OpenSSH server
Written in plain C, OpenSSH is the de facto open source SSH implementation, shipping with virtually every Linux distribution and cloud server vendor. Its built-in SFTP subsystem, enabled by default, makes it the most widely deployed SFTP server solution. Key points:
- Prevalence: Installed by default on most servers
- Security: Battle-tested codebase with a strong security track record. Critical vulnerabilities are rare, but when they happen they make front-page news and might result in every sysadmin around the world being paged at 2 AM
- Performance: Lightweight and efficient, it works fine even in low-resource environments and under high throughput.
- Configuration: Highly configurable via sshd_config, there's a ton of control available over SFTP access, chroot jails, ...
- Limitations: Lacks built-in features like quotas, bandwidth throttling, or a GUI; terminal proficiency required
While not flashy, OpenSSH's SFTP server is the benchmark against which all other implementations are measured.
The source code of OpenSSH is available on GitHub.
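To make the Configuration point concrete, here is an added example (not code from OpenSSH or from this page) that audits the `Match` blocks of an sshd_config meant for SFTP-only users and reports which restrictions are missing. The group name `sftponly`, the path `/srv/sftp/%u` and both sample configs are constructed for illustration; the parser assumes whitespace-separated `Keyword value` lines.

```python
# Added example: check that sshd_config Match blocks for SFTP users are locked down.
# Upstream sshd defaults for the directives inspected below.
DEFAULTS = {"chrootdirectory": "none", "forcecommand": "none",
            "allowtcpforwarding": "yes", "x11forwarding": "no"}

def parse(text):
    """Split sshd_config text into (global options, [(match criteria, options)])."""
    global_opts, blocks = {}, []
    current = global_opts
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue  # blank line, comment, or keyword without a value
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            current = {}
            blocks.append((value, current))
        else:
            current.setdefault(key, value)  # sshd keeps the first value it sees
    return global_opts, blocks

def audit(text):
    """Return {match criteria: [findings]} for blocks that chroot or force a command."""
    global_opts, blocks = parse(text)
    report = {}
    for criteria, opts in blocks:
        if "chrootdirectory" not in opts and "forcecommand" not in opts:
            continue  # not an SFTP-restriction block
        eff = {**DEFAULTS, **global_opts, **opts}  # Match values override globals
        findings = []
        if eff["chrootdirectory"].lower() == "none":
            findings.append("no ChrootDirectory: user sees the whole filesystem")
        if not eff["forcecommand"].startswith("internal-sftp"):
            findings.append("ForceCommand is not internal-sftp: session not limited to SFTP")
        for key, label in (("allowtcpforwarding", "AllowTcpForwarding"),
                           ("x11forwarding", "X11Forwarding")):
            if eff[key].lower() != "no":
                findings.append(f"{label} is '{eff[key]}', expected 'no'")
        report[criteria] = findings
    return report

# Constructed sample configs: a chroot-only block, then the same block hardened.
WEAK = """X11Forwarding yes
Match Group sftponly
    ChrootDirectory /srv/sftp/%u
"""
HARDENED = WEAK + ("    ForceCommand internal-sftp\n"
                   "    AllowTcpForwarding no\n    X11Forwarding no\n")
```

The weak block shows why a chroot alone is not enough: without `ForceCommand internal-sftp` and with forwarding left at its inherited value, the account can still be used for more than file transfer.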
SFTPGo
SFTPGo is the most feature-rich SFTP server that exists. Chances are if you're in the market for a cloud SFTP server, it will be what is actually running under the hood. It's highly configurable, supports a range of protocols, SFTP among them, and allows for a wide range of storage backends. It has an API, a web GUI, supports virtual folders, telemetry, hooks, and a lot of other stuff, making it the most advanced SFTP product.
Best of all, the source code of SFTPGo is available on GitHub.
AWS Transfer Family
If you're already an AWS shop, you will have stumbled upon AWS Transfer Family. It's an SFTP server with a few twists in that it integrates well within the AWS ecosystem, with things like Lambda functions for authentication, CloudWatch, etc. Unfortunately, like all other AWS services, it's all closed source. A super important limitation of that service, one their marketing department won't brag about, is that it's the only SFTP server on the market that doesn't support moving things around, as under the hood it's all S3 operations and S3 doesn't support moving things around.
ProFTPd + mod_sftp
ProFTPD is an awesome solution that reminds me a lot of httpd, with its very similar XML-ish configuration syntax and, more importantly, a very wide range of modules to do anything you might want, including changing the default protocol from FTP to SFTP via the `mod_sftp` module. Don't be fooled by the not very modern website design, stamped with a "W3C XHTML 1.0" logo that 15 years ago was a way to brag to your friends that your website was cool. Well, things have changed, but lucky for us, that piece of software was made in C by true wizards who knew enough not to create segfaults, and it has stood the test of time brilliantly, as it is still seeing regular new releases.
Rebex
Rebex is a company that's heavily invested in creating .NET libraries around anything SFTP, from client to server and everything in between. The source code is not open though, and as they only distribute Windows executables and I don't use Windows, I couldn't actually put it on the testbench. If you're a Windows shop running Windows-related workloads and heavily invested in the .NET ecosystem, it might be worth a shot.
They have 2 SFTP server products available:
- Tiny SFTP server: A minimalist SFTP server
- Buru SFTP server: A more complete SFTP server
Test Server
Sometimes you just want to spin up a simple executable to boot up an SFTP server for testing or whatnot. Something you can just execute and kill once your tests are done running, with no setup and no configuration. For those scenarios, this Go program available as a gist will do great: a single file that you can compile and call it a day for these very simple use cases.
SFTP Server FAQ
What is an SFTP server? An SFTP server is a program that implements the SSH File Transfer Protocol. A good starting point to dig into the spec is this RFC.
Are SFTP servers free? While the specs that all servers must follow are 100% free, some SFTP servers are open source and some are closed source. Some closed source solutions are free, some are paid; some open source solutions make a clear invitation to users to contribute back, some do not.
Can FileZilla be an SFTP server? No. FileZilla Server does not support SFTP, only FTP and FTPS, which are completely different from SFTP. However, using the FileZilla client, you can access an SFTP server.
Example of an SFTP server?
Welcome to test.rebex.net! See https://test.rebex.net/ for more information.
(demo@test.rebex.net) Password: password
Connected to test.rebex.net.
sftp> ls
pub readme.txt
How to make an SFTP server? If you're good at Go, all the tools you need to create an SFTP server are in the standard library; the most popular option in Java is Apache MINA; and if you feel like doing some C, libssh is your friend.