Set up a blind upload and blind download folder in Serv-U

Updated April 25, 2017

Overview

This article provides steps to set up a blind download folder and a blind upload folder that are both shared across an entire domain.

 

Environment

All Serv-U versions

Detail

Serv-U allows Administrators to set up shared folders to support both blind uploads and blind downloads.

Blind transfers prevent end users from seeing the contents of folders on Serv-U. In blind uploads, end users can upload files and perform integrity checks such as XMD5 against their files, but are unable to list any files. In blind downloads, end users can download specific files by name, but are unable to browse them.

Set up virtual upload and download folders

  1. Open the Serv-U Management Console.
  2. Click Directories > Virtual Paths.
  3. Add a download folder and associate that with a Virtual Path of %Home%\download.
  4. Add an upload folder and associate that with a Virtual Path of %Home%\upload.

The Virtual Paths configuration should look like the image below. 

Set up upload file and folder access

  1. Open the Serv-U Management Console.

  2. Click Directories > Directory Access.

  3. Add a Directory Access Rule to allow blind file uploads:

    1. Go to the Physical Path of your virtual folder. For example, D:\local\upload.
    2. Click the Path box and add \* to the end of your path. For example, change D:\local\upload to D:\local\upload\*.
    3. Clear all options except Files | Write and Subdirectories | Inherit. Make sure that Directories | List remains unchecked.
  4. Add a Directory Access Rule to ensure the upload folder is visible during file lists.
    1. Go to the Physical Path of your virtual folder. For example, D:\local\upload. Make no changes to this path.
    2. Clear all options except Directories | List.
  5. Verify that you have two upload Directory Access entries as shown below.

Set up download file and folder access

  1. Switch to the Directory Access tab.
  2. Add a Directory Access Rule to allow blind file downloads:
    1. Go to the Physical Path of your virtual folder. For example, D:\local\download.
    2. Click the Path box and add \* to the end of your path. For example, change D:\local\download to D:\local\download\*.
    3. Clear all options except Files | Read and Subdirectories | Inherit. Make sure that Directories | List remains unchecked.
  3. Add a Directory Access Rule to ensure the download folder is visible during file lists.
    1. Go to the Physical Path of your virtual folder. For example, D:\local\download. Make no changes to this path.
    2. Clear all options except Directories | List.
  4. Verify that you have two download Directory Access entries as shown below.
  5. Test this from the Serv-U Web Client or a command-line client:
    1. Log in as a domain end user (locked to their own home folder). You should see an upload and a download folder in the home folder, and both will look empty.
      Note: You will be able to upload files to the /upload folder but not to the /download folder.
    2. To test blind downloads, use a command-line client, such as the built-in FTP client that comes with Windows and most Linux operating systems. Use this client to CD into your /download folder. Verify that you are unable to list files, but that you can download and perform integrity checks against the hidden files.
      ftp> pwd
      257 "/" is current directory.
      ftp> dir
      200 PORT command successful.
      150 Opening ASCII mode data connection for /bin/ls.
      drwxrwxrwx   1 user     group           0 May 28 22:11 download
      drwxrwxrwx   1 user     group           0 May 29 11:09 upload
      ftp: 128 bytes received in 0.01Seconds 8.33Kbytes/sec.
      226 Transfer complete. 128 bytes transferred. 0.13 KB/sec.
      ftp> cd download
      250 Directory changed to /download
      ftp> get KB2054-Sample01.png
      200 PORT command successful.
      150 Opening BINARY mode data connection for KB2054-Sample01.png (21207 Bytes).
      226 Transfer complete. 21,207 bytes transferred. 20.71 KB/sec.
      ftp: 21207 bytes received in 0.02Seconds 1294.37Kbytes/sec.
      ftp> QUOT XMD5 KB2054-Sample01.png
      250 B2D7846E5FE660AD58B3F5F375CF5D53
      ftp> dir KB2054-Sample01.png
      200 PORT command successful.
      150 Opening ASCII mode data connection for /bin/ls.
      ftp: 0 bytes received in 0.02Seconds 0.00Kbytes/sec.
      226 Transfer complete. 0 bytes transferred. 0.00 KB/sec.
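The manual test above can be scripted so it is repeatable after every permission change. The following is an added example, not part of the original article or SolarWinds code: check_blind_download takes a logged-in ftplib.FTP session, and FakeSession is a constructed in-memory stand-in (hypothetical, for offline runs only) whose file contents are sample bytes.

```python
import hashlib
from ftplib import error_perm


def check_blind_download(ftp, folder, name):
    """Repeat the article's blind-download test for one known file name.

    `ftp` is a logged-in ftplib.FTP session, or any object with the same
    cwd/nlst/retrbinary/sendcmd methods.
    """
    ftp.cwd(folder)
    try:
        listing = ftp.nlst()
    except error_perm:  # some servers answer 550 instead of an empty list
        listing = []
    chunks = []
    ftp.retrbinary("RETR " + name, chunks.append)
    # MD5 serves only as the transfer integrity check shown in the article.
    local_md5 = hashlib.md5(b"".join(chunks)).hexdigest().upper()
    server_md5 = ftp.sendcmd("XMD5 " + name).split()[-1].upper()
    return {
        "listing_hidden": not listing,          # folder must look empty
        "md5_match": local_md5 == server_md5,   # named download is intact
    }


class FakeSession:
    """Constructed stand-in for a server so the example runs offline."""

    def __init__(self, files, list_allowed):
        self.files, self.list_allowed = files, list_allowed

    def cwd(self, folder):
        self.folder = folder

    def nlst(self):
        return sorted(self.files) if self.list_allowed else []

    def retrbinary(self, cmd, callback):
        callback(self.files[cmd.split(" ", 1)[1]])

    def sendcmd(self, cmd):
        data = self.files[cmd.split(" ", 1)[1]]
        return "250 " + hashlib.md5(data).hexdigest().upper()


SAMPLE = {"KB2054-Sample01.png": b"constructed sample bytes"}

if __name__ == "__main__":
    for label, allowed in (("blind", False), ("misconfigured", True)):
        session = FakeSession(SAMPLE, allowed)
        print(label, check_blind_download(session, "/download", "KB2054-Sample01.png"))
```

A result with listing_hidden set to False means Directories | List is effectively granted on the folder contents and the Directory Access entries need to be rechecked.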

Variations

Serv-U supports Group-, Server-, and User-level Directory Access and Virtual Path settings, so the same configuration can be applied to specific users, groups, or every user on the system.

Using Subdirectories | Inherit is optional. If it is removed, you must add permissions for any subdirectories of the upload and download folders.

Troubleshooting

If an issue occurs during setup, the Virtual Path may be configured incorrectly. Try creating a Virtual Path as in step one, but set up only Read Only Directory Access to the folder until Serv-U resolves the configured Virtual Path. When this works, proceed to steps two and three.

The specific permissions shown above and the two Directory Access entries for each Virtual Path are important, so double-check each pair of entries. One Directory Access entry in each pair must end with \* while the other does not. Also, double-check that one entry has only L permissions and the other one does not.

The order of the Directory Access entries is important: the file permission entry (the one ending in \*) must be above the directory list entry (the one that does not end in \*).
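The pair checks described in this section can be written as a small audit. This is an added example, not Serv-U code or a Serv-U export format: the representation of each Directory Access entry as a (path, set of enabled option labels) tuple, listed top entry first, is an assumption made for illustration, as are the sample rule lists.

```python
def audit_blind_folder(rules, folder, file_option):
    """Return the problems found in the entry pair for one blind folder.

    rules: ordered list of (path, enabled_options), top entry first (assumed format).
    file_option: "Files | Write" for upload, "Files | Read" for download.
    """
    folder_key = folder.rstrip("\\").lower()  # Windows paths are case-insensitive
    star_key = folder_key + "\\*"
    found = {}
    for index, (path, options) in enumerate(rules):
        if path.lower() in (folder_key, star_key):
            found[path.lower()] = (index, set(options))
    problems = []
    if star_key not in found:
        problems.append("missing file permission entry ending in \\*")
    if folder_key not in found:
        problems.append("missing directory list entry (no \\*)")
    if problems:
        return problems
    (star_i, star_opts), (dir_i, dir_opts) = found[star_key], found[folder_key]
    if "Directories | List" in star_opts:
        problems.append("\\* entry allows Directories | List: contents are browsable")
    # Subdirectories | Inherit is optional on the \* entry, so ignore it here.
    if star_opts - {"Subdirectories | Inherit"} != {file_option}:
        problems.append(f"\\* entry should allow only {file_option}")
    if dir_opts != {"Directories | List"}:
        problems.append("directory entry should allow only Directories | List")
    if star_i > dir_i:
        problems.append("\\* entry must be above the directory list entry")
    return problems


# Constructed sample entries using the article's example path.
GOOD = [
    ("D:\\local\\upload\\*", {"Files | Write", "Subdirectories | Inherit"}),
    ("D:\\local\\upload", {"Directories | List"}),
]
BAD = [  # wrong order, and List granted on the folder contents
    ("D:\\local\\upload", {"Directories | List"}),
    ("D:\\local\\upload\\*", {"Files | Write", "Directories | List"}),
]

if __name__ == "__main__":
    print("good:", audit_blind_folder(GOOD, "D:\\local\\upload", "Files | Write"))
    for problem in audit_blind_folder(BAD, "D:\\local\\upload", "Files | Write"):
        print("bad:", problem)
```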

 

 

 

Last modified
23:46, 24 Apr 2017
