config.yaml

config.yaml is the server's primary configuration file. It is written in YAML, so leading whitespace (indentation) is significant; an annotated example follows.

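# Rebex Buru SFTP Server configuration file - EXAMPLE
# This file is in YAML (https://en.wikipedia.org/wiki/YAML#Syntax) - note that leading whitespace IS SIGNIFICANT, unlike in XML
# Visit https://rebex.net/buru-sftp-server/doc/configuration for more details

# ************************************************************
# Local SSH/SFTP endpoint bindings.
# Specify the addresses and ports that the server should listen on.
# IP addresses and host names are supported. Host names will be resolved to IP addresses when the server starts.
# Use 0.0.0.0 and '::' if you wish the server to bind to any IPv4 or IPv6 address, respectively.
# Port 22 is the default port for SSH / SFTP.
# By default, the server will bind to any IP address, listen on port 22 and will have both SFTP and Shell/SCP subsystems enabled.
# IPv6 addresses must be enclosed in quotes (required by YAML format).
# Security note: a binding that omits 'scp'/'sftp' gets BOTH subsystems. Set 'scp: false' on bindings that only
# need file transfer, so the Shell/SCP subsystem (configured under sshShell below) is not reachable on them.
# ************************************************************
bindings:
  - { port: 22, ipAddress: 0.0.0.0, scp: true, sftp: true }
  - { port: 22, ipAddress: '::', scp: true, sftp: true }
  # host-name binding: port and subsystems fall back to the defaults described above
  - ipAddress: test.rebex.net

# ************************************************************
# Paths to SSH server private keys and certificates.
# If no keys are specified then keys will be searched for in the following locations:
# - <config root>/keys
# - <application root>/keys
#
# Relative file paths use application installation directory as root.
# See https://www.rebex.net/doc/buru-sftp-server/configuration/config/keys/ for more details
# Security note: these files are the server's host identity. Restrict the directory's filesystem ACL to the
# service account and administrators; a host key that was ever readable by other users should be rotated.
# ************************************************************
keys:
  - config/keys/

# ************************************************************
# Remote IP filtering rules.
# Specify remote IP addresses or network ranges that are allowed or denied to connect to the server.
# You can specify the addresses as:
# - single address, such as 192.168.1.1 or 2001:db8::1,
# - address range, such as 192.168.1.1-192.168.1.255,
# - or CIDR notation, such as 192.168.66.12/24.
# Allow list has priority over deny list.
# Usually you want to blacklist all addresses (0.0.0.0/0 and "::/0") in deny list and add trusted address ranges to allow list.
# By default all IP addresses are allowed.
# IPv6 addresses must be enclosed in double quotes.
# NOTE(review): the filter presumably matches the TCP peer address the server sees; behind a NAT or proxy that is the
# proxy's address, so an allow-listed proxy admits every client it forwards - verify before relying on this as the only control.
# ************************************************************
ipFilter:
  allow:
    # single IP address
    - 192.168.66.1
    # address range
    - 192.168.67.0-192.168.67.10
    # CIDR notation
    - 192.168.68.0/24
    # IPv6 (quotes required)
    - "2001:db8::/48"
  deny:
    - 0.0.0.0/0
    - "::/0"

# ************************************************************
# Logging.
# No logs will be saved unless you specify log location. Logs are aggregated daily.
# For the server log you can also specify minimum log level - supported values are: verbose, debug, information, warning, error, fatal.
# Default is 'warning' for server log.
# Security note: with no 'location' nothing is written, so an unconfigured server has no audit trail at all.
# The access log is that trail - always configure it and ship it off-host; 'maxFileCount' only bounds local disk usage.
# ************************************************************
logging:
  access:
    location: D:\burusftp\logs\access
    # keep files forever
    maxFileCount: 0
  server:
    location: D:\burusftp\logs\server
    minLevel: warning
    # keep 31 days (1 month)
    maxFileCount: 31
# Or use custom configuration 'config/logging.json' (see documentation for details):
# logging:
#   useCustomConfig: true

# ************************************************************
# Security settings
# ************************************************************
security:
  # Specifies conditions for account lockout
  accountLockoutPolicy:
    # Lockout account after 10 failed logins. Set to 0 to disable. Default: 10.
    # Note: the counter is per account, so anyone who knows a user name can lock that user out on purpose.
    # Pair the policy with the ipFilter above and keep the duration short enough that this is tolerable.
    threshold: 10
    # Time in seconds a locked-out account remains locked out before automatically becoming unlocked. Default: 900 (15 minutes)
    lockoutDurationSeconds: 900
    # Time period in seconds following last unsuccessful login after which the lockout counter will be set back to zero. Must be same or greater than lockoutDurationSeconds.
    # If no value is specified lockoutDurationSeconds value is used.
    resetCounterPeriodSeconds: 900

# ************************************************************
# SSH configuration
#
# encryptionAlgorithms - encryption algorithms. Default value: ['__INTERMEDIATE']. Currently supported algorithms are, along with their macros:
#   __MODERN (secure suites):
#     aes256-gcm@openssh.com, aes128-gcm@openssh.com, aes256-ctr, aes192-ctr, aes128-ctr,
#     chacha20-poly1305@openssh.com, twofish256-ctr, twofish192-ctr, twofish128-ctr
#   __INTERMEDIATE (best compatibility): all of the above, plus:
#     aes256-cbc, aes192-cbc, aes128-cbc, twofish256-cbc, twofish192-cbc, twofish128-cbc, twofish-cbc,
#     3des-ctr, 3des-cbc
#   __ALL (all suites, including insecure - NOT RECOMMENDED): all of the above, plus: arcfour256, arcfour128, arcfour, blowfish-ctr, blowfish-cbc
#
# hostKeyAlgorithms - host key algorithms. Default value: ['__INTERMEDIATE']. Currently supported algorithms are, along with their macros:
#   __MODERN (secure suites):
#     ssh-ed25519, ecdsa-sha2-nistp521, ecdsa-sha2-nistp384, ecdsa-sha2-nistp256, ecdsa-sha2-1.3.132.0.10,
#     rsa-sha2-512, ssh-rsa-sha256@ssh.com, rsa-sha2-256,
#     x509v3-ecdsa-sha2-nistp521, x509v3-ecdsa-sha2-nistp384, x509v3-ecdsa-sha2-nistp256, x509v3-rsa2048-sha256, x509v3-sign-rsa-sha256@ssh.com
#   __INTERMEDIATE (best compatibility): + ssh-dss, ssh-rsa, x509v3-sign-rsa, x509v3-sign-dss
#   __ALL (all suites, including insecure - NOT RECOMMENDED): N/A
#
# kexAlgorithms - key exchange algorithms. Default value: ['__INTERMEDIATE']. Currently supported algorithms are, along with their macros:
#   __MODERN (secure suites):
#     curve25519-sha256, curve25519-sha256@libssh.org,
#     ecdh-sha2-nistp521, ecdh-sha2-nistp384, ecdh-sha2-nistp256, ecdh-sha2-1.3.132.0.10,
#     diffie-hellman-group16-sha512, diffie-hellman-group15-sha512, diffie-hellman-group-exchange-sha256
#   __INTERMEDIATE (best compatibility): + diffie-hellman-group14-sha256, diffie-hellman-group14-sha1, diffie-hellman-group-exchange-sha1
#   __ALL (all suites, including insecure - NOT RECOMMENDED): + diffie-hellman-group1-sha1
#
# macAlgorithms - MAC algorithms. Default value: ['__INTERMEDIATE']. Currently supported algorithms are, along with their macros:
#   __MODERN (secure suites): hmac-sha2-512-etm@openssh.com, hmac-sha2-256-etm@openssh.com, hmac-sha2-512, hmac-sha2-256
#   __INTERMEDIATE (best compatibility): + hmac-sha1, hmac-sha1-96
#   __ALL (all suites, including insecure - NOT RECOMMENDED): + hmac-md5, hmac-md5-96
#
# banner - banner message displayed to clients before authentication (visible to anyone who can connect - keep it free of internal details)
# softwareVersion - use custom software version sent during SSH protocol version exchange
# shellHostName - server name visible to clients
# maxIdleDurationSeconds - maximum session idle duration in seconds. When this duration expires, session is disconnected.
#   Set the value to 0 to disable. Default: 86400 (1 day)
# maxSessionDurationSeconds - maximum session duration in seconds. When this duration expires, a session renegotiation occurs.
#   Set the value to 0 to disable. Default: 86400 (1 day)
# maxSessionTransferredBytes - maximum number of bytes transferred during a session. When this value is reached, a session renegotiation occurs.
#   Set the value to 0 to disable. Default: 1073741824 (1 GB)
# ************************************************************
ssh:
  # '__ALL' would also enable arcfour and blowfish, which the list above marks NOT RECOMMENDED.
  # '__INTERMEDIATE' is the documented default; prefer '__MODERN' when no legacy client needs CBC or 3DES.
  encryptionAlgorithms: ['__INTERMEDIATE']
  hostKeyAlgorithms: ['__INTERMEDIATE']
  # Do not append 'diffie-hellman-group1-sha1' here: it is the single algorithm in the "insecure" __ALL tier
  # above and is excluded from __INTERMEDIATE for that reason.
  kexAlgorithms: ['__INTERMEDIATE']
  macAlgorithms: ['__INTERMEDIATE']
  banner: "Welcome!"
  shellHostName: myServer
  softwareVersion: MyServer_1.0.0
  maxIdleDurationSeconds: 86400  # 1 day
  maxSessionDurationSeconds: 86400  # 1 day
  maxSessionTransferredBytes: 1073741824  # 1 GB

# ************************************************************
# SSH shell
#
# Only applies to SSH bindings with Shell/SCP subsystem enabled.
#
# allowSystemAccount - allow system account to spawn terminal and other processes. Disabled by default.
# defaultShellType - (none|terminal|legacy) Type of shell. Default is 'none'.
#   none: No shell (except for minimal shell when SCP is enabled) will be available.
#   terminal: Virtual terminal will be presented. Only available on Windows 10 version 1809 and newer, Windows Server 2019 and newer
#   legacy: Minimal shell will be available, with [SSH aliases](/docs/ssh-shell-aliases) support.
# defaultShellPath - Path to default shell executable. Only applicable for 'terminal' shell. Default: 'cmd.exe'
# defaultHomeDirectory - Path to default home directory. Only applicable for 'terminal' shell. Default: Buru SFTP Server home directory.
# ************************************************************
sshShell:
  allowSystemAccount: false
  # 'none' is the documented default: SSH users get file transfer only. Switch to 'terminal' deliberately, per
  # deployment - with the two settings below, every user on a Shell/SCP-enabled binding would by default get an
  # interactive PowerShell whose home directory is the root of the system drive.
  defaultShellType: none
  defaultShellPath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  defaultHomeDirectory: C:\

# ************************************************************
# SSH tunneling - experimental. Disabled by default. Does not have any implicit bindings.
# Security note: tunneling (port forwarding) lets an authenticated user reach other hosts THROUGH this server,
# turning it into a pivot. It stays disabled here; enable it only where needed and keep the ipFilter tight.
# ************************************************************
sshTunneling:
  enabled: false
  bindings:
    - { port: 22, ipAddress: 0.0.0.0 }

# ************************************************************
# User database settings
#
# passwordHashAlgorithm - password hashing algorithm - supported values are SHA256, SHA384 or SHA512 (default).
# passwordHashAutoUpdate - auto-update hash on user login when hash is outdated (algorithm or salt size differ from settings). Enabled by default.
# passwordSaltSize - size of password hash salt in bytes. Allowed range is 8-256 bytes. Default value is 20.
# usernamePattern - user name regular expression filter. Default: ^[a-zA-Z0-9_\@\-\.]{1,128}$
# NOTE(review): only salted SHA-2 is offered, not a slow/memory-hard KDF. If the user database leaks, hashes of weak
# passwords will crack quickly - rely on the lockout policy, strong passwords or public-key authentication, not on the hash.
# ************************************************************
users:
  passwordHashAlgorithm: SHA512
  passwordHashAutoUpdate: true
  passwordSaltSize: 20
  # double-quoted, so each "\\" reaches the server as a single backslash
  usernamePattern: "^[a-zA-Z0-9_\\@\\-\\.]{1,128}$"

# ************************************************************
# FTP server settings.
# ************************************************************
ftp:
  # ************************************************************
  # FTP endpoint bindings.
  # Port 21 is the default port for FTP (explicit mode).
  # Port 990 is the default port for FTP over TLS (implicit mode).
  # Supported modes are: explicit (FTP or FTPS), explicitPlain (FTP), explicitTls (FTPS), implicit (FTPS).
  # Security note: 'explicit' and 'explicitPlain' accept logins without TLS, so passwords and data can cross the
  # network in cleartext. The port 21 bindings below use 'explicitTls' so only FTPS is accepted there.
  # ************************************************************
  bindings:
    - { port: 21, ipAddress: 0.0.0.0, mode: explicitTls }
    - { port: 21, ipAddress: '::', mode: explicitTls }
    - { port: 990, ipAddress: 0.0.0.0, mode: implicit }
    - { port: 990, ipAddress: '::', mode: implicit }
    - port: 9901
      ipAddress: 'test.rebex.net'
      mode: implicit
      certificateGroup: 'rebexnet'
      externalAddress: 'test.rebex.net'
      dataPortRange: '49152-65535'
  # The .pfx files hold the TLS private keys - protect them with the same ACLs as the SSH host keys.
  certificateGroups:
    - certificates:
        - '%ProgramData%\Rebex\BuruSftp\ftp\certificates\cert.pfx'
    - name: rebexnet
      certificates:
        - '%ProgramData%\Rebex\BuruSftp\ftp\certificates\rebexnet.pfx'
  # FTP is disabled for all users by default (can be enabled per user)
  enabledForUsersByDefault: false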