Filezilla will not connect to server using Secure File Transfer Protocol (SFTP)
Filezilla is unable to connect to the server using the Secure File Transfer Protocol (SFTP), however regular file transfer protocol (FTP) works fine. Additionally, you have confirmed that the required ports for the Secure File Transfer Protocol have been enabled on the firewall. The generic port for SFTP is port 22 and the port for FTP is 21, port 20 may be required if the server is running the ftp services in passive mode.
- SSH into the server and edit the /etc/ssh/sshd_config file, if your config is in another location you can use the “locate sshd_config” to identify that location.
- Once in the file find the following commented out line: #Subsystem sftp /usr/lib/openssh/sftp-server. Leave the line commented out, if its not commented, go ahead and comment it out using a hash tag (#).
- Below the commented out line add: Subsystem sftp internal-sftp then reboot the server.
- Your Filezilla should now be able to connect.
SSH (Port 22 if you haven’t moved it) and the SASL mail authentication will get hammered with Brute force attacks on a regular basis if a system is available on the Internet. However, there are ways to mitigate these attacks…
Fail2Ban for Linux bases systems does an excellent job of stopping these kinds of attacks. These instructions are for installing fail2ban on a Ubuntu Server 14.04.
From the Command-Line and a sudo authorized account:
Sudo apt-get update
sudo apt-get install fail2ban
Copy the Config file: sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Edit the Config: vi or nano /etc/fail2ban/jail.local
Bantime is defaulted to 600 seconds (10 Minutes), I prefer 1200 (20 minutes) or 1800 (30 Minutes) since most clients that trigger the ban are well deserving.
Maxretry defines how many attempts in Findtime (600 Seconds or 10 Minutes) a user can try to login before triggering the ban. 3 attempts in 10 minutes is a great qualifier for a web server, if its a server in a production environment that has multiple users leveraging ssh, you may want to raise the attempts.
You can then turn fail2ban on for other web services towards the bottom of the configuration file.