Re: Is there a way to turn off the TLS default in the latest Filezilla?

Posted: 2015-01-23 10:19
by botg
FTP over TLS isn't forced. If the server rejects the AUTH command, plain FTP is still used.

Re: Is there a way to turn off the TLS default in the latest Filezilla?

Posted: 2015-01-23 11:21
by boco
> Why are users forced to use TLS as default now?

Using FTP over TLS improves security through transfer encryption.

> I'm not using that unsecure site manager as passwords are stored unencrypted (!) in a plain xml/text file, easily accessible for malware and other bad guys.

1. You know that QuickConnect does the same?
2. You can disable password saving in the settings and it is valid for both Site Manager and QuickConnect.

> So why encrypt the connection at all then?!

There's a difference between a place you can control (your PC) and a place you can't (public net). Local encryption is your job, transfer encryption FileZilla's.

> I'm using FileZilla via cli within KeePass. The Connection type can be controlled with the "protocol" here in some way (sftp://, ftps://, ftpes://) but "ftp://" has to be plain FTP !

There will be changes in that handling in the future.

> Changing the security settings for all ftp sites in the world is no reasonable way.

Configuring FTP servers correctly is the ONLY reasonable way.

> I'm now switching back to v3.9 until this gets fixed.

Please don't hold your breath.

Re: Is there a way to turn off the TLS default in the latest Filezilla?

Posted: 2015-01-25 02:06
by mattauckland
It is poor, especially as it is under Plesk 12, Parallels latest version and one of the most popular hosting control panels out there.

Re: Is there a way to turn off the TLS default in the latest Filezilla?

Posted: 2015-01-25 08:58
by ajbird
What ports are required to be open to enable ftp over TLS?

Re: Is there a way to turn off the TLS default in the latest Filezilla?

Posted: 2015-01-25 09:18
by botg
The same as when using plain FTP. There's a detailed overview at https://ftptest.net/Help

Re: Is there a way to turn off the TLS default in the latest Filezilla?

Posted: 2015-01-25 09:35
by ajbird
Our firewall is more than happy to let ftp traffic through but TLS hangs on retrieving directory listing

Jan 25 09:29:11 dx1062 proftpd[14089]: 127.0.0.1 ([localip][[localip]]) - FTP session opened.
Jan 25 09:29:11 dx1062 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=[some_mac_address] SRC=[localip] DST=[serverIP] LEN=52 TOS=0x00 PREC=0x00 TTL=118 ID=30588 DF PROTO=TCP SPT=53869 DPT=51619 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 25 09:29:14 dx1062 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=[some_mac_address] SRC=[localip] DST=[serverIP] LEN=52 TOS=0x00 PREC=0x00 TTL=118 ID=31388 DF PROTO=TCP SPT=53869 DPT=51619 WINDOW=65535 RES=0x00 SYN URGP=0

Drop firewall and all works fine.

Re: Is there a way to turn off the TLS default in the latest Filezilla?

Posted: 2015-01-25 09:54
by ajbird
Update.

Using proftp add

PassivePorts 30000 35000


and open all those ports in the firewall..

how is this more secure?

Re: Is there a way to turn off the TLS default in the latest Filezilla?

Posted: 2015-01-25 10:05
by botg
The communication itself is now encrypted. Before it wasn't.

Re: Is there a way to turn off the TLS default in the latest Filezilla?

Posted: 2015-01-25 10:58
by ajbird
now I have 5000 open ports?

Are we sure the balance of risk is right?

chances of a network plain text intercept v 5000 open ports?

Re: Is there a way to turn off the TLS default in the latest Filezilla?

Posted: 2015-01-25 16:06
by mattauckland
There is a known issue with ProFTP and Plesk when trying to enter Passive Mode after the initial connection. But there is a fix and as mentioned in another comment, you need to add additional ports for passive mode, and update the ProFTP config as well as your Firewall to use these ports. Here are the steps I use to do this, and I only normally need to open a range from 57000 to 58000, and that works on a multi-domain production server.


1. Start off by adding the TCP port range of 57000 to 58000 to your firewall of choice.

2. Once you have saved and activated the changes, you next need to add the port range to the ProFTP configuration file.

3. Login to your server via SSH (terminal), and enter the following command to edit the ProFTP configuration file:

vi /etc/proftpd.conf

4. Enter Insert mode by pressing the Escape key to make sure you are in Command mode, followed by pressing the A key to enter Insert mode.

5. Next find the line that reads:

DefaultServer			on

And add the following line below it:

PassivePorts 			57000 58000

6. Finally we need to save and exit. Do this by pressing the Escape key to enter Command mode, and then type :wq and press Enter.

7. I prefer to either restart ProFTP or reboot the server for changes to take effect, but that is my personal preference.


Sorry if the steps are a little dumbed down, but it is from a larger guide to help newbies set up a CentOS and Plesk 12 on a fresh Digital Ocean server.


As an edit to my post, I do apply lots of additional security to server installs. So many hosting providers fail to do this, which is why it is common for a server to be used as a zombie to launch attacks on other servers or as part of a bot-net. Golden rule has to be, if it's connected to the internet, it needs securing.

Personally I think service providers who don't employ basic security on server instances, should be held accountable. But that is my personal stance. Nothing can be air tight secure these days, but at least they should make an effort. I'm looking at you cheap Plesk VPS providers! Rant over :)

Re: Is there a way to turn off the TLS default in the latest Filezilla?

Posted: 2015-01-25 19:04
by xeon
ajbird wrote:
> now I have 5000 open ports?
>
> Are we sure the balance of risk is right?
>
> chances of a network plain text intercept v 5000 open ports?

The ports aren't open unless they're in use. Your firewall probably just relied on iptables FTP helper for automatically allowing incoming data connections and that's obviously no longer possible now that the traffic is encrypted.
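
An added example, not part of any post in this thread: a small Python check that ties together the blocked-SYN log lines, the PassivePorts setting and the firewall-helper point made above. It computes the data port from a cleartext 227 reply (the value a firewall FTP helper can no longer read once the control channel is encrypted) and classifies blocked inbound SYNs from hosts with an open FTP session. The log and config samples are constructed, with documentation-range addresses, and all function names are hypothetical.

```python
import re

# Constructed sample input, modelled on the log lines quoted in this thread
# (addresses replaced with documentation-range placeholders).
SAMPLE_LOG = """\
Jan 25 09:29:11 host proftpd[14089]: 127.0.0.1 (198.51.100.7[198.51.100.7]) - FTP session opened.
Jan 25 09:29:11 host kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=52 PROTO=TCP SPT=53869 DPT=51619 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 25 09:29:14 host kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=52 PROTO=TCP SPT=53869 DPT=51619 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 25 09:30:02 host kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.5 LEN=52 PROTO=TCP SPT=40112 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
"""
SAMPLE_CONF = "DefaultServer\t\t\ton\nPassivePorts \t\t\t57000 58000\n"

def pasv_port(reply):
    """Port from a 227 reply: what an FTP firewall helper reads in cleartext."""
    m = re.search(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply)
    return int(m.group(5)) * 256 + int(m.group(6)) if m else None

def passive_range(conf):
    """(low, high) from a PassivePorts directive, or None if it is absent."""
    m = re.search(r"^\s*PassivePorts\s+(\d+)\s+(\d+)", conf, re.M | re.I)
    return (int(m.group(1)), int(m.group(2))) if m else None

def diagnose(log, conf):
    """Classify blocked inbound SYNs from hosts that have an FTP session open."""
    rng = passive_range(conf)
    sessions = set(re.findall(
        r"proftpd\[\d+\]: \S+ \(([^\[\]]+)\[.*FTP session opened", log))
    findings = {}
    for src, dpt in re.findall(r"Blocked\*.*?SRC=(\S+).*?DPT=(\d+).*?\bSYN\b", log):
        port = int(dpt)
        if src not in sessions or port < 1024:
            continue  # unrelated drop: no FTP session from this host, or a low port
        if rng and rng[0] <= port <= rng[1]:
            findings[(src, port)] = "inside PassivePorts: firewall rule for the range is missing"
        else:
            findings[(src, port)] = "outside PassivePorts: server config not loaded or absent"
    return findings

if __name__ == "__main__":
    print(pasv_port("227 Entering Passive Mode (203,0,113,5,201,163)"))
    for key, verdict in diagnose(SAMPLE_LOG, SAMPLE_CONF).items():
        print(key, verdict)
```
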

Re: Is there a way to turn off the TLS default in the latest Filezilla?

Posted: 2015-05-10 23:31
by NO_DEFAULT_TLS_PLEASE
+1 OP - Jeez, about 50% + FTP sites I use are now unusable, with Filezilla 3.10

TLS? - OK, Default Setting? - NO..

NON_SELECTABLE DEFAULT?! :roll: = NOOOOO!!!

- back to 3.9, till you see sense - and, as for "you can select this in site manager, if you add every *** site to site manager.." - :hammer: - utter nonsense, sorry.

Re: Is there a way to turn off the TLS default in the latest Filezilla?

Posted: 2015-05-11 07:55
by botg
FTP is only used by default if the server says it supports FTP over TLS. Why is your server lying?

Re: Is there a way to turn off the TLS default in the latest Filezilla?

Posted: 2016-01-13 21:07
by vidi
Try to connect to ftp.ubuntu.org.

Servidor FTP preparado.
AUTH TLS
234 Proceed with negotiation.
Initialisiere TLS...
Überprüfe Zertifikat...
TLS-Verbindung hergestellt.
USER anonymous
530 Anonymous sessions may not use encryption.
\o/

What a crappy feature.


So how to disable forced TLS in quick connect?

Re: Is there a way to turn off the TLS default in the latest Filezilla?

Posted: 2016-01-13 21:22
by botg
Whoah, what a terrible server.

You can manually force insecure plaintext FTP in the site manager.