Currently set to No Index

Practicing FTP Security

2 minutes 3 comments
Art
Art
Web Hosting Geek

One of the most highly sought after features on the web hosting market is FTP.   Short for File Transfer Protocol, FTP provides a means for transferring data from your computer to the web host’s server.  While the protocol is quite useful, FTP also presents many security risks and making yourself aware of them is crucial.

Beware of FTP Attacks

FTP is ideal for transferring files to a remote location.  However, you should know that in its purest form, this protocol is far from secure.  FTP transmits your data over a network in plain text.  If the transmission is intercepted, the contents of those files can be viewed by unauthorized parties.  Furthermore, a knowledgeable hacker can use the FTP server as an entrance into your website.  This is done by repeatedly trying to logon with an incorrect user password.  In most cases, the profile is disabled after reaching the maximum threshold of three sign in attempts, thus giving the hacker all the ammunition they need to launch the attack.

RELATED:   Data Centers in China to Increase in 2015

The most effective way to protect yourself from an FTP password attack is through the use of an FTP server logon exit program.  This mechanism can provide security in the following ways:

Rejecting logon requests by any user profiles that you have not granted FTP access to.  With the use of an FTP server logon exit program, the logon attempts from the profiles you decide to block are not counted towards the maximum sign in count.

Limiting the number of clients from which a user profile is able to access the FTP server.  For instance, if someone from accounting is granted access, you can make configurations where only users with an IP address from the accounting department have FTP access.

RELATED:   What is Tor? A Closer Look at The Onion Router

Recording the credentials and IP addresses of all FTP logon attempts.  This allows you to regularly view the activity of each FTP logon attempt.  If a profile is ever disabled for reaching the maximum count, you can use their IP address, identify the perpetrator and handle the matter accordingly.

FTP Security Recommendations

Because FTP is naturally insecure, you may want to strongly consider backing it up with a reliable security mechanism.  The most highly recommended is Secure Sockets Layer, or simply SSL.  SSL is an encryption protocol that enables secure communications between the FTP server and client.  It ensures that transmissions are encrypted, maintaining confidentiality and integrity for all data that passes through.  This includes files as well as usernames and passwords.  Most FTP severs support SSL through the use of a digital certificate which also provides additional security with client authentication.

RELATED:   8 Easy Steps to Safeguard an Apache Web Server and Prevent DDoS Attacks

Though some recommend the use of anonymous FTP for the sharing of non-confidential data, this can be an even greater security risk.  With anonymous FTP, anyone can upload to your server without a username or password.   They could be transferring pirated software or malicious files.  Before taking such a gamble, be sure to weigh all the risks and take the appropriate measures to ensure that your FTP communications are secure.

Comments

3 Comments

  • Avatar Paul beddows says:

    BTW when I posted my comment it inserted http:// in front of the 2 file names. that should not be there.

  • Avatar Paul beddows says:

    I was suffering from attacks through FTP, until my web host, ixwebhosting, introduced a simple solution. I upload 2 files to my root called http://ftp.allow & ft.deny. This allows me to name what IP addresses can have ftp access. Since then I have had no attacks. Its great. All hosts should do this.

    If you want to see if it will work on your host which it probably won’t, create these 2 files in this format using any editor and upload them to the root directory:

    http://ftp.deny

    ALL: All

    http://ftp.allow

    ALL: allowed Ip address
    ALL: allowed Ip address

  • Avatar Scott Myers says:

    Consider using FTP/WatchDog (www.softwareassist.net) to monitor FTP usage real-time. It makes it easy to keep tabs on FTP server usage (one to many servers); who’s using it, what they are doing with it, transmission of sensitive data, etc.

Leave a Reply

Your email address will not be published. Required fields are marked *