GlobalSCAPE Knowledge Base

VIEWING INBOUND CONNECTION ENCRYPTION LEVELS

Karla Marsh
EFT

THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • EFT v7.4.9 and earlier (which uses an old SFTP library v1.82_sshlib (Bitvise))
  • EFT v7.4.11 and later with clients that are using older SFTP versions (SFTP library v1.82_sshlib (Bitvise)). EFT v7.4.11 and later use an updated SSH library, v7.7.1.0_openssh; in this case, you will also need to apply the Advanced Property UseLegacySFTP.

DISCUSSION

When it comes to troubleshooting, there are several challenges, including the pressure to meet strict security policies and comply with regulations. These efforts are further complicated by a lack of visibility into how end-users are connecting with your systems. If users are connecting with deprecated or outdated ciphers or algorithms, then problems can occur and your data security could be at risk.

Understand how users are connecting with your EFT platform. Disable deprecated or weaker cryptography whenever possible to help maintain strong system security.

Many EFT customers have asked us if it is possible to gain insight into the SFTP and SSL/TLS cryptography details that their inbound connected clients are using when connecting to EFT. The simple answer is, yes. Having this information is useful not only for troubleshooting, but for proactive/preventive measures as well. To gain this level of visibility into your EFT log files, you will need to enable verbose logging when troubleshooting or debugging.

How To Enable EFT Verbose Logging

Log levels in EFT all default to the TRACE or INFO setting, which is the standard level of logging. If you need more details in your logs, change the log level for the relevant logger in logging.cfg to DEBUG, which enables extended (verbose) logging. This gives you a much finer level of detail in your logs to help you pinpoint where the trouble lies.

For example, with the SSL logging level set to DEBUG, you would see whether the connection was accepted, and which protocol version, cipher, and key length were used in the connection:

DEBUG SSL <> - SSL connection accepted; protocol version = TLSv1.2, cipher = ECDHE-RSA-AES128-GCM-SHA256, key length = 128

Please note: it is recommended that you only use verbose logging during debugging or troubleshooting. It produces a large amount of data and will quickly consume CPU time and drive space. It is not necessary to reboot after making these modifications.

Advanced Configuration for Verbose Logging:

Use the following example to set up a separate file appender for verbose logs, which should make data capture and analysis a bit more manageable.

Instead of SFTP = TRACE or SSL = TRACE, specify the following settings in the logging.cfg file:

log4cplus.appender.SFTPFileAppender=log4cplus::RollingFileAppender
log4cplus.appender.SFTPFileAppender.File=${AppDataPath}\EFT-SFTP-${COMPUTERNAME}.log
log4cplus.appender.SFTPFileAppender.MaxFileSize=20MB
log4cplus.appender.SFTPFileAppender.MaxBackupIndex=5
log4cplus.appender.SFTPFileAppender.layout=log4cplus::TTCCLayout
log4cplus.appender.SFTPFileAppender.layout.DateFormat=%m-%d-%y %H:%M:%S,%q
log4cplus.logger.SFTP=TRACE, SFTPFileAppender
log4cplus.additivity.SFTP=false
log4cplus.appender.SFTPFileAppender.filters.1=log4cplus::spi::StringMatchFilter
log4cplus.appender.SFTPFileAppender.filters.1.StringToMatch=Sending SSH_MSG_KEXINIT
log4cplus.appender.SFTPFileAppender.filters.1.AcceptOnMatch=true
log4cplus.appender.SFTPFileAppender.filters.2=log4cplus::spi::StringMatchFilter
log4cplus.appender.SFTPFileAppender.filters.2.StringToMatch=Received SSH_MSG_KEXINIT
log4cplus.appender.SFTPFileAppender.filters.2.AcceptOnMatch=true
log4cplus.appender.SFTPFileAppender.filters.3=log4cplus::spi::StringMatchFilter
log4cplus.appender.SFTPFileAppender.filters.3.StringToMatch=Handling SSH_MSG_USERAUTH_REQUEST for user
log4cplus.appender.SFTPFileAppender.filters.3.AcceptOnMatch=true
log4cplus.appender.SFTPFileAppender.filters.4=log4cplus::spi::DenyAllFilter

After using verbose logging for however long is needed to troubleshoot, copy the EFT-SFTP-*.log files to a new folder for processing. (You have to copy the log files to a separate folder for analysis because the PowerShell scripts cannot open files that EFT is holding open.)

Unzip these PowerShell scripts (specific to this SFTP example) and run the applicable one against those log files in that separate folder to generate a CSV file with the results. Be sure to change the path in the script to the location in which you have created a new folder.

  • ParseLogFilesForSFTPKex_v1.ps1 applies to EFT v7.4.9 and earlier
  • ParseLogFilesForSFTPKex_v2.ps1 applies to EFT v7.4.11 and later with clients that are using older SFTP versions (SFTP library v1.82_sshlib (Bitvise)). You will also need to apply the Advanced Property UseLegacySFTP.
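As an added example (not one of the Globalscape ParseLogFilesForSFTPKex scripts, and not EFT's own code), the following PowerShell script shows the kind of processing those scripts perform: it reads the copied log files, pulls out both the SSL "connection accepted" line quoted earlier and SFTP SSH_MSG_KEXINIT lines, writes the results to a CSV, and flags connections that used deprecated protocol versions, weak ciphers, short keys, or legacy SSH algorithms. The SSL line format is the one shown in this article; the SSH_MSG_KEXINIT line layout, the folder paths, the weak-algorithm lists, and the sample log lines are assumptions constructed for this example and must be checked against your own EFT logs before you rely on the output.

```powershell
# Added example, not a Globalscape script. Summarise protocol/cipher details that
# EFT writes at DEBUG/TRACE level into a CSV and flag weak settings.
# ASSUMPTIONS: the SSH_MSG_KEXINIT line layout, the paths and the sample lines
# below are constructed for this example; verify them against your own logs.
param(
    [string]$LogFolder = 'C:\Temp\EFTLogs',                 # folder you copied EFT-SFTP-*.log / EFT.log into
    [string]$OutputCsv = 'C:\Temp\EFTLogs\connections.csv'
)

# Constructed sample lines, used only when $LogFolder holds no .log files, so the
# script can be run as-is to see the shape of its output.
$sampleLines = @(
    '03-14-22 10:01:02,113 DEBUG SSL <> - SSL connection accepted; protocol version = TLSv1.2, cipher = ECDHE-RSA-AES128-GCM-SHA256, key length = 128',
    '03-14-22 10:02:45,901 DEBUG SSL <> - SSL connection accepted; protocol version = TLSv1.0, cipher = AES128-SHA, key length = 128',
    '03-14-22 10:03:10,020 DEBUG SSL <> - SSL connection accepted; protocol version = TLSv1.2, cipher = DES-CBC3-SHA, key length = 112',
    '03-14-22 10:04:00,500 TRACE SFTP <> - Received SSH_MSG_KEXINIT: kex = diffie-hellman-group14-sha1,diffie-hellman-group1-sha1; cipher = aes128-cbc,3des-cbc; mac = hmac-sha1',
    '03-14-22 10:05:12,007 TRACE SFTP <> - Received SSH_MSG_KEXINIT: kex = ecdh-sha2-nistp256; cipher = aes256-ctr; mac = hmac-sha2-256'
)

# Assumed weakness criteria; adjust to your own policy.
$weakProtocols     = @('SSLv2', 'SSLv3', 'TLSv1', 'TLSv1.0', 'TLSv1.1')
$weakCipherPattern = 'RC4|DES|NULL|EXP|MD5|anon'          # TLS cipher-suite name fragments
$weakSshPattern    = 'group1-sha1|-cbc|hmac-md5|arcfour'   # SSH kex/cipher/mac fragments

function Get-LogLines {
    param([string]$Folder)
    $files = Get-ChildItem -Path $Folder -Filter '*.log' -ErrorAction SilentlyContinue
    if ($files) { foreach ($f in $files) { Get-Content -Path $f.FullName } }
    else { $sampleLines }
}

function ConvertFrom-EftLogLine {
    param([string]$Line)
    # SSL line: format taken from the article (leading timestamp optional).
    if ($Line -match '^(?<ts>\d\S* \S+)?.*?SSL connection accepted; protocol version = (?<proto>[^,]+), cipher = (?<cipher>[^,]+), key length = (?<bits>\d+)') {
        $reasons = @()
        if ($weakProtocols -contains $Matches.proto)   { $reasons += 'deprecated protocol' }
        if ($Matches.cipher -match $weakCipherPattern) { $reasons += 'weak cipher' }
        if ([int]$Matches.bits -lt 128)                { $reasons += 'key length < 128' }
        return [pscustomobject]@{
            Timestamp = $Matches.ts; Service = 'SSL'; Protocol = $Matches.proto
            Algorithms = $Matches.cipher; KeyLength = [int]$Matches.bits; Weak = ($reasons -join '; ')
        }
    }
    # SFTP line: the layout after "SSH_MSG_KEXINIT:" is an assumption for this example.
    if ($Line -match '^(?<ts>\d\S* \S+)?.*?Received SSH_MSG_KEXINIT: (?<algs>.+)$') {
        $reasons = @()
        if ($Matches.algs -match $weakSshPattern) { $reasons += 'legacy kex/cipher/mac offered' }
        return [pscustomobject]@{
            Timestamp = $Matches.ts; Service = 'SFTP'; Protocol = 'SSH-2'
            Algorithms = $Matches.algs; KeyLength = $null; Weak = ($reasons -join '; ')
        }
    }
    return $null
}

$rows = @(Get-LogLines -Folder $LogFolder | ForEach-Object { ConvertFrom-EftLogLine -Line $_ } | Where-Object { $_ })

New-Item -ItemType Directory -Force -Path (Split-Path -Parent $OutputCsv) | Out-Null
$rows | Export-Csv -Path $OutputCsv -NoTypeInformation

# Quick on-screen summary: how often each protocol/algorithm combination was seen.
$rows | Group-Object -Property Service, Protocol, Algorithms | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
"Connections with weak settings: $(@($rows | Where-Object Weak).Count) of $($rows.Count)"
```

Run it as `.\Summarize-EftCrypto.ps1 -LogFolder C:\Temp\EFTLogs` against the folder you copied the logs into; with the constructed samples it reports three of five connections as weak (TLSv1.0, a 112-bit 3DES suite, and a client offering group1-sha1 and CBC ciphers). The CSV gives you the per-connection detail, and the grouped summary is what you would review before disabling a legacy algorithm, since it shows which client populations still depend on it.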

Reminder: Your security efforts will be most effective if you use the latest version of EFT. Periodically check the Globalscape support site for the latest version and upgrade accordingly.

For more information about Advanced Properties, refer to the online help for your version of EFT.

Details
Last Modified: Last Year
Last Modified By: kmarsh
Type: HOWTO