FTP (File Transfer Protocol) is a legacy protocol that should only be used for absolutely no other than publicly share non sensitive files over the Internet. For example, public repositories of open source files for download. But even for this purpose a web-server like Apache or NGINX can do better (using Directory Listing over HTTPS with Basic-Authentication [Link]).

Because the FTP protocol does not offer any encryption all the information is transferred in plain text, including the credentials (user and password) of the users. That is why FTPS and SFTP were created.

  • FTP
    • Totaly unencrypted communication.
  • FTPS
    • It uses SSL/TLS (like HTTPS does) to wrap the FTP protocol with an encrypted layer.
  • SFTP
    • It is NOT FTP, it is actually SSH that after authenticate behaves (same commands) as if it was an FTP server.

FTP

It can allow anonymous connections (using username anonymous and anything as password). and that is the only recommended way to use this protocol directly exposed to the internet.

To safely use FTP over the internet is needed a VPN to establish the encrypted tunnel that will allow the FTP communication to go through.


FTPS

Is used additional “modules” of the FTP server to establish a Secure Socket Layer (using SSL certificate) than switch the plain text communication over SSL encryption.

See the following posts that demonstrate how to tweak the vsFTPd [Link] and ProFTPd [Link] configuration to achieve the FTPS.


SFTP

As mentioned, this is not FTP but SSH that behaves as if it was an FTP after the session is stated.

  • PROS
    • Alternatively to password, it can use or enforce (recommended) the usage of SSH-Keys for authentication.
  • CONS
    • If misconfigured, It has the potential of exposing the server with a very powerful shell. Do a risk assessment prior to implement this solution.

Since it requires SSH, make sure OpenSSH-server is installed then edit its configuration.

sudo apt update && sudo apt install openssh-server -y
sudo nano /etc/ssh/sshd_config

Append the following lines to the end of the file:

Match Group sftp
  ForceCommand internal-sftp
  ChrootDirectory /sftp-root
  PasswordAuthentication yes    # Not recommended for production. Change to no after testing.
  X11Forwarding no
  AllowTcpForwarding no

Note: the appended configuration will check if the user trying to log in is a member of the group sftp, then it overrides the configuration the parameters. It enforces the internal-sftp “mode” for the session, change the root of the file system to a safe path (/sftp-root), and disable unnecessary features. Alternatively it can be used /home but I would recommend to keep the sftp users away from the home directory of the system users.

It is not the scope of this post to harden the SSH server so keep in mind that many other tweaks might be necessary to protect your server, such as:

  • Dot not allow empty passwords (preferably no passwords at all) nor root login,
  • Require SSH-Keys and a secondary factor such as OTP mobile app [Link] or USB/NFC Hardware Key [Link],
  • Only allow certain users or groups or use restrictive rules to allow connections that Match an specific pattern,
  • Ans always use Fail2Ban in combination with most of your publicly facing services [Link].

Create sftp group and the safe path for its users.

sudo addgroup sftp
sudo mkdir /sftp-root

Create the users as follows for each user:

sudo useradd -m userName -g sftp
sudo mkdir /sftp-root/userName
sudo chmod 700 /sftp-root/userName

Note: each user will have its own home directory automatically created /home but when they log int they will only see what is in /sftp-root and only will be allowed to access (read/write) its own directory in it.

sftp userName@127.0.0.1

Add the Public keys for created user into the file /home/userName/.ssh/authorized_keys.

See the post Setting Up SSH Keys [Link] to find out how create the key pair.

If everything was done correctly, it will not prompt for password anymore but will automatically authenticate with the SSH key. Time to change the PasswordAuthentication to no.