Knowledge Essentials - 3Essentials Hosting

FTP-ACL: Securing your site through restricted FTP access

Article ID: 742


As a new tool in the arsenal against hackers, 3Essentials is making FTP-ACL available: Access Control Lists (ACLs) for your FTP user.

In short, this allows you to give us an IP address (or addresses, or a range of addresses) that you want to allow to access your hosting space via FTP.  Once implemented, any FTP connection from any other IP address will be rejected.  This additional layer of protection will prevent a hacker's attempts to brute-force guess your password.  Even if a hacker obtained your FTP username and password by intercepting your FTP traffic (note that FTP sends the username and password in clear text, unencrypted) or through a virus on your PC, they wouldn't be able to use them, because their system would not be allowed FTP access to your hosting space using your FTP username.

If your IP address doesn't change, or doesn't change much, we strongly advise you to add this additional layer of protection.

Due to different FTP server products we have implemented on different servers, this feature is not available on all servers.  For SHARED HOSTING servers please see the FTP ACL Availability chart at the bottom of this article.  For MANAGED VIRTUAL/DEDICATED SERVERS, this would be available if you chose the Gene6FTP server upgrade option during the purchase process.  If you are unsure, please feel free to contact our billing or support teams and they can.

To find out if the feature is available on your server, please submit a support request asking if FTP-ACL is available on the server where you are hosted.
  • IF FTP-ACL is available on your server:
    • To enable this feature, submit a support request asking for FTP-ACL to be put into place, and specify the IP address, addresses, or ranges you wish to be allowed FTP access. 
    • Note: if your internet connection uses a dynamic IP address range, then this may not be an applicable solution for you as in a day, week, or month, your IP address may change.  However, it may still provide some benefit to you to implement FTP-ACL anyway in one of the following manners:
      • Contact your ISP and tell them you need to arrange network access to a corporate network for your system whenever you're using their internet connection, and as a result, you need all of the IP ranges that they use for dynamically assigned IPs.  Then, provide us those IP ranges for us to implement FTP ACL with.  While not restricting FTP access to just your IP, you're restricting it to JUST your ISP's ranges actively used for your connection, which is eliminating 99% of the internet... still a very effective approach.
      • If you don't actually FTP changes to your site very often, we can implement FTP-ACL blocking all IP addresses from access.  Then, if/when you occasionally need access, you can request we open it up, or open it up for just your current IP, and have us remove it again when you're done.
    • Multiple addresses or address ranges/networks are supported and can be specified using the following conventions:
      • You can use * and [x-y] in IP addresses, examples:
        • 12.23.34.* 
        • 12.23.34-35.*
        • CIDR convention is supported, i.e.:
          • 192.168.0.0/24 would include the range 192.168.0.0 - 192.168.0.255.
          • 12.23.34.128/29 would include the range 12.23.34.128 - 12.23.34.136
  • IF FTP-ACL is NOT available on your server, there is one additional option if you do not use your FTP account to make changes to your hosting space frequently... we can disable your FTP account.  This prevents anyone (including you) from accessing your site via FTP.   We make this option available because we do have many customers who don't make modifications to their site for years at a time.  With your FTP account disabled, you still have access to email, webmail, and the control panel (to create email users, manage your database), except for the Control Panel File Manager feature (as it impersonates the FTP user).  For many customers who don't regularly modify their files, or who use a content management system like DNN, Wordpress, Mambo or others, where all modifications are made through the website once it's initially installed, the FTP account is no longer utilized, and it makes sense to disable this method of access, if it's not regularly used otherwise. 
    • Disabling the FTP user account will NOT prevent content management systems (like DNN, Wordpress, etc.) from uploading or creating files in your website.  This is because your website runs under a different user, not the FTP user.  The FTP user is used only for uploading files.  There is one exception: FrontPage sites or sites that are based on FrontPage Server Extensions (MS Expressions Web and similar) require the FTP user account to be active.
    • To enable this, please submit a support request referencing this article, and request that your FTP user account be disabled.
    • You can request for it to be re-enabled at any time by submitting a support request.
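
Before submitting an ACL request, you can check which client addresses a set of entries would admit. The Python sketch below is an added example, not 3Essentials' or the FTP server's own matching code; it assumes each octet of a pattern is `*`, a number, or a `low-high` range (brackets optional), and the function names and sample ACL are constructed for illustration.

```python
from __future__ import annotations
import ipaddress

def _octet_matches(pattern: str, value: int) -> bool:
    """Match one octet against '*', 'N', or 'N-M' (brackets optional)."""
    pattern = pattern.strip("[]")
    if pattern == "*":
        return True
    low, _, high = pattern.partition("-")
    low_n = int(low)
    high_n = int(high) if high else low_n
    if not (0 <= low_n <= high_n <= 255):
        raise ValueError(f"bad octet pattern: {pattern!r}")
    return low_n <= value <= high_n

def entry_matches(entry: str, client_ip: str) -> bool:
    """True if client_ip falls inside one ACL entry (CIDR or octet pattern)."""
    addr = ipaddress.IPv4Address(client_ip)
    if "/" in entry:
        # strict=True rejects a mistyped block with host bits set,
        # e.g. 12.23.34.130/29 instead of 12.23.34.128/29.
        return addr in ipaddress.IPv4Network(entry, strict=True)
    parts = entry.split(".")
    if len(parts) != 4:
        raise ValueError(f"expected four octets: {entry!r}")
    # addr.packed is four bytes; iterating yields the octets as integers.
    return all(_octet_matches(p, o) for p, o in zip(parts, addr.packed))

def is_allowed(acl: list[str], client_ip: str) -> bool:
    """Default deny: accept only if some entry matches (empty ACL blocks all)."""
    return any(entry_matches(e, client_ip) for e in acl)

def cidr_bounds(entry: str) -> tuple[str, str]:
    """First and last address covered by a CIDR entry."""
    net = ipaddress.IPv4Network(entry, strict=True)
    return str(net.network_address), str(net.broadcast_address)

# Constructed sample ACL using the entry forms shown in this article.
SAMPLE_ACL = ["12.23.34-35.*", "192.168.0.0/24", "12.23.34.128/29"]

if __name__ == "__main__":
    for ip in ("12.23.35.200", "12.23.36.1", "192.168.0.255", "192.168.1.0"):
        print(ip, "allowed" if is_allowed(SAMPLE_ACL, ip) else "rejected")
    for cidr in ("192.168.0.0/24", "12.23.34.128/29"):
        print(cidr, "covers", " - ".join(cidr_bounds(cidr)))
```

Running `cidr_bounds` on each CIDR entry before you send it confirms exactly how many addresses the block opens up; a /29 is eight addresses, a /24 is 256.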

FTP ACL Availability on SHARED HOSTING servers

FTP ACL Available: YES
  • Even numbered webservers from WEB16 and up
FTP ACL Available: NO
  • Odd numbered webservers
  • Even numbered webservers from WEB14 and down
