Monday, 7 January 2013

Security


FTP was not designed to be a secure protocol—especially by today's standards—and has many security weaknesses.[16] In May 1999, the authors of RFC 2577 listed a vulnerability to the following problems:[17]

Bounce attacks

Spoof attacks

Brute force attacks

Packet capture (sniffing)

Username protection

Port stealing

FTP is not able to encrypt its traffic; all transmissions are in clear text, and usernames, passwords, commands and data can be easily read by anyone able to perform packet capture (sniffing) on the network.[2][16] This problem is common to many of the Internet Protocol specifications (such as SMTP, Telnet, POP and IMAP) that were designed prior to the creation of encryption mechanisms such as TLS or SSL.[4] A common solution to this problem is to use the "secure", TLS-protected versions of the insecure protocols (e.g. FTPS for FTP, TelnetS for Telnet, etc.) or a different, more secure protocol that can handle the job, such as the SFTP/SCP tools included with most implementations of the Secure Shell protocol.

Secure FTP

There are several methods of securely transferring files that have been called "Secure FTP" at one point or another.

FTPS

Explicit FTPS is an extension to the FTP standard that allows clients to request that the FTP session be encrypted. This is done by sending the "AUTH TLS" command. The server has the option of allowing or denying connections that do not request TLS. This protocol extension is defined in the proposed standard: RFC 4217. Implicit FTPS is a deprecated standard for FTP that required the use of an SSL or TLS connection. It was specified to use different ports than plain FTP.

SFTP

SFTP, the "SSH File Transfer Protocol," is not related to FTP except that it also transfers files and has a similar command set for users. SFTP, or secure FTP, is a program that uses Secure Shell (SSH) to transfer files. Unlike standard FTP, it encrypts both commands and data, preventing passwords and sensitive information from being transmitted in the clear over the network. It is functionally similar to FTP, but because it uses a different protocol, standard FTP clients cannot be used to talk to an SFTP server, nor can one connect to an FTP server with a client that supports only SFTP.

FTP over SSH (not SFTP)

FTP over SSH (not SFTP) refers to the practice of tunneling a normal FTP session over an SSH connection.[16] Because FTP uses multiple TCP connections (unusual for a TCP/IP protocol that is still in use), it is particularly difficult to tunnel over SSH. With many SSH clients, attempting to set up a tunnel for the control channel (the initial client-to-server connection on port 21) will protect only that channel; if data is transferred, the FTP software at either end will set up new TCP connections (data channels), which bypass the SSH connection and thus have no confidentiality or integrity protection, etc.

Otherwise, it is necessary for the SSH client software to have specific knowledge of the FTP protocol, to monitor and rewrite FTP control channel messages and autonomously open new packet forwardings for FTP data channels. Software packages that support this mode include:

Tectia ConnectSecure (Win/Linux/Unix) of SSH Communications Security's software suite

Tectia Server for IBM z/OS of SSH Communications Security's software suite

FONC (the GPL licensed)

Co:Z FTPSSH Proxy

FTP over SSH is sometimes referred to as secure FTP; this should not be confused with other methods of securing FTP, such as SSL/TLS (FTPS). Other methods of transferring files using SSH that are not related to FTP include SFTP and SCP; in each of these, the entire conversation (credentials and data) is always protected by the SSH protocol.
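
An added example (not from the original page or from any of the listed products) of the control-channel rewriting described above for FTP over SSH, narrowed to passive mode: it parses the server's 227 reply, asks a hook to tunnel the announced data endpoint, and rewrites the reply to point at the local forward. `FtpAwareTunnel`, the `open_forward` hook and the sample addresses and ports are assumptions made for illustration.

```python
import re

# Host/port tuple in "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(r"^227 .*?\(" + ",".join([r"(\d{1,3})"] * 6) + r"\)")

def parse_pasv(reply):
    """Return (host, port) announced by a 227 reply, or None for other lines."""
    m = PASV_RE.match(reply.strip())
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in PASV reply")
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def format_pasv(host, port):
    """Build a 227 reply that announces host:port."""
    return "227 Entering Passive Mode ({},{},{})".format(
        host.replace(".", ","), port >> 8, port & 0xFF)

class FtpAwareTunnel:
    """Control-channel filter. open_forward(host, port) is a hypothetical hook
    standing in for the SSH client's port-forward request; it returns the
    local port that now tunnels to host:port."""

    def __init__(self, open_forward, local_host="127.0.0.1"):
        self.open_forward = open_forward
        self.local_host = local_host

    def filter_server_reply(self, line):
        target = parse_pasv(line)
        if target is None:
            return line  # not a data-channel announcement: pass through
        local_port = self.open_forward(*target)
        # The FTP client now connects to the tunnel, not to the server directly.
        return format_pasv(self.local_host, local_port)

if __name__ == "__main__":
    # Constructed sample reply (192.0.2.10 is a documentation address).
    reply = "227 Entering Passive Mode (192,0,2,10,195,80)"
    print("plain tunnel, data goes direct to:", parse_pasv(reply))
    forwards = []
    def open_forward(host, port):
        forwards.append((host, port))
        return 40001  # constructed local port
    print(FtpAwareTunnel(open_forward).filter_server_reply(reply))
```

With a tunnel that forwards only port 21, the 227 reply reaches the client unmodified and the data connection goes straight to the announced endpoint, outside SSH.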
