SFTP server

On any Keenetic router that supports USB drives, you can enable the built-in SFTP server and set up secure remote access to files on the USB drive via the SFTP protocol (SSH File Transfer Protocol, also known as Secure FTP and SSH FTP). You can set up access to the server from both the local network and the Internet.

The SFTP server is supported by KeeneticOS starting from version 3.4.1.

SFTP is an application-layer protocol for performing file operations over a reliable and secure SSH connection. SFTP has nothing to do with the usual FTP protocol. It provides improved security for data transmission over the Internet by implementing a fully encrypted transport layer. SFTP is a separate protocol and should not be mistaken for FTPS (FTP + SSL), the Simple File Transfer Protocol (which shares the abbreviation SFTP), or FTP via SSH.

Important

  1. You can directly connect to the SFTP server from the Internet if there is a public IP address on the WAN interface of the Keenetic router used to access the Internet.

  2. If you have a private IP address, you can access the SFTP server through an SSTP VPN or OpenConnect VPN connection.

  3. We recommend obtaining a permanent and easy-to-remember domain name for your Keenetic using the KeenDNS service for more convenient use. When enabling KeenDNS, you can connect to the SFTP server in the Direct access mode. Using the Cloud access mode, you can connect to the SFTP server via an SSTP VPN or OpenConnect VPN.

  4. Some ISPs filter incoming user traffic by standard protocols and ports, for example 21 (FTP), 22 (SSH), 23 (Telnet), 25 (SMTP), 1723 (PPTP) and other ports. Make sure the SFTP server operates on a port that your provider does not block.

  5. To operate the SFTP server in the Keenetic router, you should install the SFTP server system component. You can do it on the General System Settings page in the Updates and Component Options section by clicking on the Component options.

    When the SFTP server component is installed, the SSH server component is automatically installed.

After installing the SFTP server component, go to the Applications page of the router's web interface, find the Personal cloud section and click on the header.

A window opens. The main server settings and user management options are presented in the SFTP Settings section.

If you want to access the SFTP server from the external interface, enable the Allow access from the Internet option. You will see the following message: Warning! Enabling internet access for SFTP will enable SSH public access. Click on Confirm.

The SSH port field shows the port number used by the built-in SSH server. By default, the server uses the standard TCP port number 22 for the connection. If necessary, you can change the port number (for example, use 2022). We recommend doing this to improve security, as the standard ports are often exposed to attacks on the Internet.

If the 'Ignore access control' option is enabled, the connection to the SFTP server will be available to all users without authorization. We recommend not using anonymous access but setting up access rights to the SFTP server with authorization (in this case, when connecting to the SFTP server, the user will have to enter a username and a password).

Important

When using authentication, you must configure the access rights to the folders of the USB memory device for the client; otherwise, it will not be possible to connect to the SFTP server.

In the 'Users' subsection, select the accounts that will be granted access to the SFTP server. Here you can add new accounts by clicking the 'Add user' button.

Enable the SFTP option for the user you want to allow remote access via the specified protocol. Then click Select directory and choose a folder on the USB disk. For example, you can choose a personal folder for each account. You can set up either read and write or read-only access rights for the user, depending on the task. You can do this by following the instructions in Folder permission control on a USB drive.

Important

There is no need to create port or firewall redirection (forwarding) rules to access the SFTP server. The system will automatically create the necessary rules and allow access.

Go back to the Applications page. By default, the SFTP server is disabled. To enable the server, put the switch in the ON state.

Now, using an account with the rights to access the SFTP server (we use admin in our example), you can access the files of a disk connected to the router's USB port from the Internet.
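A client-side check of the port settings described above, as an added example that is not part of the original manual: it reads the SSH identification string from each port you list, so you can confirm that the configured SSH port (for example, 2022) answers and see whether port 22 does too. The `fake_ssh_listener` helper and its banner are constructed stand-ins for the router so the script runs offline.

```python
import socket
import threading

def read_ssh_banner(host, port, timeout=3.0):
    """Return the SSH identification string sent by host:port, or None.

    None covers closed, filtered, timed-out and non-SSH ports alike.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            data = b""
            while len(data) < 4096:  # cap what an unknown service can feed us
                chunk = sock.recv(256)
                if not chunk:
                    break
                data += chunk
                # RFC 4253 section 4.2: other lines may precede the
                # identification line, which itself starts with "SSH-".
                for line in data.split(b"\n")[:-1]:  # complete lines only
                    if line.startswith(b"SSH-"):
                        return line.rstrip(b"\r").decode("ascii", "replace")
    except OSError:  # refused, unreachable or timed out
        return None
    return None

def probe_ports(host, ports, timeout=3.0):
    """Map each port to the SSH banner seen from this client, or None."""
    return {port: read_ssh_banner(host, port, timeout) for port in ports}

def fake_ssh_listener(banner=b"SSH-2.0-constructed_example\r\n"):
    """Constructed stand-in for the router: one-shot listener on loopback."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))  # port 0 = let the OS pick a free port
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn, srv:
            conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    port = fake_ssh_listener()
    # Against your own router, pass its address and e.g. [22, 2022] instead.
    print(probe_ports("127.0.0.1", [port]))
```

A `None` result only says that no SSH banner arrived from where the check was run; run it once from the local network and once from an outside connection to tell a disabled server apart from a filtered port.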

For a secure and encrypted connection to the SFTP server, you need an SFTP client or a file manager with SFTP protocol support on your mobile device or computer. For example, you can use mobile applications such as Cx Explorer, File Manager+ and others, or computer programs such as FileZilla Client, WinSCP, etc.

Here is an example of a connection to the SFTP server on a Keenetic device.

Important

In our example, we use the private IP address of the SFTP server. If you configure your access to the server from the Internet, then in the Host field, you need to specify a public IP address on the router's external interface or the router's domain name registered with KeenDNS or DynDNS.

Run the Cx Explorer application on your Android mobile device.

Add a connection on the Network tab.

Go to the Remote tab and select the SFTP protocol.

Specify the router's IP address in the Host field (for access from the Internet, it is a WAN IP address, and for access from the local network, it is a LAN IP), the SSH port number, and the username and password of the router user account.

Important

To connect to the router via third-party applications, we recommend creating a separate user account, only allowing access to the SFTP server. For security reasons, do not use the router's administrator account; specify a user account with restricted rights.

Press OK to continue.

If the connection is successful, you will see the folders and files on the USB drive.

You can also use any file manager or client with SSH FTP protocol support on your computer.

Here is an example of a connection using FileZilla and WinSCP programs:

[Screenshots: FileZilla and WinSCP]