
How secure is FTP?

Discussion in 'Other Centmin Mod Installed software' started by joshuah, Nov 14, 2017.

  1. joshuah

    Just wondering how secure is FTP? Like, if I host someone’s website for them and they have a secure password but somehow their list of passwords got compromised and they gained access to that particular FTP account, can they view other directories? Can they damage the server? Can they delete files from other directories?
     
  2. eva2000

    FAQ item 2 covers user accounts: you can't lock site accounts down to user level like cPanel/WHM, as there is no 100% user isolation between site accounts on Centmin Mod.

    Pure-ftpd virtual FTP users only isolates Pure-FTPD virtual FTP users but isn't fully jailed like cPanel/WHM, as Centmin Mod is not made or set up for shared hosting like cPanel/WHM but more for usage by a trusted user (myself/yourself).

    So the pure-ftpd virtual FTP user can lock that FTP user to the nginx vhost directory, but because files are owned by the nginx user/group, it wouldn't stop a hacker using PHP/file based traversal of other nginx vhosts. If you want isolation, set up 1 server for each site you want to host. It's how I usually host my Centmin Mod sites/subdomain sites, i.e. this forum is hosted on a separate server from the centminmod.com site and a separate server from my other subdomain sites for *.centminmod.com subdomains.
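
    An added example, not part of the reply above and not Centmin Mod code: a small audit that shows why an FTP jail alone does not isolate sites when every vhost's files belong to the same web server account. The vhost names and directory layout are constructed; the check uses classic mode bits only and assumes you pass your own domains directory and the web server account's uid and gids.

```python
import os
import stat
import tempfile

def can(st, uid, gids, want):
    """Classic owner/group/other check; want is 'r' or 'w'. Ignores ACLs, SELinux, root."""
    bits = {"r": (stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH),
            "w": (stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH)}[want]
    if st.st_uid == uid:
        return bool(st.st_mode & bits[0])
    if st.st_gid in gids:
        return bool(st.st_mode & bits[1])
    return bool(st.st_mode & bits[2])

def audit(domains_root, uid, gids):
    """Per vhost directory: how many regular files the given account can read / write."""
    report = {}
    for vhost in sorted(os.listdir(domains_root)):
        top = os.path.join(domains_root, vhost)
        if not os.path.isdir(top):
            continue
        counts = {"readable": 0, "writable": 0}
        for dirpath, _dirs, files in os.walk(top):
            for name in files:
                st = os.lstat(os.path.join(dirpath, name))
                if not stat.S_ISREG(st.st_mode):
                    continue
                counts["readable"] += can(st, uid, gids, "r")
                counts["writable"] += can(st, uid, gids, "w")
        report[vhost] = counts
    return report

def shared_write(report):
    """Vhosts whose files one account can modify; more than one means no isolation."""
    return [v for v, c in report.items() if c["writable"]]

def build_sample(root):
    """Constructed layout: three vhosts, all files owned by the current user."""
    for vhost, mode in (("site-a.example", 0o644), ("site-b.example", 0o600),
                        ("site-c.example", 0o444)):
        pub = os.path.join(root, vhost, "public")
        os.makedirs(pub)
        path = os.path.join(pub, "index.php")
        with open(path, "w") as fh:
            fh.write("<?php // constructed sample\n")
        os.chmod(path, mode)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        for vhost, c in audit(root, os.getuid(), set(os.getgroups())).items():
            print(vhost, c)
```

    If `shared_write` returns more than one vhost for the account that PHP runs as, code executing in any one of those sites can modify the others, regardless of how the FTP user is jailed.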
     
  3. Xon

    FTP isn't secure, as the password is transmitted in plaintext.

    Really can't recommend using FTP.
     
  4. eva2000

    I believe @joshuah is referring to Centmin Mod's pure-ftpd virtual FTP over TLS/SSL, which is technically FTPS not FTP, and how pure-ftpd virtual FTP is set up in Nginx context.

    Though yes there's native SFTP vs FTPS vs FTP (which is unsecure).
    • Centmin Mod root user uses SFTP
    • While per Nginx vhost pure-ftpd virtual ftp user is FTPS so all authentication is transmitted in encrypted form and not plain text https://centminmod.com/ftp.html
    FTPS vs FTP https://www.goanywhere.com/blog/2011/10/20/sftp-ftps-secure-ftp-transfers