Practicing FTP Security
Posted on Tuesday, Mar 17, 2009 in "Security Issues"
One of the most highly sought after features on the web hosting market is FTP. Short for File Transfer Protocol, FTP provides a means for transferring data from your computer to the web host’s server. While the protocol is quite useful, FTP also presents many security risks and making yourself aware of them is crucial.
Beware of FTP Attacks
FTP is ideal for transferring files to a remote location. However, you should know that in its purest form, this protocol is far from secure. FTP transmits your data over a network in plain text. If the transmission is intercepted, the contents of those files can be viewed by unauthorized parties. Furthermore, a knowledgeable hacker can use the FTP server as an entrance into your website. This is done by repeatedly trying to logon with an incorrect user password. In most cases, the profile is disabled after reaching the maximum threshold of three sign in attempts, thus giving the hacker all the ammunition they need to launch the attack.
The most effective way to protect yourself from an FTP password attack is through the use of an FTP server logon exit program. This mechanism can provide security in the following ways:
Rejecting logon requests by any user profiles that you have not granted FTP access to. With the use of an FTP server logon exit program, the logon attempts from the profiles you decide to block are not counted towards the maximum sign in count.
Limiting the number of clients from which a user profile is able to access the FTP server. For instance, if someone from accounting is granted access, you can make configurations where only users with an IP address from the accounting department have FTP access.
Recording the credentials and IP addresses of all FTP logon attempts. This allows you to regularly view the activity of each FTP logon attempt. If a profile is ever disabled for reaching the maximum count, you can use their IP address, identify the perpetrator and handle the matter accordingly.
FTP Security Recommendations
Because FTP is naturally insecure, you may want to strongly consider backing it up with a reliable security mechanism. The most highly recommended is Secure Sockets Layer, or simply SSL. SSL is an encryption protocol that enables secure communications between the FTP server and client. It ensures that transmissions are encrypted, maintaining confidentiality and integrity for all data that passes through. This includes files as well as usernames and passwords. Most FTP severs support SSL through the use of a digital certificate which also provides additional security with client authentication.
Though some recommend the use of anonymous FTP for the sharing of non-confidential data, this can be an even greater security risk. With anonymous FTP, anyone can upload to your server without a username or password. They could be transferring pirated software or malicious files. Before taking such a gamble, be sure to weigh all the risks and take the appropriate measures to ensure that your FTP communications are secure.
