
CrushFTP Server

CrushFTP is a proprietary multi-protocol, multi-platform file transfer server originally developed in 1999. CrushFTP is shareware with a tiered pricing model. It is targeted at a range of users, from home users up to enterprise users.


1. Features

CrushFTP supports the following protocols: FTP, FTPS, SFTP, HTTP, HTTPS, WebDAV and WebDAV SSL. Additionally, although not a protocol, it has both AJAX/HTML5 and Java applet web interfaces for end users to manage their files from a web browser. CrushFTP uses a GUI for administration, but also installs as a daemon on Mac OS X, Linux, Unix, and as a service in Windows. It supports multihoming, multiple websites with distinct branding, hot configuration changes, attachment redirection, and GUI-based management of users and groups from a browser. Plugins are included for authentication against SQL databases, LDAP, Active Directory, and other custom methods. All settings are stored in XML files that can be edited directly, or with the web UI. If they are edited directly, CrushFTP notices the modification timestamp change and loads the settings immediately without needing a server restart.


2. History of CrushFTP

CrushFTP was first published publicly around 1998. Initial versions were FTP only. There were no connection restrictions in version 1.x. CrushFTP 2.x brought about virtual directories in a sense, while CrushFTP 3.x brought about a full virtual file system. It supported the ability to merge and mangle several file systems together regardless of whether they were from local folders or another FTP site. It could even act as a proxy for other FTP servers. However, the complications arising from all the potential issues this could cause were confusing. CrushFTP 3 introduced tiered pricing models.

CrushFTP 4 focused primarily on a cleaner interface and less confusing virtual file system. While it still seems to have some support for merging FTP sites with a local file system, the support seems limited. Updates in version 4 included a full HTTP server as well as the other supported protocols. Later updates began recognizing connection differences between web browsers and FTP/SFTP clients, counting four web browser connections as only one user against the licensed limit.

CrushFTP 5 continued the evolution of the WebInterface with various iterations. It used a Flash interface briefly before replacing it with an HTML/AJAX interface. CrushFTP 5 was the last version to still use a thick client Java Swing UI. Version 6 moved to an all web browser UI.

CrushFTP 6, released in 2012, brought about major changes as the management and monitoring interface became entirely web based. Its interface is based on jQuery and jQuery UI. Multiple administrators can work concurrently, fixing the single admin limitation of prior versions. It had image thumbnail support and file replication and syncing.

CrushFTP 7 was released in early 2014. According to the "whats new" page it adds a dashboard for server information, delegated role based administration, graphical job / event designer, MP4 movie streaming support using HTML5, UPnP / PMP port forwarding and automatic external port validation testing, among many other features. Some features are available only to enterprise customers such as user synchronization and DMZ prefs synchronization between internal servers.

CrushFTP 8 was released in late 2016. The "whats new" page lists a new HTML5 browser uploading system that is 4x faster and supports resume, a limited filesystem server mode, and data replication as key new features. There is a revision system on files, a new reports UI, and a stand-alone client UI as part of the release as well.

CrushFTP 9 was released in late 2018. The "whats new" page lists a new CrushBalance load balancer, a new Citrix protocol for VFS, reduced thread usage, plugin support, and automated expiration reminder emails for passwords, accounts, and shares. Additionally, it lists Proxy Protocol v2 support for AWS load balancers and an enhanced Job management system.


3. Features

  • WebInterface allowing on the fly zipped uploads and downloads
  • SAML SSO authentication integration.
  • Auto account expirations.
  • Internal statistic gathering.
  • Event based actions to trigger emails.
  • High availability, session replication, data replication and VIP capabilities.
  • Max upload, download, and minimum download speed.
  • Restricted IP ranges for connections.
  • Detailed audit logging and log rolling. Syslog or DB logging for a secondary server with replicated log data for audit purposes.
  • DMZ feature to separate Internal and external server interfaces.
  • WebInterface supports image thumbnail generation for live image previews
  • Live realtime dashboard UI for monitoring server health, active users, and their activity.
  • Radius authentication integration.
  • DDOS protection
  • User and group inheritance on a per setting level.
  • Web server supports Server Side Includes, and virtual domains.
  • API for configuring users and VFS items over HTTPs
  • Supports many back end protocols for file storage, including FTPES, SMB, SFTP, HTTPs, WebDAV, Google Drive, Azure, Hadoop and S3
  • Drill down into folders on the WebInterface, delete, or rename.
  • Max login time, idle time.
  • LDAP / Active Directory authentication integration.
  • Max download amount per session, day, or month.
  • Ability to launch custom shell scripts passing in arguments.
  • Custom events including running a plugin or sending an email.
  • SQL integration to store users and permissions in SQL database tables.
  • CrushBalance load balancer included for a software based load balancer that can be put in front of the main CrushFTP server.
  • Bandwidth limiters.
  • Supports FTPs MODE Z for compressed transfers.
  • Scriptable command line CrushClient with support for FTPES/SFTP/HTTPs
  • Can do Virtual File System (VFS) linking to merge several file systems.
  • Quotas and ratios.
  • Job scheduler, visual flow designer, manage and move files across protocols. Pass a list of found files from one step to the next, filtering items out, multithreading multiple steps simultaneously, and monitoring in realtime the progress of the job visually and with realtime logging.
  • Custom usage reports that can be run on demand, or scheduled.
  • Custom web upload forms for collecting additional information with file uploads which can be passed to jobs and events.
  • Supports various encodings including UTF-8.


4. Plugins

  • CrushTask has a long list of tasks it can perform. AS2, Copy, Delete, Email, Execute, Find, Jump, HTTP, MakeDirectory, Move, PGP, PopImap, Preview, Rename, SQL, Unzip, Wait, WriteFile, Zip and an unknown Custom task.
  • CrushLDAPGroup authenticates against LDAP servers, including Active Directory.
  • MagicDirectory allows creating users by just making a folder. Non administrator type personnel can create users easily.

5. Authentication options

  • SQL tables
  • HTTP Form Based Authentication
  • MagicDirectory folder name based user authentication
  • Web Application POST and retrieval of XML configurations
  • Active Directory / LDAP
  • HTTP Basic Authentication
  • Built-in user database consisting of XML files describing the user and Virtual File System access.
  • SAML

6. Security

Encryption is supported for files "at rest" using PGP. Passwords are protected with a non-reversible hash: MD5, SHA, SHA512, SHA3, or MD4. SFTP uses SSH for encryption, and FTPS uses SSL/TLS for encryption. SHA-2 hashing algorithms are supported. Hashes can be salted with random salt values.

As of April 2018, there have been five published vulnerabilities in CrushFTP.