10

We're setting up a web server at our workspace. In conjunction, we're planning to install an FTP server; however, I'm stuck on which protocol to employ -- FTP, SFTP or FTPS. I googled around, trying to see what each protocol offers, coming across articles like this, but I can't make up my mind. Only simple, once-in-a-while file transfer is desired; however, security is a concern since the file server is intended to be accessible from the internet.

What protocol is the most apt for my use, and why?

susmits
  • Do you already have an Apache set up with SSL? Then I would add ...v/s WebDAV :-) – Chris Lercher Apr 10 '10 at 14:17
  • No, we're going to use lighttpd as the HTTP daemon. – susmits Apr 10 '10 at 14:18
  • If you still want to consider it: WebDAV is also possible with lighttpd http://www.howtoforge.com/setting-up-webdav-with-lighttpd-debian-etch – Chris Lercher Apr 10 '10 at 14:30
  • I'm afraid I'm unfamiliar with WebDAV. Can you cite me some advantages it has over other schemes? Or perhaps link me to someplace that can explain it to me? – susmits Apr 10 '10 at 14:37
  • The first argument for me would be: If I already have an HTTP server (with SSL), why set up an extra server, and why open additional firewall ports? More arguments for WebDAV: http://www.howtoforge.com/webdav_with_ssl_and_two_factor_authentication – Chris Lercher Apr 10 '10 at 14:49
  • Thanks a lot everyone! I'll give WebDAV a look, it does seem quite an attractive option. – susmits Apr 10 '10 at 15:46

5 Answers

14

So the two sane options these days are:

  1. WebDAV: nice on the server side, nice for Linux and Mac OS clients; however, the inbuilt Windows client has issues.

  2. SCP/SFTP: very easy, as you're likely to have ssh anyway; GUI clients are easily available (FileZilla, for example).

Although FTP is still around, I'd really avoid setting anything new up based on it.

LapTop006
  • Plus SFTP operates through a single port only (22). Fewer issues with firewalls and their configuration. – JKim Dec 04 '12 at 16:30
5

I think the short answer is to use an FTP server that supports all three protocols. You probably want to avoid allowing FTP since you mentioned security as a primary concern but both the SSH2 File Transfer Protocol (SFTP) and FTP over TLS/SSL (FTPS) are considered secure file transfer protocols.

SFTP is definitely the favorite these days because of its robust security model and easier setup than traditional FTP and FTPS. SFTP is also considerably more firewall friendly than FTP because it only requires one port to establish a connection and carry out file operations.

FTP and FTPS require multiple ports (one port to issue commands and a separate port for each and every directory listing or file transfer) to accomplish the same thing that SFTP can do with one port. The requirement to set up forwarding for large numbers of ports can be a problem in many environments and can make troubleshooting problems very difficult. However, FTP and FTPS have been around a lot longer than SFTP, and there are still lots of devices and clients that only support FTPS.

In terms of security, both the SFTP and FTPS protocols are considered secure. The requirement to open up multiple ports with FTPS can be viewed as a security concern but there is nothing inherently more secure about the SFTP protocol over the FTPS protocol.

The only real advantage I would give FTPS over SFTP would be performance. SFTP runs over a considerably more robust and generic protocol than FTPS and that robustness imparts a significant performance impact. There is simply a lot more overhead involved in SFTP because it is running over the SSH2 protocol and because SFTP implements its own handshaking mechanism. If you want the highest transfer speeds possible you want FTPS.

To sum all of this up, try to support all 3. Most modern FTP servers already have support for FTP, FTPS, and SFTP.

Grant
  • 2 ports for (active) FTP, and some OSes have helper modules that will handle the second automagically. – Ignacio Vazquez-Abrams Apr 29 '10 at 03:37
  • I guess it depends on how you look at it. For any single directory listing or file transfer only 2 ports are used (one port for the control connection and one port for the data connection), but in practice a new port is required each time a new data transfer takes place. That new port may need to be opened on the server (for passive mode) or on the client (for active mode) but a new port is still usually required. This means that a range of ports needs to be available on either the client or server for a large number of transfers. – Grant Apr 29 '10 at 04:04
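As an added illustration of the port-range point made in this answer and its comments (example code, not part of the original post), the Python snippet below parses the PASV replies that start each FTP/FTPS data transfer and audits them against a configured passive range (the kind set with a directive such as proftpd's PassivePorts) and the host the client actually connected to; the sample replies and the 50000-50100 range are constructed, and the contrast with SFTP's single port 22 is the point.

```python
import re

# RFC 959 PASV reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
# Every LIST/RETR/STOR gets a fresh reply like this, so FTP and FTPS need a
# whole range of data ports open on the firewall, not just port 21.
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

SFTP_PORTS = {22}  # SFTP: commands and data share the single SSH connection


def parse_pasv(reply):
    """Return (host, port) announced in a PASV reply, or None if malformed."""
    m = PASV_RE.match(reply.strip())
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(n > 255 for n in (h1, h2, h3, h4, p1, p2)):
        return None
    port = p1 * 256 + p2
    return (f"{h1}.{h2}.{h3}.{h4}", port) if port else None


def audit_pasv_replies(replies, control_host, pasv_range):
    """Check PASV replies against the configured passive range (lo, hi) and
    the control-connection host. Returns (ports to allow, replies to reject)."""
    lo, hi = pasv_range
    needed, rejected = set(), []
    for reply in replies:
        parsed = parse_pasv(reply)
        if parsed is None:
            rejected.append(reply)
            continue
        host, port = parsed
        # A careful client ignores an announced host that differs from the
        # control connection's peer; a port outside the configured range
        # means the server or a middlebox is misconfigured.
        if host != control_host or not lo <= port <= hi:
            rejected.append(reply)
        else:
            needed.add(port)
    return needed, rejected


# Constructed sample replies, as if captured from four consecutive transfers.
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (192,0,2,10,195,89)",   # port 50009
    "227 Entering Passive Mode (192,0,2,10,195,90)",   # port 50010
    "227 Entering Passive Mode (192,0,2,10,4,21)",     # port 1045, out of range
    "227 Entering Passive Mode (203,0,113,5,195,91)",  # foreign host announced
]
```

Running `audit_pasv_replies(SAMPLE_REPLIES, "192.0.2.10", (50000, 50100))` yields two data ports to allow (plus control port 21) and two replies to reject, against the one port in `SFTP_PORTS`.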
4

Anyone interested in some numbers: here are my results from running some benchmarks on my local network. SMB 2.1 performance is about 112 MB/s.

Machine: Intel(R) Core(TM)2 Quad CPU Q8400 @ 2.66GHz/8GB ram/Gigabit Local Network

FTP Mode                      MB/s  CPU Usage  App      Encrypted
-----------------------------------------------------------------
FTP Transfer rate:             120  40.9%      proftpd  No
FTPS (SSL) Transfer Rate:       55  99.8%      proftpd  Yes
SFTP Transfer Rate:             30  100%       sshd     Yes
Putty SSH Tunnel, (Raw) FTP:    32  100%       sshd     Yes

Chad
2

Definitely avoid installing an FTP daemon. As long as you have SSH, you have SFTP. No extra setup required. The only reason to use FTP is for the masses.

I run an FTP server that also supports FTPES (FTP over explicit SSL) and I really see no advantages of it, aside from the fact that it is already in place. I inherited it, and all the user accounts and permissions work. But for everything else, I just use SSH/SFTP.

Ryan
0

I do agree with Ryan. SFTP if only a limited number of people will be using the server. If it's going to be a server more open to the public, I would make FTPES (both channels FTP over explicit SSL) available as the only choice. FTPES is secure in BOTH channels (if the server is set up correctly), both in regards to sending the FTP username and password and the data transferred. Don't EVEN think about just FTP. Nuff said.

But once again, if it's basically just you, SFTP will be fine.