4 Baby Steps to FTP Security [Server Security Resource]
Most of us still use the File Transfer Protocol (FTP) to upload files to our web sites. Let us take a quick look at how to improve its security with a few simple steps.
1. Use encryption / SFTP
FTP was not designed to be a secure protocol. It has weaknesses which, if the protocol is used carelessly, can lead to a breach of your server or site. By default FTP transmits everything in clear text: your access credentials (the USER and PASS commands on the control channel) as well as every file you upload or download. An attacker who can place himself or herself anywhere on the data path can sniff the traffic and read the credentials straight out of it, and freely available sniffing tools make this easy. With the rampant use of wireless networks this is a big issue, but the eavesdropping can happen at any of the hops between you and the server, not only on the local network.
Fig. 1. The “x” symbolizes protection against easy reading of the data. Traffic can still be captured under SFTP; what changes is that the captured bytes are encrypted.
A good protection against this is SFTP (SSH File Transfer Protocol). SFTP is not FTP tunnelled through SSH; it is a separate file-transfer subsystem that runs inside an SSH session, so it uses whatever port your SSH daemon listens on: 22 by default, or your custom port if you have moved SSH. Everything, credentials and file contents alike, travels inside the encrypted SSH channel, so the traffic can still be sniffed but cannot be read or easily tampered with. Two caveats: the protection against an attacker in the data path depends on the client checking the server's host key, so do not blindly accept a changed key; and once SFTP is in place, disable plain FTP on the server, since leaving it listening invites clients to keep using it. If you must keep FTP clients, FTP over TLS (FTPS) is the other encrypted option.
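To make the clear-text problem concrete, here is an added example (not code from the original article) that does what a sniffer on the path would do: reassemble the FTP control channel from captured TCP segments and pull out the USER/PASS pair. The same function is run over a constructed SSH stream, where nothing readable comes out. All byte strings below are constructed for the example; no real traffic is captured.

```python
"""Show why plain FTP leaks credentials: the USER/PASS commands are literal
ASCII on the control channel, so anything on the path can read them.

Added example, not code from the original article. The "captures" below are
constructed byte strings standing in for TCP payloads a sniffer would see.
"""
import re
from typing import Iterable, List, Optional, Tuple

# Constructed: client->server control-channel segments of one plain-FTP login.
# Segment boundaries deliberately fall mid-line to mimic TCP segmentation.
FTP_CLIENT_SEGMENTS = [
    b"USER alice\r\nPA",
    b"SS S3cret!pass\r\nPWD\r\n",
    b"CWD public_html\r\nPASV\r\nSTOR index.html\r\n",
]

# Constructed: a few bytes of an SSH session. Apart from the version banner,
# everything after key exchange is ciphertext and carries no readable commands.
SSH_SEGMENTS = [
    b"SSH-2.0-OpenSSH_9.6\r\n",
    bytes(range(0x80, 0xA0)) + b"\x13\x37\xde\xad\xbe\xef" * 4,
]

_USER_RE = re.compile(rb"^USER (\S+)$", re.IGNORECASE)
_PASS_RE = re.compile(rb"^PASS (.*)$", re.IGNORECASE)


def reassemble_lines(segments: Iterable[bytes]) -> List[bytes]:
    """Join TCP segments and split on CRLF, as the server (or a sniffer) would."""
    stream = b"".join(segments)
    return [line for line in stream.split(b"\r\n") if line]


def extract_ftp_credentials(segments: Iterable[bytes]) -> List[Tuple[str, str]]:
    """Return every (username, password) pair spoken on a plain-FTP control channel.

    A PASS that follows a USER completes one pair; a lone PASS is ignored.
    Lines that are not ASCII FTP commands (e.g. an encrypted SSH stream) never match.
    """
    found: List[Tuple[str, str]] = []
    pending_user: Optional[str] = None
    for line in reassemble_lines(segments):
        m = _USER_RE.match(line)
        if m:
            pending_user = m.group(1).decode("ascii", "replace")
            continue
        m = _PASS_RE.match(line)
        if m and pending_user is not None:
            found.append((pending_user, m.group(1).decode("ascii", "replace")))
            pending_user = None
    return found


def looks_like_plain_ftp(segments: Iterable[bytes]) -> bool:
    """Cheap IDS-style check: readable FTP verbs at line start mean plain FTP."""
    verbs = (b"USER ", b"PASS ", b"STOR ", b"RETR ", b"CWD ", b"PASV")
    return any(line.upper().startswith(verbs) for line in reassemble_lines(segments))


if __name__ == "__main__":
    print("FTP creds :", extract_ftp_credentials(FTP_CLIENT_SEGMENTS))
    print("SSH creds :", extract_ftp_credentials(SSH_SEGMENTS))
    print("plain FTP?", looks_like_plain_ftp(FTP_CLIENT_SEGMENTS),
          looks_like_plain_ftp(SSH_SEGMENTS))
```

The `looks_like_plain_ftp` check is the kind of rule a network monitor can run to find hosts that are still using plain FTP after you have switched to SFTP; it only needs the first few bytes of each connection.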
2. Define user accounts and manage promptly
Another step that should (or rather must) be taken is an administrative one. Give each person a separate account with only the access that person needs; with SFTP you can additionally confine each account to its own directory. Per-user accounts also make incident forensics easier, because every log entry maps to one individual. Delete unused accounts and temporary test accounts promptly. They are low-hanging fruit for an attacker, because they usually have old or easy passwords and nobody is watching them.
3. Enforce password compliance
Use strong passwords; easy passwords are easily broken. A good rule of thumb is at least 8 characters (longer is better), mixing upper and lower case letters, digits and preferably special characters. Names of partners, spouses, parents, kids or pets should be avoided, with or without a year or symbol tacked on. This can be a pain, because strong passwords are also hard to remember. You can also enforce password aging so that users are forced to change passwords periodically, and with SFTP you can replace passwords with SSH keys altogether.
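Steps 2 and 3 are both audits you can script. The added example below (not code from the original article) checks a list of accounts for the things the two steps call out: test or temporary accounts to delete, accounts nobody has logged into for a long time, passwords that have aged out, and candidate passwords that fail the policy, including ones built on a personal name. The account records, the name blocklist and the thresholds (60 days idle, 90 days password age) are constructed and are assumptions; on a real server you would read them from the account database.

```python
"""Audit FTP/SFTP accounts for stale or test accounts, aged-out passwords and
policy-violating passwords.

Added example, not code from the original article. Records, thresholds and
the personal-name blocklist are constructed for the example.
"""
import re
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

MIN_LENGTH = 8          # the article's rule of thumb
MAX_PASSWORD_AGE = 90   # days before aging forces a change (assumption)
STALE_AFTER = 60        # days without a login before an account is stale (assumption)
TEST_ACCOUNT_RE = re.compile(r"^(test|tmp|temp|demo)\d*$", re.IGNORECASE)

# Constructed: names the article says to avoid (partners, kids, pets ...).
PERSONAL_NAMES = {"alice", "bob", "fido", "rex", "mum", "dad"}


@dataclass
class Account:
    name: str
    last_login: Optional[date]      # None = never logged in
    password_set: date              # when the password was last changed
    password: Optional[str] = None  # only known at set/reset time


def password_problems(pw: str, personal_names=PERSONAL_NAMES) -> List[str]:
    """Return the policy rules a candidate password violates ([] = compliant)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH}")
    if not re.search(r"[a-z]", pw):
        problems.append("no lower-case letter")
    if not re.search(r"[A-Z]", pw):
        problems.append("no upper-case letter")
    if not re.search(r"\d", pw):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("no special character")
    # Strip digits and symbols so "Fido2024!" is still caught as the pet's name.
    core = re.sub(r"[^A-Za-z]", "", pw).lower()
    if core in personal_names:
        problems.append("based on a personal name")
    return problems


def audit_accounts(accounts: List[Account], today: date) -> Dict[str, List[str]]:
    """Map each account name to the reasons it needs attention (absent = fine)."""
    findings: Dict[str, List[str]] = {}
    for acct in accounts:
        reasons = []
        if TEST_ACCOUNT_RE.match(acct.name):
            reasons.append("test/temporary account: delete")
        if acct.last_login is None:
            reasons.append("stale: never logged in")
        elif (today - acct.last_login).days > STALE_AFTER:
            reasons.append(f"stale: no login for {(today - acct.last_login).days} days")
        if (today - acct.password_set).days > MAX_PASSWORD_AGE:
            reasons.append("password aged out: force change")
        if acct.password is not None:
            reasons += ["weak password: " + p for p in password_problems(acct.password)]
        if reasons:
            findings[acct.name] = reasons
    return findings


# Constructed sample data.
TODAY = date(2024, 6, 1)
SAMPLE_ACCOUNTS = [
    Account("webadmin", date(2024, 5, 28), date(2024, 4, 1)),
    Account("test2", None, date(2023, 11, 3)),
    Account("designer", date(2024, 1, 10), date(2024, 5, 1), password="Fido2024!"),
]

if __name__ == "__main__":
    for name, reasons in audit_accounts(SAMPLE_ACCOUNTS, TODAY).items():
        print(name, "->", "; ".join(reasons))
```

Run it from cron against your real account list and the output is your to-do list for step 2; wire `password_problems` into the password reset path and you have step 3 enforced at the point where it matters.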
4. Use an intrusion detection & prevention system
The server(s) must run a reasonably good intrusion detection and prevention system, one that at least watches the FTP and SSH logs for failed logins and blocks or throttles the offending source address (fail2ban is a common choice on Linux). Without one, an attacker can simply brute-force the login: given enough time and resources even strong passwords can be guessed, unless the number of attempts is limited.
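The core of such a system is small. The added example below (not code from the original article, and not fail2ban's own code) parses constructed vsftpd and OpenSSH failure lines, counts failures per source address in a sliding window, and bans a source once it crosses the threshold. The log lines, host names, addresses and the thresholds (5 failures within 10 minutes) are all constructed assumptions; an attacker who spaces attempts widely is shown too, to make the window logic visible.

```python
"""Brute-force detection over FTP/SSH logs: count failed logins per source IP
inside a sliding window and ban the source when the threshold is reached.

Added example, not code from the original article and not fail2ban's code.
Log lines, addresses and thresholds are constructed for the example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Optional, Tuple

MAX_FAILURES = 5             # assumption: failures allowed inside one window
WINDOW = timedelta(minutes=10)

# vsftpd style:  Sat Jun  1 10:00:01 2024 [pid 1201] [admin] FAIL LOGIN: Client "203.0.113.7"
VSFTPD_FAIL = re.compile(
    r"^(?P<ts>\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] \[(?P<user>[^\]]*)\] "
    r"FAIL LOGIN: Client \"(?P<ip>[\d.]+)\""
)
# sshd style (SFTP logins go through sshd):
#   Jun  1 10:00:30 web1 sshd[1312]: Failed password for invalid user test from 203.0.113.7 port 4444 ssh2
SSHD_FAIL = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)


def parse_failure(line: str, year: int = 2024) -> Optional[Tuple[datetime, str, str]]:
    """Return (timestamp, ip, user) for a failed-login line, else None."""
    m = VSFTPD_FAIL.match(line)
    if m:
        return datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"), m["ip"], m["user"]
    m = SSHD_FAIL.match(line)
    if m:  # syslog lines carry no year; assume the one given
        return datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["ip"], m["user"]
    return None


class BruteForceDetector:
    def __init__(self, max_failures: int = MAX_FAILURES, window: timedelta = WINDOW):
        self.max_failures = max_failures
        self.window = window
        self._failures: Dict[str, Deque[datetime]] = defaultdict(deque)
        self.banned: Dict[str, datetime] = {}

    def observe(self, ts: datetime, ip: str) -> bool:
        """Record one failure; return True if this one crosses the threshold."""
        if ip in self.banned:
            return False
        q = self._failures[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:  # forget failures outside the window
            q.popleft()
        if len(q) >= self.max_failures:
            self.banned[ip] = ts
            return True
        return False


def run_detector(lines: Iterable[str],
                 detector: Optional[BruteForceDetector] = None) -> List[Tuple[str, datetime]]:
    """Feed log lines through the detector; return [(ip, ban_time), ...] in order."""
    det = detector or BruteForceDetector()
    bans = []
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:  # successes and unrelated lines are ignored
            continue
        ts, ip, _user = parsed
        if det.observe(ts, ip):
            bans.append((ip, ts))
    return bans


# Constructed sample log: one fast attacker, one legitimate typo, one slow attacker.
SAMPLE_LOG = [
    'Sat Jun  1 10:00:01 2024 [pid 1201] [admin] FAIL LOGIN: Client "203.0.113.7"',
    'Sat Jun  1 10:00:03 2024 [pid 1202] [root] FAIL LOGIN: Client "203.0.113.7"',
    'Sat Jun  1 10:00:05 2024 [pid 1203] [test] FAIL LOGIN: Client "203.0.113.7"',
    'Sat Jun  1 10:00:09 2024 [pid 1204] [ftp] FAIL LOGIN: Client "203.0.113.7"',
    'Jun  1 10:00:11 web1 sshd[1310]: Failed password for alice from 192.0.2.5 port 51022 ssh2',
    'Jun  1 10:00:20 web1 sshd[1311]: Accepted password for alice from 192.0.2.5 port 51022 ssh2',
    'Jun  1 10:00:30 web1 sshd[1312]: Failed password for invalid user test from 203.0.113.7 port 4444 ssh2',
    'Jun  1 10:12:00 web1 sshd[1320]: Failed password for admin from 198.51.100.9 port 4000 ssh2',
    'Jun  1 10:24:00 web1 sshd[1321]: Failed password for admin from 198.51.100.9 port 4001 ssh2',
    'Jun  1 10:36:00 web1 sshd[1322]: Failed password for admin from 198.51.100.9 port 4002 ssh2',
]

if __name__ == "__main__":
    for ip, when in run_detector(SAMPLE_LOG):
        print(f"ban {ip} at {when:%H:%M:%S}")
```

Note that the slow attacker at 198.51.100.9 is never banned: with attempts twelve minutes apart the window only ever holds one failure. That is the trade-off a sliding window makes, and why the window (fail2ban's `findtime`) should be generous and why the ban should be enforced in the firewall rather than just logged.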
The security of any system is like a chain: it is only as strong as its weakest link. A single user who keeps connecting with plain FTP can still get an otherwise well-hardened server breached.
Hope these steps will help you use FTP more securely.
If you're facing server security issues, SecPanel might be able to help. Rudhir, the founder, can be found at @RudhirSharan.