How to: Force FTP over TLS in FileZilla Server

If you are planning on hosting an FTP server like FileZilla over the internet, then you may want to fine-tune some security settings. One of them is forcing TLS encryption, especially if your users will be connecting to FTP port 21. You don’t want them accessing the server without encryption. Here’s how you can get their connections encrypted by forcing FTP over TLS in FileZilla Server.

FileZilla Server

FileZilla is a free Windows FTP client/server software package. You can easily configure and host your own FTP server on a Windows machine. FileZilla still receives updates on a regular basis to tackle security issues and performance enhancements.

We will be going over how to force TLS with FileZilla Server, which can be downloaded here.

Configuration

Once FileZilla Server is installed and you are at the admin window of the FileZilla server manager, click on the menu option Edit->Settings.

Next, we are going to look for the option FTP over TLS settings.

Here we are going to check the checkbox labeled Enable FTP over TLS support (FTPS). This will enable FTPS (File Transfer Protocol Secure), which will allow users to connect via an encrypted connection.

You will also need to check Disallow plain unencrypted FTP to ensure plain text connections aren’t allowed. Now all incoming connections will be forced to use TLS for encryption via the default port 21. Also make sure Allow explicit FTP over TLS (default: yes) is checked. It should be enabled by default.

A valid certificate is required for all incoming connections. Click Generate new certificate… to generate a self-signed certificate.

You only need to put in the 2-digit country code. Everything else is optional. Make sure to click Browse… and save the certificate to a secure folder.

Click Generate certificate to begin the process. Your newly generated certificate is automatically configured as both the private key file and the certificate file. Click OK to exit the options window. It’s time to test it.

Testing the connection

You are now ready to start accepting connections. Make sure that your server is online by checking that the lightning icon is highlighted in blue. If not, click on it to activate. Now all connections will be forced over TLS.

If you haven’t created any user accounts yet, simply go to Edit->Users and add one to test it with. Download the FileZilla client here if you need it to connect. The FileZilla FTP client also has several versions available, including Linux and macOS.

Note: A portable zip version is available to download if you would rather run it than install the whole thing.

FileZilla client certificate warning

Enter your credentials, server host/address, and port, which is 21. A warning pop-up window will appear telling you that the certificate is unknown. This is normal; make sure that the information matches what you entered when generating the certificate. If you would like to trust the certificate, click Always trust this certificate in future sessions.

Click OK to continue.

You have now successfully connected, and any user will be able to connect with TLS instead of plain text.
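
To confirm from the network side that Disallow plain unencrypted FTP is in effect, the check below sends USER without TLS and then AUTH TLS on separate control connections and reports how the server answers. It is an added example, not part of FileZilla or the original article; the account name probe and the sample greeting are made up for it.

```python
import io
import socket
import sys

def read_reply(stream):
    """Read one FTP reply (multi-line '220-' banners included) -> (code, text)."""
    lines = []
    while True:
        raw = stream.readline()
        if not raw:
            raise ConnectionError("server closed the control connection")
        line = raw.decode("utf-8", "replace").rstrip("\r\n")
        lines.append(line)
        # RFC 959: the last line of a reply is the 3-digit code followed by a space.
        if line[:3].isdigit() and line[3:4] in ("", " "):
            return int(line[:3]), "\n".join(lines)

def ask(host, port, command, timeout=10):
    """Open a fresh control connection, skip the greeting, send one command."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        stream = sock.makefile("rwb")
        read_reply(stream)
        stream.write(command.encode("ascii") + b"\r\n")
        stream.flush()
        return read_reply(stream)

def evaluate(user_code, auth_code):
    """Interpret the reply codes to USER (sent in clear) and to AUTH TLS."""
    return {
        # 2xx/3xx means the server is willing to continue a plain-text login.
        "plain_refused": user_code // 100 not in (2, 3),
        # 234 is the RFC 4217 reply that accepts explicit TLS.
        "explicit_tls": auth_code == 234,
    }

def check(host, port=21):
    # "probe" is a made-up account name; no password is ever sent.
    user_code, _ = ask(host, port, "USER probe")
    auth_code, _ = ask(host, port, "AUTH TLS")
    return evaluate(user_code, auth_code)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(check(sys.argv[1]))
    else:
        # Constructed sample: a three-line greeting, parsed offline.
        sample = io.BytesIO(b"220-Example FTP server\r\n220-second line\r\n220 ready\r\n")
        print(read_reply(sample))
```

Run it with the server's address as the only argument; a correctly configured server gives True for both plain_refused and explicit_tls.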