SFTP port alternatives for remote access
SFTP, which is often mistaken for an abbreviation of “Secure File Transfer Protocol”, actually stands for SSH File Transfer Protocol. SFTP was developed in the early days of the internet and is described in this SFTP RFC specification.
The SFTP protocol was known originally as simple FTP (File Transfer Protocol). The FTP protocol supports file transfer over TCP port 21, with TCP port 22 used for SFTP and port 990 used for implicit TLS/SSL encryption.
SFTP is a basic file transfer protocol, and although it can be quite fast due to its simplicity, additional features such as file sharing, collaboration, authentication, and single sign-on are not defined by the protocol.
Over time, the FTP protocol was updated to add encryption (SFTP), support TLS/SSL encryption, and address firewall/security problems. For example, RFC 1579 (February 1994) enables Firewall-Friendly FTP (passive mode), RFC 2228 (June 1997) proposes security extensions, and RFC 2428 (September 1998) adds IPv6 support and defines a new type of passive mode.[8]
Introduction
Secure File Transfer Protocol (SFTP) is a network protocol that enables secure and encrypted file transfers between a client and a server. It is designed to provide a secure alternative to traditional File Transfer Protocol (FTP) by incorporating Secure Shell (SSH) for authentication and data encryption.
In this article, we will delve into the world of SFTP, exploring its basics, port management, server configuration, and more.
Understanding the secure file transfer protocol is crucial for ensuring the safety and integrity of your data during file transfers. Whether you’re dealing with sensitive information or simply need a reliable method for transferring files, SFTP offers a robust solution that leverages the power of secure shell to protect your data.
Understanding SFTP
SFTP is an extension of Secure Shell (SSH) and was introduced in SSH v2 or SSH-2. It is a method for transferring files over SSH, and every SSH server is technically an SFTP server as well.
SFTP uses the same port number as SSH, which is 22 by default. This makes it a popular alternative to the standard File Transfer Protocol (FTP) due to its enhanced security features. These features include public key cryptography, which enables data-in-motion encryption, authentication, digital signing, and data integrity mechanisms.
By using an SFTP server, organizations can ensure that their file transfers are secure and that their data remains protected from unauthorized access. The integration of secure shell into the file transfer process adds an extra layer of security, making SFTP a preferred choice for secure file transfers.
Contents
- Introduction
- Understanding SFTP
- SFTP firewall and NAT traversal issues
- SFTP Port Management
- SFTP Server Configuration
- SFTP Default Port Remote Access
- SFTP port vs HTTP/s
- Why might SFTP fall short as a complete secure file transfer solution as file transfer volumes increase?
- How does an SFTP server authenticate with a client?
- SFTP port alternative
- Conclusion
SFTP firewall and NAT traversal issues
Typically, internet service providers block SFTP ports to prevent security and malware issues by preventing file access over those ports. SFTP requires port 22 or 990 to be open, which leaves the host exposed to malware, including infamous offenders such as WannaCry, Sasser, Nimda, Petya/NotPetya, and more.
If SFTP ports are open, an infected computer will search its Windows network for server shares accepting traffic on TCP port 22 or 990, indicating that the system is configured to run SFTP. While modern Web Application Firewalls (WAFs) can be tuned to monitor HTTP traffic, SFTP traffic is not as easily monitored.
SFTP transfers data by responding from the server to the client after a PORT command is sent. This is a problem for firewalls that do not allow inbound connections from the Internet to internal hosts. It is a particular problem with Microsoft IIS, which responds on a random port.
The two approaches to solving this problem are to configure the SFTP server to use the PASV command, or to use an application-level gateway that rewrites the port values.
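The section above notes that SFTP traffic is harder to monitor than HTTP. What is available on the server side is the log written by OpenSSH's sshd, which records every authentication attempt and every SFTP subsystem request. The following is an added example, not code from the original post, that parses constructed sample log lines (the host name, user names, addresses and fingerprint are invented), counts failed logins per source address to flag password guessing, and lists sessions that were accepted with a password rather than a key, which a key-only policy would want to surface. The threshold of five failures is an assumed policy value.

```python
import re
from collections import defaultdict

# Constructed sample lines in the syslog format written by OpenSSH's sshd.
# Host name, user names, addresses and the fingerprint are all invented.
SAMPLE_AUTH_LOG = """\
Mar  3 10:01:12 sftp01 sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
Mar  3 10:01:14 sftp01 sshd[2203]: Failed password for invalid user test from 198.51.100.7 port 51030 ssh2
Mar  3 10:01:15 sftp01 sshd[2205]: Failed password for root from 198.51.100.7 port 51041 ssh2
Mar  3 10:01:17 sftp01 sshd[2207]: Failed password for root from 198.51.100.7 port 51050 ssh2
Mar  3 10:01:19 sftp01 sshd[2209]: Failed password for root from 198.51.100.7 port 51061 ssh2
Mar  3 10:02:30 sftp01 sshd[2215]: Accepted publickey for alice from 203.0.113.9 port 40211 ssh2: ED25519 SHA256:CONSTRUCTEDFINGERPRINT
Mar  3 10:02:31 sftp01 sshd[2215]: subsystem request for sftp by user alice
Mar  3 10:03:02 sftp01 sshd[2220]: Failed password for bob from 203.0.113.9 port 40300 ssh2
Mar  3 10:03:05 sftp01 sshd[2222]: Accepted password for bob from 203.0.113.9 port 40305 ssh2
"""

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)
SFTP_RE = re.compile(r"sshd\[\d+\]: subsystem request for sftp by user (?P<user>\S+)")


def summarize_auth_log(text):
    """Reduce sshd log lines to per-source failure counts, accepted logins and SFTP users."""
    failed_by_ip = defaultdict(int)
    accepted = []  # (user, ip, method)
    sftp_users = set()
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failed_by_ip[m["ip"]] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted.append((m["user"], m["ip"], m["method"]))
            continue
        m = SFTP_RE.search(line)
        if m:
            sftp_users.add(m["user"])
    return {"failed_by_ip": dict(failed_by_ip), "accepted": accepted, "sftp_users": sftp_users}


def flag_password_guessing(summary, threshold=5):
    """Source addresses with at least `threshold` failed logins (threshold is an assumed policy)."""
    return sorted(ip for ip, n in summary["failed_by_ip"].items() if n >= threshold)


def password_logins(summary):
    """Logins accepted with a password; on a key-only SFTP host this list should be empty."""
    return [(user, ip) for user, ip, method in summary["accepted"] if method == "password"]


if __name__ == "__main__":
    s = summarize_auth_log(SAMPLE_AUTH_LOG)
    print("failed logins per source:", s["failed_by_ip"])
    print("password guessing from:", flag_password_guessing(s))
    print("password logins:", password_logins(s))
    print("users who opened SFTP:", sorted(s["sftp_users"]))
```

On a real host the same functions can be fed the output of journalctl -u ssh or /var/log/auth.log; the regular expressions only depend on the message text sshd writes, not on the syslog prefix.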
SFTP Port Management
SFTP uses TCP port 22 as its default port number. However, it is possible to assign a different port number for the SFTP service. Changing the default SFTP port number can be done for security reasons or to reduce the complexity of network maintenance. For instance, using a non-standard port can help obscure the service from potential attackers who scan for default ports.
However, it is essential to note that changing the port number requires updating firewalls, clients, and servers, which can add complexity to network maintenance. Proper port management is crucial for maintaining the security and efficiency of your SFTP connections.
By carefully selecting and managing port numbers, organizations can enhance their security posture while ensuring smooth and reliable file transfers.
SFTP Server Configuration
Configuring an SFTP server involves several steps, including setting up the SSH server configuration file, sshd_config. This file contains settings for the SSH server, including the port number, authentication methods, and encryption algorithms.
To change the SFTP port on either Windows or Linux, the sshd_config file needs to be modified and the SSH service restarted. Proper configuration of the SFTP server is essential for ensuring secure and efficient file transfers.
By carefully setting up the SSH server configuration file, organizations can customize their SFTP server to meet their specific security and operational requirements.
This includes selecting the appropriate port number, enabling strong authentication methods, and choosing robust encryption algorithms to protect data during transfer.
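The two sections above say that sshd_config carries the port, the authentication methods and the SFTP subsystem, and that a changed port has to be reflected in firewalls and clients. The following added example (not from the original post or from OpenSSH itself) puts a deliberately permissive sshd_config beside a hardened one and runs a small auditor over both: it reports the effective listening port so it can be reconciled with firewall rules, and flags password logins, interactive root logins, a missing or external sftp subsystem, and SFTP-only Match blocks that lack a chroot or still allow TCP forwarding. Both configurations are constructed; the group name sftponly, the chroot path and the port 2222 are assumptions, and the default values used when a directive is absent are those of current OpenSSH releases.

```python
import re

# Constructed example of a permissive sshd_config (not taken from the page).
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
Subsystem sftp /usr/lib/openssh/sftp-server
"""

# Constructed hardened counterpart: non-default port, key-only logins,
# and an SFTP-only group confined to a chroot (group name and paths are assumed).
HARDENED_CONFIG = """\
Port 2222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
Subsystem sftp internal-sftp

Match Group sftponly
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
"""

# OpenSSH defaults for the directives checked below (assumed from current OpenSSH releases).
DEFAULTS = {
    "port": "22",
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
}


def parse_sshd_config(text):
    """Split sshd_config into global directives and Match blocks.

    Keys are lowercased because sshd treats them case-insensitively; sshd uses the first
    occurrence of a directive, so later duplicates are ignored here as well.
    """
    global_directives = {}
    match_blocks = []  # list of (criteria, {directive: value})
    current = global_directives
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            block = {}
            match_blocks.append((value, block))
            current = block
        else:
            current.setdefault(key, value)
    return global_directives, match_blocks


def listening_port(text):
    """Effective SSH/SFTP port: the value firewall rules and clients must agree with."""
    global_directives, _ = parse_sshd_config(text)
    return int(global_directives.get("port", DEFAULTS["port"]))


def audit_sshd_config(text):
    """Return (level, message) findings; WARN is a weakness, INFO an operational note."""
    g, blocks = parse_sshd_config(text)
    eff = lambda name: g.get(name, DEFAULTS[name]).lower()
    findings = []
    if eff("port") == "22":
        findings.append(("INFO", "Port is the default 22; if you change it, update firewall rules and every client"))
    if eff("permitrootlogin") == "yes":
        findings.append(("WARN", "PermitRootLogin yes allows interactive root logins"))
    if eff("passwordauthentication") != "no":
        findings.append(("WARN", "PasswordAuthentication is enabled; prefer key-based authentication"))
    if eff("pubkeyauthentication") != "yes":
        findings.append(("WARN", "PubkeyAuthentication is disabled"))
    subsystem = g.get("subsystem", "").split()
    if len(subsystem) < 2 or subsystem[0].lower() != "sftp":
        findings.append(("WARN", "no sftp Subsystem configured; SFTP logins will fail"))
    elif subsystem[1] != "internal-sftp":
        findings.append(("WARN", "sftp Subsystem uses an external binary; internal-sftp is needed for chrooted SFTP-only users"))
    for criteria, block in blocks:
        if block.get("forcecommand") == "internal-sftp":
            if "chrootdirectory" not in block:
                findings.append(("WARN", f"Match {criteria}: ForceCommand internal-sftp without ChrootDirectory"))
            if block.get("allowtcpforwarding", "yes").lower() != "no":
                findings.append(("WARN", f"Match {criteria}: SFTP-only users can still open TCP forwards"))
    return findings


def warnings(text):
    """Only the WARN-level findings."""
    return [msg for level, msg in audit_sshd_config(text) if level == "WARN"]


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: listening port {listening_port(cfg)}")
        for level, msg in audit_sshd_config(cfg):
            print(f"  [{level}] {msg}")
```

After editing the real file, sshd -t validates the syntax before the service is restarted; the auditor above only checks the policy choices, not whether sshd will accept the file.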
SFTP Default Port Remote Access
To facilitate remote access to files, businesses have often granted users access through SFTP servers. This provides some level of remote access; however, the support costs of training users and deploying SFTP client software are extensive.
In addition, SFTP is not easily integrated into existing file servers and Active Directory to present a unified file sharing experience.
When accessing files remotely, users expect to easily reach their existing home drives and department shares over a standard mapped drive that fully supports file locking, Office, and other applications. SFTP was never designed for file sharing or collaboration.
SFTP port vs HTTP/s
HTTP on port 443 is an updated protocol that essentially fixes the bugs in SFTP that made it inconvenient to use for many small transfers.
SFTP uses a stateful control connection which maintains a current working directory and each transfer requires a secondary connection through which the actual data is transferred.
In “passive” mode this additional connection is from client to server, whereas in the default “active” mode it is from server to client. This port change in active mode, together with random port numbers for every transfer, is why firewalls and NAT gateways have such a hard time with SFTP.
Setting up an SFTP control connection can be quite slow compared with HTTP because of the round-trip delays of sending every required command and waiting for a response, so the connection is normally kept open for multiple file transfers rather than being dropped and re-established each time.
HTTP, by comparison, is stateless and multiplexes control and data over a single connection from client to server on well-known port numbers, which pass easily through NAT gateways and are simple for firewalls to manage and scan for security vulnerabilities.
Why might SFTP fall short as a complete secure file transfer solution as file transfer volumes increase?
As the volume of file transfers grows, the limitations of SFTP as a complete file transfer solution become apparent. The increasing demands for onboarding more partners, scaling infrastructure, and resolving technical issues can push the capabilities of SFTP to their limits, potentially overwhelming IT teams.
Additionally, the need for heightened security measures, strict control over file transactions, and robust visibility to comply with security and governance standards may exceed what SFTP alone can offer.
To address these challenges effectively, organizations may find that managed file transfer (MFT) solutions offer a more comprehensive approach. Utilizing a cloud-based service like Thru, which harnesses various protocols such as SFTP among others, can provide enhanced end-to-end security measures, precise tracking mechanisms, detailed logs, and long-term retention settings.
Moreover, MFT solutions like Thru can offer increased availability to ensure that file transfer operations remain seamless even as volumes continue to increase.
How does an SFTP server authenticate with a client?
To authenticate with a client, an SFTP server initiates a three-way TCP handshake to establish a connection. This process ensures that the server and client both have access to the correct port (usually 22) in the transport layer.
Following this verification, the server uses SSH key pair authentication to validate the client’s identity. The SSH key pair consists of a public key (shared between the two parties) and a private key (known only to the authorized client). Once the SSH authentication is successfully completed, the file transfer takes place over an encrypted channel, with data packaged into individual packets.
These packets are transmitted and reassembled at the receiving end to reconstruct the original file securely.
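The section above describes key pair authentication: the server holds the client's public key and only the authorized client holds the private key. On an OpenSSH server the public keys are listed in each user's authorized_keys file, one key per line, so a practical defensive check is to validate those lines before deploying them. The following added example (not from the original post, and not OpenSSH's own code) encodes an Ed25519 public key in the wire format OpenSSH stores, then parses an authorized_keys line back: it separates any options prefix, decodes the base64 blob as length-prefixed SSH strings, and refuses a line whose declared key type disagrees with the type embedded in the blob or whose Ed25519 key is not exactly 32 bytes. The 32 key bytes, the user name and the address in the from= option are constructed, not a real key.

```python
import base64
import struct

# Key types OpenSSH accepts in authorized_keys; the parser looks for the first of these tokens.
KEY_TYPES = {
    "ssh-ed25519", "ssh-rsa",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
}


def _ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length followed by the bytes (RFC 4251)."""
    return struct.pack(">I", len(data)) + data


def encode_ed25519_public_key(raw32: bytes) -> str:
    """Base64 blob for an Ed25519 public key as OpenSSH stores it: type string, then 32 bytes."""
    if len(raw32) != 32:
        raise ValueError("Ed25519 public keys are exactly 32 bytes")
    return base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(raw32)).decode()


def _read_ssh_strings(blob: bytes):
    """Decode a sequence of SSH wire strings, refusing truncated or overlong fields."""
    fields, offset = [], 0
    while offset < len(blob):
        if offset + 4 > len(blob):
            raise ValueError("truncated length prefix")
        (n,) = struct.unpack(">I", blob[offset:offset + 4])
        offset += 4
        if offset + n > len(blob):
            raise ValueError("field runs past end of blob")
        fields.append(blob[offset:offset + n])
        offset += n
    return fields


def parse_authorized_key(line: str) -> dict:
    """Parse one authorized_keys line and verify the encoded blob matches the declared type."""
    tokens = line.strip().split()
    idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
    if idx is None or idx + 1 >= len(tokens):
        raise ValueError("no recognised key type followed by a key blob")
    options, declared, b64 = tokens[:idx], tokens[idx], tokens[idx + 1]
    comment = " ".join(tokens[idx + 2:])
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("key blob is not valid base64") from exc
    fields = _read_ssh_strings(blob)
    if not fields or fields[0] != declared.encode():
        raise ValueError(f"declared type {declared} does not match the encoded type")
    if declared == "ssh-ed25519" and (len(fields) != 2 or len(fields[1]) != 32):
        raise ValueError("ssh-ed25519 blob must carry exactly one 32-byte key")
    return {"options": options, "type": declared, "comment": comment, "fields": len(fields)}


def is_valid_authorized_key(line: str) -> bool:
    """True when the line parses and its blob is consistent with the declared type."""
    try:
        parse_authorized_key(line)
        return True
    except ValueError:
        return False


# Constructed sample: the 32 key bytes are a fixed pattern, not a real key.
CONSTRUCTED_RAW_KEY = bytes(range(32))
SAMPLE_LINE = (
    'from="203.0.113.0/24",no-pty ssh-ed25519 '
    + encode_ed25519_public_key(CONSTRUCTED_RAW_KEY)
    + " alice@laptop"
)
# Same blob, but the line claims it is RSA: the type embedded in the blob disagrees.
MISMATCHED_LINE = "ssh-rsa " + encode_ed25519_public_key(CONSTRUCTED_RAW_KEY) + " alice@laptop"

if __name__ == "__main__":
    print(parse_authorized_key(SAMPLE_LINE))
    print("mismatched line accepted?", is_valid_authorized_key(MISMATCHED_LINE))
```

The options prefix is kept as-is because restrictions such as from= and no-pty are what limit where a stolen private key can be used from, so a review of authorized_keys should list them next to each key rather than discard them.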
SFTP port alternative
The SFTP protocol has existed since 1980 as a mechanism for file transfer. Companies will remain cautious about allowing direct SFTP port access to any internal resource from external networks over the FTP/SFTP protocol, or about taking on its support costs.
Meanwhile, MyWorkDrive already converts Windows-based file shares into file shares that can be securely accessed anywhere over TCP port 443 (https/SSL), using highly encrypted RSA 4096 and TLS 1.2 FIPS-compliant protocols, without the security or training concerns of SFTP.
The MyWorkDrive SFTP port alternative supports remote workers with our secure web browser based access, Windows Mapped Drive, and mobile clients.
Need help planning your SFTP alternative? Schedule a call and we will be happy to help you plan your deployment.
Conclusion
In conclusion, SFTP is a secure file transfer protocol that uses public key cryptography to enable data-in-motion encryption, authentication, digital signing, and data integrity mechanisms. Understanding SFTP port management and server configuration is essential for secure file transfers.
By following best practices for SFTP usage, including establishing consistent naming conventions and folder structures, optimizing file transfer performance, and monitoring and logging all SFTP activities, organizations can ensure the security and integrity of their data.
Proper management of the secure file transfer protocol, along with careful configuration of the SFTP server, can help organizations achieve reliable and secure file transfers, protecting their data from unauthorized access and ensuring compliance with security standards.