Stop Broadcasting Your Root Password to the World
It is 2009. If you are still using standard FTP (port 21) to manage your servers, you might as well write your root password on a sticky note and leave it at Oslo Central Station. I've seen it happen too many times: a developer logs in from an unsecured hotel Wi-Fi, a packet sniffer captures the cleartext transmission, and ten minutes later, the server is part of a botnet.
The solution isn't FTPS (FTP over SSL), which is a nightmare to configure through firewalls due to ephemeral data ports. The solution is SFTP (SSH File Transfer Protocol). It runs over a single port (22), encrypts everything including headers, and leverages the stability of the OpenSSH daemon you are already running.
The Architecture: Why SFTP Wins
Unlike FTP, which requires a separate daemon (like vsftpd or ProFTPD) and opens multiple ports for passive mode data transfer, SFTP is a subsystem of SSH. This means fewer running services, less memory usage, and a smaller attack surface.
For those of us managing high-availability clusters across NIX (Norwegian Internet Exchange), reducing overhead is critical. When you are running a Xen VPS with 512MB RAM, you don't want to waste resources on redundant daemons.
Configuration: The Modern Approach (OpenSSH 4.9+)
Until recently, locking a user to their home directory (chroot) via SSH was painful, often requiring third-party hacks like scponly or complex library copying. With the release of OpenSSH 4.9 (standard in our CoolVDS Debian Lenny and CentOS 5 templates), we can use the ChrootDirectory directive natively.
Here is the battle-tested configuration to create a secure, jailed file-transfer-only user. This assumes you have root access—something you won't get with standard web hosting, which is why professionals choose Virtual Private Servers.
1. Create the group and user:
# groupadd sftponly
# useradd -g sftponly -s /bin/false -d /home/clientwebs client1
# passwd client1
2. Configure /etc/ssh/sshd_config:
Open your config file and locate the Subsystem line. Change it to use the internal-sftp process, which doesn't require shell binaries inside the jail:
# Old config: Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp
At the bottom of the file, add the match block:
Match Group sftponly
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no
X11Forwarding no
3. Fix Permissions (Crucial Step):
The chroot directory, and every directory above it up to /, must be owned by root and must not be writable by group or others; sshd refuses the login if any component fails this test. This is where most people fail.
# chown root:root /home/clientwebs
# chmod 755 /home/clientwebs
# mkdir /home/clientwebs/public_html
# chown client1:sftponly /home/clientwebs/public_html
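As a practical check for step 3, here is an added Python audit script (not from the original post or from CoolVDS) that applies sshd's ownership-and-mode rule to every component of the chroot path; the uid 1001 and the directory metadata in GOOD_JAIL and BAD_JAIL are constructed to mirror the layout above.

```python
import os
import stat
import sys

# sshd tests every component of ChrootDirectory, from "/" down, before chroot(2).
GROUP_OR_OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH

def path_components(path):
    """'/home/clientwebs' -> ['/', '/home', '/home/clientwebs']."""
    path = os.path.normpath(os.path.abspath(path))
    comps, cur = ["/"], ""
    for part in [p for p in path.split("/") if p]:
        cur += "/" + part
        comps.append(cur)
    return comps

def check_components(entries):
    """Pure check over (path, uid, mode) triples, outermost first.
    Returns a list of problems; an empty list means sshd will accept the jail."""
    problems = []
    for path, uid, mode in entries:
        if not stat.S_ISDIR(mode):
            problems.append(f"{path}: not a directory")
        if uid != 0:
            problems.append(f"{path}: owned by uid {uid}, must be root")
        if mode & GROUP_OR_OTHER_WRITE:
            problems.append(f"{path}: mode {stat.S_IMODE(mode):04o} is group/other writable")
    return problems

def audit_chroot(path):
    """Stat a real path on this host and run the check (no privileges needed)."""
    return check_components(
        [(c, os.stat(c).st_uid, os.stat(c).st_mode) for c in path_components(path)])

# Constructed metadata mirroring the article's layout; uid 1001 is a made-up uid
# for client1. GOOD_JAIL is the outcome of the chown/chmod steps above, BAD_JAIL
# the usual mistake: the jail left owned by the client and group-writable.
DIR = stat.S_IFDIR
GOOD_JAIL = [("/", 0, DIR | 0o755), ("/home", 0, DIR | 0o755),
             ("/home/clientwebs", 0, DIR | 0o755)]
BAD_JAIL = [("/", 0, DIR | 0o755), ("/home", 0, DIR | 0o755),
            ("/home/clientwebs", 1001, DIR | 0o775)]

if __name__ == "__main__":
    # With a path argument, audit that path; otherwise demonstrate on BAD_JAIL.
    result = audit_chroot(sys.argv[1]) if len(sys.argv) > 1 else check_components(BAD_JAIL)
    print("\n".join(result) or "OK: chroot path is acceptable to sshd")
```

Run it as `python3 audit_chroot.py /home/clientwebs` on the server after the chown/chmod steps; any line it prints is a reason sshd will reject client1's login.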
Compliance and the "Datatilsynet" Factor
In Norway, the Personal Data Act (Personopplysningsloven) mandates that we secure personal data against unauthorized access. If you are hosting customer data—whether it's an osCommerce shop or a simple client portal—transmitting data via plain FTP is arguably a violation of the requirement for "appropriate technical security measures."
Using SFTP isn't just about avoiding hacks; it's about compliance. If you are audited, showing that all file transfers occur over SSH tunnels authenticated with 2048-bit RSA keys goes a long way.
Pro Tip: Network latency in Norway is low, but TCP handshake overhead kills performance on small files. Because SFTP runs over a single SSH session, it handles multiple small files better than FTPS, which often requires renegotiation. On our CoolVDS Xen instances connected to 100Mbps ports, we consistently see SFTP saturating the link faster than FTPS.
Performance: 15k SAS vs. The Protocol
Some argue that encryption adds overhead. In 2009, with modern Xeons (like the Harpertown or Nehalem series we use), the CPU cost of AES encryption is negligible compared to the I/O bottleneck.
| Feature | Classic FTP | SFTP (CoolVDS Recommended) |
|---|---|---|
| Encryption | None (Cleartext) | Full (SSH Tunnel) |
| Ports Needed | 20, 21, + Passive Range | 22 (Only) |
| Firewall Complexity | High (NAT issues) | Low |
| Chroot Capability | Native | Native (via internal-sftp) |
The real bottleneck is usually disk I/O. That is why we equip CoolVDS nodes with Enterprise 15k RPM SAS drives in RAID-10. You need high IOPS to handle concurrent SSH handshakes and file writes. Standard SATA drives in shared hosting environments choke under this load.
Conclusion
Security is not a luxury; it is a requirement. By moving to SFTP, you simplify your firewall rules, satisfy compliance requirements, and protect your credentials from sniffing attacks.
Don't risk your data on outdated protocols. Spin up a CoolVDS Xen VPS today, configure OpenSSH properly, and sleep better knowing your transport layer is secure.