Security of SFTP

Posted on 2004-11-29
Last Modified: 2010-04-11
We run a public FTP server, which lives in a DMZ.  The entire Internet is allowed to FTP to it.  It also runs SSH.  The firewall only lets admins connect to the SSH port (port 22).

We've had a request from some partners to switch from FTP to SFTP.  Of course in concept that makes sense (encryption and strong authentication).  But the problem I see with SFTP through OpenSSH is that it runs over port 22, just as a part of SSH.

So in order to enable SFTP, I have to open port 22 up to the world.  I don't like that.  I realize there are ways to not allow an FTP user interactive SSH login, but I still don't like it.  

Is it possible to run SFTP on another port using a special server process?  Or some other way to solve this problem?
Question by: shanepresley
    LVL 14

    Accepted Solution

    No, this is not possible. It is the client that makes SFTP SFTP instead of SSH. The server is the same.

    If you don't want to open SSH up to the world, I suggest looking at FTPS (FTP/SSL, an IETF standards-track revision to the FTP protocol). There are many client and server implementations available for both *nix and Windows, some free and some $$$.

    See for additional information.
    LVL 4

    Expert Comment

    So let me get this right!!! You already allow FTP in from the entire Internet, and FTP is NOT secure, but you do not want to allow SSH from the entire Internet!!!! Well, obviously you need to go away and think about it.

    The solution is simply to get the partners' public IP addresses and only allow their IP addresses to SSH into the firewall. Also, you can use FTP over SSH2 with a program like SecureFX, which will allow SFTP (SSH2) and then use the FTP protocol after doing an SFTP into the server; that way the user doesn't get SSH into the server. Also, you can set the shell env to be e.g. /bin/nologin.
    LVL 14

    Expert Comment

    Just because shanepresley cares about the security of his server doesn't mean he cares about the security of the data in the FTP archive. These are not the same thing.

    For example, many sites allow anonymous FTP for grabbing public software. But the admins still want the systems to be secure.

    In this case, it sounds like FTP was originally considered "good enough" but that situation is changing. Thus, shanepresley is asking a reasonable question, IMO.
    LVL 1

    Author Comment

    Thanks chris_calabrese, that was a helpful alternative.  And yes, you are correct, the FTP data was public.  The need for SFTP came because we are going to start publishing data that is not classified as public.  

    Nemesis-Services, while I see your point that FTP is "insecure", I also don't like the idea of opening up port 22 to the entire Internet (I can't lock it down, dynamic clients).  
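    As an added illustration, not part of the original thread, of the shell-less SFTP setup that the question and Nemesis-Services's /bin/nologin remark refer to: an sshd_config for a dedicated SFTP-only daemon, using the Match, ForceCommand internal-sftp and ChrootDirectory directives that OpenSSH gained in releases later than those available when this was asked. It assumes the SFTP accounts are in a Unix group named sftponly, that each account's chroot lives under /srv/sftp/<user>, and that the file is saved as /etc/ssh/sshd_config.sftp.

```sshd_config
# Added example (not from the thread). Start a second daemon on its own port with:
#   sshd -f /etc/ssh/sshd_config.sftp
# Keep the original sshd on port 22 firewalled to admins only, and open only this
# port to the partners. All paths, ports and the group name are assumptions.

# Listen on a separate port so the firewall policy for SFTP and admin SSH differ.
Port 2222

# Only members of the SFTP group may authenticate to this daemon at all.
AllowGroups sftponly

# Key-based authentication only; partners supply a public key.
PasswordAuthentication no
PermitRootLogin no

# Disable every SSH feature an SFTP client does not need.
X11Forwarding no
AllowTcpForwarding no
AllowAgentForwarding no
PermitTunnel no

# Use the in-process SFTP server; no external sftp-server binary is executed
# inside the chroot, so the chroot needs no shell, libraries or devices.
Subsystem sftp internal-sftp

Match Group sftponly
    # The chroot root must be owned by root and not group/world-writable, or sshd
    # refuses the login. Give each user a writable subdirectory, e.g. upload/,
    # owned by the user, inside it.
    ChrootDirectory /srv/sftp/%u
    # Whatever command the client requests, only the SFTP subsystem runs;
    # an interactive shell cannot be obtained even if the account has one.
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
```

    Validate the file with `sshd -t -f /etc/ssh/sshd_config.sftp` before starting the daemon, and confirm from an SFTP account that `ssh -p 2222 user@host` yields no shell while `sftp -P 2222 user@host` works.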
