FTP is Dead: It is Time to Lock Down Your Transfer Layer

It is October 2012. We are sending rovers to Mars, yet I still see sysadmins pushing sensitive customer data over Port 21 in clear text. If you are managing infrastructure in Norway, relying on standard FTP is not just negligence; it is an open invitation for a man-in-the-middle attack. I have spent the last week auditing a client's legacy stack in Oslo, and the amount of clear-text credentials flying across the NIX (Norwegian Internet Exchange) was terrifying.

Let’s be pragmatic. The Norwegian Personal Data Act (Personopplysningsloven) requires you to secure personal data. When you use standard FTP, your username, password, and file contents are broadcast unencrypted. Anyone with tcpdump and access to a compromised hop between your office and the datacenter can capture your root password in milliseconds. It is sloppy, it is dangerous, and it needs to stop today.

The Anatomy of Failure: Why FTP Must Go

To understand the gravity of the situation, look at what happens on the wire during a standard FTP session. Unlike SSH, which negotiates an encrypted handshake before authentication, FTP waits for the banner and then politely asks for credentials in plain ASCII.

Here is what a packet capture looks like when I sniff traffic on a compromised switch:

# tcpdump -nn -l -A port 21
14:02:11.954201 IP 192.168.1.50.56432 > 85.x.x.x.21: Flags [P.], length 16
USER admin

14:02:12.023144 IP 192.168.1.50.56432 > 85.x.x.x.21: Flags [P.], length 18
PASS SuperSecret123

That is it. Game over. If that was your production server, I now own it. This is why at CoolVDS, we advocate strictly for SFTP (SSH File Transfer Protocol) or SCP. We build our infrastructure on KVM virtualization to ensure strict resource isolation, but the best hypervisor in the world cannot save you if you hand over your keys in plain text.

The Solution: SFTP via OpenSSH

Many developers confuse SFTP with FTPS (FTP over SSL). While FTPS adds encryption, it is a firewall nightmare due to the requirement of a passive port range (often 1024–65535). SFTP, on the other hand, is a subsystem of SSH. It uses a single port (default 22), is fully encrypted, and is native to Linux.

Below is a comparison of the protocols available to us in 2012:

Tutorial: Configuring Chrooted SFTP on CentOS 6

A common complaint is that giving a user SFTP access also gives them shell access. This is a valid concern. You do not want a web developer snooping around /etc/ or running cron jobs. The solution is the ChrootDirectory directive available in modern OpenSSH versions (5.x and later), which traps the user in a specific directory.

This setup works flawlessly on the CoolVDS standard CentOS 6 and Ubuntu 12.04 LTS images. We prioritize low latency connectivity to the Norwegian backbone, so once this is set up, your file transfers will be snappy and secure.

Step 1: Create the Restricted Group and User

First, create a group for your SFTP-only users. This allows us to apply the configuration globally to anyone in this group.

# groupadd sftponly
# useradd -g sftponly -s /bin/false -d /home/client_site client_user
# passwd client_user

Note that we set the shell to /bin/false. This prevents the user from logging in via a standard SSH terminal session.

Step 2: Modify sshd_config

Open your SSH configuration file. On most systems, this is located at /etc/ssh/sshd_config. You need to comment out the default sftp-server subsystem and replace it with the internal one, which simplifies chrooting.

# vi /etc/ssh/sshd_config

# Comment out the default:
# Subsystem sftp /usr/lib/openssh/sftp-server

# Use the internal subsystem:
Subsystem sftp internal-sftp

# Add this block at the END of the file:
Match Group sftponly
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no

Step 3: Correcting Permissions (The Tricky Part)

This is where 90% of sysadmins fail. For ChrootDirectory to work, the directory must be owned by root and not writable by any other user. If you get a "Connection Closed" error immediately upon login, check your permissions.

# chown root:root /home/client_site
# chmod 755 /home/client_site

# Create a writable directory INSIDE the chroot for uploads
# mkdir /home/client_site/public_html
# chown client_user:sftponly /home/client_site/public_html
# chmod 755 /home/client_site/public_html

Pro Tip: Never set the chroot directory itself to be writable by the user. OpenSSH checks this strictly to prevent security exploits. Always create a subdirectory for the actual data.

Step 4: Restart SSH and Verify

Apply the changes. Be careful: if you messed up the config, you might lock yourself out. I always keep a secondary root session open when restarting sshd.

# service sshd restart

Now, test it from your local machine:

$ sftp client_user@your-coolvds-ip
client_user@your-coolvds-ip's password:
Connected to your-coolvds-ip.
sftp> cd /public_html
sftp> put backup.tar.gz

Performance Considerations: SSDs and Latency

Security often comes with a performance tax. Encryption requires CPU cycles. In 2005, this was a bottleneck. In 2012, on modern Xeon processors, the overhead is negligible—unless your disk I/O is trash.

When you transfer thousands of small files (like a Magento or WordPress installation) via SFTP, the latency of the storage system becomes the limiting factor, not the bandwidth. This is why CoolVDS deploys high-performance enterprise SSD storage rather than spinning rust (HDDs). The random read/write speeds of SSDs drastically reduce the time it takes to handshake and write small files.

Furthermore, for Norwegian businesses, physical distance matters. If your VPS is hosted in Germany or the US, every packet round-trip adds 30-100ms. Hosting on CoolVDS infrastructure closer to the region ensures that the SSH handshake (which requires multiple round trips) completes instantly.

A Note on "Datatilsynet" Compliance

While we wait for unified EU data protection reforms, the Norwegian Datatilsynet is very clear: you must implement "satisfactory security" for personal data. Running FTP in 2012 fails that test. If you are handling customer emails or addresses, using SFTP isn't just a technical preference; it is practically a legal requirement under the Personal Data Act Regulations (Personopplysningsforskriften).

Conclusion

There is no excuse for using plain FTP anymore. It exposes your infrastructure to reconnaissance and brute force attacks, and it signals to your clients that you do not take their data seriously. Switching to SFTP takes five minutes of configuration and provides robust encryption by default.

If you are ready to upgrade your stack, you need a host that understands these requirements. CoolVDS offers pre-hardened VPS Norway instances with root access, blazing fast SSDs, and ddos protection to keep your services online. Do not let slow I/O or weak security kill your project.

Deploy your secure SSD VPS instance on CoolVDS today.