Does or can the configuration disallow ssh sessions or other execution?

[logicallabs-deploy]

Very interesting project.

I am trying to consider security risks and what we can do to mitigate them to allow this to be on our server, in a docker container, in a production environment where currently we block any outside traffic that is not http/https.

If setting up sftp manually from scratch directly on the host or in a container to achieve this, we would configure typical sftp-only type measures to block ssh session usage.

If we spin up the docker image that will run sftpgo and we use a special unique port in our firewall to use for sftp/scp traffic that the container will bind to on the host specifically, will sftpgo's handling (or whatever else is supporting it in the docker container) of ssh be able to be configured (if it is not already) to allow sftp/scp (or other ssh-non-execute-based commands) only and specifically not allow a regular ssh session (or other risky capabilities) over that port from the sftpgo service listening on that port?

If so, is this documented or explainable? If not, is it something that can be added or controlled with additional coding?

Thanks for any input / feedback / guidance.

[drakkan]

Hi,

SFTPGo is an SFTP server, shell access is not supported at all, some SSH commands are supported but they can be disabled within the configuration file.

Please search enabled_ssh_commands here or take a look at the configuration file

[logicallabs-deploy]

Great - that sort of explanation and configurability is exactly what I was hoping to find.

As we dive in, I hope to learn more and think of what other security related protections and measures we will be able to take advantage of in sftpgo. Opening up a new non web based traffic on a server is step that needs to be considered carefully.

Is there such a thing as protection that a WAF gives for HTTP/S traffic (like DDOS protection), but for SSH/SFTP/SCP traffic?

[drakkan]

We have a built-in defender