FTP (File Transfer Protocol) is a legacy protocol that should only be used to publicly share non-sensitive files over the Internet, such as public repositories of open source files available for download. Even for this purpose, a web server like Apache or NGINX can do better (using Directory Listing over HTTPS with Basic Authentication [Link]).
Because FTP does not offer any encryption, all information is transferred in plain text, including user credentials (username and password). That is why FTPS and SFTP were created.
- FTP
- Completely unencrypted communication.
- FTPS
- Uses SSL/TLS (like HTTPS) to wrap the FTP protocol with an encrypted layer.
- SFTP
- This is NOT FTP. It is actually SSH that, after authentication, behaves (same commands) like an FTP server.
FTP
FTP can allow anonymous connections (using the username anonymous and anything as the password). This is the only recommended way to use this protocol when directly exposed to the internet.
To safely use FTP over the internet, a VPN is required to establish an encrypted tunnel through which the FTP communication can pass.
FTPS
FTPS uses additional modules of the FTP server to establish a Secure Socket Layer (using an SSL certificate), switching the plain text communication over SSL encryption.
See the following posts for how to configure vsFTPd [Link] and ProFTPd [Link] to achieve FTPS.
SFTP
As mentioned, this is not FTP but SSH that behaves like FTP after the session is established.
- PROS
- In addition to password authentication, it can use or enforce (recommended) SSH keys.
- CONS
- If misconfigured, it has the potential of exposing the server with a very powerful shell. Do a risk assessment before implementing this solution.
Since SFTP requires SSH, make sure OpenSSH Server is installed, then edit its configuration.
sudo apt update && sudo apt install openssh-server -y sudo nano /etc/ssh/sshd_config
Append the following lines to the end of the file:
Match Group sftp
ForceCommand internal-sftp
ChrootDirectory /sftp-root
PasswordAuthentication yes # Not recommended for production. Change to no after testing.
X11Forwarding no
AllowTcpForwarding no
Note: This configuration block checks whether the user logging in is a member of the sftp group, then overrides the default parameters for that session. It enforces internal-sftp mode, changes the file system root to a safe path (/sftp-root), and disables unnecessary features. The /home directory could be used instead, but it is recommended to keep SFTP users away from the system users’ home directories.
Hardening the SSH server is outside the scope of this post, but keep in mind that many other tweaks may be necessary to protect your server, such as:
- Do not allow empty passwords (preferably no passwords at all) or root login,
- Require SSH keys and a secondary factor such as an OTP mobile app [Link] or a USB/NFC Hardware Key [Link],
- Only allow specific users or groups, or use restrictive rules to allow connections matching a specific pattern,
- Always use Fail2Ban in combination with most of your publicly facing services [Link].
Create the sftp group and the safe path for its users.
sudo addgroup sftp sudo mkdir /sftp-root
Create users as follows, repeating for each user:
sudo useradd -m userName -g sftp sudo mkdir /sftp-root/userName sudo chmod 700 /sftp-root/userName
Note: Each user will have their own home directory automatically created under /home, but when they log in they will only see the contents of /sftp-root and will only be able to access (read/write) their own directory within it.
sftp userName@127.0.0.1
Add the public key for each created user to the file /home/userName/.ssh/authorized_keys.
See the post Setting Up SSH Keys [Link] to learn how to create a key pair.
If everything was set up correctly, the user will no longer be prompted for a password and will authenticate automatically using the SSH key. At that point, change PasswordAuthentication to no.