Technical documentation for Hovixa users on provisioning isolated FTP accounts via cPanel and configuring clients to enforce Explicit FTP over TLS (FTPS) for secure data transmission.
Creating and Securing FTP Accounts with TLS
Standard FTP transmits credentials and payload data in plaintext. It is fundamentally insecure and vulnerable to packet sniffing. You must enforce Explicit FTP over TLS (FTPS) to encrypt the control and data channels. This guide details account provisioning in cPanel and the required client-side TLS configuration.
1. Provisioning the FTP Account in cPanel
By default, your primary cPanel account acts as an FTP account with root access to /home/username/. Secondary accounts should be created with restricted directory access (chroot) to limit exposure.
- Log in to cpanel.hovixa.com.
- Navigate to the Files section and click FTP Accounts.
- Log In: Enter the desired username. The system appends your primary domain (e.g., user@example.com).
- Password: Generate a cryptographically secure password. Do not reuse credentials.
- Directory: cPanel auto-populates a directory based on the username. Modify this path to strictly limit the user's access (e.g., public_html/specific_folder). The user cannot navigate above this directory tree.
- Quota: Set a hard limit in MB or select Unlimited.
- Click Create FTP Account.
2. Enforcing TLS in the FTP Client (FileZilla Example)
cPanel servers are configured to support FTPS (FTP over TLS) natively. Security is enforced at the client level by rejecting unencrypted connections. Do not use the "Quickconnect" bar, as it often defaults to insecure FTP.
Configuration Steps:
- Open your FTP client (FileZilla is used in this standard implementation).
- Open the Site Manager (File > Site Manager).
- Click New Site.
- Host: Enter your server hostname (e.g., ftp.example.com or the direct Hovixa server IP to bypass DNS latency).
- Port: 21 (Explicit FTPS uses the standard FTP control port and upgrades the connection via the AUTH TLS command).
- Protocol: Select FTP - File Transfer Protocol.
- Encryption: Select Require explicit FTP over TLS. This is the critical step. If the server cannot negotiate a TLS handshake, the connection drops.
- Logon Type: Select Ask for password or Normal.
- User: Enter the full FTP username (user@example.com).
- Click Connect.
3. Edge Cases and Implementation Details
- Certificate Validation: Upon initial connection, the client will prompt you to verify the server's SSL/TLS certificate. Verify the common name (CN) matches your Hovixa server hostname before trusting the certificate.
- Passive Mode vs. Active Mode: FTPS encrypts the control channel, which prevents NAT routers from inspecting the traffic to open dynamic data ports. You must configure your client to use Passive Mode (PASV) so the client initiates the data connection to the server's predefined ephemeral port range.
- SFTP vs. FTPS: Do not confuse FTPS (FTP over TLS) with SFTP (SSH File Transfer Protocol). SFTP operates over port 22 and requires shell access, which is typically restricted to the primary cPanel user account, not virtual FTP accounts.
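For scripted transfers, the same client-side enforcement (explicit AUTH TLS on port 21, certificate and hostname validation, an encrypted data channel, passive mode) can be expressed with Python's standard ftplib. This is an added example, not Hovixa's or cPanel's code; the function names and file arguments are illustrative assumptions.

```python
import ssl
from ftplib import FTP_TLS


def build_tls_context() -> ssl.SSLContext:
    """TLS settings equivalent to 'Require explicit FTP over TLS' plus cert checks."""
    # create_default_context() enables CERT_REQUIRED and hostname checking,
    # so a certificate that does not match the host aborts the handshake.
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def new_client(timeout: float = 30.0) -> FTP_TLS:
    """Return an unconnected FTPS client preconfigured for passive mode."""
    ftps = FTP_TLS(context=build_tls_context(), timeout=timeout)
    ftps.set_pasv(True)  # client opens the data connection (NAT-friendly)
    return ftps


def upload(host: str, user: str, password: str,
           local_path: str, remote_name: str, port: int = 21) -> None:
    """Upload one file; fails closed if TLS cannot be negotiated."""
    ftps = new_client()
    try:
        ftps.connect(host, port)    # plaintext greeting on the control port
        ftps.auth()                 # sends AUTH TLS; raises if the server refuses
        ftps.login(user, password)  # credentials are sent only after the upgrade
        ftps.prot_p()               # PROT P: encrypt the data channel as well
        with open(local_path, "rb") as fh:
            ftps.storbinary(f"STOR {remote_name}", fh)
        ftps.quit()
    finally:
        ftps.close()
```

Call upload() with the server hostname rather than an IP address so the hostname check has a name to compare against the certificate, and with the full FTP username (user@example.com style).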
