Securing FTP Servers – Best Practices
Let’s acknowledge one thing right off the bat: File Transfer Protocol or FTP servers are not exactly known for their security. For one, the protocol was inherently intended to provide basic, unencrypted file transfer capabilities. And just consider the fact that it uses cleartext passwords and is the first point-of-attack for hackers. It becomes quite clear that it was invented for simple, day-to-day file transfers.
Thankfully, the protocol is considered to be obsolete and mostly used on legacy networks – it has been replaced by SFTP and SSH.
We could go on. But instead, let’s simply focus on the best practices for securing FTP servers – because these servers are still quite common installations in corporate networking environments.
How to secure FTP servers – best practices
Ok; let’s jump right in and have a look at the steps to take that ensure a secure FTP installation:
1. Strong passwords
FTP servers – like any server – should have secure passwords that can’t be guessed easily. But, since FTP servers use cleartext connection strings (E.g.: “ftp://user_name:password@hostname“), the security risks increase in leaps and bounds simply because the credentials can’t be masked.
Therefore, one way of making sure of high FTP server security is by using complex passwords that are changed regularly. Too many attempts are usually a sign of a brute-force attack – and the more complex a password, the more attempts there will be. This makes it easier to spot malicious attacks.
2. Actively managing user accounts
Server access accounts should never be created and then just forgotten about. There needs to be constant auditing of access, roles, and privileges – this applies to accounts on FTP servers too.
Accounts of users who are no longer allowed to access the FTP server need to be removed, for example. Remote clients that no longer need access to data stored on the server also need to have their accounts deleted.
Administrators should keep an eye out for dormant accounts that have suddenly become active. The same applies to accounts suddenly accessing data at suspicious times – during holidays or after hours, for example.
3. Monitoring and logging
Any administrator knows that their log files can be a great source of information. They can use audit trails and activity logs to keep track of “who did what, where, and when”.
These logs can also give insight into any suspicious activities. In case of an attack, the logs can also be used to find out who did it.
4. Securing the administrator account
Special care should be taken with the administrator account; it shouldn’t be the default account used by the system’s owners, clients, and remote workers.
A great example would be a WordPress installation that uses an FTP account to move files. An administrator should take time to create user or client accounts to be shared for day-to-day activities instead of letting everyone use the administrator account.
There are a few third-party tools that make it easy to manage FTP user accounts; it would be wise to take advantage of them.
5. Opt for SFTP server over FTP server
Secure File Transfer Protocol (SFTP) is a more secure version of FTP. It is built on the basic FTP protocol but also includes the Secure Shell (SSH) security components. Of course, it should be noted here that SFTP is not FTP running over SSH, but an entirely new protocol designed from the ground up.
This file transfer protocol works on the assumption that the server that is being accessed has already secured the data stream or channel – by authenticating the client who is trying to connect – and then sharing the information with the protocol.
This way, FTP servers become more secure, without compromising on the service they provide.
6. Reinforcing FTPS protocols
Next, we have FTPS – FTP over SSL. This is an extension of the FTP which adds support for the Transport Layer Security (TLS).
FTPS differs from SFTP in that it uses multiple port numbers: it uses one port when a command or request is made and another one when the reply or transmission is sent back. In contrast, SFTP only uses one port for all communications.
This makes FTPS connections a bit more difficult to secure, due to the number of ports in play. But, it can still be done in two distinct methods called “Implicit” and “Explicit” – both of which have strengths and drawbacks:
- Implicit – the whole connection is protected by an SSL/TLS session. This could complicate things during connections to normal FTP servers as the client needs to make the server aware that they are using the protection every time they attempt to connect.
- Explicit – encryption is turned on using a command after the initial plaintext FTP connection is made. The drawback with this method is that an additional command is required which also changes the protocol and workflows.
7. Using strong hashing algorithms
Nothing would be more stupid than storing passwords in databases without using any sort of encryption. This would be doubly so in the case of FTP server passwords which are stored in plaintext formats – a fact that is quite common.
Any attacker that managed to breach the server would have a field day going through the readable security credentials – both usernames and passwords.
One way of rendering this data unusable to any intruders is by using hashing algorithms to encrypt sensitive information. Passwords that are “hashed” can never be decrypted and there are tools that can be used to do the hashing before the credentials are stored.
8. File security
Security shouldn’t only involve accessing the FTP server – it should also deal with that of the individual data and files that are stored in them.
Examples of what could be done include removing files that are not actively being used. Then, there is setting access control on the folder level where only authorized personnel can access the files in them or upload and download them.
9. Using blacklists and whitelists
One way of making sure only authorized accounts and sites access a server – be it an FTP server, or otherwise – is with the help of blacklists and whitelists.
Examples of IP addresses to be included on a blacklist would be that of a source of non-stop failed login attempts, the address of a user that tried to escalate their privileges, or even a user that failed to log in on numerous sites on the network.
Meanwhile, a whitelist could specifically include local IP addresses and, therefore, block any other attempts to log in from beyond the firewall.
10. Network Intrusion Detection System (NIDS) tools
Administrators can make sure intruders don’t reach an FTP server by spotting, and then stopping, unauthorized users before they reach the server. A great way to do that is using third-party security solutions like Network Intrusion Detection System (NIDS) tools.
A NIDS looks for suspicious and malicious activities on a network. These tools are important because they catch unauthorized users that have managed to bypass the outer firewall (or are even corporate users) before they can access the FTP servers.
A great thing about NIDS tools is that they are highly adaptive and continuously reconfigure to thwart new hacking methods.
11. Don't forget physical security
It’s quite surprising how businesses invest so much in their software security solutions and, yet, forget to keep track of the physical security of their server rooms.
Some measures that apply here are the likes of making sure that the doors to the server rooms have the appropriate security access controls and anyone accessing the servers is monitored to assure they have the appropriate clearances.
Apart from that, the servers themselves need to have a guaranteed supply of backup power in case of outages. They should also have temperature control mechanisms in place to help maintain optimal temperatures.
12. Adopting the cloud
A good way of reducing sleepless nights for administrators is by adopting cloud computing. Moving the FTP server into the cloud comes with numerous benefits. Examples include:
- The service providers are responsible for the security of the cloud FTP server and the data on it; this frees administrators up to focus on other assignments
- The service provider provides security that can drill down to the granular level; this security is usually backed with the latest technology
- There is no need to worry about hardware security or upgrades
- Flexible plans allow for cost-effective customized server resource allocations that are also easily scalable
- Regular backups allow for quick recovery in case of data loss
And there you have it – those were the best practices for properly securing FTP servers.
On a closing note, it needs to be mentioned here that the last tip – adopting the cloud to setup FTP server – requires an expert in data migration. Businesses should therefore make sure they hire data migration professionals before attempting the move.
We hope this article has helped with informing you about how to go about securing FTP servers and the best practices involved in the process. Let us know what you think; leave us a comment below.
