I recently got a great deal on a second-hand Brother ADS-2400N document scanner. My goal is to digitize my paperwork and store it in Paperless-ngx, which I host on a mini-server at home using Proxmox.
But how do the scans get from the device to Paperless?
⚠️ WARNING: To make this work, you'll need to enable some outdated and insecure protocols on your server. Be aware of the implications for your setup and take countermeasures, such as the firewall rule described below!
ℹ️ INFO: This guide was developed and validated by a human. AI was only used as an assistant for translation, spelling, sentence structure, and grammar.
Since the scanner is more than 10 years old, this isn't a trivial task. Although it supports SFTP (encrypted file transfer over SSH), it uses such old parameters that a connection to modern servers fails out of the box.
The Idea: The scanner copies the scan to a dedicated server (in my case, a Debian LXC on Proxmox). A script runs there, sending new files to Paperless-ngx for import via its API. You could probably do this without an additional server, but I prefer this setup as it clearly separates responsibilities and isolates the insecure part from the rest of the system.
But let's take it one step at a time.
First Step: Scanner Setup
First, start the scanner, connect it to your network, find its IP address, and open the web interface.
The default login password is usually initpass.

Second Step: Connecting the Scanner and Server
Now for the tricky part. We want the scanner to securely log in to the server via SFTP. The best way to do this is with an SSH key pair.
- The scanner is the client that wants to connect to the server.
- The server is the host that allows the connection.
For the server to trust the scanner, we need to add the scanner's public key to the server.
1. Create a Key Pair on the Scanner
In the scanner's web interface, set up an SFTP profile. There's an option to create a new Client Key Pair. Choose RSA with 2048 bits.
The scanner will now generate a private and a public key. Download the public key: publickey.pub. It will look something like this: ssh-rsa AAAA....

2. Add the Public Key to the Server
Now, connect to your server. You need to add the scanner's public key that you just created to the ~/.ssh/authorized_keys file. This file lists all keys that the server trusts. I'm doing this for the root user, as the scanner will log in as root later.
# Create the directory if it doesn't exist
mkdir -p /root/.ssh
# Add the scanner's public key to the file (replace ... with your key)
echo "ssh-rsa AAAA..." >> /root/.ssh/authorized_keys
# IMPORTANT: Set the correct permissions, or SSH will ignore the file
chmod 700 /root/.ssh
chmod 600 /root/.ssh/authorized_keys
This tells the server that the scanner is allowed to log in as root without a password.
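A bare `ssh-rsa AAAA...` line lets this key log in as root from any address, on any sshd instance that reads the file, with every SSH feature enabled. The helper below is an added example, not part of the original post: it validates the exported key and installs it with the standard `from=` and `restrict` authorized_keys options, replacing any unrestricted line for the same key. The function names and the `brother-scanner` comment field are hypothetical, and it assumes the scanner only ever requests the SFTP subsystem.

```shell
#!/bin/sh
# Added example (not from the original post). The key blob in the demo is a
# constructed placeholder, not a real key.

# scoped_key_line PUBKEY_FILE SCANNER_IP: print one restricted authorized_keys line
scoped_key_line() {
    # Strip CRs (a browser download may be CRLF), skip comments and blank lines
    line=$(tr -d '\r' < "$1" | grep -Ev '^[[:space:]]*(#|$)' | head -n 1)
    ktype=${line%% *}
    rest=${line#* }
    blob=${rest%% *}
    if [ "$ktype" != ssh-rsa ]; then
        echo "expected an ssh-rsa key, got '$ktype'" >&2; return 1
    fi
    case $blob in
        ''|*[!A-Za-z0-9+/=]*) echo "key data is not base64" >&2; return 1 ;;
    esac
    if ! printf '%s\n' "$2" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
        echo "not an IPv4 address: '$2'" >&2; return 1
    fi
    # from=    the key is only honoured when the client connects from this address
    # restrict no PTY, no port/agent/X11 forwarding, no ~/.ssh/rc
    printf 'from="%s",restrict %s %s brother-scanner\n' "$2" "$ktype" "$blob"
}

# install_scoped_key PUBKEY_FILE SCANNER_IP [AUTHORIZED_KEYS_FILE]
install_scoped_key() {
    auth=${3:-/root/.ssh/authorized_keys}
    entry=$(scoped_key_line "$1" "$2") || return 1
    keydata=$(printf '%s\n' "$entry" | cut -d' ' -f3)
    mkdir -p "$(dirname "$auth")" && chmod 700 "$(dirname "$auth")" || return 1
    touch "$auth" || return 1
    tmp=$(mktemp "$auth.XXXXXX") || return 1
    # Drop any earlier line for the same key (e.g. an unrestricted one), then append
    grep -vF -- "$keydata" "$auth" > "$tmp" || true
    printf '%s\n' "$entry" >> "$tmp"
    chmod 600 "$tmp" && mv "$tmp" "$auth"
}

# Demo: writes only inside a temporary directory
demo=$(mktemp -d)
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7 scanner\r\n' > "$demo/publickey.pub"
install_scoped_key "$demo/publickey.pub" 10.10.0.192 "$demo/.ssh/authorized_keys"
cat "$demo/.ssh/authorized_keys"
```

Called as `install_scoped_key publickey.pub 10.10.0.192`, it writes to /root/.ssh/authorized_keys.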
3. Insecure SSH Server
A modern SSH server will reject the scanner's connection attempt with an error because the encryption algorithms used are outdated.
To avoid making our main SSH server insecure, we'll start a second, separate SSH server on a different port (e.g., 2222), configured specifically for the scanner.
1. Create the Configuration File
Create a new configuration file, for example at /etc/ssh/sshd_config_scanner.
# /etc/ssh/sshd_config_scanner
# Custom port to avoid conflicts
Port 2222
Protocol 2
# Use a separate host key, just for this instance
HostKey /etc/ssh/ssh_host_rsa_key_scanner
# Only allow root login, and only from the scanner's IP
# Replace 10.10.0.192 with your scanner's IP
PermitRootLogin yes
AllowUsers root@10.10.0.192
# Force old algorithms that the scanner (OpenSSH 6.0) understands
KexAlgorithms diffie-hellman-group14-sha1
Ciphers aes128-cbc,aes256-cbc,3des-cbc
MACs hmac-sha1
HostKeyAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa
# Standard SFTP settings
PubkeyAuthentication yes
AuthorizedKeysFile /root/.ssh/authorized_keys
Subsystem sftp /usr/lib/openssh/sftp-server -l DEBUG3
2. Generate the Corresponding Host Key
In the configuration, we referenced a custom host key. We still need to create it, also in the old RSA format.
ssh-keygen -t rsa -b 2048 -f /etc/ssh/ssh_host_rsa_key_scanner -N ""
3. Automate the Service with Systemd
To ensure our second SSH server is always running, we'll create a systemd service. Create the file /etc/systemd/system/sshd_scanner.service.
# /etc/systemd/system/sshd_scanner.service
[Unit]
Description=Insecure Legacy SSHD for Brother Scanner
After=network.target
[Service]
ExecStart=/usr/sbin/sshd -D -f /etc/ssh/sshd_config_scanner
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
RestartSec=5s
[Install]
WantedBy=multi-user.target
Now, we just need to tell systemd to load, enable, and start the new service:
# Reload systemd to read the new configuration
systemctl daemon-reload
# Enable the service (starts automatically on boot) and start it now
systemctl enable --now sshd_scanner.service
# Check the status
systemctl status sshd_scanner.service
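Because this daemon deliberately offers SHA-1 and CBC algorithms, what protects the host is the containment around them, so the file is worth linting whenever it changes. The script below is an added example, not part of the original post (function names are hypothetical): it checks the port, that every AllowUsers entry is pinned to a single host, and that password logins are switched off.

```shell
#!/bin/sh
# Added example, not from the original post: lint the scanner-only sshd config.

# cfg_values FILE KEYWORD: print every value set for KEYWORD
# (sshd keywords are case-insensitive; comment lines are skipped)
cfg_values() {
    awk -v k="$2" '!/^[ \t]*#/ && tolower($1) == tolower(k) {
        $1 = ""; sub(/^[ \t]+/, ""); print }' "$1"
}

finding() { echo "FINDING: $*"; findings=$((findings + 1)); }

# check_legacy_sshd FILE: print findings; exit status 0 only if there are none.
# The body is a subshell so that "set -f" (no globbing) does not leak out.
check_legacy_sshd() (
    set -f
    findings=0
    port=$(cfg_values "$1" Port | head -n 1)
    if [ -z "$port" ] || [ "$port" = 22 ]; then
        finding "Port is unset or 22: legacy algorithms served on the main SSH port"
    fi
    users=$(cfg_values "$1" AllowUsers)
    [ -n "$users" ] || finding "no AllowUsers: any account may log in"
    for u in $users; do
        case $u in
            *@*[*?]*) finding "AllowUsers $u: wildcard host" ;;
            *@?*)     ;;  # pinned to one host, like root@10.10.0.192
            *)        finding "AllowUsers $u: not pinned to the scanner's address" ;;
        esac
    done
    case $(cfg_values "$1" PasswordAuthentication | head -n 1) in
        [Nn][Oo]) ;;
        *) finding "PasswordAuthentication is not 'no' (sshd defaults to yes)" ;;
    esac
    [ "$findings" -eq 0 ]
)

# Demo input: directives copied from the configuration above
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
Port 2222
PermitRootLogin yes
AllowUsers root@10.10.0.192
KexAlgorithms diffie-hellman-group14-sha1
EOF
check_legacy_sshd "$demo_cfg" || echo "resolve the findings above"
rm -f "$demo_cfg"
```

Run against the configuration shown above, it reports one finding: the file never sets PasswordAuthentication, and with PermitRootLogin yes the daemon would also accept root's password from the scanner's address.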
4. Optional: Further Restrict Access with a Firewall
Our insecure SSH server is running. To ensure that only the scanner can access it, we could add some firewall rules.
I'm using ufw (Uncomplicated Firewall) here because it's easy to use.
# Install UFW if you haven't already
apt-get update && apt-get install ufw -y
# Allow normal SSH access for yourself (important to avoid locking yourself out!)
ufw allow ssh
# Allow the scanner to access the new port 2222
# Replace 10.10.0.192 with your scanner's IP!
ufw allow from 10.10.0.192 to any port 2222 proto tcp comment 'Brother Scanner SFTP'
# Enable the firewall and check the status
ufw enable
ufw status verbose
The firewall rule ensures that the weak SSH configuration is not exposed to the rest of the network.
5. Putting It All Together
Back in the scanner's web interface, enter the connection details in the SFTP profile:
- Server Address: Your server's IP
- Username: root
- Authentication Method: Public Key
- Target Folder: e.g., scans (create this directory on the server!)
- Port: 2222
- Other settings depending on what you want to do.

Now, save, test the connection, and if everything worked, you should see a success message.
What's Next?
The scanner can now save scans to your server. The next step is to write a small script that monitors this directory with inotifywait and automatically sends each new file to the Paperless-ngx API. There will be a second post about that.
Happy Scanning!