Is there a way to turn off the TLS default in the latest Filezilla?

botg
Site Admin
Posts: 35508
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Is there a way to turn off the TLS default in the latest Filezilla?

#16 Post by botg » 2015-01-23 10:19

FTP over TLS isn't forced. If the server rejects the AUTH command, plain FTP is still used.

boco
Contributor
Posts: 26913
Joined: 2006-05-01 03:28
Location: Germany

Re: Is there a way to turn off the TLS default in the latest Filezilla?

#17 Post by boco » 2015-01-23 11:21

Why are users forced to use TLS as default now?
Using FTP over TLS improves security through transfer encryption.
I'm not using that unsecure site manager as passwords are stored unencrypted (!) in a plain xml/text file, easily accessible for malware and other bad guys.
1. You know that QuickConnect does the same?
2. You can disable password saving in the settings and it is valid for both Site Manager and QuickConnect.
So why encrypt the connection at all then?!
There's a difference between a place you can control (your PC) and a place you can't (public net). Local encryption is your job, transfer encryption FileZilla's.
I'm using FileZilla via cli within KeePass. The Connection type can be controlled with the "protocol" here in some way (sftp://, ftps://, ftpes://) but "ftp://" has to be plain FTP !
There will be changes in that handling in the future.
Changing the security settings for all ftp sites in the world is no reasonable way.
Configuring FTP servers correctly is the ONLY reasonable way.
I'm now switching back to v3.9 until this gets fixed.
Please don't hold your breath.
No support requests over PM! You will NOT get any reply!!!
FTP connection problems? Please read Network Configuration.
FileZilla connection test: https://filezilla-project.org/conntest.php
FileZilla Pro support: https://customerforum.fileZilla-project.org

mattauckland
504 Command not implemented
Posts: 6
Joined: 2015-01-19 23:13
First name: Matt
Last name: Auckland
Location: UK

Re: Is there a way to turn off the TLS default in the latest Filezilla?

#18 Post by mattauckland » 2015-01-25 02:06

It is poor, especially as it is under Plesk 12, Parallels latest version and one of the most popular hosting control panels out there.

ajbird
500 Command not understood
Posts: 5
Joined: 2015-01-24 19:49
First name: andy
Last name: bird

Re: Is there a way to turn off the TLS default in the latest Filezilla?

#19 Post by ajbird » 2015-01-25 08:58

What ports are required to be open to enable ftp over TLS?

botg
Site Admin
Posts: 35508
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Is there a way to turn off the TLS default in the latest Filezilla?

#20 Post by botg » 2015-01-25 09:18

The same as when using plain FTP. There's a detailed overview at https://ftptest.net/Help

ajbird
500 Command not understood
Posts: 5
Joined: 2015-01-24 19:49
First name: andy
Last name: bird

Re: Is there a way to turn off the TLS default in the latest Filezilla?

#21 Post by ajbird » 2015-01-25 09:35

Our firewall is more than happy to let ftp traffic through but TLS hangs on retrieving directory listing

Jan 25 09:29:11 dx1062 proftpd[14089]: 127.0.0.1 ([localip][[localip]]) - FTP session opened.
Jan 25 09:29:11 dx1062 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=[some_mac_address] SRC=[localip] DST=[serverIP] LEN=52 TOS=0x00 PREC=0x00 TTL=118 ID=30588 DF PROTO=TCP SPT=53869 DPT=51619 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 25 09:29:14 dx1062 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=[some_mac_address] SRC=[localip] DST=[serverIP] LEN=52 TOS=0x00 PREC=0x00 TTL=118 ID=31388 DF PROTO=TCP SPT=53869 DPT=51619 WINDOW=65535 RES=0x00 SYN URGP=0

Drop firewall and all works fine.

ajbird
500 Command not understood
Posts: 5
Joined: 2015-01-24 19:49
First name: andy
Last name: bird

Re: Is there a way to turn off the TLS default in the latest Filezilla?

#22 Post by ajbird » 2015-01-25 09:54

Update.

Using proftp add

PassivePorts 30000 35000


and open all those ports in the firewall..

how is this more secure?

botg
Site Admin
Posts: 35508
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Is there a way to turn off the TLS default in the latest Filezilla?

#23 Post by botg » 2015-01-25 10:05

The communication itself is now encrypted. Before it wasn't.

ajbird
500 Command not understood
Posts: 5
Joined: 2015-01-24 19:49
First name: andy
Last name: bird

Re: Is there a way to turn off the TLS default in the latest Filezilla?

#24 Post by ajbird » 2015-01-25 10:58

now I have 5000 open ports?

Are we sure the balance of risk is right?

chances of a network plain text intercept v 5000 open ports?

mattauckland
504 Command not implemented
Posts: 6
Joined: 2015-01-19 23:13
First name: Matt
Last name: Auckland
Location: UK

Re: Is there a way to turn off the TLS default in the latest Filezilla?

#25 Post by mattauckland » 2015-01-25 16:06

There is a known issue with ProFTP and Plesk when trying to enter Passive Mode after the initial connection. But there is a fix and as mentioned in another comment, you need to add additional ports for passive mode, and update the ProFTP config as well as your Firewall to use these ports. Here are the steps I use to do this, and I only normally need to open a range from 57000 to 58000, and that works on a multi-domain production server.


1. Start off by adding the TCP port range of 57000 to 58000 to your firewall of choice.

2. Once you have saved and activated the changes, you next need to add the port range to the ProFTP configuration file.

3. Login to your server via SSH (terminal), and enter the following command to edit the ProFTP configuration file:

Code:

vi /etc/proftpd.conf

4. Enter Insert mode by pressing the Escape key to make sure you are in Command mode, followed by pressing the A key to enter Insert mode.

5. Next find the line that reads:

Code:

DefaultServer			on

And add the following line below it:

Code:

PassivePorts 			57000 58000

6. Finally we need to save and exit. Do this by pressing the Escape key to enter Command mode, and then type :wq and press Enter.

7. I prefer to either restart ProFTP or reboot the server for changes to take effect, but that is my personal preference.


Sorry if the steps are a little dumbed down, but it is from a larger guide to help newbies set up a CentOS and Plesk 12 on a fresh Digital Ocean server.


As an edit to my post, I do apply lots of additional security to server installs. So many hosting providers fail to do this, which is why it is common for a server to be used as a zombie to launch attacks on other servers or as part of a bot-net. Golden rule has to be, if it's connected to the internet, it needs securing.

Personally I think service providers who don't employ basic security on server instances, should be held accountable. But that is my personal stance. Nothing can be air tight secure these days, but at least they should make an effort. I'm looking at you cheap Plesk VPS providers! Rant over :)

xeon
226 Transfer OK
Posts: 131
Joined: 2009-08-19 03:18

Re: Is there a way to turn off the TLS default in the latest Filezilla?

#26 Post by xeon » 2015-01-25 19:04

ajbird wrote: now I have 5000 open ports?

Are we sure the balance of risk is right?

chances of a network plain text intercept v 5000 open ports?

The ports aren't open unless they're in use. Your firewall probably just relied on iptables FTP helper for automatically allowing incoming data connections and that's obviously no longer possible now that the traffic is encrypted.
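
An added example, not part of any post in this thread: a Python triage of the situation described in posts #21 to #26. It correlates proftpd session lines with blocked inbound SYNs from the same client and checks the destination port against the PassivePorts range. The sample log lines are constructed in the format of the log in post #21 (documentation-range IP addresses), and all function names are this example's own.

```python
import re

# proftpd logs the client as name[ip]; the kernel line carries SRC/SPT/DPT.
SESSION = re.compile(r"proftpd\[\d+\]: \S+ \(\S*\[([0-9A-Fa-f.:]+)\]\) - FTP session opened")
BLOCKED = re.compile(r"\*TCP_IN Blocked\*.*?\bSRC=(\S+).*?\bSPT=(\d+) DPT=(\d+).*?\bSYN\b")
PASSIVE = re.compile(r"^\s*PassivePorts\s+(\d+)\s+(\d+)", re.M)

def passive_range(conf_text):
    """Return (low, high) from a proftpd.conf PassivePorts line, or None."""
    m = PASSIVE.search(conf_text)
    return (int(m.group(1)), int(m.group(2))) if m else None

def triage(log_lines, conf_text):
    """List (dst_port, verdict) for blocked SYNs sent by known FTP clients."""
    rng = passive_range(conf_text)
    clients, findings = set(), {}
    for line in log_lines:
        opened = SESSION.search(line)
        if opened:
            clients.add(opened.group(1))
            continue
        hit = BLOCKED.search(line)
        if not hit or hit.group(1) not in clients:
            continue  # not a blocked SYN, or not from a client with an FTP session
        src, spt, dpt = hit.group(1), int(hit.group(2)), int(hit.group(3))
        if rng is None:
            verdict = "no PassivePorts set: server may pick any ephemeral port"
        elif rng[0] <= dpt <= rng[1]:
            verdict = "inside PassivePorts: firewall rule for the range is missing"
        else:
            verdict = "outside PassivePorts: daemon not reloaded, or unrelated traffic"
        findings[(src, spt, dpt)] = verdict  # SYN retransmits share one key
    return [(key[2], verdict) for key, verdict in findings.items()]

# Constructed sample log (not real data), shaped like the lines in post #21.
SAMPLE_LOG = [
    "Jan 25 09:29:11 host proftpd[14089]: 127.0.0.1 (198.51.100.7[198.51.100.7]) - FTP session opened.",
    "Jan 25 09:29:11 host kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 "
    "PROTO=TCP SPT=53869 DPT=51619 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Jan 25 09:29:14 host kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 "
    "PROTO=TCP SPT=53869 DPT=51619 WINDOW=65535 RES=0x00 SYN URGP=0",
]

if __name__ == "__main__":
    for port, verdict in triage(SAMPLE_LOG, "DefaultServer on\nPassivePorts 30000 35000\n"):
        print(port, verdict)
```
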

NO_DEFAULT_TLS_PLEASE
500 Command not understood
Posts: 1
Joined: 2015-05-10 23:23

Re: Is there a way to turn off the TLS default in the latest Filezilla?

#27 Post by NO_DEFAULT_TLS_PLEASE » 2015-05-10 23:31

+1 OP - Jeez, about 50% + FTP sites I use are now unusable, with Filezilla 3.10

TLS? - OK, Default Setting? - NO..

NON_SELECTABLE DEFAULT?! :roll: = NOOOOO!!!

- back to 3.9, till you see sense - and, as for "you can select this in site manager, if you add every *** site to site manager.." - :hammer: - utter nonsense, sorry.

botg
Site Admin
Posts: 35508
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Is there a way to turn off the TLS default in the latest Filezilla?

#28 Post by botg » 2015-05-11 07:55

FTP is only used by default if the server says it supports FTP over TLS. Why is your server lying?

vidi
500 Command not understood
Posts: 1
Joined: 2016-01-13 21:04

Re: Is there a way to turn off the TLS default in the latest Filezilla?

#29 Post by vidi » 2016-01-13 21:07

Try to connect to ftp.ubuntu.org.

Code:

Servidor FTP preparado.
AUTH TLS
234 Proceed with negotiation.
Initialisiere TLS...
Überprüfe Zertifikat...
TLS-Verbindung hergestellt.
USER anonymous
530 Anonymous sessions may not use encryption.
\o/

What a crappy feature.


So how to disable forced TLS in quick connect?

botg
Site Admin
Posts: 35508
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Is there a way to turn off the TLS default in the latest Filezilla?

#30 Post by botg » 2016-01-13 21:22

Whoah, what a terrible server.

You can manually force insecure plaintext FTP in the site manager.
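
An added example, not part of any post in this thread: a Python check that reads a client-side FTP control-channel log and reports whether AUTH was accepted, whether USER/PASS went out without a TLS layer (the fallback described in post #16), and how the login ended. The first sample is the transcript from post #29; the second is constructed, and the function name and return keys are this example's own.

```python
import re

REPLY = re.compile(r"^(\d{3})[ -]")
PREFIX = re.compile(r"^(Command|Response|Status):\s*")  # FileZilla log labels, if present

def classify_session(lines):
    """Summarise TLS negotiation in a client-side FTP control-channel log.

    auth            'accepted' (reply 234), 'rejected', or 'not-attempted'
    cleartext_login True if USER/PASS went out with no TLS layer in place
    login_reply     reply code to the last USER/PASS, or None
    """
    auth, tls_up, cleartext, login_reply, pending = "not-attempted", False, False, None, None
    for raw in lines:
        line = PREFIX.sub("", raw.strip())
        reply = REPLY.match(line)
        verb = line.split(" ", 1)[0].upper()
        if reply:
            code = int(reply.group(1))
            if pending == "AUTH":
                tls_up = code == 234
                auth = "accepted" if tls_up else "rejected"
            elif pending in ("USER", "PASS"):
                login_reply = code
            pending = None
        elif verb in ("AUTH", "USER", "PASS"):
            pending = verb
            if verb != "AUTH" and not tls_up:
                cleartext = True  # credentials sent on an unencrypted channel
    return {"auth": auth, "cleartext_login": cleartext, "login_reply": login_reply}

# Transcript from post #29; lines that are neither command nor reply are ignored.
REFUSED_AFTER_TLS = ["Servidor FTP preparado.", "AUTH TLS", "234 Proceed with negotiation.",
                     "Initialisiere TLS...", "TLS-Verbindung hergestellt.",
                     "USER anonymous", "530 Anonymous sessions may not use encryption."]
# Constructed transcript: the server rejects AUTH and the session continues in plain FTP.
FALLBACK = ["220 ready", "AUTH TLS", "500 AUTH not understood",
            "USER demo", "331 password required", "PASS ****", "230 logged in"]

if __name__ == "__main__":
    print(classify_session(REFUSED_AFTER_TLS))
    print(classify_session(FALLBACK))
```

Sessions where `cleartext_login` is True are the ones worth reviewing when auditing saved client logs.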
