Secure FTP access; best practices

although @mahbubut-r-aaman mentions it in passing, I thought I'd expand on the bit about SSH. The answer I'd say for securing FTP is don't use FTP. The reason being that it (by default) sends usernames and passwords in the clear, which isn't considered a very secure approach.

Instead you could look at SFTP (which uses the SSH protocol) or FTP(S) which uses the FTP protocol with SSL for encryption.

Additionally I'd suggest looking at a solution like fail2ban to help block password guessing attempts.

changing the port that it listens on is a bit helpful in avoiding the noise in your logs of random attacks, but you shouldn't rely on it.

locking down access to specific source IP addresses is a good idea if it's practical as it'll limit who can attempt to access the site.


The problem with standard FTP

The standard FTP protocol is unsecured. Anybody on the network (any "man in the middle", as it's called, who can read and/or modify the data on the connection) can see what you are sending, and modify the sent data. A typical FTP login goes like this:

* TCP connection is made to the server
220 Welcome to this FTP server!
USER <username>
331 Password required for <username>
PASS <password>
<a positive or negative response>

As you can see, there is no protection of the password whatsoever. As anyone on the network can read this, an attacker can easily log in with a stolen username and password.

There are multiple ways to fix this. You could use something other than FTP, but since that's off-topic here I won't go into this. FTP itself knows two popular secured versions: FTPS and SFTP. You can keep them apart as follows: FTPS has an S in the end, just like HTTPS. And indeed, it works exactly the same as HTTPS, which is by the SSL/TLS protocol. SFTP, with a prefixed S, uses SSH to connect and is more popular on Linux servers.

In this post I'll focus on FTPS.

About the measures you've taken so far

First of all, it's a good thing that you're actively seeking to secure this. Many people would simply not care!

  • Changing the port number

    This helps in two ways, though both are not really worth it.

    1. Using an alternate port makes it a little bit less obvious that it's FTP traffic, but it is still very trivial to notice when anyone is actively looking to hack you and can monitor your network.
    2. I regularly see people scanning random servers on port 21 to see if there are unsecured accounts active, but a password like "1Q3XX" would already not be guessed by them (they mostly do dictionary attacks). So it's not really advantageous to change the port if your passwords are better than "admin" or "123456".
  • Upload can be done from a fixed (our local) IP

    This helps a little more, but it also limits you. If you are at home and notice a huge security hole in your website, you would need to drive over. With a decent password, limiting the IP should not be needed, especially if you have a server that supports automatic banning after too many invalid login attempts.

    You could setup a VPN to avoid having to drive over, but what's the point if you could simply choose a strong FTP password?

Software suggestion

Since you didn't mention it, I'll assume you're open to any FTP client and server implementation available for any OS.

Although I haven't tested many FTP servers, FileZilla Server works well for my purposes, and I guess it would work good for any small organisation. Features include:

  • Multiple users and user groups
  • Allowing or denying access from given IPs, both per-user and globally for the server
  • FTPS. Like HTTPS is secure HTTP, FTPS is secure FTP. It works entirely over SSL/TLS and secures the data being sent. The data (the login and the code) cannot be read or changed by someone in the middle (like a hacker on a public wifi network, or even your government or ISP). You can simply install your own certificate.
  • You can force the use of FTPS per user, and also force encrypting files being sent (some clients only encrypt the login data)
  • Automatic banning after too many invalid logins is possible (it bans the IP for some time, which you can set)
  • Logging is supported, and you can set how long logs are stored, how large they may become, etc.
  • Many more non-security-related features like speed throttling/limiting, limiting the number of concurrent client, setting which port it listens on, setting a welcome message, etc.
  • The configuration is in XML, and there is an admin panel (the admin panel can be connected to remotely, and is protected by a password). This means that you can also automate adding users to the XML file if you want to.
  • One disadvantage is that it is Windows-only.

If you are using a Linux server, you could look for FTP servers with similar options. By far the most important feature to look for in a server is FTPS or SFTP, and the possibility to force that so that nobody can accidentally connect without encryption. Besides that, autobanning and logging are rather important.

Then for the client, I again think that FileZilla is a very good option.

  • It supports FTPS and SFTP, and even client certificates for authentication.
  • You must explicitly trust the certificate sent by the server, optionally storing and trusting the certificate. If a certificate is forged by a hacker, you will know because it asks you again "do you want to trust this unknown certificate?".
  • Multi-platform (runs on Windows, Mac and Linux)
  • Many more options like synchronised directory browsing, a site manager (store logins for different servers), compare files in the local and remote directory listing based on size and modification date, limit speeds and concurrent transfers, etc.

Following steps will help you to secure FTP access

  • Disable Anonymous Access
  • Setup your FTP site as Blind Put
  • Enable Disk Quotas
  • Use Logon Time Restrictions
  • Restrict Access by IP
  • Audit Logon Events
  • Enable Strong Password Requirement
  • Enable Account Lockout and Account Lockout Threshold
  • Make SSH access compulsory

EDIT :

  • A nice research at IBM regarding FTP Security

EDIT : Example of Implementation

  • Integrating SFTP into FreeBSD production servers using the public key cryptography approach

  • Secure FTP

EDIT : I like @Rory McCune's Answer. Nice and Great explanation.

Instead of using FTP, better if you could look at SFTP (which uses the SSH protocol) or FTP(S) which uses the FTP protocol with SSL for encryption.

fail2ban is a nice solution to help block password guessing attempts.

Changing the port that it listens on is a bit helpful in avoiding the noise in your logs of random attacks.

EDIT : I prefer @Rook's Comment

don't use ftp! Your password and your code in in plain text!

Tags:

Ftp

Defense