config.yaml

config.yaml is the primary configuration file. The file uses YAML format.

# Rebex Buru SFTP Server configuration file - EXAMPLE
# This file is in YAML (https://en.wikipedia.org/wiki/YAML#Syntax) - note that leading whitespace IS SIGNIFICANT, unlike in XML
# Visit https://rebex.net/buru-sftp-server/doc/configuration for more details

# ************************************************************
# Local SSH/SFTP endpoint bindings.
# Specify the addresses and ports that the server should listen on.
# IP addresses and host names are supported. Host names will be resolved to IP addresses when the server starts.
# Use 0.0.0.0 and '::' if you wish the server to bind to any IPv4 or IPv6 address, respectively.
# Port 22 is the default port for SSH / SFTP.
# By default, the server will bind to any IP address, listen on port 22 and will serve both SFTP and SCP protocols.
# ************************************************************

bindings:
  # Any IPv4 address, default SSH port, SFTP and SCP both enabled.
  - port: 22
    ipAddress: 0.0.0.0
    scp: true
    sftp: true
  # Any IPv6 address. Keep '::' quoted, as the header comment shows.
  - port: 22
    ipAddress: '::'
    scp: true
    sftp: true
  # Host-name binding; resolved to IP addresses when the server starts.
  # Port and protocols are omitted, so the documented defaults apply
  # (port 22, both SFTP and SCP).
  - ipAddress: test.rebex.net

# ************************************************************
# Paths to SSH server private keys and certificates.
# If no keys are specified then keys will be searched for in the following locations:
#   - <config root>/keys
#   - <application root>/keys
#
# Relative file paths use application installation directory as root.
# See https://www.rebex.net/doc/buru-sftp-server/configuration/config/keys/ for more details
# ************************************************************

keys:
  # A directory (trailing slash) rather than a single key file; relative
  # paths are rooted at the application installation directory (see header).
  # This directory holds the server's private host keys, so keep its
  # filesystem permissions restricted to the service account.
  - 'config/keys/'

# ************************************************************
# Remote IP filtering rules.
# Specify remote IP addresses or network ranges that are allowed or denied to connect to the server.
# You can specify the addresses as:
# - single address, such as 192.168.1.1 or 2001:db8::1,
# - address range, such as 192.168.1.1-192.168.1.255,
# - or CIDR notation, such as 192.168.66.12/24.
# Allow list has priority over deny list.
# Usually you want to blacklist all addresses (0.0.0.0/0 and "::/0") in deny list and add trusted address ranges to allow list.
# By default all IP addresses are allowed.
# IPv6 addresses must be enclosed in double quotes.
# ************************************************************

ipFilter:
  # Allow entries take precedence over deny entries (see header comment):
  # the deny list below blocks everything, the allow list carves out exceptions.
  allow:
    - "192.168.66.1"                   # single address
    - "192.168.67.0-192.168.67.10"     # address range
    - "192.168.68.0/24"                # CIDR notation
    - "2001:db8::/48"                  # IPv6 - quotes are required
  deny:
    - "0.0.0.0/0"                      # every IPv4 address
    - "::/0"                           # every IPv6 address


# ************************************************************
# Logging. 
# No logs will be saved unless you specify log location. Logs are aggregated daily.  
# For the server log you can also specify minimal log level - supported values are: verbose, debug, information, warning, error, fatal. 
# Default is 'warning' for server log.
# ************************************************************

logging:
  # Access log. maxFileCount 0 = never prune, files are kept forever.
  access:
    location: 'D:\burusftp\logs\access'
    maxFileCount: 0
  # Server log. Only 'warning' and above are written; logs are aggregated
  # daily (see header), so 31 files is roughly one month of history.
  server:
    location: 'D:\burusftp\logs\server'
    minLevel: warning
    maxFileCount: 31

# Or use custom configuration 'config/logging.json' (see documentation for details):

# logging:
#   useCustomConfig: true


# ************************************************************
# Security settings
# ************************************************************
security:
  # Account lockout: after `threshold` failed logins the account is locked for
  # lockoutDurationSeconds; the failure counter is cleared
  # resetCounterPeriodSeconds after the last failed login.
  accountLockoutPolicy:
    threshold: 10                   # documented default; 0 disables lockout
    lockoutDurationSeconds: 900     # 15 minutes (documented default)
    # Must be the same as or greater than lockoutDurationSeconds; if omitted,
    # lockoutDurationSeconds is used.
    resetCounterPeriodSeconds: 900

# ************************************************************
# SSH configuration
#
# encryptionAlgorithms - encryption algorithms. Default value: ['__INTERMEDIATE']. Currently supported algorithms are, along with their macros:
# __MODERN (secure suites):
#     aes256-gcm@openssh.com, aes128-gcm@openssh.com, aes256-ctr, aes192-ctr, aes128-ctr,
#     chacha20-poly1305@openssh.com, twofish256-ctr, twofish192-ctr, twofish128-ctr
# __INTERMEDIATE (best compatibility): all of the above, plus:
#     aes256-cbc, aes192-cbc, aes128-cbc, twofish256-cbc, twofish192-cbc, twofish128-cbc, twofish-cbc,
#     3des-ctr, 3des-cbc
# __ALL (all suites, including insecure - NOT RECOMMENDED): all of the above, plus: arcfour256, arcfour128, arcfour, blowfish-ctr, blowfish-cbc
#
# hostKeyAlgorithms - host key algorithms. Default value: ['__INTERMEDIATE']. Currently supported algorithms are, along with their macros:
# __MODERN (secure suites):
#     ssh-ed25519, ecdsa-sha2-nistp521, ecdsa-sha2-nistp384, ecdsa-sha2-nistp256, ecdsa-sha2-1.3.132.0.10,
#     rsa-sha2-512, ssh-rsa-sha256@ssh.com, rsa-sha2-256,
#     x509v3-ecdsa-sha2-nistp521,x509v3-ecdsa-sha2-nistp384, x509v3-ecdsa-sha2-nistp256, x509v3-rsa2048-sha256, x509v3-sign-rsa-sha256@ssh.com
# __INTERMEDIATE (best compatibility): + ssh-dss, ssh-rsa, x509v3-sign-rsa, x509v3-sign-dss
# __ALL (all suites, including insecure - NOT RECOMMENDED): N/A
#
# kexAlgorithms - key exchange algorithms. Default value: ['__INTERMEDIATE']. Currently supported algorithms are, along with their macros:
# __MODERN (secure suites): 
#     curve25519-sha256, curve25519-sha256@libssh.org, 
#     ecdh-sha2-nistp521, ecdh-sha2-nistp384, ecdh-sha2-nistp256, ecdh-sha2-1.3.132.0.10,
#     diffie-hellman-group16-sha512, diffie-hellman-group15-sha512, diffie-hellman-group-exchange-sha256
# __INTERMEDIATE (best compatibility): + diffie-hellman-group14-sha256, diffie-hellman-group14-sha1, diffie-hellman-group-exchange-sha1
# __ALL (all suites, including insecure - NOT RECOMMENDED): + diffie-hellman-group1-sha1
#
# macAlgorithms - MAC algorithms. Default value: ['__INTERMEDIATE']. Currently supported algorithms are, along with their macros:
# __MODERN (secure suites): hmac-sha2-512-etm@openssh.com, hmac-sha2-256-etm@openssh.com, hmac-sha2-512, hmac-sha2-256
# __INTERMEDIATE (best compatibility): + hmac-sha1, hmac-sha1-96
# __ALL (all suites, including insecure - NOT RECOMMENDED): + hmac-md5, hmac-md5-96
#
# banner                     - banner message displayed to clients before authentication
# softwareVersion            - use custom software version sent during SSH protocol version exchange
# shellHostName              - server name visible to clients
# maxIdleDurationSeconds     - maximum session idle duration in seconds. When this duration expires, session is disconnected.
#                              Set the value to 0 to disable. Default: 86400 (1 day)
# maxSessionDurationSeconds  - maximum session duration in seconds. When this duration expires, a session renegotiation occurs.
#                              Set the value to 0 to disable. Default: 86400 (1 day)
# maxSessionTransferredBytes - maximum number of bytes transferred during a session. When this value is reached, a session renegotiation occurs.
#                              Set the value to 0 to disable. Default: 1073741824 (1 GB)
# ************************************************************

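ssh:
  # Algorithm selection. '__INTERMEDIATE' (the documented default) trades some
  # strength for client compatibility: it still includes the CBC ciphers,
  # 3DES, diffie-hellman-group14-sha1 and hmac-sha1 listed in the header.
  # Prefer '__MODERN' where every client supports it. '__ALL' additionally
  # enables the suites the header marks "NOT RECOMMENDED" (arcfour, blowfish,
  # diffie-hellman-group1-sha1, hmac-md5) and is not used in this example.
  encryptionAlgorithms: ['__INTERMEDIATE']
  hostKeyAlgorithms: ['__INTERMEDIATE']
  # Individual algorithms can be appended to a macro, e.g.
  # ['__MODERN', 'diffie-hellman-group14-sha256']. Do not append
  # diffie-hellman-group1-sha1: it is in the insecure '__ALL' tier.
  kexAlgorithms: ['__INTERMEDIATE']
  macAlgorithms: ['__INTERMEDIATE']
  # Text shown to clients before authentication.
  banner: "Welcome!"
  # Name presented to shell clients.
  shellHostName: myServer
  # Custom identification string sent during the SSH protocol version exchange.
  softwareVersion: MyServer_1.0.0
  # Session limits; 0 disables the respective limit (see header comment).
  maxIdleDurationSeconds: 86400           # 1 day - idle session is disconnected
  maxSessionDurationSeconds: 86400        # 1 day - triggers renegotiation
  maxSessionTransferredBytes: 1073741824  # 1 GB  - triggers renegotiation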


# ************************************************************
# SSH shell
#
# allowSystemAccount    - allow system account to spawn terminal and other processes. Disabled by default.
# defaultShellType      - (none|terminal|legacy) Type of shell. Default is 'none'.
#                           none: No shell (except for minimal shell when SCP is enabled) will be available.
#                           terminal: Virtual terminal will be presented. Only available on Windows 10 version 1809 and newer, Windows Server 2019 and newer
#                           legacy: Minimal shell will be available, with [SSH aliases](/docs/ssh-shell-aliases) support.
# defaultShellPath      - Path to default shell executable. Only applicable for 'terminal' shell. Default: 'cmd.exe'
# defaultHomeDirectory  - Path to default home directory. Only applicable for 'terminal' shell. Default: Buru SFTP Server home directory.
# ************************************************************

sshShell:
  # System account may not spawn terminals or other processes (documented default).
  allowSystemAccount: false
  # 'terminal' = virtual terminal; per the header this needs Windows 10
  # version 1809 / Windows Server 2019 or newer.
  defaultShellType: terminal
  # Overrides the documented default 'cmd.exe'. Single quotes keep the
  # backslashes literal.
  defaultShellPath: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
  # NOTE(review): a drive root as the default home directory gives terminal
  # sessions a very broad starting point; presumably a dedicated directory is
  # preferable - confirm what shell users are meant to reach.
  defaultHomeDirectory: 'C:\'


# ************************************************************
# SSH tunneling - experimental. Disabled by default. Does not have any implicit bindings.
# ************************************************************

sshTunneling:
  # Experimental and disabled by default (see header). Tunneling has no
  # implicit bindings, so one is declared here: every IPv4 address, port 22.
  # NOTE(review): narrow ipAddress to the interface that actually needs
  # tunneling if it is not intended for all clients.
  enabled: true
  bindings:
    - port: 22
      ipAddress: 0.0.0.0

# ************************************************************
# User database settings
#
# passwordHashAlgorithm  - password hashing algorithm - supported values are SHA256, SHA384 or SHA512 (default). 
# passwordHashAutoUpdate - auto-update hash on user login when hash is outdated (algorithm or salt size differ from settings). Enabled by default.
# passwordSaltSize       - size of password hash salt in bytes. Allowed range is 8-256 bytes. Default value is 20.
# usernamePattern        - user name regular expression filter. Default: ^[a-zA-Z0-9_\@\-\.]{1,128}$
# ************************************************************

users:
  # All four values match the defaults documented in the header comment.
  passwordHashAlgorithm: SHA512   # SHA256 | SHA384 | SHA512
  passwordHashAutoUpdate: true    # re-hash on login when algorithm or salt size differ
  passwordSaltSize: 20            # bytes; allowed range 8-256
  # Single quotes: backslashes are literal, so no doubling is needed.
  usernamePattern: '^[a-zA-Z0-9_\@\-\.]{1,128}$'

# ************************************************************
# FTP server settings.
# ************************************************************
ftp:
  # ************************************************************
  # FTP endpoint bindings.
  # Port 21 is the default port for FTP (explicit mode).
  # Port 990 is the default port for FTP over TLS (implicit mode).
  # Supported modes: explicit (FTP or FTPS), explicitPlain (FTP),
  # explicitTls (FTPS), implicit (FTPS).
  # ************************************************************
  bindings:
    # 'explicit' accepts both plain FTP and FTPS on the same port; use
    # 'explicitTls' instead if every session must be encrypted.
    - port: 21
      ipAddress: 0.0.0.0
      mode: explicit
    - port: 21
      ipAddress: '::'
      mode: explicit
    # 'implicit' = FTPS on the dedicated TLS port.
    - port: 990
      ipAddress: 0.0.0.0
      mode: implicit
    - port: 990
      ipAddress: '::'
      mode: implicit
    # Host-name binding on a non-standard port with its own certificate group.
    - port: 9901
      ipAddress: 'test.rebex.net'
      mode: implicit
      certificateGroup: 'rebexnet'
      # presumably the address advertised to clients for data connections - confirm
      externalAddress: 'test.rebex.net'
      # presumably the passive data port range; firewall rules must permit it - confirm
      dataPortRange: '49152-65535'

  certificateGroups:
    # Unnamed group; presumably used by bindings without certificateGroup - confirm
    - certificates:
        - '%ProgramData%\Rebex\BuruSftp\ftp\certificates\cert.pfx'
    - name: rebexnet
      certificates:
        - '%ProgramData%\Rebex\BuruSftp\ftp\certificates\rebexnet.pfx'

  # FTP stays off for every user unless enabled per user.
  enabledForUsersByDefault: false