Information Security Office

Securing FTP

FTP (File Transfer Protocol) is a network protocol for transferring files between a client and server. Unfortunately, FTP was not developed with security in mind and can reveal personal information and file contents to unauthorized users. It is strongly recommended to examine other secure file transfer technologies that are available.

Security issues with FTP:

  • Usernames and passwords are transferred in plaintext. These can be intercepted by unauthorized users.
  • FTP login screens can reveal server version information and other details. This can lead to directed attacks to gain unauthorized access.
  • Anonymous logins can lead to information exposure and system compromises if not properly maintained, logged and periodically updated to address vulnerabilities.

Recommendations to secure FTP:

  • If FTP is required, only enable it when necessary and disable it immediately after use.
  • Change the banner message so that it does not show the FTP software version.
  • Disable anonymous user access. Attackers will often look for this to hijack the server.
  • Enable logging to determine whether accounts are being used as expected.
  • Enable Access Control Lists (ACLs) if available.
  • Set up FTP as “blind put.” This allows users only to place files if needed and does not display the file directory.
  • Enable disk quotas.
  • Enable logon time restrictions.
  • Restrict access by IP. This will greatly reduce exposure to unauthorized access.
  • Audit logon events.
  • Enable strong password requirement.
  • Enable account lockout and account lockout threshold.
  • Install SFTP – Secure FTP that applies encryption to messages between client and server.
  • Configure FTPS – FTP over SSL (Secure Sockets Layer).
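
As an added example (not part of the original page), the Python script below checks four of the recommendations above (anonymous access, banner, logging, FTPS) against a server configuration file. It assumes the server is vsftpd, which the page does not name, and both sample configurations are constructed.

```python
import re

# vsftpd's built-in values, used when a directive is absent from the file.
DEFAULTS = {"anonymous_enable": "YES", "xferlog_enable": "NO",
            "ssl_enable": "NO", "force_local_logins_ssl": "YES",
            "ftpd_banner": ""}

def parse_conf(text):
    """Parse vsftpd.conf text (option=value, '#' comments) over the defaults."""
    conf = dict(DEFAULTS)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf

def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    conf, findings = parse_conf(text), []
    yes = lambda k: conf[k].upper() in ("YES", "TRUE", "1")
    if yes("anonymous_enable"):
        findings.append("anonymous access is enabled")
    banner = conf["ftpd_banner"]
    if not banner:
        findings.append("no custom banner: default banner shows the software version")
    elif re.search(r"vsftpd|\d+\.\d+", banner, re.I):
        findings.append("banner names the software or a version number")
    if not yes("xferlog_enable"):
        findings.append("transfer logging is disabled")
    if not yes("ssl_enable"):
        findings.append("FTPS is off: credentials travel in plaintext")
    elif not yes("force_local_logins_ssl"):
        findings.append("FTPS is optional: plaintext logins are still accepted")
    return findings

# Constructed sample configurations (not taken from any real server).
WEAK = "anonymous_enable=YES\nftpd_banner=Welcome to vsFTPd 3.0.3\n"
HARDENED = ("anonymous_enable=NO\nftpd_banner=Authorized use only.\n"
            "xferlog_enable=YES\nssl_enable=YES\nforce_local_logins_ssl=YES\n")

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(text) or "no findings")
```

The remaining recommendations (IP restrictions, quotas, lockout, logon hours) are usually enforced outside the FTP daemon's own configuration, so they are not covered by this check.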

More information:

Port 20/21 FTP  - SANS Internet Storm Center