How safe are FTP servers?
I plan on serving up files through http, no real logins or anything. I assume there is a way to configure sftp for the transfer or that most modern ftp servers come configured with this by default.
I know that some things such as running a telnet daemon are inherently dangerous but I still see sites use FTP through a web interface.
5 Replies
http://mywiki.wooledge.org/FtpMustDie
FTPS (FTP over SSL) is better, but if you're going to the trouble of setting that up, don't bother. Just use sftp, the server for which is already provided by your distro's ssh daemon. From the client's perspective, SFTP works in a nearly identical fashion to FTP, but it can take advantage of strong authentication (you do have password auth turned off, don't you?), as well as encryption of all data, including credentials.
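A way to check the two points in the reply above (the ssh daemon offers SFTP, and password logins are off) against an `sshd_config`, as an added example that is not part of the original thread. The function names and both sample configs are constructed for illustration; the parser assumes whitespace-separated `Keyword value` lines and does not follow `Include` files.

```python
# Added example: audit sshd_config text for SFTP availability and password logins.

# OpenSSH defaults when a keyword is absent (see sshd_config(5)).
DEFAULTS = {"passwordauthentication": "yes", "kbdinteractiveauthentication": "yes"}
# Deprecated spelling that newer OpenSSH treats as an alias.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

def parse(text):
    """Return (global_settings, match_settings).

    sshd keeps the FIRST value it reads for a keyword, keywords are
    case-insensitive, and every line after a Match line is conditional.
    """
    glob, matched, in_match = {}, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 1)
        key = ALIASES.get(fields[0].lower(), fields[0].lower())
        value = fields[1].strip() if len(fields) > 1 else ""
        if key == "match":
            in_match = True
            continue
        if key == "subsystem" and value:
            key = "subsystem " + value.split()[0].lower()  # one entry per subsystem name
        if in_match:
            matched.append((key, value))
        else:
            glob.setdefault(key, value)  # first value wins
    return glob, matched

def audit(text):
    """List the settings that still let a password reach the server, or that omit SFTP."""
    glob, matched = parse(text)
    findings = []
    for key, default in DEFAULTS.items():
        if glob.get(key, default).lower() != "no":
            findings.append(f"global {key} is not 'no'")
        if any(k == key and v.lower() != "no" for k, v in matched):
            findings.append(f"a Match block re-enables {key}")
    if "subsystem sftp" not in glob:
        findings.append("no 'Subsystem sftp' line, so SFTP is not offered")
    return findings

# Constructed samples, not taken from the thread.
WEAK = "PasswordAuthentication no\nSubsystem sftp internal-sftp\nMatch User backup\n    PasswordAuthentication yes\n"
HARDENED = "PasswordAuthentication no\nKbdInteractiveAuthentication no\nSubsystem sftp internal-sftp\n"

if __name__ == "__main__":
    print(audit(WEAK))
    print(audit(HARDENED))
```

The `WEAK` sample shows why checking `PasswordAuthentication no` alone is not enough: keyboard-interactive authentication defaults to on, and a later `Match` block can turn passwords back on for a subset of users.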
I've seen other sites do this and I was not required to log in. If SFTP requires users to provide login credentials it sounds like my only option might be to go with FTPS.
Why do you think you need any form of FTP?