FTP Security



Securing your site.


FTP was not designed as a secure protocol, but FTP transfers can be secured using several methods, and it is always a good idea to take steps towards ensuring your site’s security. Below I’ll go over a couple of easy ways to keep your FTP transfers secure.


Creating ftp.allow/deny files.

This method is used when you are hosting on a Linux server. Whenever an FTP session is started, the FTP client searches the home directory for an ftp.allow file to see if the IP address you are connecting from is allowed in. If your IP address is on the allow list, you are allowed to connect. If the ftp.allow file is not found, however, another check is performed. This next check looks for a file named ftp.deny. If your IP address is found in the ftp.deny file, you are not able to connect.

These files must be created as they are not present by default. Below I’ll go through the steps to create these files.

1. Access your customer control panel.

2. Choose File Manager. This will take you to the home directory via webshell.


3. While in the home directory click on the File option.


4. OK, so now you get to choose which IP addresses are to be allowed FTP access. Each IP address needs to be on a separate line. Say you only want to allow your home address, for example. To do this you would have only one line, containing your home IP address. If you do not know your current IP address click here. Change the name to ftp.allow. Then add your allowed IP addresses. After making a line for each IP, click the Save button. With just a single IP listed it would look like this:


Note: Always leave an empty line at the end of your ftp.allow file. Same goes for the ftp.deny file.

If you needed to allow multiple IPs over a certain range your ftp.allow file should look like this.



5. Next, repeat step 3, this time changing the file name to ftp.deny. In the body of the text, add a line for each IP you want to block. Be sure to save.

If you wanted to block ALL IP addresses that are not on the ftp.allow list make your ftp.deny file look like this:



Reminder: Do not forget the empty line at the end. 

If you were to block a specific set of IP addresses your file should look like this:


Note: You can block a certain range of IP addresses the same way you can allow ranges or “blocks” of IP addresses. 
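The check order and file format described above can be modelled offline before you rely on the files; the following is an added example, not the hosting platform's own code. It assumes that an address missing from an existing ftp.allow is refused, that having neither file means no restriction, and that "empty line at the end" means the file ends with a newline; it handles single-address lines only, and the names `read_ip_list` and `ftp_decision` are hypothetical.

```python
import ipaddress
import tempfile
from pathlib import Path

def read_ip_list(path):
    """Return (addresses, problems) for an ftp.allow / ftp.deny style file."""
    text = Path(path).read_text()
    problems = []
    # Assumption: the article's "empty line at the end" means a trailing newline.
    if not text.endswith("\n"):
        problems.append("file does not end with a newline")
    addresses = set()
    for number, line in enumerate(text.splitlines(), start=1):
        entry = line.strip()
        if not entry:
            continue
        try:
            addresses.add(ipaddress.ip_address(entry))
        except ValueError:
            # Range entries are not modelled here, so they are reported too.
            problems.append(f"line {number}: not a single IP address: {entry!r}")
    return addresses, problems

def ftp_decision(home_dir, client_ip):
    """Apply the article's order: ftp.allow first, ftp.deny only if it is absent."""
    home = Path(home_dir)
    ip = ipaddress.ip_address(client_ip)
    allow, deny = home / "ftp.allow", home / "ftp.deny"
    if allow.is_file():
        return "allow" if ip in read_ip_list(allow)[0] else "deny"
    if deny.is_file():
        return "deny" if ip in read_ip_list(deny)[0] else "allow"
    return "allow"  # assumption: neither file present means no IP restriction

def demo():
    # Constructed sample data using documentation-only address ranges.
    with tempfile.TemporaryDirectory() as home:
        results = {"none": ftp_decision(home, "203.0.113.9")}
        Path(home, "ftp.deny").write_text("203.0.113.9\n")
        results["deny_only"] = ftp_decision(home, "203.0.113.9")
        Path(home, "ftp.allow").write_text("198.51.100.7")  # trailing newline forgotten
        results["allow_listed"] = ftp_decision(home, "198.51.100.7")
        results["allow_unlisted"] = ftp_decision(home, "192.0.2.1")
        results["lint"] = read_ip_list(Path(home, "ftp.allow"))[1]
        return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```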

Now, if you’re on a Windows server, the process is almost identical. The only difference is that you only need one file. This file is known as a .winftpaccess file.


You can think of this file as a VIP list. Only the IP addresses listed in the .winftpaccess file are allowed FTP access. ALL others are denied. Adding a range of IP addresses is just as simple. As mentioned before, this process is almost identical to creating an ftp.allow or ftp.deny file. The only differences are:

1. You’re naming the file .winftpaccess

2. You’re simply listing the IP address or addresses you want to be able to connect with.


Note: The ftp.allow and ftp.deny files go into effect instantly. When using the .winftpaccess file on your Windows server, you will have to wait for a periodic task that is scheduled to run every 15 minutes or so.

Once you have added the IPs you would like to allow to connect via ftp, you will want to save the file, and you are complete!



