Securing FTP (ftpes) using filezilla (client & server)

Using standard FTP is generally speaking a really bad idea from a security perspective.  The issue, among other things, is that the userid and password are sent over the network in clear text.  This means anyone sniffing the network now has complete access to your account.

To solve this, use either sftp or ftps.  Both use SSL to help secure the connection.  There are arguments for either sftp or ftps, but I will describe setting up ftps because it is rather simple and easy to install/configure.

This setup uses both the filezilla server and the filezilla client.  Part 1 describe configuring the ftpd (the server or daemon).  Part 2 describes how to set up the client.

Part 1: the server

Configure the server for SSL support:

1. Download and install the filezilla server.  Use google to find the download site.
1. You will probably want to set this up to "Install as a service, start with Windows"
2. Bring up the Filezilla Server, and open Edit > Setting
3. Under General settings, choose a non-default port (adds security): 2121
4. Under General settings > Welcome message, alter the welcome message as you desire.  This is the message that is displayed to the incoming client requests.
5. Under Passive mode settings:
• Select "Use custom port range" and enter a range (for example 54054 - 54084)
• Select "Use the following IP" and enter your hostname 
• This should be your external hostname assuming you are using DDNS
• You then need to configure port forwarding for the port you previously specified [2121] and the port range to this host's local IP address
6. Under SSL/TLS settings, select "Enable FTP over SSL/TLS support (FTPS) and click "Generate new certificate..."
1. In the dialog box, enter "US" for the country code
2. Click Browse next to Save key and certificate to this file".  Browse to "C:\Program Files (x86)\FileZilla Server" and click Save.  Click "Gernerate certificate".
3.  Fill in whatever other fields you wish
4.  and click "Generate certificate"
5. Back on the SSL/TLS settings screen, select both "Allow explicit FTP over TLS" and "Disallow plain unencrypted FTP"
7. Click OK
8. Restart the server

Configure the filewall.  If you have a filewall running on the server machine, you will need to create the appropriate rules to allow your ports in.  Those steps will depend on the specific firewall software being used.

Assuming the Windows firewall on Windows 7, here are the steps I followed:

1. Start -> Windows Firewall with Advanced Security
2. Inbound Rules
3. New Rule...
4. Select Port, click Next
5. Select Specific local ports" and enter "2121, 54054-54084"  (matching the ports for the server above).  Click Next
6. Select "Allow the connection", click Next
7. Select all options for "When does this rule apply" and click Next
8. Provide a name (for example ftpes), click Finish

Create your user account (at least one account):

1. Edit > Settings > Users
2. Click Add to create the user
3. Enter a username and click OK
4. Select the Password checkbox and enter a password
5. Check "Force SSL for user login"
6. Click Shared folders on the left
7. Click Add to create the home directory and browse to the location you want to assign as the users home directory.  Click OK
• Add any aliases to point at other disks or directories as needed
8. Select the user permission (leave the default settings for read-only access or select all for read/write access)
9. Click OK

Part 2: the client

Install the filezilla client

1. Download and install the filezilla client.  Use google to find the download site.
2. Run the install and accept all the defaults

Connect from the client to the server over SSL

1. Start the filezilla client
2. Enter ftpes::/<hostname or ipaddress> into the Host field
3. Enter the username and passwords
4. Enter the port you defined in the server in the port field
5. Press enter