Is FTP secure and how can I secure FTP (SFTP)
A general connection to your FTP server, (file transfer protocol) is not secure. When you connect without using SSH, both your userid and password are sent to the server “in the clear” or in other words, without any encryption. Would you post your username and password on a public website for all to see?
Furthermore, the files you are sending are unencrypted too, so if they contain passwords, sensitive customer data, etc, you are putting that on the public site as well. Anyone using Cain & Able type software could sniff your information relatively easily.
How to use Secure FTP or SFTP?
Secure FTP is more secure than FTP as it uses SSH. To use this you need to [level-basic]enable it in Plesk for each account (or for a quick global change of all your sites – assuming you trust all the sites on your server, you can execute the group command to change all at once). In the setup page select /bin/bash(chrooted) under “Shell access to server with FTP user’s credentials”.
This user will now be able to login over SFTP. Dont’ forget that if you have changed the SSH port (another article coming soon), you will need to specify the custom port in your FTP client when you connect. If you are sure you don’t want users to login over standard FTP you should block this via the firewall.
Deny incoming from all on ports 21
(You can do this quickly in Plesk by Clicking Modules on left side, then Firewall and disable Ftp server. This will disable the firewall on port 21).
To really button up your FTP access to your server, if you have a static IP (one that does not change), you can tell the server to only allow FTP access by your IP only. For example, if your static IP is 123.456.789.10 Under the FTP Server rule add:
Allow incoming from 220.127.116.11
Deny incoming from all others