HostPapa (In)Secure FTP

by foolonthehill  

UPDATE: So, I've had an update from HostPapa. I can summarise this post with the following three quotes from support I have had in the last fortnight:
   "FTP over SSL/TLS won't be supported on our servers."
   "We do not provide SFTP at HostPapa anymore."
   "It appears the only option is to use plain FTP."
Quite incredible.

UPDATE 2: Another update from HostPapa. I appear to have found my way to a more senior member of staff, who finally apologised for the issues and lack of clarity. In what seemed like the best solution at this point, they cancelled my contract and refunded the remainder of the term. So I'm now with another host - the rumours are that this one is just as bad, but it is cheap...!

After a fortnight of frustration with my host, HostPapa, I need to vent my irritation somewhere. A blog post seems the ideal solution!

HostPapa have served me excellently over the past couple of years: 'unlimited' space and bandwidth (presumably not truly unlimited, but certainly more than I currently need), and a relatively complete offer in terms of server functionality. There have of course been issues: their shared servers allow access to a shared /tmp directory, which caused me problems once, when someone else had previously installed a blog package, leaving detritus which prevented my install due to ownership issues.

Other than that it's been a good relationship. Until now.

All webhosts obviously need to offer a mechanism whereby users can upload their files reliably. And securely. HostPapa agree, which is why they recommend Secure FTP (FTPS), using Explicit SSL (sometimes known as FTPES). Good practice. No one wants the files they are uploading sent around the web unencrypted, let alone their username and password, which gives full, unencumbered access to their cPanel account! Unfortunately, I don't own my own SSL certificate.

Never mind, HostPapa also offers SSH FTP (known as SFTP - and to be clear this is not FTP over SSH, but it uses the SSH protocol to encrypt the session). Excellent. Secure uploading, without certificates. I use it daily to synchronise my local files to this server.

So, when a number of hosts started finding a rather nasty rootkit on their servers, which seemed to be targeting port 22, the finger was understandably pointed at SSHD. HostPapa blocked port 22. No more SFTP. No notification. No email. Nothing. Just a timeout on port 22. I contact HostPapa through their usually efficient 'ticket' system. After three messages, I (eventually) receive a couple of useful messages:

An exploit was found, so we needed to disable SFTP from all servers. We may
re-enable it in the future, once there is a fix for the exploit.
In the meantime, we can only recommend using FTP or File Manager to transfer files.
Tim R.
Technical Support Representative
HostPapa Inc.

If other hosts using cpanel did not disable port 22 then they are at risk.
For your information
Sébastien VG
Systems Administrator
HostPapa Inc 

Whoa! 2003? That's an exploit that's been around for some time without a fix! Obviously the wrong link, but nevertheless, there is talk of SSHD being the attack vector. Except that cPanel has, by this time, announced that they were the cause of the breach, due to a compromised machine in their support department.

Oh well, I am told to just use plain FTP (no thank you), or the cPanel web-based file manager. On a side note, it is at this point that I discover that my host uses unencrypted HTTP on port 2082 for their default cPanel interface. There is an HTTPS port on 2083, but it's not advertised. Clearly, security is not a key consideration for HostPapa...

After a few more questions about securing my session, I am told that (contrary to what I had been told previously) FTPES works fine. OK, I'll give it a try. Starting with LFTP from the command line:

me@client ~ $ lftp -d
lftp :~> open -u user,password -p 21
---- Resolving host address...
---- 1 address found: x.x.x.x
lftp> ls
---- Connecting to (x.x.x.x) port 21
<--- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
<--- 220-You are user number 3 of 50 allowed.
<--- 220-Local time is now 16:38. Server port: 21.
<--- 220-This is a private system - No anonymous login
<--- 220 You will be disconnected after 15 minutes of inactivity.
---> FEAT
<--- 211-Extensions supported:
<--- EPRT
<--- IDLE
<--- MDTM
<--- SIZE
<--- MFMT
<--- MLST type*;size*;sizd*;modify*;UNIX.mode*;UNIX.uid*;UNIX.gid*;unique*;
<--- MLSD
<--- PBSZ
<--- PROT
<--- ESTA
<--- PASV
<--- EPSV
<--- SPSV
<--- ESTP
<--- 211 End.
<--- 234 AUTH TLS OK.
---> OPTS MLST type;size;modify;UNIX.mode;UNIX.uid;UNIX.gid;
Certificate: OU=Domain Control Validated,CN=*
Issued by: O=AlphaSSL,CN=AlphaSSL CA - G2
Checking against: O=AlphaSSL,CN=AlphaSSL CA - G2
Certificate: O=AlphaSSL,CN=AlphaSSL CA - G2
Issued by: C=BE,O=GlobalSign nv-sa,OU=Root CA,CN=GlobalSign Root CA
<--- 200 MLST OPTS type;size;sizd;modify;UNIX.mode;UNIX.uid;UNIX.gid;unique;
---> USER user
<--- 331 User user OK. Password required
---> PASS password
<--- 230 OK. Current restricted directory is /
---> PWD
<--- 257 "/" is your current location
---> PBSZ 0
<--- 200 PBSZ=0
---> PROT P
<--- 200 Data protection level set to "private"
---> PASV
<--- 227 Entering Passive Mode (x,x,x,x,228,175)
---- Connecting data socket to (x.x.x.x) port 58543
**** Socket error (Connection timed out) - reconnecting
---> LIST
---> ABOR
---- Closing aborted data socket
---- Closing control socket

Weird. I try with FileZilla from a different client on a different network. Same response. I try with AndFTP from my phone. No dice. I resort to sticking my login details on a random ftp test website which promises to test the server. Couldn't get directory listing!

Meanwhile, HostPapa continue to tell me it is my problem:

I am sorry but this is the extent of the support we can provide you. We can
use FTP over explicit SSL; it works for us here, so this is an
issue with something on your end.
Please let us know if you have anymore questions.
Daniel R.
Technical Support Representative
HostPapa Inc. 

So that's it. If I want to use my site, then I have to use unencrypted plain FTP. I can't believe it's just me with this problem. Maybe every one of my clients is misconfigured. Maybe infobyip is misconfigured. Maybe this guy is misconfigured. But I'd be surprised.

In fact, I have an idea for what might be going on. I've told HostPapa about it, but it's been ignored so far. I assume they have a firewall to keep nasty people out of their site. That is a problem for FTP servers, which use a huge range of ports for their data transfer connections. So the solution I have heard of before is to inspect packets on port 21 and wait for the PASV command and its 227 reply. The reply tells the client which port to connect on, and means the firewall knows which port to open up, for a specific source IP if necessary. Except that it doesn't work for SSL-encrypted packets, as the firewall has no way of knowing what the message says.

Hence, the login goes fine over port 21, but the line goes silent when I connect to the proposed data port. When using plain FTP, the port is opened and the connection is completed. Moreover, for HostPapa behind their firewall, the packet is not captured, so again the connection is successful. I have asked again, but they still assure me that my FTPS login "works for them".
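To make the theory above concrete, here is a toy model of such a firewall FTP helper (an added example, not code from the original post or from HostPapa). It parses the 227 passive-mode reply the way a helper would, and shows that once the control channel has switched to TLS after the 234 reply, the helper never sees a 227 and so never opens the data port. The transcripts and the 192.0.2.x address are constructed for the example; the port 228,175 is the one from the session above.

```python
"""Toy model of a stateful firewall FTP helper (example, not real firewall code)."""
import re

# Matches "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Return (host, port) from a 227 reply; the port is p1*256 + p2."""
    m = PASV_RE.match(reply)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


class FtpHelper:
    """Watches the control channel on port 21 and opens data ports it learns about."""

    def __init__(self):
        self.encrypted = False      # set once the channel goes to TLS
        self.opened_ports = []      # data ports the firewall has pinholed

    def observe(self, direction, line):
        # After the 234 reply to AUTH TLS every further control-channel byte is
        # ciphertext to the firewall, so there is nothing left to inspect.
        if self.encrypted:
            return
        if direction == "<" and line.startswith("234"):
            self.encrypted = True
            return
        if direction == "<":
            hp = parse_pasv(line)
            if hp:
                self.opened_ports.append(hp[1])

    def data_port_open(self, port):
        return port in self.opened_ports


# Constructed transcripts modelled on the lftp session in the post ("<" = server, ">" = client).
PASV_REPLY = "227 Entering Passive Mode (192,0,2,10,228,175)"
PLAIN_FTP = [("<", "220 Welcome to Pure-FTPd"), (">", "USER user"), ("<", "331 User user OK."),
             (">", "PASS password"), ("<", "230 OK."), (">", "PASV"), ("<", PASV_REPLY)]
FTPES = [("<", "220 Welcome to Pure-FTPd"), (">", "AUTH TLS"), ("<", "234 AUTH TLS OK."),
         (">", "USER user"), ("<", "331 User user OK."), (">", "PASS password"),
         ("<", "230 OK."), (">", "PROT P"), ("<", "200 Data protection level set"),
         (">", "PASV"), ("<", PASV_REPLY)]


def simulate(transcript):
    """Feed a control-channel transcript to the helper and return its final state."""
    helper = FtpHelper()
    for direction, line in transcript:
        helper.observe(direction, line)
    return helper
```

With plain FTP the helper opens port 58543 (the same port lftp tried above); with FTPES it opens nothing, which is exactly the data-socket timeout seen in the session.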

It is this lack of service, and lack of useful communication, that frustrates me with HostPapa. Other hosts (and here) have at least let their customers know. HostPapa just shut off a major access port and assume that they don't need to tell their customers. I can recommend the hosting at HostPapa; it's just the service that makes it entirely unusable when things go wrong.

Please comment - I'd love to hear from anyone else who is having similar issues

1 comment

Comment from: MeToo [Visitor]
I’ve had to deal with this problem too. There seems to be no secure way of uploading files to my domain at hostpapa.

Also, the server seems to take forever to load sometimes. I guess my “server” is actually one of a bunch of virtual machines stored in a piece of obsolete hardware…

Bad news is, they won’t refund me the money, so I am stuck with them until I finish my paid service time.

09/08/13 @ 21:41
