1. Home
  2. Server Security
  3. How to Securely Managed Files with Secure FTP SCP WinSCP

How to Securely Managed Files with Secure FTP SCP WinSCP

Still using FTP? If so, you may want to consider this:

Every time your FTP client logs into your server, you are sending your user name and password over the internet unencrypted.

It is as if you stood at the ATM and yelled out your PIN number. If someone gained access to your ATM card, they could then get into your account.

With FTP, your user name and password are not encrypted before they are sent to the server. So, if anyone is listening along the way, then your access credentials could be captured by a third party. Insecure WI-FI access points, networks with hacked servers, and malware could all lead to a compromised password.

Enter Secure FTP
I don’t see these attacks often but they can be prevented by using Secure FTP (SFTP) or Secure Copy (SCP) methods. Most FTP clients now support Secure FTP. If your client does not, then you can grab a easy to use and free Secure FTP client WinSCP.

WinSCP Control Interface

When you use secure FTP methods, your username and password are encrypted before they are sent over the network. So if someone is listening, they get encrypted data and not your plain text information.

On most Linux systems, Secure FTP is provided by the OpenSSH daemon, which can function as a shell client.

Firewall Benefits
Often, we receive support tickets because a client cannot connect via FTP. This is because FTP is a multi-port process. There is a port opened for the data and the commands. Firewall configurations can often block FTP access. Using SFTP, you can often avoid this problem since it only uses one port (TCP: 22).

Using SFTP on Plesk
On Plesk, you must set FTP user to have a shell in order to enable SFTP. You can do this under the hosting setup area. You can pick /bin/bash or /bin/bash (chrooted) to limit their access. If you are really concerned about them having a shell account, we can modify the shells to include a SFTP only shell.

Advanced SFTP Usage
If you manage many accounts, you may want to look into creating SSH keys for use with your SFTP client. SSH keys allow you to access sites without passwords. Instead you use your key file. A public key file is placed on the server and the private key file is kept on your system. Only when the public and private key files are in sync can you gain access.

The benefit of this approach is that you can use a single SSH key on many different sites. You can then protect your key file with a passphrase. This allows you to use different passwords on each of your sites for enhanced security. This is how rackAID manages 100’s of servers without worrying about password updates. We use SSH Keys to get into the systems.

WinSCP includes a program called PuTTY Key Generator. You can find many tutorials by searching Google on how to use this. Once you create your key pair, you can upload your public key to the server and then begin using SSH keys instead of passwords.