WordPress

Enforcing Secure FTP Sessions

fb-cover-ftpes

If you’ve recently joined HostNexus you have probably tried to connect with an FTP client like FileZilla and found you’ve been unable to connect with an error like 550 SSL/TLS required on the control channel. This is due to you trying to connect to FTP with the antiquated and woefully insecure Plain method. At HostNexus we enforce secure FTP sessions. When you connect to FTP in Plain Text protocol you are sending your password to the server in clear text. Why is this bad? Glad you asked.

Gumblar and its descendants

Malware exploits via FTP hit the mainstream in 2009. The most famous of these was a virus called Gumblar. I wrote a post about it way back in 2010. These viruses infect a target computer and then listen in on any FTP connections and obtain the full connection string – including the un-encrypted password. The virus will then open its own FTP connection and upload the malware.

In those first few years the battle against Malware was grueling and time consuming. We ultimately fixed it by implementing a two-pronged strategy. Firstly we switched out the operating system on Linux servers to CloudLinux. This was so we could take advantage of their CageFS system which isolates a user’s file system. No longer could malware propagate through a server. Secondly, and most importantly, we started enforcing Secure FTP sessions. No more FTP based malware attacks were recorded after that. It still amazes me that most hosts don’t enforce Secure FTP. Some will provide it as an option but that is not good enough. All FTP programs support secure FTP connections so there is no excuse in not enforcing it.

 

Secure FTP with FileZilla

Securely connecting to your FTP server is very simple and all FTP software has the option. So all you need to do is find the option in your FTP program to connect via FTP over SSL. Often it is called TLS Explicit. There are often a few options for Secure FTP connections like SFTP and TLS Implicit but it is TLS Explicit that you want.

In the popular FileZilla client you can simply connect to your FTP Server using ftpes://domain.com in the Host field. Add your FTP Username and Password and Port is 21.

 

filezilla-1

 

Generally though, you will want to store your website’s connection settings in FileZilla. So in future you can just connect with a click of the mouse. To do this go to File > Site Manager and then click on New Site.

 

filezilla-new-site

 

Here are my settings for hostnexus.com:

 

Secure FTP - FileZilla

 

  • In Host you want your domain name (if domain resolves to our server). Otherwise you can input your IP.
  • Under Protocol you want FTP – File Transfer Protocol (not SFTP)
  • In Encryption select Require explicit FTP over TLS
  • Logon Type: Normal.
  • Enter username and password.

 

If, for some reason, you don’t have a TLS Explicit option you can try using the SFTP option with port 4000 and it *should* work. However, the port is firewalled so we would have to whitelist your IP. That port could be subject to change at any time so if 4000 is not working for you please contact Support to find out the SFTP port for your server. Also you will need to provide your IP address. If you use the TLS Explicit option you don’t need a port number as the connection will happen over the standard port the connection will be encrypted.

 

About the author

Laurence Flynn

Hey! I'm Laurence, hosting industry veteran and entrepreneur, obsessed with web performance. My aim is to build the cheapest and fastest Optimized WordPress Hosting platform available today. Our back-end systems include Nginx and Redis combined with PHP 7, FPM and MariaDB to deliver maximum performance. Our front-end UI is powered by the beautiful Plesk control panel to deliver a smooth user experience. All secured with Imunify360, artificial intelligence and machine learning. Connect with me on LinkedIn.

Add Comment

Click here to post a comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.