Security - File Transfer Protocol Activation

FTP Today provides several methods (protocols) for connecting to our service. Service Activation allows you to configure which of these protocols are active and listening for connections over the Internet. Whatever protocols you set as active are available to any and all users.

It is highly recommended that you do not activate protocols you have no specific intention of using. Every active protocol is one more service listening on the Internet, and an unused one only invites unwanted connections from attackers.

File Transfer Protocols

  • FTP

    FTP is an industry standard protocol that connects on port 21. Port 21 is the command (control) channel. A separate data connection on a further port is opened for each file transfer or directory listing (in active mode the server connects back to the client; in passive mode the client connects to a second server port).


    FTP is an unencrypted protocol. All usernames, passwords and data files are transferred in the clear (readable by anyone on the network path).
     
  • FTPeS (Explicit FTPS)

    FTPeS is an industry standard protocol (RFC 4217) that connects on port 21. Port 21 is the command channel, and further ports are opened by the client-server connection when files or directory listings need to be transferred, exactly as with FTP. The difference is that the client upgrades the connection to TLS with the AUTH TLS command before sending its username and password, so FTPeS is essentially the encrypted equivalent of FTP.


    HINT: By enabling FTPeS and disabling FTP, you have effectively required all users to use an encrypted FTP connection.
     
  • FTPS (Implicit FTPS)

    FTPS (implicit FTPS) is the older TLS-encrypted variant of FTP. It connects on port 990, and TLS is negotiated immediately on connection, before any FTP command is exchanged. Port 990 is the command channel. Further ports are opened by the client-server connection when files or directory listings need to be transferred.


    FTPS is a deprecated protocol*. Implicit mode was never formally standardized (RFC 4217 standardized the explicit mode, FTPeS, instead). It is recommended that you use FTPeS instead of FTPS.
    *In IT, "deprecated" means that although something is still available or allowed, it is no longer recommended; where it must still be used, calling it deprecated acknowledges its known failings.
     
  • SFTP

    SFTP (SSH File Transfer Protocol) is an industry standard encrypted protocol that connects on port 22. Despite the name it is not FTP tunnelled over SSH but a separate protocol that runs as an SSH subsystem, so port 22 carries both the commands and the data. It is therefore much more "firewall-friendly" than FTPeS or FTPS, since only one port needs to be opened outbound from behind any client-side firewall. SFTP uses SSH encryption, and clients identify the server by its SSH host key rather than by a certificate. Note that when this toggle is enabled, both SFTP and SCP (secure copy) are allowed.

  • HTTPS

    Note: Disabling HTTPS only affects end-users. Site administrators will not be affected.

    HTTPS is an industry standard encrypted protocol that connects on port 443. Ports 80 and 443 are the standard ports of the World Wide Web and are supported by all web browsers. We therefore also refer to "using HTTPS" as simply "using the Web App" (the FTP Today web application).

    HTTPS uses TLS encryption (the successor to SSL), the same as you are familiar with for online banking and online shopping. Note that when anyone attempts to connect using http://, for example by typing a URL or domain name in a browser address bar without explicitly preceding it with "https://", their browser is automatically redirected from HTTP (port 80) to HTTPS (port 443, with encryption). That first request does travel unencrypted before the redirect is received, so bookmark and share the https:// address rather than the plain one.
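Once you have chosen which protocols to activate, the check a practitioner wants is an external one: which of the ports described above actually answer. The following script is an added example written for this page; it is not FTP Today's code and the page does not describe any such tool. It speaks just enough of each protocol to tell whether it is listening: a 220 banner on port 21 (FTP), a 234 reply to AUTH TLS (FTPeS), a 220 banner inside a TLS session on port 990 (FTPS), an SSH identification string on port 22 (SFTP/SCP), a redirect to https:// on port 80 and a completed TLS handshake on port 443. The host name ftp.example.com, the timeout and the "intended" set used in the example policy are assumptions.

```python
import re
import socket
import ssl

TIMEOUT = 5.0  # assumption: seconds to wait for each port


def reply_is_complete(buf: bytes) -> bool:
    """True once buf holds a full FTP reply (RFC 959): the final line is
    'ddd text' (code, space); intermediate lines of a multi-line reply are 'ddd-text'."""
    for line in buf.split(b"\r\n")[:-1]:  # only CRLF-terminated lines count
        if len(line) >= 4 and line[:3].isdigit() and line[3:4] == b" ":
            return True
    return False


def reply_code(buf: bytes) -> int:
    """Three-digit code of an FTP reply, or 0 if the bytes are not an FTP reply."""
    return int(buf[:3]) if len(buf) >= 3 and buf[:3].isdigit() else 0


def is_ssh_banner(banner: bytes) -> bool:
    """SSH servers (SFTP and SCP run over SSH) announce themselves as 'SSH-2.0-...'."""
    return banner.startswith((b"SSH-2.0-", b"SSH-1.99-"))


def http_redirects_to_https(response: bytes) -> bool:
    """True if a plain-HTTP response is a 3xx redirect whose Location is an https:// URL."""
    head = response.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    status = re.match(r"HTTP/1\.[01] (\d{3})", head)
    location = re.search(r"(?im)^location:[ \t]*(\S+)", head)
    return bool(status and status.group(1).startswith("3")
                and location and location.group(1).lower().startswith("https://"))


def _recv_ftp_reply(sock: socket.socket) -> bytes:
    buf = b""
    while not reply_is_complete(buf):
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


def _tls_context() -> ssl.SSLContext:
    # Reachability check only, so certificate validation is deliberately off here.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def probe(host: str, timeout: float = TIMEOUT) -> dict:
    """Return {protocol: bool} for each of the protocols described above."""
    found = dict.fromkeys(["FTP", "FTPeS", "FTPS", "SFTP", "HTTP_redirect", "HTTPS"], False)
    # Port 21: a 220 banner means an FTP control channel answers in plaintext; 234 to
    # AUTH TLS means explicit FTPS (RFC 4217) is offered. Whether a plaintext login
    # would still be accepted can only be learned by attempting one, which this does not do.
    try:
        with socket.create_connection((host, 21), timeout=timeout) as s:
            found["FTP"] = reply_code(_recv_ftp_reply(s)) == 220
            s.sendall(b"AUTH TLS\r\n")
            found["FTPeS"] = reply_code(_recv_ftp_reply(s)) == 234
    except OSError:
        pass
    # Port 990: implicit FTPS starts TLS before the server's 220 banner.
    try:
        with socket.create_connection((host, 990), timeout=timeout) as raw, \
                _tls_context().wrap_socket(raw, server_hostname=host) as s:
            found["FTPS"] = reply_code(_recv_ftp_reply(s)) == 220
    except OSError:
        pass
    # Port 22: the SSH identification string arrives without any client input.
    try:
        with socket.create_connection((host, 22), timeout=timeout) as s:
            found["SFTP"] = is_ssh_banner(s.recv(256))
    except OSError:
        pass
    # Port 80: the only acceptable answer is a redirect to https://.
    try:
        with socket.create_connection((host, 80), timeout=timeout) as s:
            s.sendall(b"HEAD / HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n" % host.encode())
            found["HTTP_redirect"] = http_redirects_to_https(s.recv(4096))
    except OSError:
        pass
    # Port 443: a completed TLS handshake is enough to call HTTPS active.
    try:
        with socket.create_connection((host, 443), timeout=timeout) as raw, \
                _tls_context().wrap_socket(raw, server_hostname=host):
            found["HTTPS"] = True
    except OSError:
        pass
    return found


def unexpected(active: dict, intended: set) -> set:
    """Protocols that answer although you did not mean to activate them."""
    return {p for p, on in active.items()
            if on and p != "HTTP_redirect" and p not in intended}


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "ftp.example.com"  # assumption
    active = probe(host)
    for proto, on in active.items():
        print(f"{proto:14s} {'active' if on else 'not listening'}")
    # Assumed policy: only the encrypted protocols should be on.
    print("unexpected:", sorted(unexpected(active, {"FTPeS", "SFTP", "HTTPS"})))
```

Read the FTP line with care: because explicit FTPS shares port 21 and starts in plaintext, a site that offers only FTPeS will still report FTP as "active" here. The probe tells you the port is open and whether AUTH TLS is offered; confirming that a plaintext login is refused requires an actual login attempt with a test account.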

Service Options

  • Jail users to home directory

    By default, users are not jailed to their home directory. The advantage of this is that you may wish to assign a user access to multiple folders in completely different branches of the directory tree. Even though they are not prevented from navigating above their home directory, FTP Today's permissions system still only allows visibility of and access to those folders which you have assigned the user to see.

    In some cases you may wish to prevent each user from navigating above their home directory, and you may wish every user to see their home directory as their own root (/) instead of seeing its full path name. This is also called a chroot (change root). If you wish to chroot all users, enable this toggle. Note that if you do so and then wish to give a user access to multiple branches of the directory tree, you will need to change their home directory to <FTP Site Root>.

  • Allow restarts on failed uploads

    In the days of dial-up modems it was much more likely that a connection would fail in the middle of a transfer, and that is the origin of this toggle. It allows an upload that failed because of a lost connection to be restarted where it left off (the FTP REST and APPE commands). Unfortunately, the same mechanism lets any user with write access append data to an existing file instead of replacing it, so a file can be silently extended after it was uploaded, which may give rise to other security concerns. It is therefore recommended that you leave this toggle off.

  • Lock files during upload

    Again, back in the early days of slow modems, it used to take much longer to upload files than it does today. The way most file transfer protocols work, if a second user starts downloading a file before the first user has finished uploading it, the downloader gets a partial file (containing whatever bytes were there when he or she initiated the download).

    This setting prevents partial downloads by hiding any file that is still being uploaded. This is done by prepending ".in." to the file name and then removing the ".in." after the upload is completed. A file whose name starts with a period is hidden by most client software when it reads a directory listing; a client configured to show hidden files will still list the ".in." file, so this is concealment of the in-progress file rather than a true lock. Still, we do not recommend enabling this toggle unless you actually run into the issue of partial or incomplete downloads.


    Note that this setting is unnecessary for HTTPS uploads, and some SFTP clients achieve the same effect themselves by uploading to a temporary name and renaming the file once the transfer completes.
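The hide-then-rename technique behind "Lock files during upload" is worth seeing end to end, because the rename step is what makes the finished file appear all at once. The following is an added example written for this page, not FTP Today's code: it writes an upload under the same ".in." prefix the option uses, shows that a listing taken mid-upload does not include it, then renames it into place with os.replace, which is atomic on the same volume. The directory, file name and contents are constructed for the demonstration.

```python
import os
import tempfile

IN_PROGRESS_PREFIX = ".in."   # the prefix the option described above uses


def in_progress_name(name: str) -> str:
    """Name a file carries while its upload is still running."""
    return IN_PROGRESS_PREFIX + name


def visible_files(directory: str) -> list:
    """A directory listing as most clients present it: dot-files are omitted.
    A client set to show hidden files would still see the in-progress name."""
    return sorted(n for n in os.listdir(directory) if not n.startswith("."))


def publish_upload(directory: str, name: str, chunks) -> str:
    """Write the upload under '.in.<name>' and rename it to '<name>' only after
    the last chunk has been flushed to disk. os.replace is atomic on POSIX and
    Windows when both paths are on the same volume, so a downloader sees either
    no '<name>' at all or the complete file, never a partial one."""
    if os.path.basename(name) != name or name in ("", ".", ".."):
        raise ValueError("expected a bare file name, got %r" % name)
    tmp = os.path.join(directory, in_progress_name(name))
    final = os.path.join(directory, name)
    with open(tmp, "wb") as f:
        for chunk in chunks:
            f.write(chunk)
        f.flush()
        os.fsync(f.fileno())
    os.replace(tmp, final)
    return final


def demo() -> tuple:
    """Constructed example: the listing taken in the middle of an upload is empty,
    the listing after it shows the finished file."""
    with tempfile.TemporaryDirectory() as d:
        seen = []

        def chunks():
            yield b"id,amount\n"
            seen.append(visible_files(d))   # listing while the upload is in flight
            yield b"1,10\n"

        publish_upload(d, "report.csv", chunks())
        return seen[0], visible_files(d)   # ([], ['report.csv'])


if __name__ == "__main__":
    during, after = demo()
    print("listing during upload:", during)
    print("listing after upload: ", after)
```

The bare-name check matters on a server: a name containing a path separator or ".." would let the temporary file, and the final rename, land outside the directory the user was given.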