Using Secure FTP

Posted 30 July 2008 08:40am by Patrick Oak with 1 comment

If you run a website, you're almost certainly familiar with FTP, the file transfer protocol that enables you to upload files to the server that hosts your website.

FTP isn't perfect; one of its biggest flaws is that usernames and passwords are sent in clear text.

That means that every time you use your website's FTP server, there is the possibility that a hacker could intercept your username and password and gain access to your website.

Secure FTP (SFTP) is a file transfer protocol based on the Secure Shell protocol, and as its name suggests, it is designed to provide a more secure means to transfer files between computers.

Because of this, I personally advise all my clients to ditch FTP and set up SFTP.

Setting Up the Server

To use SFTP, it needs to be set up on your server. A competent system administrator should be able to do this with ease.

There are a number of ways to implement SFTP. OpenSSH is probably the most popular, but there are others, including paid options such as CrushFTP.

SFTP Clients

To use SFTP, you need to use client software that supports it. Fortunately, many of the most popular FTP clients also support SFTP. Here are a few:

• CuteFTP
• SecureFX
• WinSCP (Free)
• WS_FTP Professional

• Consider setting up your SFTP server to use a port other than 22. Port 22 is the standard port for SFTP so by using a different one, you can help prevent lazy hackers from determining that you're running an SFTP server simply by scanning for an open port 22. Note that this is a good technique to implement with standard FTP as well (which uses port 21 as a default).
  
  
• Be sure to set up your SFTP server so that it supports strong encryption. AES is my cipher of choice.
  
  
• Consider using more secure authentication. Since passwords alone can be guessed, if you need a higher level of security, note that SFTP supports public key authentication and Kerberos, amongst other authentication methods.