Stop Broadcasting Your Root Password to the Entire Coffee Shop
It is 2011. We are seeing a massive rise in public Wi-Fi attacks, tools like Firesheep are making packet sniffing a script-kiddie activity, and yet I still see experienced developers using plain FTP. Let's be blunt: if you are using standard FTP (Port 21) to manage your server, you might as well write your credentials on a post-it note and stick it to the monitor.
I recently audited a client in Oslo who claimed their server was "hacked by magic." It wasn't magic. They were updating their WordPress site from a hotel lobby using plain FTP. A simple sniffer grabbed the cleartext password. Game over.
For those hosting in Norway, we have the Personopplysningsloven (Personal Data Act) and strict guidelines from Datatilsynet. Negligence regarding data transport isn't just bad technical practice; it is a legal liability.
The Anatomy of Failure: Why FTP Must Die
FTP was designed in an era where the internet was a friendly village. It transmits everything, including your username and password, in clear text. Don't believe me? Run this on your local machine while connecting to an FTP server:
tcpdump -i eth0 port 21 -AYou will see your password scroll by in plain ASCII. That is unacceptable for any professional environment. The solution is SFTP (SSH File Transfer Protocol). Do not confuse this with FTPS (FTP over SSL). SFTP runs over the SSH protocol (Port 22), meaning it is encrypted by default, requires no complex firewall port ranges, and uses the same robust authentication keys you already use for shell access.
Implementing SFTP with Chroot Jails (Debian 6 / CentOS 5)
The common complaint in 2010 was that SFTP gave users full shell access. That is no longer true if you configure OpenSSH correctly using the internal-sftp subsystem. This allows you to restrict a client only to file transfers, locking them into a specific directory (chroot).
Here is the battle-tested configuration we use on our CoolVDS KVM nodes. Open /etc/ssh/sshd_config:
# Comment out the default subsystem
# Subsystem sftp /usr/lib/openssh/sftp-server
# Use the internal subsystem
Subsystem sftp internal-sftp
# Match block for specific group
Match Group sftponly
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no
X11Forwarding noAfter saving, restart SSH (service ssh restart on Debian or service sshd restart on CentOS). Now, any user you add to the sftponly group will be locked into their home directory and cannot execute shell commands. This is crucial for giving access to web developers or clients without handing them the keys to the kernel.
Pro Tip: Directory permissions are the number one cause of "Broken Pipe" errors in Chroot. The directory owned by root must not be writable by the user. Structure it like this:/home/user/(owned by root) ->/home/user/www/(owned by user).
The Latency Myth
Some sysadmins argue that the encryption overhead of SFTP slows down transfer speeds. On legacy hardware, maybe. But we are deploying CoolVDS instances on Enterprise SSDs and Intel Xeon processors. The CPU overhead for AES encryption is negligible on this hardware. What actually kills your transfer speed is latency.
If your target audience is in Norway, hosting in the US or Germany adds 30-100ms of latency per packet. TCP handshakes over high latency destroy throughput. By hosting locally in Oslo (connected via NIX - the Norwegian Internet Exchange), you reduce round-trip time to single-digit milliseconds.
Why Virtualization Matters for Security
We see many cheap hosts still pushing oversold OpenVZ containers where kernel exploits can bleed from one customer to another. For secure file handling, true isolation is required.
At CoolVDS, we rely on KVM (Kernel-based Virtual Machine). This gives you a dedicated kernel. Even if you mess up your SFTP config, your neighbors can't see your process table. Combined with our RAID-10 SSD storage, you get the I/O performance needed to encrypt data on the fly without the bottleneck.
Final Thoughts
The tools to secure your data transfer have existed for years. There is no excuse for using Port 21 in 2011. Switch to SFTP, set up SSH keys (generate 2048-bit RSA keys, drop the old 1024-bit ones), and ensure your host provides the raw CPU power to handle encryption transparently.
Need a sandbox to test your Chroot config? Deploy a CoolVDS KVM instance in Oslo. It takes less than 60 seconds.