SSL Encryption

SSL Encryption, if available on this platform, can be set to disable, allow, or require.    There is also a class specific setting for this parameter, which will only have meaning if the global setting is set to 'allow'.  For more details on SSL see this web page

SSL Requires Client Certificate

Disable this setting for compatability and ease of use by FTP clients. If you enable this setting, FTP clients will be required to send a "client certificate" that was signed by the CA certificate in the file rootCA.pem in the SurgeFTP directory. With ftp this is just a bit of a hassle, as quite a few clients do not support this kind of verification. Basically, you should only use this setting if all your clients will have certificates signed by a trusted CA. SurgeFtp does not come with a default rootCA.pem file. You must either get one for the CA you want to trust, or you can (and probably should) act as your own CA and create certificates for your clients yourself. The sslftp command line client does support client certificates.

FTP port (21)

Implicit FTP port number

This is an alternative method of SSL FTP, it starts SSL before any FTP command negotiation, usually set to port number 990 or 992 or 996. Set to 0 to disable.

Debug

Sets the logging level. This is primarily intended for finding faults with the server. Info level logging is the default.

Alternative location to put log files

This setting is the path to an alternative directory where the log files per domain can go. If this setting is empty, the default location is used, which is the SurgeFTP install directory, usually c:\surgeftp or /usr/local/surgeftp

Dayly Log Rolling

This setting is should only be used when you want to keep all log files that SurgeFTP generates. When active, once per day the main log file is closed and renamed to surgeftpYYYYMMDD.log, where YYYYMMDD is the year month and day. These log files are not automatically deleted by SurgeFTP, and can get quite sizeable on busy systems.

Flushing log

This makes the server flush log data after every write to the file. This badly affects performance but can sometimes be the only way to track down an unusual fault.

Connections limit per ip

This setting limits any individual ip address from connecting more than the specified number of times. This can prevent various types of abuse and denial of service attacks. A value of 10 is probably low enough to prevent abuse without affecting real users.

SMTP mail gateway

Enter the name of your SMTP mail server, so that SurgeFTP can send you your email mesages.

Authent process

The command line of a NetWin authentication module, by default SurgeFTP will use the system authentication database. However, you can use one of our standard modules for LDAP, ODBCAuth, MySQL, etc or write your own. For more information on these modules see the authentication section of the DMail manual module list, which will tell you the protocol and gives download pages to download the individual modules that we provide.  You don't need to install DMail to use these. 

The "ftpquota" response is recognised as a limit on the amount of filespace that a user can have, and the "ftpfromip" is a list of IP addresses that will always allow that user to connect from, eg ftpfromip="127.0.0.1,10.0.0.10"

You will need to manually edit /winnt/surgeftp.ini (/etc/surgeftp.ini) in order to change the path to use the module you download, as the web admin tool does not currently list all options. Do this with SurgeFTP stopped.  Here is an example:

Additional responses understood by SurgeFTP are:

Importing Existing Users

If you change to SurgeFTP from another FTP server, and you want to import existing user logins into SurgeFTP, and you want to use nwauth for authentication, you can do this with the following steps.
1) You need to create a file with a list of all the user's information in this format:

./nwauth set username1 PASSWORD
./nwauth set username2 PASSWORD
./nwauth set username3 PASSWORD
etc...

If your users have a nonstandard home path each, then you should import this data at the same time, and use lines in this format:

./nwauth set username1 PASSWORD ftphome="/path/to/user1/home/dir"
./nwauth set username2 PASSWORD ftphome="/path/to/user2/home/dir"
./nwauth set username3 PASSWORD ftphome="/path/to/user3/home/dir"
etc...

2) Execute the script file in the "/usr/local/surgeftp" dir on Unix platforms (you may need to make the file executable by typing in "chmod +x scriptfilename"), or in the C:\surgeftp installation directory on Windows. Or wherever the nwauth executable is for SurgeFTP.

Authent number

The number of concurrent authent processes to run. If you are using a slow external authent module (e.g. sql etc) it is probably worth running 3-4. There is no need to have more than 1 when using nwauth.exe.

Authent domain

If this is 'true', the virtual domain name is appended to the username before it is passed to the authent process. This lets the authent process deal with virtual domains. If this is not ticked, user 'bob' on one virtual domain will have the same password as user 'bob' on another virtual domain.

Lookup IP names

If ticked, SurgeFTP will lookup the ip name of connecting users. This can make controlling access and reading log files easier, but it also wastes resources and can slow down connections from users without reverse dns entries. SurgeFTP does include a cache, so normally DNS lookups will not slow it down as much as other servers. If your connections regularly take 30 seconds to complete, you probably have a mis-configured DNS server, and disabling this feature will probably solve the problem.

Auto restart server

If turned on, SurgeFTP will spawn a second process that checks every 30 seconds to see if the server is still running. If it isn't running but its pid file still exists (ie. if it died), this second process restarts the missing server and sends the manager of the account an email reporting the fault.

For this to work on NT you will need to set Dr Watson to NOT show visual notification of faults:

 This sets Dr Watson to be the default debugger)
 	 c:/> drwtsn32 /i
 This brings up the Dr Watson settings, un-tick "Visual Notification"
 	 c:/> drwtsn32

On Windows 98 you would also have to disable visual notification to make this feature work.

As it is highly unlikely that the server will die and this feature does not need to be turned on now. However it is available to be set up to provide additional comfort, or to be set up if a problem was experienced and the server needed to be restarted automatically while the issue is identified.

Global Listing Style

Set to choose the directory listing style, the same as a UNIX FTP server or the same as a Windows FTP server.

Global Thread Reuse

Tick this if you want threads to be reused for another FTP connection after the previous FTP connection has ended. Any threads waiting for a connection will appear as "Idle Thread" under the Status Menu of Web GUI.

Bind Server and Admin to specific IP addresses

If this setting is left blank, the SurgeFTP service will be accessible through all IP addresses that your computer has. If you only want SurgeFTP accessible through certain IP addresses, enter all those addresses in this setting in a comma separated list (no spaces).

The ftp service AND the Web Administration tool are bound by this binding to IP numbers, and changing the setting is not reflected until you restart the SurgeFTP server. It is possible to block out your access to the web admin tool if you do not include "127.0.0.1" in the list, so be careful.

	example setting:
	"127.0.0.1,10.0.0.21"
	

Only allow admin from

This setting is an IP wildcard string that lets you specify a range of IP addresses of computers that are allowed to connect to the web administration tool. If you specify "127.0.0.1" then only the server can connect to itself, and if you specify "10.0.0.*" then any IP address that matches that string can connect.

Bind Server to IP addresses

Binds access to the FTP server and web GUI to specific IP addresses.

This setting is the name of all the IP addresses that you want your server to respond to, or if empty, it will accept for any local IP number. This setting only makes sense when your computer has multiple virtual IP numbers.

This setting requires a restart of the SurgeFTP server for the changes to take affect, in a future version this restart may not be required.

Only Allow admin from

This setting is an IP address, if it is set then the web GUI interface will only be available to someone connecting from the nominated IP address.

Watcher Program

These settings are the names of an executable or batch/script file(s) that is run when a file is uploaded or downloaded to the surgeftp server. The program is passed five command line parameters, filename, filesize, User that uploaded, their IP address and if the transfer was upload or download. There may be other parameters in future versions. An example of the passed parameters:

"file=f:\home\user.txt" "bytes=186" "user=Administrator" "userip=127.0.0.1" "transfer=downloaded"
or
"file=f:\home\user.txt" "bytes=186" "user=Administrator" "userip=127.0.0.1" "transfer=uploaded"

A program that passes these parameters should not necessarily rely on them being in the same order, but the prefix of each will be the same (file=, bytes=, user=, userip=, transfer=).

Activate detection

This turns on the Anonymous hammering checking mechanism. The mechanism is designed to prevent a person from making thousands of anonymous connections in order to prevent access to the server for other users.
You can see what IPs are being blocked on the Status Page, when the setting is activated.

Time to monitor for (seconds)

This setting is a measure of time that SurgeFTP remembers the connections that are made by anonymous users.

Maximum users in time period

This setting is a number of anonymous connections from any single IP address.

Period to block for (seconds)

This setting is the amount of time to activly block Anonymous access from an IP address that has exceeded the maximum limit of connections. If the Limit is exceeded then the blocking will last until the "time to block" has elapsed, then anonymous connections will be allowed again.