The Serpent

// Cursing the Internet since 1998

Screw FTPS, SFTP is way better!

The 'S' is for SSH...
Posted August 17, 2012

Despite being a million years old, FTP still comes in handy for remote file management. In fact, its sheer usefulness even manages to outweigh the obvious security risk that comes with using it: no encryption.

Passwords and data are still sent in plain text over the network. That's not usually an issue if you’re on a secure point-to-point environment, but in this day and age, when security is probably the biggest part of IT, letting it happen takes some getting used to.

Your best choice to secure FTP is to use FTPS - that’s basically FTP wrapped in some good ol’ fashioned SSL. I decided to upgrade an FTP server to use FTPS, but it didn’t go as well as expected.

The server was Linux, so I had the choice of pure-ftpd, proftpd and vsftpd. All support FTPS but differ wildly in how they implement their server features. pure-ftpd freaked me out with no global config file, and proftpd was somewhat complex in terms of user permissions/security. It was also a little overkill for such a small server.

vsftpd was my final choice, which I got working successfully with a self-signed SSL certificate. However, I started suffering all kinds of bugs at the TLS level, with FileZilla’s FTP client constantly failing to set up an SSL session. Even enabling all the logging and the ssl_debug option didn’t give me any insight into the problem. So I started looking for alternatives.

The solution was to abandon FTP entirely and rely on the SSH service already running - by using SFTP.

Commonly confused with “Simple FTP” or “Secure FTP”, it’s actually “SSH FTP”, which utilizes OpenSSH (or whatever SSL library you use, but come on… let’s be realistic!) to upload, download, rename, create and delete/move files using a client which supports it (such as FileZilla). No new services or configuration are required, as the authentication/encryption is managed by SSH.
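An added example, not part of the original post: a small Python check that reads an sshd_config and reports whether the SFTP subsystem described above is enabled, and which Match blocks confine accounts to SFTP inside a chroot (by default an OpenSSH account that can use SFTP can also open a shell). The sample config, the `sftponly` group and the function names are constructed for illustration.

```python
# Constructed sample; on a real host read /etc/ssh/sshd_config instead.
SAMPLE_CONFIG = """\
# constructed sample sshd_config
PasswordAuthentication no
Subsystem sftp internal-sftp

Match Group sftponly
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
"""


def parse_sshd_config(text):
    """Return (global_opts, match_blocks). Keywords are case-insensitive."""
    global_opts, blocks = {}, []
    current = global_opts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = {}                      # options below apply to this block
            blocks.append((value, current))
        elif key == "subsystem" and value:
            sub = value.split(None, 1)        # "<name> <command>"
            cmd = sub[1] if len(sub) > 1 else ""
            current.setdefault("subsystem " + sub[0].lower(), cmd)
        else:
            current.setdefault(key, value)    # sshd uses the first value it sees
    return global_opts, blocks


def audit_sftp(text):
    """Report SFTP availability and which Match criteria are SFTP-only."""
    opts, blocks = parse_sshd_config(text)
    sftp_cmd = opts.get("subsystem sftp")
    restricted = [
        criteria for criteria, block in blocks
        if block.get("forcecommand", "").split()[:1] == ["internal-sftp"]
        and block.get("chrootdirectory", "none").lower() != "none"
    ]
    return {"sftp_enabled": sftp_cmd is not None,
            "sftp_server": sftp_cmd,
            "sftp_only_matches": restricted}
```

Calling `audit_sftp(open("/etc/ssh/sshd_config").read())` on a server shows whether SFTP is available and whether any group of users is limited to file transfer only.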

So if you’re in the market for a secure remote file management tool - I’d highly recommend the one you probably already have ;)

Written by John Payne