Name of this class

This setting has no function, it's purpose is simply to remind you what this class is defining.

Type of users

There are two types of user, real and anonymous. Essentially, if the user logs in with the username 'anonymous', they are in the anonymous class of user and will only be members of a class with Anonymous ticked. If the user logs in with a genuine username and password, they are considered to be a 'real' user.

Specific users in this class

This lets you refine a class to specific users, e.g. "bob,fred" or even wild cards, "*jones", or lists of users including the 'not' character, e.g. all users except bob "*,!bob"

IP Addresses of connecting users

Again, this refines who is a member of this class. The user's IP address must match this parameter (if the parameter is not blank). You can use lists and wild cards and the not character, e.g. "1.2.3.*". In this second example, all users in the 1.2.3 network are allowed to connect, with the exception of the user with the ip address, "1.2.3.*,!"

Directory Aliases

You can allow your FTP users to have access to multiple directories plus their home directory. Perhaps used to provide access to certain common files, or to allow one class of users access to a special set of files in a directory.

You do this by specifying an "alias directory" the user would see this as an additional directory, and if they change into that directory, they can access the files in real path associated with that alias.

     Alias        Path
     /            ~
     /files       c:\installers

If user Bob logs in he will see the files in his home directory "/" and a directory listed as "files".

If you do provide access to other areas in the file system like this, make sure that there are appropiate files protection rules in place, either in the operating system, or configured in SurgeFTP

Define home and alias directories accessible for this class of user

This table lets you define the translation between virtual paths and real disk paths. Each path can also have it's own read/write rules. Often you will give anonymous users write access to only one directory, and read access to other areas.

When defining aliases for a real user there are two common methods. One is to define the users root as their home directory:

     Alias        Path
     /            ~

This limits each user to access only their own files unless you add another alias to point to some common area, etc. The normal UNIX FTP servers behavior can be emulated with a primary alias like this:

     Alias        Path
     ~            ~
     /            /

This is translated for a user bob to this:

     Alias        Path
     /home/bob    /home/bob
     /            /

which lets the user move to any directory on the system (assuming they have access to those files as a user).

One last useful option, if your users all have their directories under the /home tree, is to limit ftp users to that part of the file system like this:

     Alias        Path
     ~            ~
     /home        /home

The result being that bob gets /home/bob as their initial path, and they can move between any directory below the /home tree, and thus read other users' files (assuming the files are not protected from reading by the operating system).

As a final example, if you only want to allow a user to see their own files, but to see directory specifications of the entire path, use a single alias like this:

     Alias        Path
     ~            ~

Limit: All directory names and file paths are limited to 200 characters. If this limitation is ever a real problem please let us know.

SSL Encryption

SSL Encryption, if available on this platform and can be set to disable, allow or require.    There is also a global setting for this parameter, which must be set in order for the class specific setting to have any meaning.  For more details on SSL see this web page.

Max bytes per second

This setting limits the speed at which data can be downloaded from the server. This is commonly used to prevent all of your bandwidth from being used by a single or a few customers downloading huge files. The daily limit below is often more useful as it prevents abuse but doesn't slow everyone down in the process.

Daily download limit per IP address

This limits each user (or unique IP address) to a certain number of megabytes of downloads per day. This is ideal for preventing abuse. Often a single user will mistakenly download every file from your server, or repeatedly download the same file all day long, and this could cost you real money. This limit stops such abuse (intentional or accidental) without stopping your real users/customers.

Idle connection timeout

After the specified number of minutes, the server will terminate an idle link to recover lost resources and prevent dead links from using up all your spare channels. However, many other FTP servers have this idle limit set so low it is simply annoying.

Max concurrent users connected

This limit applies to all users in this virtual domain, and is good for limiting the total resource that can be used by this domain. This also prevents some denial of service attacks.

Files that cannot be retrieved

This is a 'paranoid' safety mechanism. It is possible to accidentally give read access to a directory containing a password file or some other 'secret' information. As a precaution you can list the names of such files here, and, even if the user can download other files from the same directory, the server will prevent them from fetching these secret files. Typically on unix this should be set to ".netrc,password"

Files that cannot be stored locally (uploaded)

This is a 'paranoid' safety mechanism. It can prevent users from uploading files of specific types.

Root path for users (~ translation uses this)

In the aliases for this domain you can use ~ to indicate the home directory of the user that has logged in. So if the root path for users is /home, the alias specified ~/upload, and the current logged in user is 'bob', the resulting path would be /home/bob/upload

Hashing of users home directory

This setting lets you access existing hashed directories, or lets you specify a hashing method for an optimised directory structure. The setting is a string, combinations of these three characters "f", "o" and "/".
Use "f" for the first letter of the users name.
Use "o" for the next letter of the users name (if there is a next letter).
Use "/" for a directory separator.
The string used, is converted and inserted after the "Root path for users" and before the users name. This setting only works when the Root path for users (above) is set.

		Root path for users "d:\ftphome\"
 		hashing string "f/o"
		user "bob" logs into path d:\ftphome\b\o\bob
		user "blackadder" logs into path d:\ftphome\b\l\blackadder

		Root path for users "m:\home\"
 		hashing string "fo"
		user "bob" logs into path m:\home\bo\bob
		user "blackadder" logs into path m:\ome\bl\blackadder

Limit connections per ip (1-n)

This limits the concurrent users per IP address connected to the server. This is useful to prevent abuse from FTP clients that open multiple connections to get more than their share of bandwidth to your system. Often this stems from people using speed throttling FTP servers instead of limiting the MB downloads per day as you can do with this server. If your server really is heavily used, this setting allows you to prevent this kind of sneaky abuse/cheating.

Passive mode IP Address (use when inside NAT fire wall)

When using an FTP server through a NAT fire wall, this setting allows you to tell the server to give the NAT gateways 'IP' address instead of its own to users connecting from outside. This is done by creating a class that only external users use. You will also need to specify a passive IP port, and map those ports from the NAT firewall into the FTP server ports.

Passive mode starting IP port number (use when inside NAT fire wall)

When the FTP server wants to listen on a port, it will start at this number and increment the port until it finds a free port. You should map this same range of ports from the NAT gateway into the FTP server. Typically, a range of 50-100 will be sufficient, roughly how many concurrent users you expect.

Impersonate users when accessing files

This is an NT specific setting. This setting has 'odd' effects regarding mapping of network drives, etc. Usually on NT it is best turned off.

Allow 'FTP PROXY' 3 way transfers

If enabled, this allows an FTP client to transfer files between two FTP servers. This can be very efficient and quite neat. However, it can also be a security problem as it allows a hacker to send files from your system to someone elses system. This can make it very difficult to track down the hacker.

Also, this is very rarely used in the real world. More commonly, when this is attempted it is actually caused by a mis-configured NAT TCPIP router, and the user will simply not get the file they are requesting. By disabling this feature, the user gets a clear error message telling them to use passive mode to transfer files.

Hide real directory information

Some people believe that hiding real directory information from users increases the security of your system. This is probably true but it is generally not a significant security problem. By default, this is off because the real directory path is often very helpful in sorting out problems, and we believe that making the server easier to use and administer is more important than this subtle security enhancement. However, the option is provided here if you do want/need to be paranoid.


The banner is displayed after the user has logged in. Some FTP clients hide this information but most will display it in some way. Typically you use this banner to tell users what they will find in various directories. You can use a special variable %virtual_paths% which the server will replace with a list of aliases that are defined and there real physical paths.

Back to server