How to Set Up WinSSHD SFTP Server On Windows

How-To
1

Summary

I wanted to post a quick walkthrough on how to set up Bitvise WinSSHD on a Windows computer to use as a SFTP target/destination for Duplicati. This is a great enterprise class piece of software that the author is kind enough to allow us to use for personal use free of charge and is great when paired with Duplicati. Don’t let the length of this post scare you, the software is very easy to set up and run, but I wanted to be thorough for those that like step by step instructions.

Basic Install

  1. Download latest version from Download Bitvise SSH Server

  2. Run the installer
    a. Accept Agreement
    b. Choose to Install New Default instance
    c. Choose “Personal Edition”, which is free for personal non-commercial use and more than adequate for even moderately complicated multi-family member backup scenarios
    d. Enter whatever name you want
    e. Restart after installation

  3. After restart, open the Bitvise SSH Server Control Panel by double clicking the little hammer icon in the systray

  4. Click on “Open Easy Settings”
    Note: All configuration settings have a very useful tooltip next to them if you need more information.

    a. Server Settings

    • IP Version: IPv4
    • Listening Port: 6789
      Pick any random port between 1024 and 10,000. This alone will greatly cut down on false logon attempts from malicious people on the internet.
    • Auto Configure Router: Disable if you prefer to manually configure port forwarding on your router or don’t need to allow access from the internet. Enable if you want to allow backups across the internet.
    • Open Windows Firewall: Set to “Open ports to any computer” if you’re allowing computers to backup via the internet, otherwise set to “Open to local network”

    b. Windows Accounts

    • Allow login to any Windows account: Disable

    c. Virtual Accounts
    Note: You can create basic accounts at this point and have a perfectly viable SFTP destination for your backups, but I recommend skipping this and continuing to the advanced section, especially if you plan on using more than one account or want additional security.

    • Click to Add a new Virtual Account
    • Virtual account Name: This is the actual SFTP account username
    • Virtual account Password: Give the account a password if you don’t plan on using key based authentication
    • Public Keys: Import a public key if you prefer to use key based auth instead of passwords
    • Shell Access Type: No Shell Access
      Leave as BvShell if you want interactive login for some reason, DO NOT USE ANY OTHER TYPE unless you understand the risks.
    • Root Directory: Point this where you want the account to place the backup files

Advanced Settings

  1. Open the Bitvise SSH Server Control Panel by double clicking the little hammer icon in the systray

  2. Click on “Edit Advanced Settings”
    Note: I lean a little toward the paranoia side, the defaults are perfectly fine but these are the settings I make to lock things down

    a. Session

    • Maximum login attempts: 1
    • Login attempt delay: 10
    • Do not delay public key login attempts: Uncheck
    • IP Blocking windows duration: 3600
    • IP Blocking threshold: 3
    • IP Blocking lockout time: 10080
    • IP Blocking penalize no authentication: Check

    b. Access Control

    • Allow Windows account password change: Uncheck
    • Allow Virtual account password change: Uncheck
    • Limit delegated administrator mount points: Check

    c. Virtual Accounts Password Policy

    • Minimum password length: 20
    • Number of alpha: 1
    • Number of numeric: 1
    • Number of special: 1

    d. Virtual Groups
    Note: This is where you can set defaults so that all virtual accounts that are created have the same settings. This is very useful if you plan on having several accounts for friends and family.

    • Double Click on the existing “Virtual Users” group to open it up
    • Editable by delegated administrators: Uncheck
    • Authentication
      • Password Authentication: Disabled if doing key based only, Required if doing password only, Allowed if doing a mix of both
      • Public Key Authentication: Required if doing key based only, Disabled if doing password only, Allowed if doing a mix of both
      • Allow public key management: Disabled
    • Terminal and exec requests
      • Shell access type: No Shell Access
        Leave as BvShell if you want interactive login for some reason, DO NOT USE ANY OTHER TYPE unless you understand the risks.
    • File Transfer
      • Virtual home directory: /
    • Mount Points (Double click existing / entry to open)
      • Real Root Path: Set this to the place you want backup files to be written to (You will likely override this for each virtual account you create)
    • Click “OK” to close out of the Virtual Group setup window

    e. Virtual Accounts
    Note: These should now be pretty simple to set up since they will inherit all of the settings from the Virtual Group

    • Click “Add” to create a new Virtual User
    • Virtual account Name: This is the actual SFTP account username
    • Virtual account Password: Give the account a password if you don’t plan on using key based authentication
    • Virtual Group: Select “Virtual Users” from the drop down
    • Authentication
      • Public Keys: Import a public key if you prefer to use key based auth instead of passwords
    • Mount Points
      • Click “Add” to create new mount point
      • Real Root Path: Point to folder for backups for this user
      • Delay initialization until accessed: Uncheck
    • Click “OK” to close out of Virtual Account setup window

  3. Click “OK” to close configuration settings

Permissions

Depending on how you have things set up, you might need to give the WinSSHD application permission to read/write to your backup area. If you need to there is a BvSsh_VirtualUsers account created that you will need to grant access to.

5 Likes
2

Just wanted to say that I just ran through your instructions verbatim, and it worked like a charm. I now have an SFTP server set up on my Windows 10 PC, and I have family backing up to it remotely. Thank you so much! This was awesome!

2 Likes
3

Excellent! Glad it was able to help get you up and running. I’ve been running my family’s backups for a while now without a bit of trouble.

I’m a huge fan of the software and really like the control that gives me over the SFTP service and locking it down.

FYI, the only thing you might want to do is check a couple times a year for new versions in case they’ve fixed any security defects. Upgrading is as simple as downloading the new installer and running it, it’ll keep all of your settings.

Let me know if you run into any issues and I’ll be glad to help.

1 Like
4

I have a simple question that the process which has been given here can be applied for the IOS platform also. Can I do the same process for the ios, I have also asked Apple iPad support for this.

5

If you’re asking “can Duplicati run on iOS” the answer is “no” as Duplicati needs mono (not on iOS, I think).

If you’re asking “can an SFTP server run on iOS” the answer is “probably” but that is pretty far outside the scope of this forum.