Do you need to secure your FTP server? Here are 5 steps that you can take towards a secure FTP server and ensuring your data and users are protected.
1. Encrypt the connection
The first step towards a secure FTP server is to encrypt the connection since an unencrypted connection means your data and user credentials are sent over the Internet without any protection. When using the FTP protocol this can be done using implicit FTPS running on port 990 or by using explicit FTPS running on port 21. Both of these protocols use SSL/TLS to secure both the command and data channels protecting both the commands and data exchanged between the client and server. The difference between these is that in implicit FTPS the connection is always secure, whereas in explicit FTPS the client must explicitly tell the server to switch to a secure connection. If you decide to use explicit FTPS then it is recommended that you configure the server to force users to switch to a secure connection, otherwise your users may connect insecurely.
2. Define user accounts and permissions
Each user should have their own user account and unique login directory. This ensures that users cannot access the files of other users. This does not mean that you cannot have one or more directories that are shared by multiple users in your system, but providing access to these directories should be done explicitly rather than allowing all users to have access to all directories by default. Additionally, each user should have their own set of permissions which limits their functionality to only what they should be doing. For example, if a user only needs to upload files then other permissions like downloading files and deleting files should be disabled.
3. Enforce password compliance
One of the biggest holes in FTP servers are weak passwords. Users often choose weak passwords that are easy to remember and are typically based on dictionary words. Brute force password attacks against FTP servers are common and with enough time can grant unauthorized users access to your FTP server. Enforcing strong passwords with a minimum of 8 characters including alpha-numeric, uppercase and lowercase characters is highly recommended. It is also recommended to implement some sort of password aging mechanism so users are required to change their passwords on a regular basis.
4. Detect and respond to password attacks
As described above, brute force password attacks are very common. If you take a close look at your FTP server logs you will likely see clues of these attacks being launched against your system. Not only do these attacks risk unauthorized access to your system but they also can put a heavy load on your system that will affect other users. Your best defense is to implement software that will recognize these attacks and automatically block the source IP of the attack from further connections.
5. Enable time and IP limits
While not required an extra step you can take towards a secure FTP server is to limit the times and client IP’s that can access your FTP server. For example, if your server should only be accessed Monday – Friday from 6AM to 6PM EST by IP’s in the subnet of 233.233.233.* then configure your FTP server to block all other incoming connections. This of course requires that you know where your users are connecting from and when. This is particularly useful in handling cases where a users credentials may be stolen, possibly without the users knowledge. If the user can only connect at certain times from certain IP’s then the stolen credentials may be useless to the attacker.
Summary
In this article, you learned how to secure an FTP server. We hope that you have enjoyed this article. Are you looking for an easy to use and platform-independent secure FTP server?