Stop Broadcasting Passwords: The Critical Migration from FTP to SFTP

It is 2011. If you are still running a standard FTP daemon on port 21 without encryption, you aren't just administering a server; you are broadcasting your credentials to anyone with a packet sniffer. I recently sat in a coffee shop in Grünerløkka, fired up Wireshark, and watched a developer at the next table log into his production server. I saw his username. I saw his password. In clear text. Just floating through the air.

If that server had been hosted on a shared network, the damage could have been catastrophic. For serious system administrators, the era of plain FTP is over. It is time to embrace SFTP (SSH File Transfer Protocol).

The Problem: RFC 959 is Ancient

The original FTP specification is older than the modern internet. It was never designed for the hostile environment of 2011. When you authenticate via standard FTP, both the control channel (including the USER and PASS commands) and the data channel are unencrypted: the password and every file you transfer cross the network in the clear. This is unacceptable, especially here in Norway where the Datatilsynet (Data Inspectorate) is tightening scrutiny on how businesses handle sensitive data under the Personal Data Act (Personopplysningsloven).

Many sysadmins try to patch this with FTPS (FTP over SSL), but that introduces its own headaches: a passive port range has to be opened, certificates have to be managed, and because the control channel is now encrypted, stateful firewalls can no longer read the PASV reply to open the data port for you. There is a cleaner, more robust way: use the SSH daemon you already have running.

The Solution: Native SFTP with OpenSSH

SFTP is not FTP tunnelled over SSH, and it has nothing to do with FTPS. It is a completely different protocol that runs as a subsystem of SSH. It requires only one open port (usually 22), encrypts both commands and data, and authenticates with the same passwords or SSH keys your users already have.

Configuration: Chrooting Users

The main argument against SFTP used to be, "I don't want my web developers to have shell access." Valid point. You don't want a frontend contractor browsing /etc/.

Since OpenSSH 4.8 the ChrootDirectory directive has been built in, so we can lock users into their home directories without third-party patches or rssh. One caveat before you start: check the version with ssh -V. Debian 6 ships OpenSSH 5.5p1, which is fine, but the stock openssh-server on CentOS 5 is 4.3p2 and predates ChrootDirectory, so on that platform you need a newer build. Here is how we configure a secure, jailed SFTP environment on a CoolVDS Debian 6 node.

1. Edit your sshd_config

Open /etc/ssh/sshd_config. Comment out the default Subsystem line (the path is /usr/lib/openssh/sftp-server on Debian and /usr/libexec/openssh/sftp-server on CentOS) and replace it with internal-sftp. The in-process server needs no sftp-server binary, shared libraries or /dev nodes inside the jail, which is what makes an otherwise empty chroot workable.

#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp

2. Create the Match Block

At the bottom of the file, add a Match block for the users you want to restrict. We use a group called sftponly for this. The block has to come last because every directive after a Match line, up to the next Match, applies only to that block.

Match Group sftponly
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no

3. Permissions Architecture

This is where most admins fail. For ChrootDirectory to work, every component of the path (here /, /home and /home/clientsite) must be owned by root and must not be writable by group or others; otherwise sshd refuses the login and logs "bad ownership or modes for chroot directory component". The user therefore cannot write to the chroot root itself, only to a subdirectory inside it that you hand over to them.

# Create group
groupadd sftponly

# Create user with no shell. -m creates the home directory (Debian's
# useradd does not do so by default); /bin/false is fine here because
# ForceCommand internal-sftp never spawns a shell.
useradd -m -d /home/clientsite -g sftponly -s /bin/false clientuser
passwd clientuser

# Fix permissions (CRITICAL STEP): the chroot root belongs to root and
# must not be group- or world-writable, or sshd rejects the login
chown root:root /home/clientsite
chmod 755 /home/clientsite

# Create the writable content directory inside the jail
mkdir /home/clientsite/public_html
chown clientuser:sftponly /home/clientsite/public_html

Now, when clientuser connects via FileZilla or WinSCP, they are locked into /home/clientsite, which they see as /. They cannot read /etc or the OS logs, they cannot execute commands, an interactive ssh login is refused, and the Match block also denies port forwarding. They can only transfer files securely.

Performance: Latency Matters

Encryption adds CPU overhead. On older, oversold VPS platforms, enabling encryption on high-volume file transfers can throttle throughput. This is why underlying hardware matters.

Pro Tip: If you are transferring massive log files or backups, use rsync -az instead of interactive SFTP (the -e ssh flag is redundant, since rsync has used SSH as its default transport since version 2.6). The compression flag (-z) saves bandwidth but costs CPU cycles; leave it off for data that is already compressed, such as gzipped logs or tarballs, and do not stack it with ssh -C, which would compress the same bytes twice. Avoid "budget" VPS providers that steal CPU time from your slice.

At CoolVDS, we use KVM (Kernel-based Virtual Machine) virtualization. Unlike OpenVZ, where resources are often nebulous, KVM gives you a dedicated kernel and strict resource isolation. When you negotiate an SSH handshake, you aren't waiting on a noisy neighbor. This is vital for maintaining high transfer speeds, especially if you are pushing updates from an office in Oslo to a data center in Stavanger or Germany.

The Verdict

FTP is a relic of a trusting past that no longer exists. The tools to replace it are already installed on your server. Using SFTP satisfies the security requirements of discerning Norwegian clients and protects your infrastructure from casual sniffing attacks.

Don't wait for a security breach to upgrade your workflow. Disable port 21 today.

Need a sandbox to test your chroot configs? Deploy a KVM instance on CoolVDS in under a minute and get true root access on enterprise-grade hardware.
