FTP is Dead: Why Plain Text Transfer is Suicide for Your Systems
It is 2010. Why are you still sending your root password across the internet in plain text? I was sitting in a café in Grünerløkka last week, running Wireshark on the open network just to test the waters (ethically, of course). The amount of FTP traffic I saw on port 21 was terrifying. If I were malicious, I would have harvested credentials for three different e-commerce shops in the time it took to drink my espresso.
As a sysadmin, you cannot afford this negligence. With the rise of automated botnets scanning for vulnerabilities, the "security by obscurity" mindset is over. It is time to kill the FTP daemon and move to SFTP.
The Protocol Gap: FTP vs. SFTP
Many junior admins confuse FTPS (FTP over SSL) with SFTP (SSH File Transfer Protocol). They are not the same. FTPS is a clumsy patch on an ancient protocol that requires opening a nightmare of passive ports through your firewall. It breaks NAT. It breaks your patience.
SFTP is different. It runs over the SSH protocol (standard port 22). It is a single stream of data, fully encrypted from handshake to teardown. If you are managing servers, you already have sshd running. Why run a separate, vulnerable FTP daemon like ProFTPD or vsftpd when you don't have to?
The War Story: The "Chroot" Headache
A few months ago, we migrated a client from a shared hosting environment to a dedicated VPS setup. They insisted on giving their developers file access but didn't want them poking around system files in /etc/ or /var/. Historically, locking users into their home directories (chrooting) with SSH was a complex mess involving third-party shells like rssh or scponly.
However, if you are running a modern distro like CentOS 5.5 or Ubuntu 10.04 LTS, OpenSSH 4.8+ now supports native chrooting. This is the game changer we have been waiting for.
Configuration: Implementing the Jail
Here is the battle-tested configuration we use on our CoolVDS instances. This allows you to give a developer file upload access without giving them a full shell prompt.
First, edit your /etc/ssh/sshd_config:
# /etc/ssh/sshd_config snippet
# Use the internal-sftp subsystem (simpler than the external binary)
Subsystem sftp internal-sftp
# Match a specific group so root remains untouched.
# Keep this block at the end of the file: every directive after a Match
# line belongs to that Match until the next one.
Match Group sftponly
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
Critical Warning: The directory you chroot into (%h) must be owned by root and not writable by any other user. If these permissions are wrong, sshd refuses the session and the user is disconnected immediately after authenticating. Inside that folder, create a writable directory (e.g., public_html) owned by the user.
The Norwegian Context: Datatilsynet is Watching
Here in Norway, we operate under the strict guidelines of the Personopplysningsloven (Personal Data Act). If you are hosting customer data—names, addresses, or purchase history—you are legally obligated to secure that data in transit.
Using standard FTP to transfer a CSV of customer emails is potentially a violation of Norwegian privacy laws. If a breach occurs because you used an unencrypted protocol, the Datatilsynet (Data Inspectorate) will not be lenient. Hosting your data within Norwegian borders is a good first step, but the pipe to that server must be secure.
Pro Tip: Latency matters for handshake speeds. An SSH handshake involves multiple round-trips. Hosting on CoolVDS servers in Oslo ensures that your Norwegian developers get instant connectivity, avoiding the sluggish handshake lag you get from US-based servers.
Why Hardware Matters for Encryption
Encryption adds CPU overhead. Every byte transferred via SFTP must be encrypted by the server's processor before it hits the wire. On cheap, oversold VPS providers, you will see transfer speeds drop drastically because the CPU is fighting for cycles with 50 other noisy neighbors.
This is where architecture counts. At CoolVDS, we utilize Xen virtualization to ensure strict resource isolation. We don't rely on burstable RAM that isn't there when you need it. Furthermore, our storage arrays use high-performance RAID-10 SAS drives (and we are currently testing early enterprise SSDs). This ensures that the I/O bottleneck is minimized, allowing the CPU to focus on the encryption tasks required by SFTP.
The Final Verdict
The era of FTP is over. It belongs in the 90s along with dial-up modems. Security is not just a feature; it is a requirement for doing business in Europe.
Don't let a lazy configuration compromise your infrastructure. Switch to SFTP today. If you need a sandbox to test your permissions before rolling out to production, spin up a CoolVDS instance. Our low latency network and solid DDoS protection provide the perfect environment for serious system administrators.
Deploy your secure SFTP server on CoolVDS now. Your root password deserves better than plain text.