Security Notes
Overview
This page covers security-related topics for SFTP Gateway 3.x.
Encryption
Files are encrypted in transit and at rest at all stages, beginning with the SFTP client and ending with Blob Storage.
The SFTP protocol is implemented by a Java service. SFTP traffic is encrypted in transit.
Files are not stored on the local Linux file system. Instead, files are held in memory and then moved to Blob Storage. Large files are broken up into chunks and uploaded to Blob Storage in parts.
Even though the SFTP files are not stored on disk, the VM disk is encrypted (encryption at-rest with a platform-managed key is the default option in Azure).
The Java service moves the files to Blob Storage using the Azure SDK. The Azure SDK uses an API that is encrypted over HTTPS.
Finally, files are encrypted at rest with Azure Blob Storage's default encryption.
Chroot directories
SFTP users are chrooted. The root of their file system is restricted to a specific path, limiting which directories they can traverse. This is commonly done to prevent SFTP users from seeing each other's files.
SFTP users are chrooted by default into /users/username/ in the default Cloud Connection.
The chroot directory location is configurable.
This article covers chroot directories in more detail.
SFTP Authentication
SFTP users can be configured with key-based authentication or passwords.
SFTP Gateway supports multiple SSH keys per user, which can be helpful for key rotation. A second key can be rotated in, and the first key disabled. This makes it easier to roll back if necessary.
Passwords must adhere to SFTP Gateway's password policy:
- At least 8 characters
- Mixed case
- At least 1 special character
This article discusses how to override the default password policy.
Key exchange algorithms
The OpenSSH protocol uses various key exchange algorithms and encryption ciphers to secure communication with the SFTP client.
Refer to this article to configure the baseline security level for hardening SFTP encryption algorithms.
Ports and protocols
TCP port 22 is open to the world. Under normal circumstances, you want to avoid this pattern. However, this is by design for SFTP Gateway 3.x.
Java provides an SFTP service on port 22, so SSH connection attempts are denied.
Also, SFTP Gateway 3.x lets you configure an IP range allow-list at the per-user level.
The SSH protocol has been moved to TCP port 2222. This should be locked down to the IP address range of the system administrator. To connect, remember to use the port flag:
ssh -i private.key ubuntu@ip-address -p 2222
The web ports TCP 80 and 443 should also be locked down to the IP address range of the system administrator. SFTP Gateway 3.x has a first-launch web experience where you can create the first administrator account.
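One way to check the port guidance above against a network security group, as an added example that is not part of the SFTP Gateway documentation or product. It assumes rules shaped like the JSON that `az network nsg rule list` returns (`direction`, `access`, `protocol`, `sourceAddressPrefix`, `destinationPortRange` and their plural forms); the rule names and addresses are constructed, and rule priority and Deny overrides are not evaluated.

```python
# Added example: field names follow Azure NSG rule JSON; sample data is constructed.
ADMIN_ONLY_PORTS = {2222: "SSH", 80: "HTTP", 443: "HTTPS"}  # ports the page says to restrict
OPEN_SOURCES = {"*", "0.0.0.0/0", "Internet"}  # source values that mean "anywhere"


def port_in_range(port, spec):
    """True if port falls inside an NSG port spec such as '22', '80-443' or '*'."""
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)


def audit_nsg_rules(rules):
    """Return (rule name, port, service) for every inbound Allow rule that
    exposes an admin-only port to any source address. Port 22 is not checked,
    because the page states it is open to the world by design."""
    findings = []
    for rule in rules:
        if rule.get("direction") != "Inbound" or rule.get("access") != "Allow":
            continue
        if str(rule.get("protocol", "")).lower() not in ("tcp", "*"):
            continue
        sources = [rule.get("sourceAddressPrefix")] + (rule.get("sourceAddressPrefixes") or [])
        if not any(s in OPEN_SOURCES for s in sources if s):
            continue
        specs = [rule.get("destinationPortRange")] + (rule.get("destinationPortRanges") or [])
        for port, service in ADMIN_ONLY_PORTS.items():
            if any(port_in_range(port, s) for s in specs if s):
                findings.append((rule["name"], port, service))
    return findings


# Constructed sample rules (names and addresses are made up for illustration).
SAMPLE_RULES = [
    {"name": "sftp-22", "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
     "sourceAddressPrefix": "*", "destinationPortRange": "22"},
    {"name": "ssh-admin", "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
     "sourceAddressPrefix": "203.0.113.0/24", "destinationPortRange": "2222"},
    {"name": "web-open", "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
     "sourceAddressPrefix": "Internet", "destinationPortRanges": ["80", "443"]},
    {"name": "temp-debug", "direction": "Inbound", "access": "Allow", "protocol": "*",
     "sourceAddressPrefix": "0.0.0.0/0", "destinationPortRange": "2000-3000"},
]

if __name__ == "__main__":
    for name, port, service in audit_nsg_rules(SAMPLE_RULES):
        print(f"rule {name!r} exposes {service} (TCP {port}) to any source")
```

The `temp-debug` rule shows why ranges matter: it never names port 2222, yet its `2000-3000` range still exposes the SSH port.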
Web admin accounts
The first time you launch SFTP Gateway 3.x, you configure the first administrator account on the web admin portal. Once logged in, you can create SFTP users and manage Cloud Connections.
You can create additional web admin accounts. Each administrator should be provisioned with their own account, so that their access can be revoked if necessary.
Additional web admin accounts are created with a one-time password which must be reset after first login.
Audit logging
SFTP audit logs are recorded in the log file /opt/sftpgw/log/sftp-audit.log.
Refer to this article for more information on logging.
OS updates
Since SFTP Gateway is deployed as a Marketplace image, you alone have access, and are responsible for patching the operating system.
The image is built from Ubuntu 20.04, so you can patch the OS by running apt updates.