Set Up A Secure FTP Server - Comprehensive Debian Guide


Introduction

The FTP protocol is by nature quite insecure: it stores passwords in plain-text format and is quite difficult to firewall. However, there are still many places where using FTP makes good sense. Examples include downloading and uploading large files that do not necessarily need much security, such as video or audio files.

That is where SFTP, the SSH File Transfer Protocol, comes in. It uses SSH keys to make it secure and make sure there is no one watching the connection. In this article, I will go over how to set up a regular FTP server, and then how to set up an SFTP server for those transfers which really need beefed-up security.

proftpd

ProFTPD is a popular FTP daemon and can be found in the Debian repositories. You can get it by using the following command in a terminal window as root:

apt-get install proftpd

After the installation has completed, you should be able to access the configuration file at /etc/proftpd.conf, where you can decide who can write and whether users are jailed in their home directories. ProFTPD is already fairly secure, but there are more options available if you need more security. The main one is TLS, and in order to use it, you will need to generate a key.

Generating a key is fairly simple; as root, create a directory at /etc/proftpd and then navigate inside it. You will then use an openssl command to generate your key:

openssl req -new -x509 -days 365 -nodes -out ftpd-rsa.pem \
    -keyout ftpd-rsa-key.pem

Once you have generated the key, you can add the correct module to the proftpd.conf file that we were editing earlier.

Secure File Transfer

Secure File Transfer is a very secure way of transferring files using SSH. The first thing to do, if you don’t have it already, is install SSH. Open up the terminal as root and type:

apt-get install ssh openssh-server

Once you have done that, enabling SFTP is very easy. Open /etc/ssh/sshd_config as root and make sure that it has the following line somewhere in the file:

subsystem sftp /usr/lib/openssh/sftp-server

After you have confirmed that the line is there, you will want to add something like this into the bottom of the configuration file, editing the values for your own users.
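One way such a block can look, together with a check that the restrictions are really present for a given user (an added example, not the author's original configuration; the user name `ftpuser1`, the `/srv/sftp` path and both function names are assumptions):

```shell
#!/bin/sh
# Added example. "ftpuser1" and /srv/sftp are assumed names.

# Constructed sshd_config tail: the Subsystem line from the article plus a
# per-user block that confines the account to SFTP inside a chroot.
sample_config() {
cat <<'EOF'
Subsystem sftp /usr/lib/openssh/sftp-server

Match User ftpuser1
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

# check_sftp_block FILE USER
# Returns 0 when USER's Match block sets a chroot, forces internal-sftp and
# disables TCP forwarding; otherwise prints what is missing and returns 1.
# Simplification: only matches a block written exactly as "Match User USER".
check_sftp_block() {
    awk -v user="$2" '
        BEGIN {
            want["chrootdirectory"] = ""              # any path accepted
            want["forcecommand"] = "internal-sftp"
            want["allowtcpforwarding"] = "no"
        }
        { sub(/#.*/, ""); key = tolower($1) }         # drop comments
        key == "match" {
            inblock = (tolower($2) == "user" && $3 == user)
            if (inblock) found = 1
            next
        }
        inblock && (key in want) {
            if (want[key] == "" || tolower($2) == want[key]) delete want[key]
        }
        END {
            if (!found) { print "no Match User block for " user; exit 1 }
            for (k in want) { print "missing or wrong: " k; bad = 1 }
            exit (bad ? 1 : 0)
        }
    ' "$1"
}

# Demo run against the constructed sample.
demo=$(mktemp)
sample_config > "$demo"
check_sftp_block "$demo" ftpuser1 && echo "ftpuser1: SFTP-only restrictions present"
rm -f "$demo"
```

sshd refuses the login unless every directory in the ChrootDirectory path is owned by root and not writable by group or others, so give the user a writable subdirectory inside the chroot for uploads.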

Once you have restarted the daemon (/etc/init.d/ssh restart), you should be able to access these users through a regular FTP client that supports SFTP, such as FileZilla.

Conclusion

In this article, I have shown you two ways in which you can set up a file server. The first one is less secure and uses the age-old FTP protocol, but is very useful for files which do not need much security. The second one is far more secure and uses SSH as its back end.

SSH can use keys as well as passwords and does not store passwords in plaintext. You can also do far more using SSH, such as remotely opening an application or running commands from another computer. To learn more about SSH, see this article.