This article was published by Computing Security Magazine.
When Patrick Clark, a network analyst from Greenville, NC, asked fellow analysts and engineers for their thoughts on how FTP servers could be more secure, the prevalent response was: “Don’t use them.” Here follows his own take on this.
The pervasiveness of File Transfer Protocol (FTP) means that not using it is simply not an option for most organisations; it's an easy, inexpensive way for customers, partners and employees to connect. But there are many things that you can do to make your FTP server more secure:
1. Secure your transfers with an encrypted protocol
Many FTP servers support either SFTP (SSH File Transfer Protocol), which is a different protocol from FTP that runs over an SSH connection and is encrypted and authenticated by design, or FTPS (FTP over TLS, the successor to SSL), which is the same FTP protocol we've all come to know and love, but with the control channel, and, if the client asks for it, the data channel, wrapped in a TLS tunnel. Note the "if the client asks for it": an FTPS client that negotiates TLS on the control channel but never sends PROT P still moves file contents and directory listings in the clear. Whichever you choose, retire the plain FTP listener once clients have migrated; an encrypted service next to a cleartext one protects only the users who remember to use it.
2. If you are using certificates, don’t use self-signed certificates
Using a self-signed certificate is akin to trying to board an international flight with a piece of paper that reads "I am me." Though you may be 100% certain of who you are, the person at the ticket counter has no way to confirm your identity. Connections that rely on self-signed certificates are also exposed to man-in-the-middle attacks, because the client has no trust anchor to check the certificate against: it either accepts whatever it is shown or asks the user to, and users click "accept". Someone could intercept the connection and present you with their own self-signed certificate, fooling you into thinking that you are using a secure connection with your FTP server, when you are really using a secure connection to an attacker's server. They now also have your login credentials and anything else you gave them.
A certificate issued by a certificate authority (CA) gives you stronger verification that you are actually talking to the server you intended: the client checks that the certificate chains to a CA it already trusts and that the name in it matches the host it asked for, so an attacker cannot substitute a certificate without also compromising a CA or the client's trust store. Self-signed certificates are best reserved for testing or in-house processes, and even there only when every client pins the certificate's fingerprint, distributed out of band, rather than accepting it on first sight.
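The two points above, combined in one added example that is not code from the original article or from any FTP product it mentions: an FTPS client configured so that an unverifiable certificate is rejected before any credential is sent, shown next to the weak configuration that accepts whatever certificate it is given, plus the out-of-band fingerprint pin that makes a self-signed certificate usable in-house. The host, CA bundle path and fingerprint values are assumptions.

```python
"""Added example (not from the original article): FTPS client with certificate
verification, the weak no-verification variant, and fingerprint pinning."""
import hashlib
import hmac
import ssl
from ftplib import FTP_TLS
from typing import Optional


def weak_context() -> ssl.SSLContext:
    """The insecure pattern: TLS is negotiated but the certificate is never checked,
    so an attacker's self-signed certificate is accepted just like the real one."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def strict_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """CA-signed certificates: the chain must validate against the system trust
    store (or the bundle in `cafile`) and the name must match the host we asked for."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    """True only if the context both validates the chain and checks the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, uppercase hex without
    separators (what `openssl x509 -noout -fingerprint -sha256` prints, minus colons)."""
    return hashlib.sha256(der_cert).hexdigest().upper()


def pin_matches(der_cert: bytes, pinned_sha256: str) -> bool:
    """Out-of-band pinning: compare the presented certificate with a fingerprint
    obtained from the server's administrator over another channel. This is the
    one way a self-signed certificate can be used without the MITM exposure."""
    expected = pinned_sha256.replace(":", "").upper()
    return hmac.compare_digest(cert_fingerprint(der_cert), expected)


def connect_ftps(host: str, user: str, password: str,
                 cafile: Optional[str] = None,
                 pinned_sha256: Optional[str] = None) -> FTP_TLS:
    """Open an FTPS session. For a CA-signed certificate pass `cafile` (or nothing
    to use the system store). For a pinned self-signed certificate pass its
    fingerprint; TLS cannot validate it, so the pin is checked before login."""
    if pinned_sha256 is None:
        ftps = FTP_TLS(context=strict_context(cafile))
        ftps.connect(host, 21)
        ftps.auth()  # AUTH TLS: the handshake itself fails on a bad chain or name
    else:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE  # no trust anchor; the pin below replaces it
        ftps = FTP_TLS(context=ctx)
        ftps.connect(host, 21)
        ftps.auth()
        presented = ftps.sock.getpeercert(binary_form=True)
        if presented is None or not pin_matches(presented, pinned_sha256):
            ftps.close()
            raise ssl.SSLError(f"{host}: certificate does not match the pinned fingerprint")
    ftps.login(user, password)  # credentials only go out after the checks above
    ftps.prot_p()  # PROT P: without this the data channel (listings, files) is cleartext
    return ftps
```

Usage is `connect_ftps("ftp.example.com", "alice", password)` for a CA-signed server, or `connect_ftps(host, user, password, pinned_sha256="BA:78:...")` for an in-house self-signed one (hostname and fingerprint are placeholders). The order matters: the pin is compared, and the session torn down on mismatch, before `login()` ever sends a password, and `prot_p()` is called so the data channel is encrypted as well as the control channel.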
3. Don’t use anonymous access
Enabling anonymous access to your server is like posting an open invitation to your housewarming party on every street corner. Anonymous access makes it impossible to track which users are posting or pulling files from your server. You have already gone through the trouble of setting up user accounts for the express purpose of limiting and tracking access; enabling anonymous access undoes that work and leaves an unattended entry point. If a small set of files genuinely must be public, serve them read-only from a separate directory tree that no anonymous session can write to, or move them to a web server instead.
4. Don’t make it easy for hackers
Most hackers will look for, and inevitably find, easy targets. Though you may not deter the most motivated of hackers, you can make yourself a less attractive victim. Lockout thresholds against password guessing, connection-rate limits against hammering (denial of service) and IP blocklists can go a long way in keeping hackers away. Also, keep the firewall locked down and minimise open ports: with FTP that means fixing the passive-mode data port range to a small, known range and opening only that range and the control port, rather than a wide swath of high ports. And stay vigilant about installing security patches.
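The thresholds above, as an added example that is not code from the original article or from any FTP product it mentions: a sliding-window check for password guessing (ban) and connection hammering (throttle), run over constructed log lines. The log layout, the IP addresses and the threshold values are assumptions, not any real server's format or defaults.

```python
"""Added example (not from the original article): lockout and rate-limit
thresholds evaluated over a constructed FTP log."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Constructed sample log in an assumed "<date> <time> <client ip> <event> [user=<name>]" layout.
SAMPLE_LOG = "\n".join(
    [
        "2024-03-01 10:00:00 192.0.2.10 CONNECT",
        "2024-03-01 10:00:01 192.0.2.10 LOGIN_FAIL user=admin",
        "2024-03-01 10:00:02 192.0.2.10 LOGIN_FAIL user=admin",
        "2024-03-01 10:00:03 192.0.2.10 LOGIN_FAIL user=root",
        "2024-03-01 10:00:04 192.0.2.10 LOGIN_FAIL user=ftp",
        "2024-03-01 10:00:05 192.0.2.10 LOGIN_FAIL user=test",
        "2024-03-01 10:00:06 192.0.2.10 LOGIN_FAIL user=test",   # arrives after the ban
        "2024-03-01 10:00:10 198.51.100.7 CONNECT",
        "2024-03-01 10:00:11 198.51.100.7 LOGIN_FAIL user=alice",  # a single typo
        "2024-03-01 10:00:30 198.51.100.7 LOGIN_OK user=alice",
    ]
    + ["2024-03-01 10:01:00 203.0.113.5 CONNECT"] * 25  # hammering the listener
)

LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\S+) (CONNECT|LOGIN_FAIL|LOGIN_OK)(?: user=(\S+))?$"
)


@dataclass(frozen=True)
class Policy:
    """Assumed thresholds. Everything is keyed per client IP; behind a shared NAT
    that can lock out a whole site, so consider keying on (ip, user) there."""
    max_failures: int = 5                                  # failed logins ...
    fail_window: timedelta = timedelta(minutes=1)          # ... within this window -> ban
    ban_for: timedelta = timedelta(minutes=15)
    max_connects: int = 20                                 # connections ...
    connect_window: timedelta = timedelta(seconds=10)      # ... within this window -> throttle


Action = Tuple[datetime, str, str]  # (when, client ip, "ban" or "throttle")


def _prune(q: Deque[datetime], cutoff: datetime) -> None:
    """Drop timestamps that fell out of the sliding window."""
    while q and q[0] < cutoff:
        q.popleft()


def evaluate(log_text: str, policy: Policy = Policy()) -> List[Action]:
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    connects: Dict[str, Deque[datetime]] = defaultdict(deque)
    banned_until: Dict[str, datetime] = {}
    actions: List[Action] = []

    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unknown layout: skip rather than guess
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        ip, event = m.group(2), m.group(3)

        if ip in banned_until and ts < banned_until[ip]:
            continue  # a banned client is dropped at the firewall; nothing to count

        if event == "CONNECT":
            q = connects[ip]
            q.append(ts)
            _prune(q, ts - policy.connect_window)
            if len(q) > policy.max_connects:
                actions.append((ts, ip, "throttle"))
                q.clear()  # one burst yields one action, then a fresh window
        elif event == "LOGIN_FAIL":
            q = failures[ip]
            q.append(ts)
            _prune(q, ts - policy.fail_window)
            if len(q) >= policy.max_failures:
                banned_until[ip] = ts + policy.ban_for
                actions.append((ts, ip, "ban"))
                q.clear()
        # LOGIN_OK deliberately does not reset the failure counter: an attacker who
        # already holds one valid account must not be able to wash out their guesses.
    return actions


def blocklist(actions: List[Action]) -> List[str]:
    """Unique IPs that earned a ban, in order of first ban: what goes to the firewall."""
    seen: List[str] = []
    for _, ip, kind in actions:
        if kind == "ban" and ip not in seen:
            seen.append(ip)
    return seen


if __name__ == "__main__":
    for when, ip, kind in evaluate(SAMPLE_LOG):
        print(f"{when:%H:%M:%S} {ip:<14} {kind}")
```

On the sample log this bans 192.0.2.10 at the fifth failure and throttles 203.0.113.5 at the twenty-first connection in its burst, while the legitimate user who mistyped a password once is left alone. Failures that arrive while a client is banned are not counted, which keeps the ban from extending itself forever on a noisy scanner; whether a successful login should clear the counter is a policy choice, and the example deliberately says no.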
5. Avoid freeware (it’s true you get what you pay for)
Don't get me wrong: there are lots of great freeware products available. But if security is really a concern, buy from a reputable company that depends on selling quality products and offering helpful technical support. If the software is free, the person or company providing it has nothing to lose if you are unhappy with their product or service. Make sure that your vendor has an interest in your success.
We reviewed a number of FTP servers that are in line with these recommendations, but ultimately chose and implemented Titan FTP Server Enterprise Edition from South River Technologies. It's a high-performance, stable SFTP server with a large library of event triggers to derail hackers, and to us it offered the best SFTP server price-for-performance value.