Stop using FTP, SFTP all the way

Yet again I had a chat with a friend about their web site, and I opt the suggestion to consider using SFTP and to uninstall their FTP daemon. They are on a dedicated solution, and have full server control. Why not increase security?

Okay, let me explain a little and hopefully I convince you to look into your hosting and consider these steps.

Sure, there's nothing wrong with using just FTP, but realize please that just having a password for your ftp account doesn't mean it's that safe. For example, it's perhaps easy to brute force the ftp if there are no anti brute force services running on the box. Also, since content is transmitted in plain text a malicious user could sniff out traffic (especially when over wi-fi).

The 's' in SFTP stands for secure, basically it means that through an encryption protocol the connection between the client and server is made secure. You take away the traffic sniffing element; all the man in the middle gets is garbled text.

Uninstalling the FTP daemon also means that it's one less process running on the server, and a program less that might potentially get exploited.

If you can SSH to your server you can SFTP into the server as well. And that's my recommendation.

Additionally I strongly recommend to change the default port for ftp from 21 to something else if you do decide to keep using ftp. And of course, to change your SSH port to something else (default is 22).

Of course, make sure your FTP client supports SFTP (such as Transmit from panic.com, the Mac client that I use).

Note: Users on a Shared hosting solution might not always be able to do this. Hence why I recommend to consider hosting your site on a VPS or better.


 
Next Article