Can Someone Please Tell Me How To Set-up SFTP With Filezilla??

19 replies
Hey Gang,

I ran across a few posts here stating that it was better security to have Filezilla set up as SFTP instead of FTP for better security so that your U.N. & P.W. was encrypted.

But I'm not sure that I know how to set it up? Is it as simple as going to Site manager within Filezilla, and changing the protocol from FTP -to- SFTP? Or are there additional steps -or- actions that I need to take?

If anyone can help me with this, I would be very grateful

In Many Thanks,
Tommy
#filezilla #ftp #security #set-up #setup #sftp
  • byau:
    Hi,
    Main thing is that sftp runs on port 22 (ssh port)

    So your top text boxes will be:

    host: enter hostname
    username: enter username
    password: enter password
    port: 22

    The main thing is to enter port number 22.

    You'll see Filezilla is smart enough to change to sftp protocol (the hostname should change to sftp://hostname)

    Also, a lighter weight client for sftp/scp is winscp

    Good luck!
    Signature
    Our deepest fear is not that we are inadequate. Our deepest fear is that we are powerful beyond measure. It is our light, not our darkness that most frightens us. We ask ourselves, Who am I to be brilliant, gorgeous, talented, fabulous? Actually, who are you not to be? You are a child of God.
    • jennifermark81:
      SFTP is SSH File Transfer Protocol. To set it up, you can follow the steps below.

      Step 1: From the File menu, select Site Manager.

      Step 2: Click the New Site button located in the bottom left corner of the window. A New FTP site icon appears beneath.

      Step 3: In place of the displayed words New FTP site, type a descriptive name for your new SFTP site profile.

      Step 4: Click in the Host field, then type the actual host name of the new SFTP site. The port number depends on the server where your site is hosted.

      Step 5: In Servertype, click the down arrow and select SFTP - SSH File Transfer Protocol.

      Step 6: In Logontype, select Normal.

      Step 7: In the Username and Password fields, enter the username and password of your website.

      Step 8: Now click Connect. You can now upload/download files to/from your website securely using SFTP.

      Regards,
      Jen
      • Kingfish85:
        Originally Posted by tomfinster:

        Hey Gang,

        I ran across a few posts here stating that it was better security to have Filezilla set up as SFTP instead of FTP for better security so that your U.N. & P.W. was encrypted.

        But I'm not sure that I know how to set it up? Is it as simple as going to Site manager within Filezilla, and changing the protocol from FTP -to- SFTP? Or are there additional steps -or- actions that I need to take?

        If anyone can help me with this, I would be very grateful

        In Many Thanks,
        Tommy
        Originally Posted by byau:

        Hi,
        Main thing is that sftp runs on port 22 (ssh port)

        So your top text boxes will be:

        host: enter hostname
        username: enter username
        password: enter password
        port: 22

        The main thing is to enter port number 22.

        You'll see Filezilla is smart enough to change to sftp protocol (the hostname should change to sftp://hostname)

        Also, a lighter weight client for sftp/scp is winscp

        Good luck!
        Originally Posted by jennifermark81:

        SFTP is SSH File Transfer Protocol. To set it up, you can follow the steps below.

        Step 1: From the File menu, select Site Manager.

        Step 2: Click the New Site button located in the bottom left corner of the window. A New FTP site icon appears beneath.

        Step 3: In place of the displayed words New FTP site, type a descriptive name for your new SFTP site profile.

        Step 4: Click in the Host field, then type the actual host name of the new SFTP site. The port number depends on the server where your site is hosted.

        Step 5: In Servertype, click the down arrow and select SFTP - SSH File Transfer Protocol.

        Step 6: In Logontype, select Normal.

        Step 7: In the Username and Password fields, enter the username and password of your website.

        Step 8: Now click Connect. You can now upload/download files to/from your website securely using SFTP.

        Regards,
        Jen
        These are all good steps; HOWEVER, you need to contact your hosting provider first. You may not even have ssh access, AND if that web host is using ssh on port 22, I would suggest finding another host. Using the default port is extremely insecure.

        Are you using shared hosting or VPS/Dedicated which you have root access to?
        • tomfinster:
          Originally Posted by Kingfish85:

          These are all good steps; HOWEVER, you need to contact your hosting provider first. You may not even have ssh access, AND if that web host is using ssh on port 22, I would suggest finding another host. Using the default port is extremely insecure.

          Are you using shared hosting or VPS/Dedicated which you have root access to?
          I am using Hostgator's shared hosting.
          Signature

          Some Of The Top Affiliate Courses In The Industry!

        • byau:
          Originally Posted by Kingfish85:

          These are all good steps; HOWEVER, you need to contact your hosting provider first. You may not even have ssh access, AND if that web host is using ssh on port 22, I would suggest finding another host. Using the default port is extremely insecure.

          Are you using shared hosting or VPS/Dedicated which you have root access to?
          Just to voice in here some disagreement:

          Using the default port as insecure is up for debate. It is very easy to port scan for the ssh port so I never minded having default port available.

          So if you're talking security from a "guess the password" point of view, you can always port scan for ssh and then guess the password. If you're talking about sniffing the password, it's still encrypted regardless of what port you're on.

          Keeping your ssh server up to date and patched is definitely a lot more important than running ssh on a non-standard port. I would rather have a technical team spending time keeping servers up to date than spending time configuring ssh to be on a non-standard port.

          From real world experience, while I have used many hosting providers over the years, I have mainly used two: one with a great technical team that happens to have ssh on the standard port, and one that *had* a great technical team (that got worse) that also happened to run ssh on a non-standard port. I ended up dumping the second host. And have had no problems with the first.
          • Kingfish85:
            Originally Posted by tomfinster:

            I am using Hostgator's shared hosting.
            See here: Secure FTP, SFTP and FTPS « HostGator.com Support Portal

            Originally Posted by byau:

            Just to voice in here some disagreement:

            Using the default port as insecure is up for debate. It is very easy to port scan for the ssh port so I never minded having default port available.

            So if you're talking security from a "guess the password" point of view, you can always port scan for ssh and then guess the password. If you're talking about sniffing the password, it's still encrypted regardless of what port you're on.

            Keeping your ssh server up to date and patched is definitely a lot more important than running ssh on a non-standard port. I would rather have a technical team spending time keeping servers up to date than spending time configuring ssh to be on a non-standard port.
            You're right, it is easy for a port scan. By changing the default port, you already eliminate the possibility of a port scan even reaching it. Should your firewall be configured correctly, the IP will be blacklisted before the scan even comes close to reaching it. Port 22 isn't very far up the line. Changing the port is only one best practice to do. Using a wheel group and not allowing root login are among others.

            With the amount of people who use p@ssw0rd, Password etc and any other dictionary style password for their accounts, yes, it can be compromised very easily. This is why we do not even allow jailed ssh in our shared/reseller environments.

            From real world experience, while I have used many hosting providers over the years, I have mainly used two: one with a great technical team that happens to have ssh on the standard port, and one that *had* a great technical team (that got worse) that also happened to run ssh on a non-standard port. I ended up dumping the second host. And have had no problems with the first.
            I can tell you from real world experience, with almost 10 years in the IT & hosting industry, running ssh on the default port is not a good practice. It's not hard to change, and why would you want anyone to be able to attempt to brute force every ssh port they can come across? It's one of many steps for security by obscurity.

            You may feel otherwise, but I prefer to take additional steps to secure & safeguard our environments.
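The "failing logins, then have the IP blocked at the firewall" behaviour Kingfish85 describes is what a log-driven brute-force detector does. The following is an added example, not code from any poster: it parses constructed sshd syslog lines, counts failed-password events per source address, and flags a source once it reaches a failure threshold inside a sliding time window (the same maxretry/findtime idea fail2ban uses). The hostnames, addresses and threshold values are constructed for the example.

```python
"""Flag SSH brute-force sources from sshd syslog lines (defender-side example).

Constructed sample log; no real hosts or addresses. A source is flagged once it
produces `max_failures` failed logins within `window_seconds`.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed syslog-format sshd lines. Classic syslog omits the year, so a fixed
# year is assumed when parsing timestamps.
SAMPLE_LOG = """\
Aug 15 10:23:01 web1 sshd[2041]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Aug 15 10:23:03 web1 sshd[2041]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Aug 15 10:23:04 web1 sshd[2043]: Failed password for root from 203.0.113.5 port 51240 ssh2
Aug 15 10:23:06 web1 sshd[2044]: Failed password for root from 203.0.113.5 port 51242 ssh2
Aug 15 10:23:09 web1 sshd[2046]: Failed password for invalid user test from 203.0.113.5 port 51250 ssh2
Aug 15 10:25:40 web1 sshd[2050]: Accepted publickey for deploy from 198.51.100.7 port 40022 ssh2: ED25519 SHA256:constructed
Aug 15 10:30:12 web1 sshd[2061]: Failed password for deploy from 198.51.100.7 port 40030 ssh2
Aug 15 10:30:20 web1 sshd[2062]: Accepted password for deploy from 198.51.100.7 port 40031 ssh2
Aug 15 11:00:00 web1 sshd[2100]: Failed password for invalid user oracle from 192.0.2.9 port 60000 ssh2
Aug 15 11:20:00 web1 sshd[2101]: Failed password for invalid user oracle from 192.0.2.9 port 60001 ssh2
Aug 15 11:40:00 web1 sshd[2102]: Failed password for invalid user oracle from 192.0.2.9 port 60002 ssh2
Aug 15 12:00:00 web1 sshd[2103]: Failed password for invalid user oracle from 192.0.2.9 port 60003 ssh2
Aug 15 12:20:00 web1 sshd[2104]: Failed password for invalid user oracle from 192.0.2.9 port 60004 ssh2
"""

# Matches only failed password attempts; accepted logins and other sshd chatter
# are ignored. "invalid user" is optional because sshd omits it for real accounts.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text, year=2024):
    """Return a list of (timestamp, source_ip, username) for each failed login."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"]))
    return events


def failures_by_ip(events):
    """Total failed logins per source address, regardless of timing."""
    counts = defaultdict(int)
    for _ts, ip, _user in events:
        counts[ip] += 1
    return dict(counts)


def sources_to_block(events, max_failures=5, window_seconds=600):
    """Sliding-window threshold: return {ip: time_first_flagged}.

    An IP is flagged the moment it has `max_failures` failures whose timestamps
    all fall within `window_seconds` of each other.
    """
    recent = defaultdict(list)  # ip -> timestamps still inside the window
    flagged = {}
    for ts, ip, _user in sorted(events):
        q = recent[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.pop(0)  # drop failures that have aged out of the window
        if len(q) >= max_failures and ip not in flagged:
            flagged[ip] = ts
    return flagged


if __name__ == "__main__":
    ev = parse_failures(SAMPLE_LOG)
    print("failures per source:", failures_by_ip(ev))
    for ip, when in sources_to_block(ev).items():
        print(f"block {ip} (threshold reached at {when:%H:%M:%S})")
```

The 192.0.2.9 source spreads its five attempts twenty minutes apart and never trips the default window, while the legitimate deploy user's single typo is left alone; a threshold blocker catches the noisy case only, which is why the patching and no-root-login points raised in the thread still carry weight.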
            • byau:
              Originally Posted by Kingfish85:


              I can tell you from real world experience, with almost 10 years in the IT & hosting industry, running ssh on the default port is not a good practice. It's not hard to change, and why would you want anyone to be able to attempt to brute force every ssh port they can come across? It's one of many steps for security by obscurity.

              You may feel otherwise, but I prefer to take additional steps to secure & safeguard our environments.
              You point out some really great points and I respect that. I agree that it is an 'additional' caution and doesn't hurt, EXCEPT in the case where there is always so much to be done as a sysadmin, and sysadmin time management is one of the toughest hurdles. And so choosing to spend your time on what is most effective is tough. There is always something to be done in the life as a sysadmin.

              From my real world experience, I have been a senior unix/linux admin for close to 20 years now. I love it. If my IM career ends up giving me riches beyond belief, I would still be working as a sysadmin.

              Security audits are a normal part of many businesses. Among those 20 years, I have worked for a credit card company. To do work with VISA you need to pass VISA's CISP audit. I also have worked with companies that need to pass PCI audits as well. This means external companies come in and scan your networks both internally and externally and come up with a list of remediations. In the case of VISA, if you do not fix all their remediations you cannot do business anymore

              In my experience, if your openssl, openssh, php, apache, and perl were not up to date within about ..oh..3 months? It would get flagged as a medium or high priority. That's how often security problems are found with those services.

              That being said..no security audit I've been involved with has ever flagged ssh running on default port 22 as a problem. Not a high risk. Not a medium risk. Not even a low risk.

              From a sysadmin/security point of view, there was always enough to keep me busy remediating the high and middle risks (along with general user and server support) If I had spare time, heck I could work on all the low risks. SSH on default port 22 never came up as even a low risk and so we never bothered with it.

              I agree again that it can't hurt, every little bit helps, but that has to be balanced with what is the most effective way to spend your time (which hehheh includes posting on a forum..eep!)

              I hope you take this in the spirit of debate. I appreciate and respect your well thought out response.
              • Kingfish85:
                Originally Posted by byau:

                You point out some really great points and I respect that. I agree that it is an 'additional' caution and doesn't hurt, EXCEPT in the case where there is always so much to be done as a sysadmin, and sysadmin time management is one of the toughest hurdles. And so choosing to spend your time on what is most effective is tough. There is always something to be done in the life as a sysadmin.

                From my real world experience, I have been a senior unix/linux admin for close to 20 years now. I love it. If my IM career ends up giving me riches beyond belief, I would still be working as a sysadmin.

                Security audits are a normal part of many businesses. Among those 20 years, I have worked for a credit card company. To do work with VISA you need to pass VISA's CISP audit. I also have worked with companies that need to pass PCI audits as well. This means external companies come in and scan your networks both internally and externally and come up with a list of remediations. In the case of VISA, if you do not fix all their remediations you cannot do business anymore

                In my experience, if your openssl, openssh, php, apache, and perl were not up to date within about ..oh..3 months? It would get flagged as a medium or high priority. That's how often security problems are found with those services.

                That being said..no security audit I've been involved with has ever flagged ssh running on default port 22 as a problem. Not a high risk. Not a medium risk. Not even a low risk.

                From a sysadmin/security point of view, there was always enough to keep me busy remediating the high and middle risks (along with general user and server support) If I had spare time, heck I could work on all the low risks. SSH on default port 22 never came up as even a low risk and so we never bothered with it.

                I agree again that it can't hurt, every little bit helps, but that has to be balanced with what is the most effective way to spend your time (which hehheh includes posting on a forum..eep!)

                I hope you take this in the spirit of debate. I appreciate and respect your well thought out response.
                I'm not sure it's much of a debate, but rather a preference as we're both pretty much on the same page. I do agree that it adds a bit more time to change things around, but at the end of the day I feel better knowing that with using a different port, the outside world doesn't directly know about it, especially a malicious user. I'd rather have them start port scanning, failing logins etc and then have the IP blocked at the firewall before even getting any further. It's a few extra steps when configuring a server, but it only has to be done once for that server.

                Even leaving it on the default port with a group & not allowing root login over ssh would be alright, but I prefer to run on a non-standard port as an added precaution.
                • byau:
                  Originally Posted by Kingfish85:

                  I'm not sure it's much of a debate, but rather a preference as we're both pretty much on the same page.
                  Well put - as opposed to my technical background are you possibly in sales/marketing/promotion? ...effective at getting a point across in fewer words?

                  Although the "debate" part is your original point: if a hosting company has SSH on default port 22 to steer clear of them. I am saying, a hosting company having SSH on default port 22 is far from being a deal breaker.

                  But I agree that for the rest, it really is just preference.

                  If your company is as well spoken as you are, I'll have to keep you in mind when I am looking for a new host for a project.

                  p.s. apologies thread starter for the hijack!
                  • tomfinster:
                    Originally Posted by byau:

                    p.s. apologies thread starter for the hijack!
                    No apology needed! I've been reading this post, and it has been quite a learning experience getting great info from two professionals.
                  • Kingfish85:
                    Originally Posted by byau:

                    Well put - as opposed to my technical background are you possibly in sales/marketing/promotion? ...effective at getting a point across in fewer words?
                    I do it all, well of course we have other techs as well, but I own/operate VopaHost Web Hosting. I have also been a Windows & Linux admin for almost 10 years as well, so I do have a technical background along with experience in VMware, OpenVZ, NetApp, Security etc etc.

                    If your company is as well spoken as you are, I'll have to keep you in mind when I am looking for a new host for a project.
                    Thanks for the compliments. Feel free to get in touch when you're ready.

                    p.s. apologies thread starter for the hijack!
                    I second this.
                    • tomfinster:
                      OK guys,

                      What I did was call hostgator, and they said that they needed to enable SSH for me for it to work... but I felt the person I was dealing with came across uncertain... so I hung up and didn't make that change with him.

                      I then opened up filezilla, and proceeded to make the changes that byau & jennifermark81 told me to do... but with one exception.... I had to use port 2222.

                      It looks like it worked. I pulled up my files & folders... but does that mean I still have to contact hostgator so that they enable SSH?

                      In Many Thanks,
                      Tom
                      • Kingfish85:
                        Originally Posted by tomfinster:

                        OK guys,

                        What I did was call hostgator, and they said that they needed to enable SSH for me for it to work... but I felt the person I was dealing with came across uncertain... so I hung up and didn't make that change with him.

                        I then opened up filezilla, and proceeded to make the changes that byau & jennifermark81 told me to do... but with one exception.... I had to use port 2222.

                        It looks like it worked. I pulled up my files & folders... but does that mean I still have to contact hostgator so that they enable SSH?

                        In Many Thanks,
                        Tom
                        You're dealing with Tier 1 support, and without sounding like I'm badmouthing them, they're most likely either reading a script or searching for the answer.

                        You will need to call them any time you need this access. The reason you had to change to port 2222 is just like what I mentioned above about the port differences. Some companies use non-standard ports and some use the standard ports - preference.
                        • tomfinster:
                          Originally Posted by Kingfish85:

                          You're dealing with Tier 1 support, and without sounding like I'm badmouthing them, they're most likely either reading a script or searching for the answer.

                          You will need to call them any time you need this access. The reason you had to change to port 2222 is just like what I mentioned above about the port differences. Some companies use non-standard ports and some use the standard ports - preference.
                          So according to your experience & expertise, do you think I am good to go... in regards to my situation, being secure with SSH service, and therefore SFTP?

                          And according to that support page link you sent me -- if I am reading it right... it sounds like it would only work with PuTTY or WinSCP... and not filezilla.
                          • Kingfish85:
                            Originally Posted by tomfinster:

                            So according to your experience & expertise, do you think I am good to go... in regards to my situation, being secure with SSH service, and therefore SFTP?

                            And according to that support page link you sent me -- if I am reading it right... it sounds like it would only work with PuTTY or WinSCP... and not filezilla.
                            You're good to go. SFTP is file transfer over SSH, which will work with Filezilla. You would just have to have them enable it every time you want to use it.

                            What I would recommend you do is create an FTP user in your cPanel account & change the password after each use. You could also remove the user after you're done and/or create a user each time. If you do that, you might as well just have them enable ssh.

                            The most secure would be to use SFTP (ftp over ssh), but an alternative would be to change the ftp account password after each use. Either will work. Just use a strong password and you should be fine. Remember, standard FTP info is passed in clear text, which is why I mentioned changing the password or deleting the account.

                            Also make sure anonymous ftp is disabled, which it should already be.
                            • tomfinster:
                              Originally Posted by Kingfish85:

                              What I would recommend you do is create an FTP user in your cPanel account & change the password after each use. You could also remove the user after you're done and/or create a user each time. If you do that, you might as well just have them enable ssh.
                              Ok, I like the idea of creating an FTP user in my cPanel account & changing the password after each use rather than calling them every time to enable ssh every time I want to use filezilla.

                              But I have a few questions please...

                              #1) When I go into my control panel, and click on FTP accounts -- I see 2 additional login types such as anonymous@mysite[dot]com & ftp@mysite[dot]com already set up in my account.... I don't remember setting these up... maybe hostgator provides these as default. So should I just use the ftp@mysite[dot]com as the FTP user -or- create a new one with a different name? And should I delete the one already in there?

                              #2) And in terms of anonymous@mysite[dot]com within control panel -- I can't figure out how to delete it -or- disable it like you said?

                              #3) And when I got this squared up in creating a FTP user -- and changing the ftp account password after each use... would I then be better off changing back to the default/Port(21) & Protocol/(FTP instead of SFTP) within filezilla site manager? Or leaving it as is which is Port(2222) -&- SFTP.

                              In Many Thanks!
                              • byau:
                                Hey there,
                                You might need to consult with hostgator support for this. I'll do my best here (I haven't checked hostgator's support pages)

                                Originally Posted by tomfinster:

                                Ok, I like the idea of creating an FTP user in my cPanel account & changing the password after each use rather than calling them every time to enable ssh every time I want to use filezilla.

                                But I have a few questions please...

                                #1) When I go into my control panel, and click on FTP accounts -- I see 2 additional login types such as anonymous@mysite[dot]com & ftp@mysite[dot]com already set up in my account.... I don't remember setting these up... maybe hostgator provides these as default. So should I just use the ftp@mysite[dot]com as the FTP user -or- create a new one with a different name? And should I delete the one already in there?
                                Just leave them there, I am guessing they are created by default. You should create a brand new account and not use these two. Create one with a username no one would know. Especially since this account will have access to your actual HTML folders

                                #2) And in terms of anonymous@mysite[dot]com within control panel -- I can't figure out how to delete it -or- disable it like you said?
                                You may not be able to delete the two default accounts anonymous and ftp so just disable them

                                #3) And when I got this squared up in creating a FTP user -- and changing the ftp account password after each use... would I then be better off changing back to the default/Port(21) & Protocol/(FTP instead of SFTP) within filezilla site manager? Or leaving it as is which is Port(2222) -&- SFTP.
                                If you use the default settings for filezilla, it should work with ftp. When you changed it to 2222 that worked with sftp. You should go back to the default 21 port.

                                And just to throw the idea out there again, if your cpanel uses https connection instead of http, then use the filemanager in cpanel since that will remain encrypted whereas your ftp connection will not be (which is especially bad if you are using public wireless somewhere like @ Starbucks or something)

                                Have fun, good luck!
  • byau:
    It isn't clear on the link if you need to call every time or not.

    Also if your cpanel is through https, that is also encrypted and you can use the filemanager web gui via https
  • Walter Parrish:
    Originally Posted by tomfinster:

    Hey Gang,

    I ran across a few posts here stating that it was better security to have Filezilla set up as SFTP instead of FTP for better security so that your U.N. & P.W. was encrypted.

    But I'm not sure that I know how to set it up? Is it as simple as going to Site manager within Filezilla, and changing the protocol from FTP -to- SFTP? Or are there additional steps -or- actions that I need to take?

    If anyone can help me with this, I would be very grateful

    In Many Thanks,
    Tommy
    I'm no expert, but will tell you what I know.
    I don't believe you can do it on shared hosting and even if you could it's probably going to be less secure.

    Get a reseller, vps type of account.
    Purchase a secure cert.
    Install it or have your hosting install it on your domain.
    If you are still using port 22 change that or have your hosting change it.
    If you're on cpanel/whm go in and set the cert for the main domain, that way you will have things set for every domain in the account.
    As far as sftps and all that I didn't even know that was still used.
    The login in Filezilla should look like this
    ftpes://yourdomain.com along with your credentials.
    A popup will ask about your cert the first time and you will ok that.
    Problem solved.
    Signature
    Use Feeder Sites, Articles, And Social Media Sites To Generate Unstoppable Traffic, FREE! Click Here Now To Get It For FREE