Stop Bleeding Data: The End of FTP and the Move to SFTP Chroots
It is May 2009. We have mapped the human genome, we have rovers on Mars, yet I still see senior developers ftping into production servers using port 21.
Let’s be brutally honest: if you are using standard FTP, you are broadcasting your credentials to anyone with a packet sniffer. I recently audited a media firm in Oslo where a developer was updating a client site from a public café Wi-Fi. A script kiddie running a simple sniffer like Wireshark could have—and probably did—capture the root password in plain text.
Latency matters. Uptime matters. But if your server gets rooted because you were too lazy to configure encryption, none of that matters. You're just another statistic.
The Confusion: FTPS vs. SFTP
There is often confusion here. FTPS (FTP over SSL) is an extension of the old protocol. It requires multiple ports and is a nightmare to configure through a strict firewall.
SFTP (SSH File Transfer Protocol) is what you want. It runs over the SSH protocol (port 22), requires no extra ports, and encrypts everything—commands, data, and passwords. If you can SSH into your CoolVDS instance, you can use SFTP.
The War Story: The "Shared Hosting" Trap
Years ago, I managed a cluster for a large e-commerce setup. We had a requirement to let external contractors upload assets. We didn't want to give them shell access, but we needed secure transfer.
On a cheap shared host, we would have been stuck. You can't modify the SSH daemon config. We had to move them to a dedicated VPS environment to implement Chrooted SFTP. This locks the user into their home folder so they can't browse /etc/ or see what other users are doing.
Implementation: Configuring Chrooted SFTP on CentOS 5
Modern versions of OpenSSH (4.8p1 and later) now support the ChrootDirectory directive natively. This is a massive improvement over the old days of patching SSH or setting up complex jail environments.
Here is how we configure this on a standard CoolVDS CentOS 5 build. You need root access for this—something you get by default with us.
1. Prepare the Group and User
# groupadd sftpusers
# useradd -g sftpusers -d /incoming -s /sbin/nologin external_dev
# passwd external_dev
Note the /sbin/nologin shell. We want them to transfer files, not run commands.
2. Configure SSHD
Edit /etc/ssh/sshd_config. You need to comment out the default subsystem and use the internal one to avoid needing valid shell binaries inside the jail.
#Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp
At the very bottom of the file, add the match block:
Match Group sftpusers
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no
3. Fix Permissions (Crucial Step)
This is where 90% of admins fail. For ChrootDirectory to work, the directory itself must be owned by root and not writable by the user.
# chown root:root /incoming
# chmod 755 /incoming
# mkdir /incoming/uploads
# chown external_dev:sftpusers /incoming/uploads
Now, restart SSH:
# service sshd restart
Performance vs. Security
Encryption adds CPU overhead. Some argue that SFTP is slower than FTP. On a Pentium III, maybe. But on modern architecture, the bottleneck is rarely the CPU—it's the disk I/O and network latency.
| Feature | Standard VPS | CoolVDS Architecture |
|---|---|---|
| Virtualization | Virtuozzo/Containers (Oversold) | Xen/KVM (Hardware Isolation) |
| Storage Speed | Standard SATA | RAID-10 SAS 15k RPM |
| Network | congested uplinks | Direct peering at NIX (Oslo) |
Because CoolVDS uses enterprise-grade RAID-10 SAS arrays and strictly limits tenants per node, the I/O wait is negligible. You get the security of SFTP with transfer speeds that max out your client's bandwidth, not our server's CPU.
Pro Tip: If you are transferring massive log files, use compression. In your SSH client (or command line), use the-Cflag.sftp -C user@your-coolvds-ip
The Compliance Angle: Personopplysningsloven
For those of us operating in Norway, the Personal Data Act (Personopplysningsloven) of 2000 is clear about securing sensitive data. If you are transferring customer data over plain FTP, you are likely in violation of the requirement for "satisfactory information security" (Section 13).
Don't wait for a Datatilsynet audit to fix your infrastructure.
Final Thoughts
Moving to SFTP isn't just about being a "nerd"; it's about basic professional responsibility. The tools are here. OpenSSH 5 makes it easy.
If your current host doesn't give you the root access needed to edit sshd_config, or if their network is so slow that encryption kills your workflow, it is time to move.
Deploy a secure, root-access Xen VPS on CoolVDS today. We are live in the Oslo datacenter with low-latency links ready for your code.