Secure FTP over TLS

Our servers support secure FTP through FTP over explicit TLS/SSL. This is sometimes referred to as FTPeS. This is not be confused with SFTP which is an FTP subsystem branched for Secure Shell (SSH). SFTP had its pitfalls, mainly in that it was dependent on Secure Shell. FTPeS is a protocol that is based entirely on the FTP standard, it just makes use of TLS to add a layer of security.

To understand FTP and FTP over explicit TLS, you need to understand how FTP works. FTP consists of two parts, two channels. A control channel, which is used to authenticate a user and log them into the FTP system, and a data channel, which is used to actually transport files from one end to the other. A lot of times when you hear of FTPeS or any type of secure FTP based on the FTP standard, you get encryption but only for the control channel. That is your login information is encrypted, but when you actually send files, either uploading or downloading, the data channel is not encrypted and these pass over the wire in plain text.

Unfortunately, there is no way to differentiate the terminology here. FTPeS will always encrypt the control channel, assuming that the server supports it. But for the data channel, if FTPeS is used and if the FTP application supports it, then the data channel will be encrypted, but if the FTP application does not support it then the application will fall back to unencrypted data channel transmission.

What happened to SFTP access?

This new FTP over explicit TLS replaces the old SFTP system. FTP over explicit TLS is geared more towards FTP and does not rely on other protocols and it allows virtual FTP users to also connect and transfer securely.

How do you insure that your connection is encrypted all of the time?

This is where we have set up a secure FTP service running on port 2112. The FTP service on port 2112 will only accept encrypted connections for both the control channel and the data channel. If your FTP application does not support or is not configured for FTPeS, it will not connect on port 2112. If your FTP application does not support data channel encryption then you won't be able to upload or download files on port 2112. In this way, using port 2112 insures that your transmission is always encrypted.

Can I use port 21 for secure connections?

Absolutely. Encryption on port 21 will work just as it does on port 2112, as long as your FTP application supports it. The reason we have port 2112 set up is because it will only support encrypted connections. Port 21, by contrast, will support encrypted connections, but it will also fall back if encryption is not supported by the FTP application on the client-side. Port 2112 will not fall back, it will just fail.

I connected to my FTP account on port 2112 but I cannot upload files.

If this is the case, then your FTP application does not support encryption on the data channel. You will be able to connect on port 21 with your FTP application, but when you go to upload a file, it will be sent across the Internet in plain text, unencrypted. The service on port 2112 essentially provides a service that tells you whether or not your FTP application supports data channel encryption.

My FTP application connects on port 2112 and I am able to upload files, can I use port 21 with this FTP application?

Yes, you should be able to. Just be sure that you always select FTPeS or FTP over explicit TLS/SSL when using port 21. Again, I can't guarantee that your FTP application won't fall back to an unencrypted data channel on port 21, but if your FTP application supports this on port 2112, then it should use it on port 21 as well.

Can I use this to connect securely with virtual FTP users?

Yes. This is the good thing about FTPeS versus SFTP. Virtual FTP accounts, that is FTP usernames and passwords that you create in your control panel, usernames that you must use with, can be used with FTPeS. Just specify the correct FTP account username as the User when setting up the connection and use its corresponding password.

To connect to your FTP account securely, I recommend the FileZilla FTP application. This FTP application does support encrypted data channel transmission, so this should work for your connection. To download FileZilla follow the link to their website below:

The FileZilla Project

Start FileZilla and click on File and select Site Manager

Click on New Site to add a new site to the Site Manager. The text will highlight in the site selection dialog box, enter a name for your account, something that you associated with your account, you might use just your domain name.

Now you want to complete the details under the General tab setting. Complete the details to look like:

Completed Site Details

Notice the highlighted sections, Host and User these are both options that will need to be changed depending on your account.

The Host to use will be displayed in your cPanel. Log into your cPanel and click on the FTP Accounts icon:

FTP Accounts cPanel Icon

Then near the middle of the page, under the heading Account Management you will see a list of your FTP accounts. Find the one that has your username listed and click the Configure FTP Client icon:

Configure FTP Client Icon

Then on the resulting page you will see instructions for accessing your account with FTPeS:

Highlight Secure FTP Hostname

The portion that is in the highlighted section in your control panel is Host you need to enter in FileZilla.

The User would obviously be the FTP username that you are wanting to log in as.

When you click on Connect you will be asked for the password for your account, enter that password. You may be asked to accept a certificate, you will need to accept that certificate in order to proceed. This is just the secure certificate that is being used to encrypt your connection, it is perfectly safe to accept this certificate. Then proceed to use FTP as you normally would.