I haven't got experience with GoAnywhere, but have you checked in the logs delivered by the AWS Transfer server to CloudWatch Logs whether the failed connections have recorded the algorithms (Kex, Ciphers, MACs) that were attempted? They are recorded for successful SFTP connections, but I'm not quite sure how they would look for the unsupported or unidentifiable options that might be coming from GoAnywhere. If the algorithms are logged, they should map to the support matrix of the chosen AWS Transfer server security policy. The log fields are listed here: https://docs.aws.amazon.com/transfer/latest/userguide/cw-structure-logs.html
In general, SFTP is often used by legacy systems, and in my experience, it's common that ramping up security requirements (as we should be doing) leads to compatibility issues with client applications and integration components that might never get updated after they're initially installed. It sounds quite possible that some of your GoAnywhere users might also be using outdated versions, causing issues, while others would be using more recent versions that work with your settings.
The approach in my environment is to require that partners comply with our common sense good practices on the algorithms used, based on the heavy lifting AWS has done constructing the standard security policies, but I appreciate not all companies may be in a position to do that.
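One way to do the mapping the answer above describes, as an added example that is not part of the original answer or of any AWS tooling: a small Python script that parses constructed CloudWatch-style JSON log lines and compares the client-offered Kex/Ciphers/MACs against an allow-list shaped like a Transfer Family security policy. The field names `client-kex`, `client-ciphers` and `client-macs` and the algorithm lists are assumptions; take the real field names from the linked log-structure page and the real lists from the policy you selected.

```python
import json

# Constructed allow-list modelled on the shape of a Transfer Family security
# policy (one set per category). Names are illustrative, not a copy of any policy.
POLICY = {
    "Kex": {"curve25519-sha256", "ecdh-sha2-nistp256", "diffie-hellman-group14-sha256"},
    "Ciphers": {"aes256-gcm@openssh.com", "aes128-ctr", "aes256-ctr"},
    "MACs": {"hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"},
}

# Assumed log field names; adjust to the documented structured-log fields.
FIELD_MAP = {"Kex": "client-kex", "Ciphers": "client-ciphers", "MACs": "client-macs"}

# Constructed sample log lines (one JSON object per line, plus one junk line).
SAMPLE_LOG = """\
{"session-id":"s1","user":"partnerA","client-kex":"curve25519-sha256,diffie-hellman-group1-sha1","client-ciphers":"aes128-ctr","client-macs":"hmac-sha2-256"}
{"session-id":"s2","user":"partnerB","client-kex":"diffie-hellman-group1-sha1","client-ciphers":"aes128-cbc,3des-cbc","client-macs":"hmac-sha1"}
not-json garbage line
"""


def check_record(record, policy=POLICY):
    """Return {category: True/False}: True if at least one algorithm the client
    offered in that category is in the policy allow-list (so SSH can negotiate)."""
    result = {}
    for category, field in FIELD_MAP.items():
        offered = [a.strip() for a in record.get(field, "").split(",") if a.strip()]
        result[category] = any(a in policy[category] for a in offered)
    return result


def find_incompatible(log_text, policy=POLICY):
    """Parse JSON log lines; return {user: [categories with no common algorithm]}.
    Non-JSON lines are skipped so one bad line does not abort the sweep."""
    failures = {}
    for line in log_text.splitlines():
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        ok = check_record(record, policy)
        failed = sorted(c for c, good in ok.items() if not good)
        if failed:
            failures[record.get("user", "?")] = failed
    return failures


if __name__ == "__main__":
    print(find_incompatible(SAMPLE_LOG))  # {'partnerB': ['Ciphers', 'Kex', 'MACs']}
```

A user that shows up in the output with all three categories failing is typically an outdated client that only offers legacy algorithms, which is the compatibility issue described above.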