FTP

How do you FTP into a site? I cannot easily find ANY information on the InterWorx site that shows how to set up an FTP client like FileZilla to connect to a site.

I’m going to assume that the server is managed using InterWorx, because it’s much less likely that you’d be here if it wasn’t. Here’s what’s been working for me:

First, go into SiteWorx, and manage the domain to which you want to FTP things. For the sake of example, let’s say the domain of interest here is ‘example.com’. Go to Administration -> FTP -> Accounts, and you’ll see that there’s a default ‘ftp@example.com’ FTP user account. This whole username, ‘ftp@example.com’, is what you hand to FileZilla for “Username”. “Host” is the domain of interest (in this example, ‘example.com’). You should probably reset the password on the default FTP account, just to be sure that you actually know what it is (I’m not sure what its default value is, if anything). Obviously, this will go in the “Password” field in FileZilla. “Port” will default to 21, but do hand the FTP client the proper port if you’re using something else.

Enjoy!

Hi

I hope you don’t mind, but if your NS is pointed to your InterWorx server, you should be able to use ftp.example.url for the server address.

However, if your DNS is handled by another DNS server and the A and FTP records are not updated to your InterWorx server, or your domain has not gone live, then I would suggest you use your main IP address of the InterWorx server.

Everything else as iWorx have stated.

If you have only just set DNS records and it is still not working, assuming you have everything correct, again I would use the main IP for your InterWorx server due to DNS cache.

I hope this helps

Many thanks

John

[QUOTE=IWorx-Michael;23407]I’m going to assume that the server is managed using InterWorx, because it’s much less likely that you’d be here if it wasn’t. Here’s what’s been working for me:

First, go into SiteWorx, and manage the domain to which you want to FTP things. For the sake of example, let’s say the domain of interest here is ‘example.com’. Go to Administration -> FTP -> Accounts, and you’ll see that there’s a default ‘ftp@example.com’ FTP user account. This whole username, ‘ftp@example.com’, is what you hand to FileZilla for “Username”. “Host” is the domain of interest (in this example, ‘example.com’). You should probably reset the password on the default FTP account, just to be sure that you actually know what it is (I’m not sure what its default value is, if anything). Obviously, this will go in the “Password” field in FileZilla. “Port” will default to 21, but do hand the FTP client the proper port if you’re using something else.

Enjoy![/QUOTE]

Thank you so much for this! I hope I will be able to execute this.

Does anyone know the default password? Is this automatically generated and if so, how/where do I get it? Just want to make sure how it works…

Hi Michael

I hope you don’t mind and I’m sorry, using Tapatalk I cannot just select certain words to copy, but IW-Michael above states that he does not know.

I myself think it might be the SiteWorx password but I have never tried this as yet. If I have time I will.

As IW-Michael suggests, please manually reset the password and test.

Hope it helps a little

Many thanks

John

Hi John,

thanks for your answer. I have tried the siteworx password, and that’s not it. I’ve tried empty and that’s not it either (which is good).

So maybe something is created but it is not shown anywhere - which means the user MUST create a new password. This would be fine.

I simply would like to understand the mechanism in order to avoid any security holes.

This gets me to another question: Where and how are the password complexity rules defined? Are these fixed/hard coded or can we edit them? And can we define something else for the password generator somewhere or is that hard coded?

Hi Michael

Thanks for testing the 2 possible passwords, and I believe it is possible to use a different generator, but it would be involved as I believe password strength is a global option, and you would have to change all the templates etc reliant upon it.

You can alter the password strength and length to be used from nodeworx server settings password options and very strong requires symbols I think from memory.

I hope that helps

Many thanks

John

Ah, thanks John, I have missed the password options. Thanks for pointing me in the right direction. Does anyone know the definitions for “weak, medium, strong and very strong”?

Hi Michael

Many thanks, but personally I would not use weak or medium strength, I would even go so far as to say they should be removed.

Weak most likely means no capitals, numbers etc are needed

Medium most likely means have to contain at least 1 capital and perhaps number

Strong, must be mixture of above

Very strong as medium but with symbols I think

Length set as you need, but length option only is needed if user changes their password, using generator, it creates long length passwords.

I’m sorry if I’m wrong

Many thanks

John

I have been testing this just now and am not completely clear on when a password is considered very strong. And I completely agree with you, that Weak and Medium shouldn’t be there at all.

But what’s more is that the password process seems to have problems with some characters.
I have been trying many combinations on a FTP account and found that characters like ? are breaking things, at least in my quick tests with Total Commander. Can anyone confirm this on his system and maybe with another FTP client? E.g. abc123?GFH doesn’t work for me.
We will be going for FTPES/SFTP for all FTP accounts anyway, but maybe this is a bug so I thought I’d mention it.

Hi Michael

I hope you don’t mind but I think you’re confusing over special characters the OS uses for certain commands or functions.

I’m sorry if I’m wrong

Many thanks

John

It is indeed a bug, but not within iworx-cp but in Total Commander. Other FTP clients have no problem with it. So I’ll be heading over to the TC forum now… :wink:

To add to what IW-Michael said above …

(1) Apparently you (or your client) must reset the password as there is no way to know what it is and the SiteWorx account password doesn’t work.

(2) The default port for unsecured ftp is indeed 21 but for “sftp” you can use port 24. I tried port 24 because I remember seeing it as one of the ports Interworx opens in the firewall.

I don’t know about you guys, but I don’t like having port 21 available to clients. (I enforce using a non-traditional port for SSH which is also used by FileZilla when I FTP into the site… Meaning no “ftp” is available; SFTP has to be used. Even at that, I turn off port 22 and encourage clients to use the built-in File Manager to upload files, set permissions, etc.)

So, it is a bit disconcerting to have IW automatically create an FTP user who can use port 21 after a password change, effectively doing an end run around my carefully crafted security measures.

So for now, I’ve gone into the firewall settings and closed both ports 21 and 24 (port 22 was already closed).

Thanks to OP ChrisGebhardt for starting the thread. Without your question, I wouldn’t have caught this. :slight_smile:

[QUOTE=mdeinhardt;25697]I have been testing this just now and am not completely clear on when a password is considered very strong. And I completely agree with you, that Weak and Medium shouldn’t be there at all.

But what’s more is that the password process seems to have problems with some characters.
I have been trying many combinations on a FTP account and found that characters like ? are breaking things, at least in my quick tests with Total Commander. Can anyone confirm this on his system and maybe with another FTP client? E.g. abc123?GFH doesn’t work for me.
We will be going for FTPES/SFTP for all FTP accounts anyway, but maybe this is a bug so I thought I’d mention it.[/QUOTE]

From what I’ve observed, “very strong” usually displays when the password is very long (+15 characters) AND has uppercase/lowercase AND a number. I’ve noticed that the built-in password generator doesn’t usually include any symbol – not sure why (but I usually add in a symbol or two myself).

[QUOTE=strategicmoves;25722]
I don’t know about you guys, but I don’t like having port 21 available to clients. (I enforce using a non-traditional port for SSH which is also used by FileZilla when I FTP into the site… Meaning no “ftp” is available; SFTP has to be used. Even at that, I turn off port 22 and encourage clients to use the built-in File Manager to upload files, set permissions, etc.)

So, it is a bit disconcerting to have IW automatically create an FTP user who can use port 21 after a password change, effectively doing an end run around my carefully crafted security measures.

So for now, I’ve gone into the firewall settings and closed both ports 21 and 24 (port 22 was already closed).[/QUOTE]

I mostly agree with you and I think the automatic creation is nice, but it should be possible to be disabled globally. On the other hand I would like to be able to write a note next to the SiteWorx FTP dialog, explaining the need for SFTP and how to use it. This would prevent a lot of confusion.

But why close port 24 if you want to use SFTP?

Hi Michael and strategicmoves

I hope you don’t mind, but there’s 2 thoughts come to mind, as follows

Why not alter client notification used in event hooks to state your requirements and explanations in full

Changing ports from defaults to me does not help or stop attempts from bad users. A simple port scan would show ports open, and it’s not hard to find the service running, but to me it makes life harder for the admin as they have to remember the port assigned for the service, and any external testing from online services may fail, thereby making diagnosis of issues harder. Also, if one of your clients is infected, it is no protection.

I know we all have our own ideas but I guess it’s what works best for you.

Many thanks

John

Hi John,

I can only speak for myself, but closing ports always helps, as they are simply not available anymore. Also this seems the only way (correct me if I’m wrong) to disable unsecure FTP. Or is there another way?

Changing some ports, like 22 makes also sense to me, as we prevent script kiddies from doing automated attacks. I concur with you, that security through obscurity is not a real safety measure and a versed attacker will find open ports and know how to misuse them, but the majority of attacks are done by dumb scripts and those are easily fended off by a few renaming and port-changing tricks.

Hi Michael

Many thanks, and yes I understand your points, which are valid, but there are a lot of hosting companies who still allow default unsecured ports, and a lot of dumb scripts which have been changed or amended to check various ports/services. In fact, on my mobile, I have quite a few sniffer apps, where I can very quickly check ports open and define the service running - subject to any security measures imposed by the admins.

Also, please don’t forget if you change from default ports, secured or unsecure, then depending upon the user’s firewall on computer and/or router, these may need to be opened at their end, which some users simply do not know how to do. Default ports are normally opened.

Lastly, I missed part of strategicmoves’ post, and I think the FTP username and password adding or changing would not set it to any port, I believe this is set separately in proftp.

I hope you’re enjoying Father’s Day

Many thanks

John

It’s been a while since I have been to the InterWorx forum (still a great place!), and since moving away from using InterWorx (it’s not because InterWorx was/is a bad product, to the contrary, I still love IW)
But I wanted to chime in on a few things.

I do not think there is a unified definition anywhere, but more of a meaning to, weak = don’t even think of using this password for your password. Medium = it’s ok, but not the strongest in the world. Strong = will be hard to crack Very Strong = Hacker should move on to those using weak and medium passwords.
So, needless to say, so relative terms or that just relative, or subjective.

Now not long ago (Fall of 2013), I sat in on an FBI Cyber Crimes briefing. And I found it very interesting what they had to say and are seeing in regards to passwords. First off, passwords should be thought of as blocks of 4 characters (based on the hacking techniques and software being used at the time by professional hackers). No longer is a minimum of 8 characters good enough, the new minimum, according to the FBI Cyber Crime division, is 9, and here is why. Let’s say 89hY23Zp is my password. Breaking this down into blocks of 4 you would have 89hY as the first block and 23Zp as the second block, so now there are only two blocks to crack. Now let’s add just one more character to the block, doesn’t matter if it’s a number, alpha, or special character. Let’s say I add an ! to it so I have 89hY23Zp! now I have three blocks of four ‘89hy’ ‘23zp’ and the new third block ‘!’. Well yes, only one character in the third block but the hacker doesn’t know it.

So when thinking password, yes make sure to use multi character types (alpha & numeric and special character) but think blocks of 4, so the more blocks 9 characters = 3 blocks, 13 = 4 blocks, 17 = 5 blocks and so forth and so on, as the more blocks you have the ever increasing difficulty it is to crack any given password.

[QUOTE=strategicmoves;25722]To add to what IW-Michael said above …

(1) Apparently you (or your client) must reset the password as there is no way to know what it is and the SiteWorx account password doesn’t work.

(2) The default port for unsecured ftp is indeed 21 but for “sftp” you can use port 24. I tried port 24 because I remember seeing it as one of the ports Interworx opens in the firewall.

I don’t know about you guys, but I don’t like having port 21 available to clients. (I enforce using a non-traditional port for SSH which is also used by FileZilla when I FTP into the site… Meaning no “ftp” is available; SFTP has to be used. Even at that, I turn off port 22 and encourage clients to use the built-in File Manager to upload files, set permissions, etc.)

So, it is a bit disconcerting to have IW automatically create an FTP user who can use port 21 after a password change, effectively doing an end run around my carefully crafted security measures.

So for now, I’ve gone into the firewall settings and closed both ports 21 and 24 (port 22 was already closed).

Thanks to OP ChrisGebhardt for starting the thread. Without your question, I wouldn’t have caught this. :)[/QUOTE]

This is good advice, back in the day of using InterWorx we never used the default ports for FTP and SSH/SFTP. They were always changed and the standard ports closed. Even Port 25 we blocked, and we only allowed our dedicated anti-Spam/Anti-Virus server IP address to access 25, this helped tremendously with SPAM. (Our Dedicated Anti-Spam server would filter and send back the email to the server). But nowadays we do not even allow email on the same server as web sites. I was using way too much pain killer from all the headaches that causes. :smiley:

Hope you found this info useful.
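
A defender-side check for the port discussion in this thread, added here as an example and not taken from any poster or from InterWorx: it connects to the ports mentioned above (21, 22, 24) on a server you administer and names what answers by its greeting rather than by port number, including whether an FTP listener advertises explicit TLS. The function names, result labels and sample replies are constructed for illustration.

```python
import socket

def classify(greeting, feat_reply=""):
    """Name the service from its greeting and, for FTP, its FEAT reply."""
    lines = greeting.splitlines()
    if any(l.startswith("SSH-") for l in lines):
        return "ssh/sftp"
    if lines and lines[0].startswith("220"):
        # AUTH TLS in FEAT means FTPES is offered (RFC 4217), not that cleartext is refused.
        feats = [l.strip().upper() for l in feat_reply.splitlines()]
        if any(f.startswith("AUTH TLS") for f in feats):
            return "ftp, explicit TLS offered"
        return "ftp, no TLS advertised"
    return "open, unidentified"

def _exchange(sock, command=b""):
    """Optionally send a command, then read up to an SSH banner or a final FTP reply line."""
    data = b""
    try:
        if command:
            sock.sendall(command)
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
            last = data.decode("latin-1").splitlines()[-1] if data.endswith(b"\n") else ""
            if last.startswith("SSH-") or (last[:3].isdigit() and last[3:4] == " "):
                break
    except OSError:  # timeout or reset: keep whatever arrived
        pass
    return data.decode("latin-1")

def probe(host, port, timeout=5.0):
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed/filtered"
    with sock:
        greeting = _exchange(sock)
        feat = _exchange(sock, b"FEAT\r\n") if greeting.startswith("220") else ""
        return classify(greeting, feat)

def audit(host, ports=(21, 22, 24)):
    return {port: probe(host, port) for port in ports}

# Constructed sample FEAT replies (not captured from a real server).
SAMPLE_FEAT_TLS = "211-Features:\r\n AUTH TLS\r\n PBSZ\r\n PROT\r\n211 End\r\n"
SAMPLE_FEAT_PLAIN = "211-Features:\r\n MDTM\r\n SIZE\r\n211 End\r\n"
```

Calling `audit(host)` after a firewall change returns one label per port, so a port that was meant to be closed but still answers as FTP shows up immediately.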