expires, the session is disconnected.
#   Set the value to 0 to disable. Default: 86400 (1 day)
# maxSessionDurationSeconds - maximum session duration in seconds. When this duration expires, a session renegotiation occurs.
#   Set the value to 0 to disable. Default: 86400 (1 day)
# maxSessionTransferredBytes - maximum number of bytes transferred during a session. When this value is reached, a session renegotiation occurs.
#   Set the value to 0 to disable. Default: 1073741824 (1 GB)
# ************************************************************
ssh:
  encryptionAlgorithms: ['__ALL']
  hostKeyAlgorithms: ['__INTERMEDIATE']
  kexAlgorithms: ['__INTERMEDIATE', 'diffie-hellman-group1-sha1']
  macAlgorithms: ['__INTERMEDIATE']
  banner: "Welcome!"
  shellHostName: myServer
  softwareVersion: MyServer_1.0.0
  maxIdleDurationSeconds: 86400 # 1 day
  maxSessionDurationSeconds: 86400 # 1 day
  maxSessionTransferredBytes: 1073741824 # 1 GB

# ************************************************************
# SSH shell
#
# Only applies to SSH bindings with Shell/SCP subsystem enabled.
#
# allowSystemAccount - allow the system account to spawn terminal and other processes. Disabled by default.
# defaultShellType - (none|terminal|legacy) Type of shell. Default is 'none'.
#   none: No shell (except for minimal shell when SCP is enabled) will be available.
#   terminal: Virtual terminal will be presented. Only available on Windows 10 version 1809 and newer, Windows Server 2019 and newer
#   legacy: Minimal shell will be available, with [SSH aliases](/docs/ssh-shell-aliases) support.
# defaultShellPath - Path to the default shell executable. Only applicable for 'terminal' shell. Default: 'cmd.exe'
# defaultHomeDirectory - Path to the default home directory. Only applicable for 'terminal' shell. Default: Buru SFTP Server home directory.
# ************************************************************
sshShell:
  allowSystemAccount: false
  defaultShellType: terminal
  defaultShellPath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  defaultHomeDirectory: C:\

# ************************************************************
# User database settings
#
# passwordHashAlgorithm - password hashing algorithm - supported values are SHA256, SHA384 or SHA512 (default).
# passwordHashAutoUpdate - auto-update hash on user login when hash is outdated (algorithm or salt size differ from settings). Enabled by default.
# passwordSaltSize - size of the password hash salt in bytes. Allowed range is 8-256 bytes. Default value is 20.
# usernamePattern - user name regular expression filter. Default: ^[a-zA-Z0-9_\@\-\.]{1,128}$
# ************************************************************
users:
  passwordHashAlgorithm: SHA512
  passwordHashAutoUpdate: true
  passwordSaltSize: 20
  usernamePattern: "^[a-zA-Z0-9_\\@\\-\\.]{1,128}$"

# ************************************************************
# FTP server settings.
# ************************************************************
ftp:
  # ************************************************************
  # FTP endpoint bindings.
  # Port 21 is the default port for FTP (explicit mode).
  # Port 990 is the default port for FTP over TLS (implicit mode).
  # Supported modes are: explicit (FTP or FTPS), explicitPlain (FTP), explicitTls (FTPS), implicit (FTPS).
  # ************************************************************
  bindings:
    - { port: 21, ipAddress: 0.0.0.0, mode: explicit }
    - { port: 21, ipAddress: '::', mode: explicit }
    - { port: 990, ipAddress: 0.0.0.0, mode: implicit }
    - { port: 990, ipAddress: '::', mode: implicit }
    - port: 9901
      ipAddress: 'test.rebex.net'
      mode: implicit
      certificateGroup: 'rebexnet'
      externalAddress: 'test.rebex.net'
      dataPortRange: '49152-65535'
  certificateGroups:
    - certificates:
        - '%ProgramData%\Rebex\BuruSftp\ftp\certificates\cert.pfx'
    - name: rebexnet
      certificates:
        - '%ProgramData%\Rebex\BuruSftp\ftp\certificates\rebexnet.pfx'
  # FTP is disabled for all users by default (can be enabled per user)
  enabledForUsersByDefault: false
```
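The ipFilter comments above state three rule syntaxes (single address, dash-separated range, CIDR), that the allow list takes priority over the deny list, and that everything is allowed when no rule matches. The following Python model is an added example written for this page, not Buru SFTP Server code: it implements exactly those stated semantics so an administrator can predict how a rule set will treat a given remote address before deploying it. The rule strings it evaluates are the ones from the example config; the probe addresses are constructed for the illustration, and the choice to accept CIDR entries with host bits set (as in the page's 192.168.66.12/24 example) is an assumption of this model.

```python
"""Model of the ipFilter allow/deny evaluation described in the config comments.

Added illustration, not Buru SFTP Server code. Assumed semantics (from the page):
rules are a single address, a dash-separated range or a CIDR block; the allow
list has priority over the deny list; with no matching rule the address is allowed.
"""
import ipaddress
from typing import Iterable, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Rule = Union[Network, Tuple[Address, Address]]


def parse_rule(text: str) -> Rule:
    """Turn one rule string into either a network or an inclusive (low, high) range."""
    text = text.strip()
    if "-" in text:  # IPv6 literals never contain '-', so this only matches ranges
        lo, hi = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"bad address range: {text!r}")
        return (lo, hi)
    # strict=False: tolerate host bits in the prefix (assumption; the page writes 192.168.66.12/24)
    return ipaddress.ip_network(text, strict=False)


def rule_matches(rule: Rule, addr: Address) -> bool:
    if isinstance(rule, tuple):
        lo, hi = rule
        return addr.version == lo.version and lo <= addr <= hi
    return addr.version == rule.version and addr in rule


def is_allowed(remote: str, allow: Iterable[str], deny: Iterable[str]) -> bool:
    """Decide whether `remote` may connect under the given allow/deny rule lists."""
    addr = ipaddress.ip_address(remote)
    allow_rules = [parse_rule(r) for r in allow]
    deny_rules = [parse_rule(r) for r in deny]
    # Allow list wins: an explicit allow match overrides any deny rule.
    if any(rule_matches(r, addr) for r in allow_rules):
        return True
    if any(rule_matches(r, addr) for r in deny_rules):
        return False
    # Nothing matched: the page's default is to allow.
    return True


# Rule lists copied from the ipFilter section of the example config.
ALLOW = ["192.168.66.1", "192.168.67.0-192.168.67.10", "192.168.68.0/24", "2001:db8::/48"]
DENY = ["0.0.0.0/0", "::/0"]


def evaluate_sample() -> dict:
    """Constructed probe addresses run through the example rule set."""
    probes = ["192.168.66.1", "192.168.67.5", "192.168.67.11",
              "192.168.68.200", "2001:db8:0:1::7", "10.0.0.1"]
    return {p: is_allowed(p, ALLOW, DENY) for p in probes}


if __name__ == "__main__":
    for address, ok in evaluate_sample().items():
        print(f"{address:20} {'allow' if ok else 'deny'}")
```

The deny-all-then-allow-trusted pattern recommended in the comments only works because the allow list is consulted first; the model makes that ordering explicit, and `evaluate_sample()` shows that 192.168.67.11 (one past the end of the range) falls through to the deny-all rules.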
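The accountLockoutPolicy comments define three interacting values: a failure threshold, a lockout duration, and a counter-reset period that must not be shorter than the lockout duration. The Python model below is an added example for this page, not Buru SFTP Server code; it applies those rules literally to a sequence of timestamped login attempts so the interplay can be checked. The page does not say what a successful login does to a non-zero failure counter, so this model leaves the counter untouched on success (an assumption); the scenario in `simulate()` is constructed and uses the example config's 10 / 900 / 900 values.

```python
"""Model of the accountLockoutPolicy counters from the security section.

Added illustration, not Buru SFTP Server code. Rules taken from the page:
after `threshold` failed logins the account is locked for
lockoutDurationSeconds; the failure counter is set back to zero once
resetCounterPeriodSeconds have passed since the last failed login;
threshold 0 disables lockout; resetCounterPeriodSeconds defaults to
lockoutDurationSeconds and must not be smaller. Assumption: a successful
login leaves a non-zero counter unchanged (the page does not say).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class LockoutPolicy:
    threshold: int = 10                 # failed logins before lockout; 0 disables
    lockout_duration_seconds: int = 900
    reset_counter_period_seconds: Optional[int] = None

    def __post_init__(self) -> None:
        if self.reset_counter_period_seconds is None:
            self.reset_counter_period_seconds = self.lockout_duration_seconds
        if self.reset_counter_period_seconds < self.lockout_duration_seconds:
            raise ValueError("resetCounterPeriodSeconds must be >= lockoutDurationSeconds")


@dataclass
class AccountState:
    failures: int = 0
    last_failure_at: Optional[float] = None
    locked_until: Optional[float] = None


class LockoutTracker:
    """Tracks failed logins per account; `now` is a timestamp in seconds."""

    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user: str, now: float) -> bool:
        st = self._state(user)
        return st.locked_until is not None and now < st.locked_until

    def record_failure(self, user: str, now: float) -> None:
        p = self.policy
        if p.threshold == 0:
            return  # lockout disabled: nothing is counted
        st = self._state(user)
        # The counter returns to zero once the reset period has elapsed since the last failure.
        if (st.last_failure_at is not None
                and now - st.last_failure_at >= p.reset_counter_period_seconds):
            st.failures = 0
        st.failures += 1
        st.last_failure_at = now
        if st.failures >= p.threshold:
            st.locked_until = now + p.lockout_duration_seconds

    def attempt(self, user: str, now: float, credentials_ok: bool) -> str:
        """Outcome of one login attempt: 'locked', 'ok' or 'failed'."""
        if self.is_locked(user, now):
            return "locked"  # refused while the lockout is in force, regardless of the password
        if credentials_ok:
            return "ok"
        self.record_failure(user, now)
        return "locked" if self.is_locked(user, now) else "failed"


def simulate() -> List[str]:
    """Constructed scenario using the example config's values (10 / 900 / 900)."""
    tracker = LockoutTracker(LockoutPolicy(threshold=10, lockout_duration_seconds=900,
                                           reset_counter_period_seconds=900))
    log = []
    for t in range(10):                          # ten wrong passwords, one per second
        log.append(tracker.attempt("alice", now=float(t), credentials_ok=False))
    log.append(tracker.attempt("alice", now=10.0, credentials_ok=True))   # right password, still locked
    log.append(tracker.attempt("alice", now=910.0, credentials_ok=True))  # lockout has expired
    return log


if __name__ == "__main__":
    for i, outcome in enumerate(simulate()):
        print(i, outcome)
```

Two consequences of the stated rules show up directly in the model: the tenth failure locks the account for the full duration even if the correct password arrives a second later, and a failure that arrives after the reset period restarts the count at one instead of continuing from where it left off.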
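The users section describes a username regular-expression filter, a choice of hash algorithm, a salt size with an allowed range, and an auto-update rule that replaces a stored hash on login when its algorithm or salt size no longer matches the settings. The following Python model is an added example for this page, not Buru SFTP Server code: it checks usernames against the page's default pattern and walks a stored record through the auto-update decision. The record layout (algorithm name, salt, and digest = H(salt || password)) is an assumption made for the example; the server's actual storage format is not described on the page, and the passwords in the tests are constructed.

```python
"""Model of the users section: usernamePattern filtering and password hash auto-update.

Added illustration, not Buru SFTP Server code. From the page: algorithms
SHA256/SHA384/SHA512 (default SHA512), salt size 8-256 bytes (default 20),
and auto-update of the stored hash on a successful login when its algorithm
or salt size differs from the settings. The record layout used here
(digest = H(salt || password), stored with algorithm name and salt) is an
assumption for the example, not the server's real storage format.
"""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass
from typing import Optional, Tuple

SUPPORTED = {"SHA256": "sha256", "SHA384": "sha384", "SHA512": "sha512"}
# Default usernamePattern from the page, as a raw Python string.
DEFAULT_USERNAME_PATTERN = r"^[a-zA-Z0-9_\@\-\.]{1,128}$"


class UserSettings:
    """Mirror of the `users:` keys, with the range checks the page states."""

    def __init__(self, password_hash_algorithm: str = "SHA512",
                 password_hash_auto_update: bool = True,
                 password_salt_size: int = 20,
                 username_pattern: str = DEFAULT_USERNAME_PATTERN) -> None:
        if password_hash_algorithm not in SUPPORTED:
            raise ValueError(f"unsupported passwordHashAlgorithm {password_hash_algorithm!r}")
        if not 8 <= password_salt_size <= 256:
            raise ValueError("passwordSaltSize must be in the range 8-256 bytes")
        self.password_hash_algorithm = password_hash_algorithm
        self.password_hash_auto_update = password_hash_auto_update
        self.password_salt_size = password_salt_size
        self._username_re = re.compile(username_pattern)

    def username_ok(self, name: str) -> bool:
        # fullmatch, so a trailing newline or extra characters cannot slip past `$`
        return self._username_re.fullmatch(name) is not None


@dataclass(frozen=True)
class PasswordRecord:
    algorithm: str
    salt: bytes
    digest: bytes


def _digest(algorithm: str, salt: bytes, password: str) -> bytes:
    h = hashlib.new(SUPPORTED[algorithm])
    h.update(salt)
    h.update(password.encode("utf-8"))
    return h.digest()


def hash_password(password: str, settings: UserSettings,
                  salt: Optional[bytes] = None) -> PasswordRecord:
    """Create a record with a fresh random salt of the configured size."""
    salt = os.urandom(settings.password_salt_size) if salt is None else salt
    return PasswordRecord(settings.password_hash_algorithm, salt,
                          _digest(settings.password_hash_algorithm, salt, password))


def verify(record: PasswordRecord, password: str) -> bool:
    # constant-time comparison of the recomputed digest against the stored one
    return hmac.compare_digest(_digest(record.algorithm, record.salt, password), record.digest)


def is_outdated(record: PasswordRecord, settings: UserSettings) -> bool:
    """The page's auto-update trigger: algorithm or salt size differs from the settings."""
    return (record.algorithm != settings.password_hash_algorithm
            or len(record.salt) != settings.password_salt_size)


def login(record: PasswordRecord, password: str,
          settings: UserSettings) -> Tuple[bool, PasswordRecord]:
    """Return (accepted, record); the record is rehashed when auto-update applies."""
    if not verify(record, password):
        return False, record
    if settings.password_hash_auto_update and is_outdated(record, settings):
        return True, hash_password(password, settings)
    return True, record


if __name__ == "__main__":
    old = hash_password("correct horse", UserSettings("SHA256", password_salt_size=8))
    accepted, new = login(old, "correct horse", UserSettings())
    print(accepted, old.algorithm, len(old.salt), "->", new.algorithm, len(new.salt))
```

The rehash can only happen on a successful login because that is the only moment the plaintext password is available to the server; until each user logs in once, records created under older settings keep their old algorithm and salt size, which is why `is_outdated()` is worth checking separately when auditing a user database after a settings change.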