FTP

File Transfer Protocol or FTP as it is commonly known has been around since the beginning of the internet.

Recommendation

Personally I use FTPS Explicit SSL and recommend this, however it is important that you check your server's certificate, including its chain back to the CA as well as making sure PROT P is used.

My tool of choice for FTP is FileZilla - The free FTP solution, sure it has its faults but it works well for me. It is good at many things but importantly it displays a "secure padlock" in the bottom right if you have a secure connection.
One key point to note is that as of October 2014 it stores passwords in plain text in sitemanager.xml on the user profile directory. There has been much discussion of this and it will hopefully change, so worth knowing about and either checking or using a different tool.

FTP

Plain FTP uses port 21, the default port, for its command channel. When FTP was first introduced security was much less of a concern, so by default FTP is not secure: the username, password and all the data are transmitted without encryption. Also worth knowing: FTP uses separate command and data channels; the command channel is port 21 and a different port number is used for the data. In addition FTP works in two modes, Active and Passive.

Back in September 1998 the FTP standard was updated to support IPv6, however you will need an operating system and client/server that supports IPv6 to use this.

Active Mode

In this mode the FTP server should use port 20 for data at its end. The catch is that it is the FTP server connecting from its port 20 to the port specified by the client, so from the client's point of view this is an inbound connection, which is why firewalls often block it. You can see which port the server will attempt to connect to on the client by looking for the PORT command sent by the client. It lists 6 numbers: the first 4 are the IPv4 address and the last two the port number the server should connect to, for example PORT 10,0,0,0,206,176. Those last two numbers are decimal, where the first is the "upper" byte and the second is the "lower", so (206*256)+176=52912 and hence the connection was made from port 20 on the server to port 52912 on the client.

The sequence for Active Mode is this:

  • Client uses a free port to connect to port 21 on the server for the command channel
  • Client sends port number it is listening on for the data channel
  • Server connects from its port 20 to port specified by client
  • File transfer commences on data channel

Passive Mode

The key difference with passive mode is that the client initiates both connections, command and data, unlike with Active mode. This is why Passive mode is much better at traversing firewalls: nothing connects inbound to the client. The server specifies which port it is listening on after the client has sent the PASV command and, like the PORT command in Active mode, the reply has 6 numbers in the same format.

The sequence for Passive Mode is this:

  • Client uses a free port to connect to port 21 on the server for the command channel
  • Client sends PASV command to the server
  • Server sends port number it is listening on for data channel to client
  • Client connects from a free port to port specified by server
  • File transfer commences on data channel
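To make the 6-number format concrete, here is a small parser and encoder for the PORT command (Active mode) and the 227 PASV reply (Passive mode). This is an added example, not code from the original page; the sample values are constructed, and the `same_peer` check is a plausibility test that a careful client or server would add (the advertised address should be the host it is already talking to), not something the page itself describes.

```python
import re

# Six decimal numbers: h1,h2,h3,h4,p1,p2 where p1 is the high byte of the port
_SIX_NUMBERS = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def decode_hostport(text):
    """Find the h1,h2,h3,h4,p1,p2 group in `text` and return ('h1.h2.h3.h4', port).

    port = p1*256 + p2, exactly as the worked example (206*256)+176 = 52912.
    """
    m = _SIX_NUMBERS.search(text)
    if not m:
        raise ValueError(f"no h1,h2,h3,h4,p1,p2 group in {text!r}")
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):          # each field is one byte
        raise ValueError(f"byte out of range in {text!r}")
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise ValueError("port 0 is not a usable data port")
    return host, port


def encode_hostport(host, port):
    """Inverse: build the 6-number argument a client sends in its PORT command."""
    octets = host.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not a dotted IPv4 address: {host!r}")
    if not 0 < port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return ",".join(octets + [str(port // 256), str(port % 256)])


def parse_port_command(line):
    """Active mode, client side: 'PORT 10,0,0,0,206,176' -> ('10.0.0.0', 52912)."""
    verb, _, args = line.strip().partition(" ")
    if verb.upper() != "PORT":
        raise ValueError(f"not a PORT command: {line!r}")
    return decode_hostport(args)


def parse_pasv_reply(line):
    """Passive mode, server side: '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)'."""
    if not line.startswith("227"):
        raise ValueError(f"not a 227 reply: {line!r}")
    return decode_hostport(line)


def same_peer(advertised_host, control_peer_ip):
    """Plausibility check (assumed, not from the page): the address advertised in
    PORT or in the 227 reply should be the peer of the existing control connection."""
    return advertised_host == control_peer_ip


if __name__ == "__main__":
    # Constructed sample values for a quick run
    print(parse_port_command("PORT 10,0,0,0,206,176"))
    print(parse_pasv_reply("227 Entering Passive Mode (192,0,2,10,19,137)"))
    print(encode_hostport("10.0.0.0", 52912))
```

Running it shows the PORT example from the text decoding to port 52912, and a constructed 227 reply decoding to 19*256+137 = 5001; the encoder round-trips the same values.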

FTPS Explicit SSL

This works over the standard port 21. Immediately after connecting to the server the client sends AUTH TLS, the certificate handshake is done, and the username and password are then sent over the now-encrypted command channel. The advantage of this approach is that the server uses FTPS if the client requests it but can fall back to plain FTP if the client only supports that, so one server can listen on port 21 and support both. It is for this reason that "Implicit SSL" has been deprecated. Note that your data channel may still be in the clear: you need to look for the command PROT P being sent by the client to request a "private" and hence encrypted data channel. Without it the data channel might be clear, and it will definitely be clear if PROT C is used.
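Because the two things to look for (AUTH TLS before credentials, PROT P before any transfer) are easy to miss by eye, here is an added example that audits a control-channel transcript for them. This is not code from the original page; the transcripts are constructed, and the "C:"/"S:" line prefixes are an assumed convention for a log of client and server lines. It treats 234 as acceptance of AUTH TLS and 200 as acceptance of PROT, and starts from PROT C, which is the default protection level.

```python
from dataclasses import dataclass, field

# Commands that open a data connection and therefore depend on PROT
DATA_COMMANDS = {"RETR", "STOR", "APPE", "STOU", "LIST", "NLST", "MLSD"}


@dataclass
class AuditResult:
    tls_before_credentials: bool = True
    prot_p_before_data: bool = True
    findings: list = field(default_factory=list)


def audit_ftps_transcript(lines):
    """Walk a transcript of 'C: <command>' and 'S: <reply>' lines and report
    whether USER/PASS went over TLS and whether PROT P preceded every transfer."""
    result = AuditResult()
    tls_active = False
    prot = "C"            # default protection level until PROT is accepted
    pending = None        # last client command, waiting for the server's reply
    for raw in lines:
        raw = raw.strip()
        if len(raw) < 3 or raw[1:3] != ": ":
            continue      # ignore anything that is not a labelled line
        side, text = raw[0].upper(), raw[3:]
        if side == "C":
            parts = text.split(None, 1)
            cmd = parts[0].upper()
            arg = parts[1].strip().upper() if len(parts) > 1 else ""
            pending = (cmd, arg)
            if cmd in ("USER", "PASS") and not tls_active:
                result.tls_before_credentials = False
                result.findings.append(f"{cmd} sent on a clear command channel")
            elif cmd in DATA_COMMANDS and prot != "P":
                result.prot_p_before_data = False
                result.findings.append(f"{cmd} issued with PROT {prot}: data channel is clear")
        elif side == "S" and pending is not None:
            code = text[:3]
            cmd, arg = pending
            if cmd == "AUTH" and arg in ("TLS", "SSL") and code == "234":
                tls_active = True
            elif cmd == "PROT" and code == "200":
                prot = arg or "C"
            elif cmd == "CCC" and code == "200":
                tls_active = False   # client dropped back to a clear command channel
            pending = None
    return result


# Constructed transcript: AUTH TLS, then PROT P, then a transfer (good)
GOOD_SESSION = [
    "S: 220 FTP server ready",
    "C: AUTH TLS", "S: 234 Proceed with negotiation",
    "C: USER alice", "S: 331 Password required",
    "C: PASS ********", "S: 230 Logged in",
    "C: PBSZ 0", "S: 200 PBSZ=0",
    "C: PROT P", "S: 200 Protection set to Private",
    "C: PASV", "S: 227 Entering Passive Mode (192,0,2,10,19,137)",
    "C: RETR report.txt", "S: 150 Opening data connection", "S: 226 Transfer complete",
]

# Constructed transcript: command channel is encrypted but PROT P was never sent
CLEAR_DATA_SESSION = [
    "S: 220 FTP server ready",
    "C: AUTH TLS", "S: 234 Proceed with negotiation",
    "C: USER alice", "S: 331 Password required",
    "C: PASS ********", "S: 230 Logged in",
    "C: PASV", "S: 227 Entering Passive Mode (192,0,2,10,19,137)",
    "C: RETR report.txt", "S: 150 Opening data connection", "S: 226 Transfer complete",
]

if __name__ == "__main__":
    for name, session in (("good", GOOD_SESSION), ("clear data", CLEAR_DATA_SESSION)):
        print(name, audit_ftps_transcript(session))
```

The second transcript is the case the text warns about: the padlock on the command channel is genuine, yet the file itself crosses the network unencrypted because PROT P was never requested.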

FTPS Implicit SSL

The implicit version of FTPS uses different port numbers, as non-secure communication is not permitted. Port 990 is used for the command channel and port 989 for the data channel.

SFTP

SFTP should not be confused with "Simple FTP" or with FTPS but this often happens. SFTP is based on Secure Shell or SSH. SFTP uses a combined command and data channel and the server listens on port 22. Just like using SSH you will need to make sure the server's key is the one you expect. It is worth noting that the security is established before credentials are sent, that is SSH is connected first and then the file transfers are done over the SSH session. SFTP is secure with keys, rather than certificates.

It should also be noted that SFTP is a protocol of its own and is different to "FTP over SSH", which is also possible although awkward because FTP uses multiple connections. It is worth adding that SFTP is more platform independent than SCP (Secure Copy) and is much more powerful and flexible. SFTP is packet or binary based, so it uses binary codes when sending files, not text based commands like FTP does. This is how it can use only a single port and thus is more firewall friendly than even Passive FTP. There is also no insecure version: everything is always encrypted. It can even do things that FTP(S) cannot, for example it provides richer file metadata.

You can configure SFTP to authenticate with just the SSH keys and not require a username/password, which is handy for scripting. On the client machine run a command like ssh-keygen -t rsa, which will create files called "id_rsa" and "id_rsa.pub" in the ".ssh" directory of the user's home directory. Copy the .pub file to the FTP server and configure it there; how this is done varies by product.

FTP Servers

I have worked with FTP servers on several platforms, and thought it worth documenting a couple of things I have learnt.

Windows

The "standard" FTP server for Windows is Internet Information Server (IIS), which most people associate with HTML/Web Browser functionality, however it does also support FTP. The Windows Role does need specifically configuring: first you need to add the "Web Server (IIS)" Role and then add the "FTP Server" Role Service. Once this is done you can add an FTP Site and configure it. It is very easy to get IIS to support plain FTP, but this is, of course, not secure; fortunately FTPS Explicit is not too hard. I could not get FTPS Implicit working but this is technically deprecated. It is also worth noting that IIS does not support SFTP, which is hardly surprising given this is based on SSH. The FileZilla Project has an FTP Server, as well as the more common client, but note that this does not support SFTP either.

There are a number of commercial products that support SFTP on Windows, including GoAnywhere MFT Server, which I have built a proof of concept with and it is an excellent product working easily with FTP, SFTP and FTPS. Do note however that the free version of GoAnywhere MFT only supports unencrypted FTP. Another option for SFTP is to implement OpenSSH, however that is not an easy task as far as I can tell. The only free product I have found is freeSSHd and freeFTPd - open source SSH and SFTP servers for Windows, however it is a little quirky and did not prove reliable, so was actually abandoned. After installing freeFTPd, I would suggest you stop the Windows Service, do all your config and testing with the GUI and then, when you are happy, terminate the GUI process and start the service.

Linux

The standard Linux FTP server is vsftpd - Secure, fast FTP server for UNIX-like systems, which ships with most Linux distributions. Note that GoAnywhere MFT also supports Linux.

AIX

The best option on AIX is the standard AIX FTP server from IBM. If you wish to use VSFTP then I would recommend compiling it yourself, so that you understand exactly which version of OpenSSL you have. Alternatively GoAnywhere MFT works on AIX and so does SFTPPlus by Pro:Atria.

FTP Clients

Cross Platform

A good cross-platform command line option is curl. If you prefer a GUI then FileZilla - The free FTP solution works on Windows, Linux and Mac OS X.

References

If you wish to read further on this and understand where I have gathered most of this information from then please see the following: