This page explains how to configure a Discover Server for scanning hosts exposing the SSH/SFTP protocol.
Note: Scanning hosts with the SSH/SFTP protocol from a Linux Discover Server is currently not supported.
- Windows Discover Server
- Installing and Configuring WebDrive
- Configuring the Discover Server
- Configuring the Target
- General WebDrive Remarks
- Error Handling
- Testing Instructions:
Windows Discover Server
Scanning a host exposing the SSH/SFTP protocol from a Windows Discover Server requires the WebDrive SFTP client to be installed and configured on that server. Then some Vontu configuration files (SharePointMapper.properties and sftp.bat) need to be updated or created on this server. Finally, the target needs to be configured for SFTP scanning.
Installing and Configuring WebDrive
The WebDrive SFTP client installer can be downloaded from the South River Technologies web site. The currently tested version is 9.0 (build # 2199). To install, click on the installer and accept all default options. A license key needs to be acquired from South River Technologies and activated during configuration (or the first time the WebDrive UI is run).
Note: WebDrive settings are set on a per-user basis, so make sure they are set for the 'protect' user under which the scan process is running. To do so, it is recommended to:
- Install WebDrive as the Discover Server local administrator. The WebDrive installer will set up the WebDrive service to run as the Local System account. Do not change the service account.
- Configure WebDrive for the local administrator.
- Log in to the Discover Server as the protect user.
- Configure WebDrive for the protect user.
Alternatively one could:
- Install WebDrive as the Discover Server local administrator. The WebDrive installer will set up the WebDrive service to run as the Local System account. Do not change the service account.
- Configure WebDrive for the local administrator.
- Copy the WebDrive registry entries from the local administrator to the protect user:
  1. Open the registry with a registry editor tool like 'regedit'.
  2. Identify the SID of the local administrator, say <SID Admin>.
  3. Identify the SID of the protect user, say <SID Protect>.
  4. Export the key 'HKEY_USERS\<SID Admin>\Software\South River Technologies' to a file.
  5. Edit this file with a file editor like 'notepad' and replace all occurrences of <SID Admin> by <SID Protect>.
  6. Re-import the file.
Note that these 2 methods are equivalent.
This page shows how WebDrive settings should be configured.
The attached Protect WebDrive Settings.reg file gives an example of the registry export after step 5 above. It was exported from WebDrive version 9.0. If you run the same version, you can simply replace <SID Protect> in this file with the correct SID and import it.
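The registry copy procedure above can be scripted. This is an added example, not part of the original page or of any vendor tooling; it assumes 'Administrator' and 'protect' are local accounts on the Discover Server, that it runs in an elevated session, and that both users' hives are loaded under HKEY_USERS (the temporary file name is also an assumption).

```powershell
# Added example. Assumed names: local accounts 'Administrator' and 'protect',
# and a temporary export file in %TEMP%.
$adminName   = 'Administrator'
$protectName = 'protect'
$subKey      = 'Software\South River Technologies'
$regFile     = Join-Path $env:TEMP 'webdrive-admin-settings.reg'

function Get-LocalAccountSid([string]$Name) {
    # Resolve a local account name to its SID string (S-1-5-21-...).
    $account = New-Object System.Security.Principal.NTAccount($env:COMPUTERNAME, $Name)
    $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

$sidAdmin   = Get-LocalAccountSid $adminName
$sidProtect = Get-LocalAccountSid $protectName

# HKEY_USERS\<SID> exists only while that user's profile hive is loaded.
foreach ($sid in @($sidAdmin, $sidProtect)) {
    if (-not (Test-Path -LiteralPath "Registry::HKEY_USERS\$sid")) {
        throw "Registry hive for $sid is not loaded; log that user on and retry."
    }
}

# Export the administrator's WebDrive settings.
& reg.exe export "HKU\$sidAdmin\$subKey" $regFile /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg export failed with exit code $LASTEXITCODE" }

# Replace every occurrence of the admin SID. reg.exe writes UTF-16 LE.
$utf16 = [System.Text.Encoding]::Unicode
$text  = [System.IO.File]::ReadAllText($regFile, $utf16)
$count = ([regex]::Matches($text, [regex]::Escape($sidAdmin))).Count
if ($count -eq 0) { throw "Admin SID not found in $regFile; nothing to retarget." }
[System.IO.File]::WriteAllText($regFile, $text.Replace($sidAdmin, $sidProtect), $utf16)

# Re-import, then confirm the key now exists for the protect user.
& reg.exe import $regFile
if ($LASTEXITCODE -ne 0) { throw "reg import failed with exit code $LASTEXITCODE" }
if (-not (Test-Path -LiteralPath "Registry::HKEY_USERS\$sidProtect\$subKey")) {
    throw "Import reported success but the key is missing for $protectName."
}
Remove-Item -LiteralPath $regFile   # do not leave the settings export in TEMP
"Copied WebDrive settings ($count SID references) from $adminName to $protectName."
```

If the protect user's hive is not loaded, logging in once as that user (as in the first method) creates and loads it.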
Configuring the Discover Server
First we must create new scripts for the SFTP protocol: copy the batch files sftp.bat and sftpu.bat to the Vontu\Protect\bin directory (note that the generic CIFS unmount batch file 'smbu.bat' and 'sftpu.bat' contain the same script).
The sftp.bat batch file contains the following script:
```bat
@echo off
SET RETRY_COUNT=7
SET WEBDRIVE_HOME="c:\program files\webdrive"
SETLOCAL
SET sftpserver=%2
SET sftpserver=%sftpserver:\\=%
REM extract the host name
ECHO %sftpserver% | FIND "\" > nul
IF "%ERRORLEVEL%" == "0" (
    ECHO Error wrong share syntax: 'sftp:\\%sftpserver%', it should be 'sftp:\\^<host name or ip^>'
    EXIT /b 1
)
FOR /L %%i IN (1,1,%RETRY_COUNT%) DO (
    REM ECHO Unmounting first
    START /wait /D%WEBDRIVE_HOME% webdrive.exe %1 /batch /d
    ping 127.0.0.1 -n 2 -w 1000 > nul
    REM ECHO Mounting server '%sftpserver%' with user '%3'
    START /wait /D%WEBDRIVE_HOME% webdrive.exe /batch /nosaveuserinfo /s:"DiscoverMounter" /u:%3 /p:%4 /url:%sftpserver% /pr:4 /d:%1
    IF %ERRORLEVEL%==0 (
        REM Wait about 2 seconds
        ping 127.0.0.1 -n 2 -w 1000 > nul
        REM Test if we can access the drive
        DIR %1 2>nul >nul && (
            ECHO success
            EXIT /b 0
        )
        REM ECHO Didn't mount
    ) ELSE (
        REM Wait about 2 seconds
        ping 127.0.0.1 -n 2 -w 1000 > nul
        REM Test if we can access the drive
        DIR %1 2>nul >nul && (
            ECHO success
            EXIT /b 0
        )
        ECHO Error level %ERRORLEVEL% while connecting to server %sftpserver% with user %3.
        ECHO Check the error log Vontu\Protect\logs\DiscoverMounter.log for error messages.
        EXIT /b 1
    )
)
ECHO The system could not access the mounted server.
EXIT /b 1
```
The sftpu.bat batch file contains the following script:
```bat
@echo off
SET WEBDRIVE_HOME="c:\program files\webdrive"
START /wait /D%WEBDRIVE_HOME% webdrive.exe %1 /batch /d
IF "%ERRORLEVEL%" == "0" (
    ECHO success
) ELSE (
    ECHO Error level %ERRORLEVEL% while unmapping drive '%1'
    ECHO Check the error log Vontu\Protect\logs\DiscoverMounter.log for error messages.
)
```
Then add the following lines at the end of the property file: Vontu\Protect\config\SharePointMapper.properties
MAKE SURE THERE ARE NO SPACES AT THE END OF EACH OF THESE PARAMETERS.
It has been observed that some email applications add spaces to the end of these parameters when they are sent over email.
```properties
#Windows WebDrive implementation of SFTP
mounter3.uri=sftp
mounter3.prefix=SFTP
#SFTP General
SFTP.scriptName=sftp.bat
SFTP.Success=success
SFTP.unmountScriptName=sftpu.bat
SFTP.umountSuccess=success
#Mount Errors
SFTP.AccessDenied=Not Applicable
SFTP.ShareNotFound=Not Applicable
SFTP.ShareExists=Not Applicable
SFTP.MultipleConnections=Not Applicable
SFTP.SyntaxError=Not Applicable
SFTP.ResponseExpected=Not Applicable
SFTP.ServerNotFound=Not Applicable
SFTP.AccountLockedOut=Not Applicable
SFTP.NoLogonServers=Not Applicable
#Unmount Errors
SFTP.MountDoesNotExist=could not be found
SFTP.MountDependencyExists=force them closed
```
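A quick way to check the appended entries for the trailing-space problem described above and to confirm that the referenced scripts are in place. This is an added example, not vendor code; the install root C:\Vontu is an assumption, so adjust `$protectHome` to the actual location.

```powershell
# Added example. Assumption: Vontu is installed under C:\Vontu.
$protectHome = 'C:\Vontu\Protect'
$propsPath   = Join-Path $protectHome 'config\SharePointMapper.properties'

# Entries from the page that select the scripts and define the success strings.
$expected = [ordered]@{
    'mounter3.uri'           = 'sftp'
    'mounter3.prefix'        = 'SFTP'
    'SFTP.scriptName'        = 'sftp.bat'
    'SFTP.Success'           = 'success'
    'SFTP.unmountScriptName' = 'sftpu.bat'
    'SFTP.umountSuccess'     = 'success'
}

$found    = @{}
$problems = New-Object System.Collections.Generic.List[string]
$lineNo   = 0
foreach ($line in @(Get-Content -LiteralPath $propsPath)) {
    $lineNo++
    if ($line -match '^\s*(#|$)') { continue }               # comment or blank line
    $key, $value = $line -split '=', 2
    $key = $key.Trim()
    if ($key -cnotmatch '^(mounter3|SFTP)\.') { continue }   # other mounters: out of scope
    if ($line -match '\s+$') {
        $problems.Add("line ${lineNo}: trailing whitespace after '$($line.TrimEnd())'")
    }
    $found[$key] = "$value"                                  # "" if the line had no '='
}

foreach ($key in $expected.Keys) {
    if (-not $found.ContainsKey($key)) {
        $problems.Add("missing key $key")
    } elseif ($found[$key].TrimEnd() -cne $expected[$key]) {
        $problems.Add("$key is '$($found[$key])', expected '$($expected[$key])'")
    }
}

# The scripts named in the properties must exist where the page says to copy them.
foreach ($name in 'sftp.bat', 'sftpu.bat') {
    if (-not (Test-Path -LiteralPath (Join-Path $protectHome "bin\$name"))) {
        $problems.Add("bin\$name not found")
    }
}

if ($problems.Count) { $problems | ForEach-Object { Write-Warning $_ } }
else { 'SFTP mounter entries look clean.' }
```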
Configuring the Target
A target for SFTP scanning must be set up as a File System Target. The share specification follows a slightly different syntax than other file system protocols:
To specify the shares, use the following syntax: sftp:\\<host>, where host is the name or the IP address of the host exposing the SFTP protocol. Note that the host will be scanned from the root, as WebDrive doesn't allow a mount point inside the directory structure to be specified.
The workaround for this limitation is to specify the start directory in the include filters.
Example:
The above Scanned Content Target Specification will scan:
- Only the home directory of 'John Doe' located in SFTP server: server1.
- Everything located in SFTP server: server2.
- Only the HR directory of the Archive share located in CIFS server: server3.
Note: include filters must be comma-separated (no carriage return).
General WebDrive Remarks
- We sometimes observe the error "The system cannot find the file specified" in the FileReader log. This is probably because WebDrive cannot open the file handle for that folder or file. If reducing the connection limit fixes this issue, then it is possible that there is a limit on the server for open file handles by the SFTP client process. Check with the Unix SFTP server's administrator whether there is an option somewhere that limits these open file handles.
- The number of active connections in WebDrive is set to 4 by default. We have found that reducing this number to 1 reduces the number of errors described in the first bullet; however, it also reduces performance quite significantly.
- When a Linux machine is scanned, symbolic links and mounted file systems on that machine will be followed. They should be filtered out to avoid performance issues, infinite scanning loops, scanning other machines, etc.
Error Handling
SFTP mounting errors (wrong credentials, wrong host, etc.) are not reported directly in the Enforce UI. Instead, the Discover Target page will show a scan completed with 0 items scanned and 1 error (assuming we were trying to scan only 1 SFTP server). The scan detail page will contain an error message referring to the WebDrive log for further details.
It will look like this:
In this particular case the server server1.company.com didn't exist, and the WebDrive log Vontu\Protect\logs\DiscoverMounter.log reported:
```
05/16/2008 02:04:37.200 (21120.413) 08bc [L:] Connect failed, 3
05/16/2008 02:04:37.200 (000.155) 08bc [L:] Failed to connect to Site DiscoverMounter at server1.company.com, error=Socket connect failed to the server., LogonFailure=0
```
Testing Instructions:
After implementing SFTP on a Discover Server, it is recommended to execute the following test cases:
- Configure a target with 6 shares. Make sure that all symbolic links and mounted file systems, if any on the scan target, are filtered out from the target definition.
- Run the scan 20 times and make sure we don't have any failures.
- Configure a target with 6 good shares and 6 bad shares (make sure the bad ones are mixed in with the good ones and not all at the end).
- Run the scan 10 times and make sure we only have the expected failures.
- Configure a long running scan. Make sure pause/restart can be done 10 times.
- Configure a long running scan. Make sure that the FileReader can be killed and that the scan will recover (try 10 times).
- Configure a scan with a bad username. Make sure we get the right error message in the UI and in the log.
- Configure a scan with a bad password. Make sure we get the right error message in the UI and in the log.
- Configure a scan with a bad share URL. Make sure we get the right error message in the UI and in the log.