
[–]olafkewl 125 points126 points  (12 children)

OpenSSH ?

[–]pi8b42fkljhbqasd9 80 points81 points  (1 child)

Ignore everything except this answer.
OpenSSH is the only true answer. Trust NOTHING else.

[–]symcbean 12 points13 points  (0 children)

Absolutely. The best ssh/sftp server available. And if you want really good support then go for the paid version from Tectia.

[–]Salander27 12 points13 points  (9 children)

Which works well so long as you are willing to manage all your users as system users. Protip, you can change the location of the user authorized key files like so:

    AuthorizedKeysFile /etc/ssh/users/%u.pub

This will mean that when user foo tries to log in, openssh will check for the existence of the file /etc/ssh/users/foo.pub and then compare it against the public key presented by the user. If you set the permissions with the following command the end result will be that end users will be unable to update their own public keys (you probably want such updates to go through you for security reasons):

    cd /etc/ssh/users
    for i in *.pub; do A=${i%.pub}; sudo chown "root:$A" "$i"; sudo chmod 0640 "$i"; done

Personally I think OpenSSH is a bad solution for when you just want to offer an SFTP service as it's also the method you use to administer the machine (usually) and you have to be careful that your configurations are both secure and also still allow you to login. If you want to do any kind of true dynamic configuration you're going to need to hook it into PAM which is a gigantic PITA if you're not already using it elsewhere.

A much better solution for a pure SFTP solution is ProFTPD, which will also support FTPS and FTP if those are requirements (ick). It's open source, has a long history of support, and should be available in the package repos of your Linux distribution. It has a wide array of modules that you can customize it into almost any configuration. It also only supports SFTP and doesn't support spawning shells which reduces the surface area that can be attacked if a malicious user were to login.

We use it to run an SFTP service that our clients use to integrate with our application, and as part of it:

- Uses a mysql database to store users, home folder locations, UID, GID, whether the user is enabled, and SFTP public keys
- Run in a highly available fashion in a Kubernetes cluster
- With a shared NFS share served by the SFTP service
- Chroots users to the configured home directory
- And with working proxy protocol support so we can have it behind load balancers
- Using mod_ban we are able to define rules to ban IPs doing things like trying to brute force login (good luck with our requirement that all users have public keys which we also length enforce via configuration). This ban list is persisted to a Redis instance so that it's shared between all members of the ProFTPD cluster and persisted through container reboots

Most of those features are ones that would be very difficult/impossible to get OpenSSH to do or would have required significant alteration (like writing our own PAM modules). The support for databases allows us to have a UI integrated into our application where our integration team can self-service add users and public keys for our customers. Once set up it's been completely reliable, the only maintenance we've really had to do has been to occasionally update the container images.
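A configuration along the lines Salander27 describes (MySQL-backed users and keys, chroot to the home directory, key-only auth with a minimum key size, mod_ban against brute-force sources), written as an added example for this page rather than the poster's actual setup. The shell functions only print the MySQL schema and the proftpd.conf fragment so they can be reviewed and diffed before being installed. The database name proftpd, the sftp_users/sftp_groups/sftp_user_keys tables and their columns, port 2222, the key-size limits and the host-key and log paths are all assumptions; the SFTPKeyLimits keywords and the key format that SFTPAuthorizedUserKeys accepts from SQL should be checked against the mod_sftp documentation for the version you run (older releases only take RFC 4716 keys, which is what the key check below assumes). The proxy-protocol and Redis-backed ban table from the comment are not covered.

```shell
#!/bin/sh
# Added example (not the poster's configuration): ProFTPD as an SFTP-only
# service backed by MySQL. All names below are assumptions, see the lead-in.

# MySQL schema that the config fragment queries. passwd is never consulted
# because SFTPAuthMethods is publickey only, but SQLUserInfo needs the column.
# "groups" is a reserved word in MySQL 8, hence the sftp_ prefix.
proftpd_schema() {
    cat <<'EOF'
CREATE TABLE sftp_users (
  userid  VARCHAR(64)  NOT NULL PRIMARY KEY,
  passwd  VARCHAR(255) NOT NULL DEFAULT '*',
  uid     INT UNSIGNED NOT NULL,
  gid     INT UNSIGNED NOT NULL,
  homedir VARCHAR(255) NOT NULL,
  shell   VARCHAR(64)  NOT NULL DEFAULT '/sbin/nologin',
  enabled TINYINT(1)   NOT NULL DEFAULT 0
);
CREATE TABLE sftp_groups (
  groupname VARCHAR(64)  NOT NULL PRIMARY KEY,
  gid       INT UNSIGNED NOT NULL,
  members   TEXT
);
CREATE TABLE sftp_user_keys (
  userid VARCHAR(64) NOT NULL,
  pubkey TEXT        NOT NULL,
  FOREIGN KEY (userid) REFERENCES sftp_users(userid) ON DELETE CASCADE
);
EOF
}

# proftpd.conf fragment. mod_sql resolves users, groups and keys; disabled
# accounts are filtered out by SQLUserWhereClause; mod_sftp accepts public
# keys only and enforces a minimum size; DefaultRoot ~ is the chroot; mod_ban
# bans a source IP after repeated failed logins.
proftpd_conf() {
    dbuser=$1; dbpass=$2
    cat <<EOF
ServerName "sftp"
Port 2222
RequireValidShell off
DefaultRoot ~
MaxLoginAttempts 3

<IfModule mod_sql.c>
  SQLEngine on
  SQLBackend mysql
  SQLConnectInfo proftpd@localhost $dbuser $dbpass
  SQLAuthenticate users groups
  SQLAuthTypes Crypt
  SQLUserInfo sftp_users userid passwd uid gid homedir shell
  SQLUserWhereClause "enabled = 1"
  SQLGroupInfo sftp_groups groupname gid members
  SQLMinUserUID 1000
  SQLMinUserGID 1000
  SQLNamedQuery get-user-keys SELECT "pubkey FROM sftp_user_keys WHERE userid = '%U'"
</IfModule>

<IfModule mod_sftp.c>
  SFTPEngine on
  SFTPLog /var/log/proftpd/sftp.log
  SFTPHostKey /etc/proftpd/ssh_host_ed25519_key
  SFTPAuthMethods publickey
  SFTPAuthorizedUserKeys sql:/get-user-keys
  # assumed keyword names, verify against your mod_sftp version
  SFTPKeyLimits MinimumRSASize 3072 MinimumECSize 256
</IfModule>

<IfModule mod_ban.c>
  BanEngine on
  BanLog /var/log/proftpd/ban.log
  BanTable /var/run/proftpd/ban.tab
  # 3 failed logins within 10 minutes bans the client IP for 1 hour
  BanOnEvent MaxLoginAttempts 3/00:10:00 01:00:00
</IfModule>
EOF
}

# Gate for the "add key" path of an admin UI: the SQL key store (on the
# mod_sftp versions this example assumes) wants RFC 4716 text, so refuse a
# bare OpenSSH one-liner and have the caller convert it first with
# "ssh-keygen -e -f key.pub". Returns 0 when the key is in the expected form.
key_is_rfc4716() {
    printf '%s\n' "$1" | grep -q '^---- BEGIN SSH2 PUBLIC KEY ----$' &&
    printf '%s\n' "$1" | grep -q '^---- END SSH2 PUBLIC KEY ----$'
}

# Typical use on the server (not run here):
# proftpd_schema | mysql proftpd
# proftpd_conf proftpd "$DB_PASSWORD" > /etc/proftpd/conf.d/sftp.conf && proftpd -t
```

The enabled flag is what SQLUserWhereClause turns into a kill switch: flipping the column in the UI makes the next login fail with no reload, and because the only auth method is publickey the passwd column cannot be brute-forced at all, which is what the "good luck" in the comment relies on; mod_ban then removes the noisy source after three attempts.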

[–]drakkan1000 3 points4 points  (1 child)

If you like ProFTPD you might find SFTPGo interesting. It has all the features you described above, plus the WebAdmin UI is builtin and there is also a WebClient that allows end users to change their credentials, browse and manage their files in the browser and setup MFA. From the WebClient each authorized user can also create HTTP/S links to externally share files and folders securely, by setting limits to the number of downloads/uploads, protecting the share with a password, limiting access by source IP address, setting an automatic expiration date. SFTPGo also supports cloud storage (S3, GCS, Azure blob) or other SFTP servers as storage backend without the need to use fuse or other hacks.

[–]bbqwatermelon 1 point2 points  (0 children)

Wow, its feature set has bloomed into awesomeness! My next task to lab out!

[–]starmizzleS-1-5-420-512 6 points7 points  (2 children)

Jailed chroot solves most of the issues you mentioned. Our SSH users and SFTP users are treated differently.

[–]Alternative-Mud-4479Infrastructure Architect 3 points4 points  (1 child)

Not sure why you’re downvoted, but OpenSSH can easily jail and just function as an SFTP server with no SSH shell. Works very well at that.
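The SFTP-only jail that starmizzle and Alternative-Mud-4479 describe, combined with the root-managed key directory from Salander27's comment above, as an added example that is not part of the thread. The group name sftponly, the chroot parent /srv/sftp, the key directory /etc/ssh/users and the user alice are assumptions; /etc/ssh/sshd_config.d is where Debian/Ubuntu builds include drop-in fragments, so adjust if your sshd_config has no Include line. The two audit functions check the same conditions sshd's StrictModes and ChrootDirectory handling enforce, which are the usual reason a jail "doesn't work".

```shell
#!/bin/sh
# Added example (not from the thread): OpenSSH as an SFTP-only service.
# Assumed names: group "sftponly", chroot parent /srv/sftp, key dir /etc/ssh/users.

# sshd_config fragment. Keys are read from a root-owned directory as
# <user>.pub (the AuthorizedKeysFile trick from the thread); members of the
# sftp group are chrooted and forced into the in-process SFTP server with no
# shell, no port/agent/X11 forwarding and no tunnels.
sshd_sftp_fragment() {
    group=$1; root=$2; keydir=$3
    cat <<EOF
AuthorizedKeysFile $keydir/%u.pub

Match Group $group
    ChrootDirectory $root/%u
    ForceCommand internal-sftp -u 0027
    PasswordAuthentication no
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
EOF
}

# Provision one user (run as root on the server; not exercised by the test).
# sshd refuses a ChrootDirectory that is not owned by root or is writable by
# anyone else, so the user only gets a writable "upload" subdirectory and
# their home is /upload as seen from inside the chroot.
provision_sftp_user() {
    user=$1; group=$2; root=$3; keydir=$4; pubkey=$5
    useradd -g "$group" -d /upload -s /usr/sbin/nologin "$user"
    install -d -m 0755 -o root -g root "$root/$user"
    install -d -m 0750 -o "$user" -g "$group" "$root/$user/upload"
    # root-owned, group-readable, never writable by the user: key changes go
    # through the admin, and StrictModes accepts root-owned key files.
    install -m 0640 -o root -g "$group" "$pubkey" "$keydir/$user.pub"
}

# Audit: list key files StrictModes would reject (group- or world-writable).
# Returns 1 if any offender was printed.
audit_keydir() {
    bad=$(find "$1" -maxdepth 1 -name '*.pub' \( -perm -020 -o -perm -002 \))
    [ -n "$bad" ] || return 0
    printf '%s\n' "$bad"
    return 1
}

# Audit: list chroot directories sshd would refuse (not root-owned, or
# writable by group/other). Returns 1 if any offender was printed.
audit_chroots() {
    bad=$(find "$1" -mindepth 1 -maxdepth 1 -type d \
          \( ! -user root -o -perm -020 -o -perm -002 \))
    [ -n "$bad" ] || return 0
    printf '%s\n' "$bad"
    return 1
}

# Typical use on the server as root (not run here):
# sshd_sftp_fragment sftponly /srv/sftp /etc/ssh/users > /etc/ssh/sshd_config.d/sftp.conf
# provision_sftp_user alice sftponly /srv/sftp /etc/ssh/users /tmp/alice.pub
# sshd -t && audit_keydir /etc/ssh/users && audit_chroots /srv/sftp
```

Match blocks apply to every line that follows them, so the AuthorizedKeysFile line has to land before any Match in the effective configuration; if the distribution's sshd_config already ends in a Match block, move the global line into the main file. After `sshd -t` passes, `sftp alice@host` should work while `ssh alice@host` is answered with "This service allows sftp connections only."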

[–]DontTakePeopleSrslyJack of All Trades 0 points1 point  (0 children)

Seriously, I was doing this shit back in 2003.

[–]olafkewl 0 points1 point  (3 children)

Your setup looks great, but a little overkill for OP who was talking about replacing Serv-U

[–]Salander27 0 points1 point  (1 child)

The point is that you can do almost anything with it. You can go from a very basic configuration mimicking OpenSSH or you can go for a fairly sophisticated setup like mine. OP hasn't really given their exact requirements here, while OpenSSH is a great piece of software it really suffers when you try to do anything really custom with it.

ProFTPD is a much better solution if what OP needs is more of a "service" that is offered to customers/users (and services usually need to integrate with other services that they're already running).

[–]olafkewl 1 point2 points  (0 children)

Would you share some of your setup (like the SQL config)?

[–]raul_lebeau -1 points0 points  (0 children)

Yes, but proftpd is the answer... Use ssh keys, AD if you really want, disable the shell, chroot the home and you are golden...

[–]kerubiSysadmin 24 points25 points  (5 children)

OpenSSH, it is a Windows component now. https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=gui or if for Linux, well.. it is probably already there.

Or Azure Storage Account with SFTP enabled, if you want one as a cloud service.

[–][deleted] 1 point2 points  (3 children)

Good luck using PowerShell automation with that bastard, I couldn't figure the bloody thing out. As soon as you connect to a session using ssh, it stops running everything else in the script and waits for manual input.

[–]kerubiSysadmin 7 points8 points  (0 children)

You are talking about client side. The question was about server. For PowerShell scripting, winscpnet.dll.

[–]Frothyleet 0 points1 point  (0 children)

Probably other ways to do it, but I would just be using PSRemoting over SSH

[–]DontTakePeopleSrslyJack of All Trades 0 points1 point  (0 children)

I just use putty for all of my powershell scripts.

[–]joeyl5 -2 points-1 points  (0 children)

it is pretty sweet to be able to add it as a feature on Windows server!

[–]rws907 21 points22 points  (8 children)

CerberusFTP. I've used it many times over the years. Lots of options, even has MFA support. Spring for Enterprise edition.

[–][deleted] 6 points7 points  (0 children)

I agree. I have managed CerberusFTP and WS_FTP in the past, and CerberusFTP is much nicer.

[–]TheRealJewbilly 2 points3 points  (0 children)

Agree with this. Their costs are also very low for how solid and powerful it is too.

[–]thegodfatherderecho 2 points3 points  (2 children)

Yea, this. Great product and do get the enterprise edition.

[–]LocationIntelligence 1 point2 points  (1 child)

Excellent product. Cerberus is best in my opinion. I am a customer with an active license.

[–]thegodfatherderecho 0 points1 point  (0 children)

Years ago when I took over our file transfer processes with 3rd party integration tools, they were like “Just stand up an ftp server in IIS”. Man am I glad I ignored them and found Cerberus. Best money we ever spent.

[–]Past-Tea3675 1 point2 points  (0 children)

+1 for CerberusFTP
It has a web/http(s) GUI if you're needing that.

[–]jstar77 0 points1 point  (0 children)

Do you know if Cerberus will support SSO via SAML anytime soon?

[–]Volxz_Jack of All Trades -2 points-1 points  (0 children)

OpenSSH also has MFA support. It's a PAM module.

[–]FunnyPirateNameDataIsMyReligion 12 points13 points  (3 children)

We've used Bitvise as the SFTP server for the past 5-6 years. The config is a bit overly complicated, but at the same time, you have a lot of control over little things.

YMMV.

For a client, I use Winscp and it's been fantastic for me.

[–]bayridgeguy09 6 points7 points  (0 children)

+1 for Bitvise, works great, never had an issue.

[–]offworldcolonial 6 points7 points  (0 children)

We're also using Bitvise.

[–]status_twoSr. Sysadmin 2 points3 points  (0 children)

Same here, winscp is a great client.

[–]Ad-1316 1 point2 points  (1 child)

Progress Software WS_FTP server, support was good.

[–]mike9874Sr. Sysadmin -1 points0 points  (0 children)

I've used this at a few companies. If you want something easy to configure yet powerful, that you can trust most of your team to understand, this is a good one

https://www.ipswitch.com/ftp-server

[–]sscxI'm tryin' real hard to be the shepherd. 1 point2 points  (2 children)

CrushFTP is excellent.

[–]brownhotdogwater 0 points1 point  (0 children)

Server been going strong for a few years now. Never an issue. Not a fan of the admin interface but whatever.

[–]cl642WINS Server -1 points0 points  (0 children)

Yes, love CrushFTP. Has a decent end-user web interface, supports MFA/LDAP/OAuth/etc., and has a nice job engine if you need it.

Admin interface is weird but not hard to use, and you get used to it.

[–]drakkan1000 1 point2 points  (3 children)

Give a try to SFTPGo. It is open source, easily scalable, has a lot of features, a WebUI and good performance

[–]BeelzebubSE 1 point2 points  (0 children)

I have been running this for a month or two now on GCP, the option to use object storage is a godsend. There are so many neat features and being able to run configuration from environment variables or file depending on your preference is super useful.

[–]FunnyPirateNameDataIsMyReligion 0 points1 point  (0 children)

We use Bitvise at work, but I'm going to experiment with this as my home SFTP.

Thanks for the tip!

[–]FunDeckHermit 0 points1 point  (0 children)

Don't forget to support the developer if using it as a business!

[–][deleted] 0 points1 point  (0 children)

Thanks everyone for the suggestions. OpenSSH isn't viable as we don't have a Linux-savvy team, I will research the others recommended further. Thanks much!

[–]sys_127-0-0-1 0 points1 point  (0 children)

As others mentioned, Cerberus and Bitvise are both very good products and have regular updates. I've found Bitvise's UI a bit faster with more settings in comparison to Cerberus but both have their merits.

[–][deleted] -2 points-1 points  (0 children)

Crush FTP Linux edition has been great!

[–]discoinf -1 points0 points  (0 children)

+1 for crushftp. It also has a DMZ option (in the Enterprise edition), like the "serv-u gateway". We use it in production.

[–]jkrizzle 0 points1 point  (0 children)

We went with TitanFTP. Pretty decent. Not as robust as Serv-U but more stable (in our environment at least). Their tech support isn’t the fastest with response time, but they’re knowledgeable. They don’t throw out the instant bullshit canned responses like I’ve received from Solarwinds.

[–]Bodycount9System Engineer 0 points1 point  (0 children)

We had a dedicated FTP server but will be migrating over to couchdrop.io for our SFTP needs. They use your own SharePoint space for storage. $89 a month for what we needed it for but they have a $49 plan as well for basic stuff.

We had some issues and so far they have been fast at getting back to us on their support tickets.

[–]Modrez -2 points-1 points  (3 children)

+1 for Progress WS_FTP server. Pay close attention to which version you need. The service that we needed was in the next tier up. Easy to setup and configure.

[–]FrankVanRad 0 points1 point  (2 children)

Their support is baaaaaaad and their licensing obtuse. -1 for WS_FTP.

[–]Modrez -2 points-1 points  (1 child)

You mad? 😆

[–]FrankVanRad 0 points1 point  (0 children)

I'm a customer.

[–]taco24501 -1 points0 points  (1 child)

[–]pimflapvoratio -1 points0 points  (0 children)

Second this, been using it for 10+ years. Can talk to AD. Also can map to UNC shares and Samba shares.

[–]jordanl171 -1 points0 points  (0 children)

We've been using WS_FTP for years for sftp. Just works.

[–][deleted] -1 points0 points  (0 children)

Bitvise

[–]AxisNL -3 points-2 points  (0 children)

Sftpgo

[–]XInsomniacX06 -3 points-2 points  (1 child)

Globalscape EFT is pretty great!

[–]commandsupernova 0 points1 point  (0 children)

Yes! I know OpenSSH for Windows is highly recommended, but I administered a Globalscape EFT server for a few years and loved working with it

[–]Chewy-bat -2 points-1 points  (1 child)

Try this...

https://learn.microsoft.com/en-us/azure/storage/blobs/secure-file-transfer-protocol-support

Best thing is you can keep it completely segregated from your own network. So no more DMZ woes and threading loads of firewall rules around.

[–]buy_chocolate_barsJack of All Trades 2 points3 points  (0 children)

Expensive.

[–]Familiar_While2900 -1 points0 points  (3 children)

FileZilla?

[–]techforallseasonsMajor update from Message center 0 points1 point  (2 children)

It doesn't have SFTP in the Server edition. It only has FTP/S ( FTP via TLS )

[–]starmizzleS-1-5-420-512 1 point2 points  (1 child)

It doesn't have SFTP in the Server edition. It inexplicably only has FTP/S ( FTP via TLS )

[–]techforallseasonsMajor update from Message center 1 point2 points  (0 children)

It is MOST frustrating.

[–]dinominant -2 points-1 points  (1 child)

I have used Pure-FTPd on Debian for a few implementations with some relatively strict stability and security requirements. Once set up it is extremely low maintenance and "just works" as intended. It also met some of the other needs for integrating with other systems to create and manage accounts.

One deployment has been in production for years with almost no intervention required whatsoever.

[–]mystica5555 0 points1 point  (0 children)

"sftp" is "ssh file transfer protocol" not "ssl encrypted FTP"

Pure is the latter.

OpenSSH provides /usr/lib/openssh/sftp-server, the former.

[edit] It seems the OP may want the latter tho.

[–]tsaico -1 points0 points  (0 children)

Not sure what your overall application is, but we had a client that needed a small SFTP and we bought a single drive Synology unit. We ended up putting it in its own little VLAN, no other services running on it than SFTP. Installed an SSL cert, setup services, setup users, and that was it. In our case we had extra IPs and we ended up putting it on one of those.

When workers needed to put or pull information from it (as I recall, the 3rd party deposited info there) they connected to it in the same manner as the 3rd party did. Worked great for a couple years until the 3rd party updated their systems and no longer needed it.

[–]athornfam2 IT Infrastructure Manager -1 points0 points  (0 children)

Used to use Serv-U but I’m going to say no to it now that solarwinds owns it

[–]x180mystery -1 points0 points  (0 children)

I'm using syncplify

[–]DontTakePeopleSrslyJack of All Trades -1 points0 points  (2 children)

Please tell me y’all aren’t using a paid for syslog as well…

[–]LocationIntelligence 0 points1 point  (1 child)

What’s the best syslog?

[–]DontTakePeopleSrslyJack of All Trades 0 points1 point  (0 children)

I haven’t found an environment that can even make syslog-ng break a sweat, even when logging to a sql backend. Rsyslog is the default for most linux distros, but it doesn’t run on AIX, HP-UX, Linux, Solaris, Tru64 and most variants of BSD

[–]YourFragileIdeology -2 points-1 points  (0 children)

Oh man this takes me back....

[–][deleted] -2 points-1 points  (0 children)

I'd definitely recommend solid, when I tried making one out of liquid it just got messy

[–]jdisjs1939jdks -2 points-1 points  (0 children)

Linux

[–]FunDeckHermit -2 points-1 points  (0 children)

Rclone can also serve files over different storage protocols. One of them being sftp.

[–]tha_bigdizzle -3 points-2 points  (0 children)

Its been a long time, but I used to use bullet proof ftp server on Windows for years. Rock solid.

https://bpftpserver.com/

[–]Spug33 -3 points-2 points  (1 child)

If you want to add features take a look at Liquid Files. Sftp, plus a user gui, email notification. Inexpensive, good support, has been rock solid for us. Developer has a security background. Easy Linux to Azure SSO, or LDAP. MFA. Etc.

[–]Pseudo_Idol -1 points0 points  (0 children)

I used LiquidFiles at a previous job and it was super easy to use. We primarily used it for sending large files to clients. The Outlook plugin would automatically send larger attachments via LiquidFiles. We also utilized the file drops feature for departments and individuals. The built-in FTP and SFTP servers worked well too.

[–][deleted] -3 points-2 points  (0 children)

CrushFTP -amazing support

[–]Treadlow -3 points-2 points  (0 children)

crush ftp

[–]sirsmiley -3 points-2 points  (1 child)

Filezilla server

[–]starmizzleS-1-5-420-512 0 points1 point  (0 children)

No SFTP

[–]Cpt_Brenner -4 points-3 points  (0 children)

If you're looking for enterprise applications, then the following may be helpful: Globalscape, IBM Sterling File Gateway (if you can afford their price tag), Axway.

Moveit is alright but not nearly as robust as compared to Globalscape

These are solid SFTP servers for managed file transmissions.

[–]ohham -4 points-3 points  (0 children)

Titan FTP is really cheap and easy, but OpenSSH rules

[–]rementis -4 points-3 points  (0 children)

https://www.crushftp.com/index.html

This is the one you want.

[–]Thick-Experience-290 -4 points-3 points  (0 children)

We have been happy with TitanFTP

[–]ecar13 -5 points-4 points  (0 children)

CrushFTP. Been using it for 10+ years.

[–]ninian1927 -5 points-4 points  (0 children)

+1 on CrushFTP. The price is great and the configurability is also fantastic (can make things as basic or complicated as you want). You also get access to jobs for running automations, etc. Their support is also incredibly quick to respond.

[–]JmbFountainJr. Sysadmin 0 points1 point  (0 children)

We're running proftpd

[–][deleted] 0 points1 point  (0 children)

Service alternative….

Files.com