FTPS/ES vs SFTP vs FTP

[IEC]

So the webhosting I'm using right now is great except they apparently do not offer SFTP with reseller hosting packages. I'd have to step up to VPS hosting.

Am I being too paranoid in worrying that FTP sending data over the internet in plain text is a Bad Thing?? Or is this a minor quibble/something not even possible with reseller accounts?

I did some searching around online and eventually did this:

In Cpanel, generated a 1024-bit private key under SSL/TLS manager. Then generated a SSL certificate. If using Filezilla, you can then connect using FTPES (explicit SSL) and it will ask you to accept your self-generated key. Or you could connect using FTPS (implicit), but if I understand correctly it won't send the AUTH TLS request until after you login...

Since it uses AUTH TLS and then transfers with a SSL/TLS layer it *should* then be encrypted and not send things over plain text.

Networking guys or someone more knowledgeable, am I correct?

 

[IEC]

Seems WHT has more info anyways.

Edit: I was originally confused in thinking SFTP was secure FTP. It's actually done through SSH (shell access) and so really can't be used without root...

Just like https is the secure form of http, FTPS/FTPES appears to be the equivalent for FTP...

 

[IEC]

I think I figured it out, but would like someone more experienced than this newb to confirm/clarify that I am indeed using "safe" FTP by using FTPES with a self-generated key...

I have three SSL certs available for use from NameCheap, so I can implement signed certs if I want to. I just generated one to test it out.


Edit: Gar, I'm still a newb:

534 Fallback to [C]
...
LIST

connection timed out

FAIL Spartan Niner, FAIL! Looks like the server doesn't support encrypted data transfer, just commands...

 

[Shaotai]

Should have posted this in Networking... have a mod move it... I'm sure you'll get more responses there.

 

[IEC]

http://forum.filezilla-project...0adfec14c54afa171503fd

Looks like FileZilla doesn't support the "half-assed" security of FTPS command encrytion only. Guess it's off to find another FTP client, as encrypted login/commands is better than NOTHING.

 

[jjones]

I use the Auth TLS feature in FlashFXP when I want to go secure. Mostly I don't bother with it though.

 

[Crusty]

The only time you really need to use non self-signed certs is when you are running a service that is taking information from 3rd parties(ie shopping cart). If you are the only one using the secure FTP I wouldn't worry about paying for a cert from a Trusted CA.

 

[IEC]

Originally posted by: Crusty
The only time you really need to use non self-signed certs is when you are running a service that is taking information from 3rd parties(ie shopping cart). If you are the only one using the secure FTP I wouldn't worry about paying for a cert from a Trusted CA.

I've got three free certs from NameCheap 😉

 

[IEC]

Getting '500 I won't open a connection <local IP> <real IP>' or something like that.

Guess my port forwarding or firewall is interfering, or maybe my piece of crap Actiontec router doesn't handle FTP porting correctly.

 

[Pheran]

I'm not sure why you say sftp can't be used without root, it should work fine for normal users.

 

[Crusty]

Originally posted by: Pheran
I'm not sure why you say sftp can't be used without root, it should work fine for normal users.

It's not that he needs root, it's that his hosting company doesn't give him shell access.

 

[IEC]

Originally posted by: Crusty

Originally posted by: Pheran
I'm not sure why you say sftp can't be used without root, it should work fine for normal users.

It's not that he needs root, it's that his hosting company doesn't give him shell access.

^this.

Anyways, here's a log from FlashFXP (edited out sensitive info)

[L] Connecting to *domainname*.com -> DNS=ftp.*domainname*.com IP=67.222.6.107 PORT=21
[L] Connected to *domainname*.com
[L] 220---------- Welcome to Pure-FTPd [TLS] ----------
[L] 220-You are user number 8 of 50 allowed.
[L] 220-Local time is now 14:11. Server port: 21.
[L] 220-This is a private system - No anonymous login
[L] 220 You will be disconnected after 15 minutes of inactivity.
[L] AUTH TLS
[L] 234 AUTH TLS OK.
[L] Connected. Negotiating TLSv1 session..
[L] TLSv1 negotiation successful...
[L] TLSv1 encrypted session using cipher AES256-SHA (256 bits)
[L] PBSZ 0
[L] 200 PBSZ=0
[L] USER *username*@*domainname*.com
[L] 331 User *username*@*domainname*.com OK. Password required
[L] PASS (hidden)
[L] 230-User *username*@*domainname*.com has group access to: hfslokqo
[L] 230 OK. Current restricted directory is /
[L] SYST
[L] 215 UNIX Type: L8
[L] FEAT
[L] 211-Extensions supported:
[L] EPRT
[L] IDLE
[L] MDTM
[L] SIZE
[L] REST STREAM
[L] MLST type*;size*;sizd*;modify*;UNIX.mode*;UNIX.uid*;UNIX.gid*;unique*;
[L] MLSD
[L] ESTP
[L] PASV
[L] EPSV
[L] SPSV
[L] ESTA
[L] AUTH TLS
[L] PBSZ
[L] PROT
[L] 211 End.
[L] PWD
[L] 257 "/" is your current location
[L] TYPE A
[L] 200 TYPE is now ASCII
[L] PROT C
[L] 200 OK
[L] PASV
[L] 227 Entering Passive Mode (255,255,255,255,16,198)
[L] Opening data connection IP: 255.255.255.255 PORT: 4294
[L] Data Socket Error: Connection timed out
[L] List Error
[L] PASV
[L] 227 Entering Passive Mode (255,255,255,255,231,7)
[L] Opening data connection IP: 255.255.255.255 PORT: 59143
[L] Data Socket Error: Connection timed out
[L] List Error
[L] PASV mode failed, trying PORT mode.
[L] Listening on PORT: 2443, Waiting for connection.
[L] PORT 192,168,0,255,9,139
[L] 500 I won't open a connection to 192.168.0.255 (only to *real IP address*)
[L] List Error
[L] QUIT
[L] 221-Goodbye. You uploaded 0 and downloaded 0 kbytes.
[L] 221 Logout.
[L] Logged off: *domainname*.com

I had the range from 2000-9999 and 50000-59999 forwarded for kicks. I even disabled my firewall. No dice.

 

[IEC]

I tried forwarding all ports, disabling firewall, even enabling DMZ.

I'm not sure what the hell is going on here. 🙁

 

[Pheran]

Spartan, to clarify, if you FTP to your web hosting server normally (not encrypted), it works, but if you use the encryption it fails?