Which Windows SFTP Server Should I Use For My Cisco UC Appliance? How about copSSH?

Author
William Bell
Vice President, Solutions and Products

Why Do I Need SFTP?

Secure File Transfer Protocol (SFTP) is used by more and more Cisco Unified Communications (UC) applications for moving files to/from the UC host.  The Cisco Disaster Recovery Service (previously known as BARS), CDR management, CLI “file get” commands, software upgrade interfaces, etc. can all use SFTP.  Some of these can also use standard FTP for moving files from the Cisco UC appliance to an offbox location.  NetCraftsmen recommends not using FTP as it sends passwords in clear text and may also pose problems with existing firewall/ACL configurations.  Basically, if you have an option to provide better security, why not take it?

What SFTP Solution Does Cisco Recommend?

Good question.  You will find various recommendations from Cisco, but Cisco generally does not provide support for your SFTP server/service, so keep that in mind.  Typically, you will find the following products listed in Cisco installation guides:

I haven’t messed around with OpenSSH for Windows myself, but I have used/tested Cygwin, Titan, freeFTPd, and FileZilla.  Titan was fine, but it isn’t a free software application.  The freeFTPd application worked as well, but I had issues with stability on my laptop, so I stopped using it.  I personally find Cygwin a tad annoying, but it works OK.  In fact, copSSH (the topic of this blog) is a port of OpenSSH compiled for Cygwin.  So, you could say copSSH falls in the list of recommended solutions from Cisco.

Using copSSH

You can get copSSH from ITeF!x (http://www.itefix.no/i2/software).  I have tested with the copSSH installer version 2.0.1 and 2.1.1 (the latest at the time of this writing).  I have used the tool on Windows XP and Windows Server 2003.  I have not had too many issues with the utility.  At one point in time I had a problem uninstalling the application and had to go into the registry to clean up a few things.  But I have found the user forums on the ITeF!x site to be pretty helpful.

The copSSH application installs as a service (copSSHd) on Windows, which gives it a distinct advantage over a lot of other freeware SFTP solutions.  It is also very easy to provision the service.  After installing the copSSH application, you can go to Start>copSSH>Activate a User to select a local Windows or Domain user account to activate for copSSH access.  Local user accounts are provided in a handy drop-down list.  For Domain user accounts, you will need to use the convention to add the user.

When a user is activated, they can connect to your “SFTP” server using their local Windows or AD Domain credentials.

One thing you need to keep in mind is the directory structure.  If you install copSSH in the “c:/program files/copssh/ICW” directory, then the root of your Cygwin shell will start from the install point, meaning the Cygwin root (“/”) is actually “c:/program files/copssh/ICW”.

Configuring copSSH

We all have preferences, and I am a member of the “we all” group.  The following is how I like to configure my copSSH deployments:

Directory Structure

  • I like to install copSSH in a directory off of the root of my data partition.  So, if my data drive is D:, I like to install copSSH in the d:\copssh folder.
  • Often, I like to keep installation files in a different directory structure than the copSSH installation path.  Therefore, I will create a symbolic link in the Cygwin shell:
    • Click on Start..Program Files..Copssh..Start Bash Shell
    • In the bash shell, enter the command: “cd /”
    • Create the symbolic link: “ln -s /cygdrive/d/data/installfiles/ installfiles”
  • I also like to store backups and CDRs from the CUCM/Unity/CUPS/etc. servers in a separate folder structure.  To do this, you can create more symbolic links.

The symbolic link syntax is straightforward.  The /cygdrive/d/ in the examples points to the actual root of the D: drive in Windows, just as /cygdrive/c/ points to the C: drive, /cygdrive/e/ points to the E: drive, and so on.
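As an added example (not from the original post or from copSSH), here is a small shell script that creates those links under the Cygwin root the same way, but first checks that the Windows-side target actually exists and refuses to clobber an existing file or a link that already points somewhere else.  The /cygdrive/d/data/... targets, the link names, and the install root “/” are assumptions carried over from the examples above.

```shell
#!/bin/sh
# Added example (not from the original post or copSSH): create the symbolic
# links the post describes under the Cygwin root, checking that the
# Windows-side target exists and refusing to overwrite anything already there.
# Assumptions: "/" is the copSSH install directory and the data drive is
# mapped as /cygdrive/d, as in the post; link names and targets are examples.

# make_link ROOT TARGET NAME
# Creates ROOT/NAME -> TARGET. Returns 0 on success or when the identical
# link already exists, 1 when TARGET is missing or NAME is already in use.
make_link() {
    root=$1; target=$2; name=$3
    link="${root%/}/$name"          # avoids "//name" when ROOT is "/"
    if [ ! -d "$target" ]; then
        echo "skip $name: target $target does not exist" >&2
        return 1
    fi
    if [ -L "$link" ]; then
        if [ "$(readlink "$link")" = "$target" ]; then
            return 0                # already correct, nothing to do
        fi
        echo "refuse $name: link already points to $(readlink "$link")" >&2
        return 1
    fi
    if [ -e "$link" ]; then
        echo "refuse $name: a real file or directory is in the way" >&2
        return 1
    fi
    ln -s "$target" "$link"
}

# The links the post suggests, one per area you want SFTP users to reach.
# Only run for real when the Cygwin drive mapping exists, i.e. inside the
# copSSH bash shell.
if [ -d /cygdrive/d ]; then
    make_link / /cygdrive/d/data/installfiles installfiles
    make_link / /cygdrive/d/data/backups      backups
    make_link / /cygdrive/d/data/cdr          cdr
fi
```

Run it from the copSSH bash shell; it returns non-zero for any link it could not create, so it is safe to re-run after you fix a path, and an existing correct link is simply left alone.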

Security Considerations

To lock things down on the system, I first recommend using SSH version 2.  You can accomplish this by editing the sshd_config file (e.g. “c:/copssh/etc/sshd_config”).  I would use a program like Notepad++ to do the edit myself.  You can use WordPad as well.

In the sshd_config file, add the line “Protocol 2”.  This forces protocol version 2 and refuses the older SSH-1 protocol.  You can also modify other parameters:

PermitRootLogin no
# disables tunneled clear-text passwords; clients must then authenticate with keys
PasswordAuthentication no
PermitEmptyPasswords no
DenyUsers Administrator Guest Root
MaxStartups 3

A decent recommendation on configuring the sshd_config file is available here.
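The audit below is an added example (not from the original post, ITeF!x, or OpenSSH).  It reads an sshd_config and reports whether each directive recommended above is present with the expected value, keeping in mind that sshd uses the first uncommented occurrence of a keyword, so a stray “PasswordAuthentication yes” higher up in the file silently wins over your hardened line.  Note that “PasswordAuthentication no” means clients have to authenticate with keys; test your UC application’s SFTP job against the server before enforcing it.  The file path is whatever you pass as the first argument; the directive list is the one from this post.

```shell
#!/bin/sh
# Added example (not from the original post, ITeF!x or OpenSSH): check an
# sshd_config for the hardening directives recommended in the post.
# Assumption: the file to audit is passed as the first argument.

# audit_sshd_config FILE
# Prints "ok ..." or "FAIL ..." per directive and returns 1 if any failed.
audit_sshd_config() {
    file=$1
    status=0
    while read -r key want; do
        # sshd honours the FIRST uncommented occurrence of a keyword;
        # keywords are case-insensitive, values are compared as written.
        got=$(grep -i "^[[:space:]]*$key[[:space:]]" "$file" | head -n 1 | awk '{print $2}')
        if [ -z "$got" ]; then
            echo "FAIL $key missing (sshd default applies)"
            status=1
        elif [ "$got" != "$want" ]; then
            echo "FAIL $key is '$got', expected '$want'"
            status=1
        else
            echo "ok   $key $got"
        fi
    done <<EOF
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
MaxStartups 3
EOF
    # DenyUsers is a list, so check that each account named in the post is on it.
    deny=$(grep -i "^[[:space:]]*DenyUsers[[:space:]]" "$file" | head -n 1 | awk '{ $1 = ""; print }')
    for u in Administrator Guest Root; do
        case " $deny " in
            *" $u "*) echo "ok   DenyUsers includes $u" ;;
            *) echo "FAIL DenyUsers does not include $u"; status=1 ;;
        esac
    done
    return $status
}

if [ -f "${1:-}" ]; then
    audit_sshd_config "$1"
else
    echo "usage: $0 path/to/sshd_config" >&2
fi
```

From the copSSH bash shell the file is simply /etc/sshd_config (the install directory is the Cygwin root).  After editing, “sshd -t” will syntax-check the file before you restart the copSSHd service; this script only checks that the values you intended are the ones that will take effect.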

In addition to configuring the sshd_config file, you should also make sure that you apply appropriate NTFS permissions on your Windows system to restrict access.  From an ITeF!x FAQ:

  1. Create a local Windows permissions group (example copsshdUsers)
  2. Deny access to all folders for the copsshdUsers:

    c:>cacls c: /c /e /t /d copsshdUsers

  3. Now, you can go to the individual folders that you want to allow access to (using the Security tab on that folder).  Remove the “Deny” permission setting and replace it with the permissions you wish to allow.
  4. Add copssh users to the copsshdUsers group (assuming that you are creating users *just* for copssh access)
  5. Activate the user

When activating a user, you can also force the user to have SFTP access only.  Yes, copSSH can also allow users to “SSH” to the Cygwin bash console.  To activate a user with SFTP access only, see the following example:

NetCraftsmen recommends that once you stand up a server with copSSH running, you test your security measures to make sure that users can’t access anything you intended to restrict.
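Here is an added example of such a test (not from the original post).  It drives the OpenSSH sftp client in batch mode against an activated account and checks that paths you meant to deny are refused while the linked folders still list.  Batch mode disables password prompts, so the probing account needs key-based authentication (which the sshd_config settings above already require).  The host, user, and path lists are constructed assumptions; set SFTP_TARGET to user@host to run it for real, and SFTP_CMD only exists so a stand-in can be substituted for sftp when exercising the script itself.

```shell
#!/bin/sh
# Added example (not from the original post): probe a freshly built copSSH
# server as an activated user and confirm that restricted paths are refused
# while the permitted (linked) folders still work. Uses the OpenSSH sftp
# client in batch mode (-b -), which exits non-zero as soon as a command such
# as "ls" fails, so each probe gives an unambiguous yes/no.
# Assumptions: SFTP_TARGET (user@host) and the deny/allow lists are
# constructed examples; SFTP_CMD exists so a stand-in can replace sftp when
# exercising this script without a server.

SFTP_CMD=${SFTP_CMD:-sftp}

# probe TARGET PATH: attempt to list PATH on TARGET. Returns 0 if the server
# allowed it, non-zero if it refused (or the connection itself failed).
probe() {
    printf 'ls %s\n' "$2" | "$SFTP_CMD" -q -b - "$1" >/dev/null 2>&1
}

# verify TARGET DENY_LIST ALLOW_LIST
# Lists are space separated (no spaces inside paths). Prints one line per
# probe and returns 0 only when every DENY path was refused and every ALLOW
# path was reachable.
verify() {
    target=$1; deny=$2; allow=$3; failed=0
    for p in $deny; do
        if probe "$target" "$p"; then
            echo "FAIL $p is reachable but should be denied"; failed=1
        else
            echo "ok   $p denied"
        fi
    done
    for p in $allow; do
        if probe "$target" "$p"; then
            echo "ok   $p reachable"
        else
            echo "FAIL $p should be reachable but was refused"; failed=1
        fi
    done
    return $failed
}

# Only talk to a real server when SFTP_TARGET is set, e.g.
#   SFTP_TARGET=cucm-backup@sftphost sh verify_sftp.sh   (constructed values)
if [ -n "${SFTP_TARGET:-}" ]; then
    verify "$SFTP_TARGET" \
        "/cygdrive/c/Windows /cygdrive/c/Users /etc" \
        "/installfiles /backups /cdr"
fi
```

Run it once for every account you activate, not just the first one: the NTFS deny is applied per group, and an account that was activated but never added to copsshdUsers will pass the login test and fail this one.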

Which Cisco UC Products Use SFTP Anyway?

The following products use SFTP as a standard method for “sharing” files:

  • Cisco Unified Communications Manager (CUCM)
  • Cisco Unified Presence Server (CUPS)
  • Cisco Unified Mobile Advantage (CUMA)
  • Cisco Unity Connection

FYI, you can actually load copSSH on Windows-based Cisco UC applications if you wish.  However, it isn’t necessarily supported by Cisco.  Also, I know that Cisco CSA on a UCCX/IPCCX system will actually block the copSSH service from doing its thing.

It should also be noted that MeetingPlace Express (MPE) is the oddball.  It does support SCP and SFTP file sharing.  However, its upgrade methodology uses rsync over SSH and not SFTP.  Fortunately, there is an installer provided by ITeF!x for rsync (called cwRsync).

2 responses to “Which Windows SFTP Server Should I Use For My Cisco UC Appliance? How about copSSH?”

  1. These instructions seem beautiful, but not sure what version this is?  There is no such thing as a user activation wizard as shown in the screenshots, etc.  I want to configure this; could you please provide instructions for the latest release, or post the software for which the above instructions are valid?  Much appreciated.  Thanks for your effort.

  2. The version used when writing the article was build 2.1.1, which appears to be way out of date and removed from the ITeF!x archive.  I have not tested with a later version.  The primary reason is I switched to a Mac and SFTP is built in.  I’ll put this on the to-do list, but it may be a couple of weeks.

    Regards,
    Bill
