In any Keenetic router able to connect USB drives, you can enable the built-in SFTP server and organize secure remote access to files on the USB drive via the SFTP protocol (SSH File Transfer Protocol, also known as Secure FTP and SSH FTP). You can set up access to the server from both the local network and the Internet.
The SFTP server is supported by KeeneticOS starting from version 3.4.1.
The SFTP is an application layer protocol designed to perform operations with the files over a reliable and secure SSH connection. The SFTP has nothing to do with the usual FTP protocol. It provides improved security for data transmission over the Internet by implementing a fully encrypted transport layer. The SFTP is a separate protocol and should not be mistaken for the FTPS (FTP + SSL), the Simple File Transfer Protocol (has the same abbreviation for SFTP) and FTP via SSH.
1. You can directly connect to the SFTP server from the Internet if there is a public IP address on the WAN interface of the Keenetic router used to access the Internet.
2. If you have a private IP address, you can access the SFTP server through an SSTP VPN connection.
3. We recommend obtaining a permanent and easy-to-remember domain name for your Keenetic using the KeenDNS service for more convenient use. When enabling KeenDNS, you can connect to the SFTP server in the 'Direct access' mode. Using the 'Cloud access' mode, you can connect to the SFTP server via an SSTP.
4. Some ISPs filter incoming user traffic by standard protocols and ports. For example, filtering by 21 (FTP), 22 (SSH), 23 (Telnet), 25 (SMTP), 1723 (PPTP) and other ports. Therefore it is necessary to know that the SFTP server operates via the port that the provider does not block.
5. To operate the SFTP server in the Keenetic router, you should install the 'SSH server' and 'SFTP server' system components. You can do it on the 'General system settings' page in the 'Updates and component options' section by clicking on the 'Component options'.
After installing the 'SSH server' and 'SFTP server' components, go to the 'Applications' page of the router's web interface, find the 'Private cloud' section and click on the header.
You will see the window, the main server settings, and user management options are presented in the 'SFTP settings' section.
If you want to access the SFTP server from the external interface, enable the 'Allow access from the Internet' option. You will see the following message: 'Warning! Enabling internet access for SFTP will enable SSH public access'. Click on 'Confirm'.
You can find the port number that uses the built-in SSH server in the 'SSH port' field. The server uses the standard TCP port number 22 for the connection by default. If necessary, you can change the port number (for example, use 2022). We recommend doing this to improve the security, as the standard ports are often exposed to attacks on the Internet.
If the 'Anonymous access' option is enabled, the connection to the SFTP server will be available to all users without authorization. We recommend not using anonymous access but setting up access rights to the SFTP server with authorization (in this case, when connecting to the SFTP server, the user will have to enter a username and a password).
NOTE: Important! When using authentication, you must configure the access rights to the folders of the USB memory device for the client; otherwise, it will not be possible to connect to the SFTP server.
In the 'Users and access' subsection, select the accounts that will be granted to access the SFTP server. Here you can add new accounts by clicking the 'Add user' button.
Enable the SFTP option for the user you want to allow remote access via the specified protocol. Then click 'Select directory' and indicate a certain folder on the USB disk. For example, you can choose a personal folder for each account. You can set up either read and write or read-only access rights for the user, depending on the task. You can do this by following the instruction 'Folder permission control on a USD drive'.
NOTE: Important! There is no need to create port or firewall redirection (forwarding) rules to access the SFTP server. The system will automatically create the necessary rules and allow access.
Go back to the 'Applications' page. By default, the SFTP server is disabled. To enable the server, put the switch in the On state.
Now, using an account with the rights to access the SFTP server (we use 'admin' in our example), you can access the files of a disk connected to the router's USB port from the Internet.
You need to use an SFTP client or file manager with SFTP protocol support for a secure and encrypted connection to the SFTP server on your mobile device or computer. For example, you can use mobile applications such as Cx Explorer, File Manager+ and others, or computer programs such as FileZilla Client, WinSCP, etc.
Here is an example of a connection to the SFTP server on a Keenetic device.
NOTE: Important! In our example, we use the private IP address of the SFTP server. If you configure your access to the server from the Internet, then in the 'Host' field, you need to specify a public IP address on the router's external interface or the router's domain name registered with KeenDNS or DynDNS.
Run the Cx Conductor application on your Android mobile device.
Add a connection on the 'Network' tab.
Go to the 'Remote' tab and select the 'SFTP' protocol.
Specify the router's IP address in the 'Host' field (for access from the Internet, it is a WAN IP address, and for access from the local network, it is a LAN IP), the SSH port number, and the admin username and password.
NOTE: Important! To connect to the router via third-party applications, we recommend creating a separate user account, only allowing access to the SFTP server. For security reasons, do not use the router's administrator account; specify a user account with restricted rights.
If the connection is successful, you will see the folders and files on the USB drive.
You can also use any file manager or client with the SSH FTP protocol support on your computer.
Here is an example of a connection using FileZilla and WinSCP programs: