Search Engine: Elastic

Article ID: 125868, created on Jun 13, 2015, last review on Jun 13, 2015

  • Applies to:
  • Plesk Automation 11.5


Is it possible to require FTP over TLS be enforced and not optional?


To secure FTP connections to service nodes Plesk Automation(PA) supports the FTP Secure (FTPS, FTP-SSL) protocol. Unlike the traditional (plain) FTP, FTPS supposes protecting data transferred to and from your server over FTP with SSL and TLS protocols.

As a PA administrator you have the option to select allowed types of FTP connections: secure, plain, or both of them.

We recommend that you allow only FTPS connections. This option secures data and access credentials transferred between the server and clients. Moreover, if you need to comply with the PCI DSS standard, selecting this option is required.

NOTE: Though most of modern FTP client applications support FTPS, some of your customers may use clients that are able to work only through plain FTP. To let such clients connect to your server, allow both FTP and FTPS connections.

By the default, all PA service nodes allows to accept both type of FTP connections: FTP and FTPS. In order to enforce service nodes to accept only FTPS connections please follow instructions below:

If you need to enforce to use FTPS connections on all PA service nodes you should do the following:

  1. Login to Hosting Provider CP as Administrator.

  2. Open following link https://<pa_management_node_ip_address>:8443/admin/server/secure-passwords

  3. Set required FTP usage policy and apply changes.

NOTE: do not change any other settings on this page.

After applying settings, PA will reconfigure all Service nodes, for all IP addresses. (Apache, Webmail, IIS).

Also, you can configure FTPS for particular service node. For example, for Apache-based web server:

The TLSRequired option can be enabled globally on the service node as follows:

  1. Go to Apache service node shell

  2. Change directory to /etc/proftpd.d

    # cd /etc/proftpd.d
  3. Create a file with the name like 70-tls.conf with the following content:

    <IfModule mod_tls.c>
        TLSEngine on
        TLSRequired on
  4. Restart xinit.d service:

    # /etc/init.d/xinetd restart
    Stopping xinetd:                                           [  OK  ]
    Starting xinetd:                                           [  OK  ]

For example, for IIS-based web server:

  1. Login to Windows Service node as Administrator.

  2. Open cmd.exe and execute following command, where is IP address of FTP server:

    "%plesk_bin%"\ftpmng.exe --update-explicit-ssl --ip-address= --enable=true --require

NOTE: If you have several IP address on Windows server you need to perform the same steps for all other server IP addresses.

After this FTP server will require TLS for all incoming connections.

33a70544d00d562bbc5b17762c4ed2b3 caea8340e2d186a540518d08602aa065 e0aff7830fa22f92062ee4db78133079

Email subscription for changes to this article
Save as PDF