Companies are a favorite target of today’s hackers, and one of the most common threat vectors is an organization’s file transfer system. To help you protect your business, we’ve put together these eight essential tips for securing an FTP or SFTP server.
1. Use strong passwords
Too many systems get compromised as a result of overly simple passwords, and password security is the first line of defense against unauthorized access. Any secure password should fit the following criteria:
- Be alphanumeric
- Consist of at least fifteen characters (the longer, the better)
- Include a combination of letters, numbers, and special characters
System administrators should also avoid password reuse. Passwords should also be stored securely, e.g., on an external flash drive secured by a lock. Modern password managers make selecting large, complex, and unique passwords for every site and device easy.
2, Actively manage your account
We recommend active account management for your file transfer system, including the following:
- Never creating user accounts with OS-level access, anonymous or shared-account users
- Separate client credentials from FTP and SFTP application credentials
- Set user access alerts based on unusual activity (e.g. an unknown IP address or unverified device)
- Disable accounts after six months of disuse or three login failures
3. Secure your administrative access
Social engineering attacks can exploit employee negligence, and are some of the most widespread threats companies face. For example, a phishing attack might trick your administrator into resetting their password.
To minimize this threat, limit SFTP server access to necessary administrative personnel only, and require staff with credentials to use multifactor authentication. If you must store passcodes, do so on a secure AD domain or LDAP server for data transfer security.
4. Opt for a SFTP server over an FTP server
The standard FTP protocol is obsolete. Secure file transfer protocol (SFTP) servers work over a secure connection to protect your business and customers from potential threats while your data is in motion.
Try Cerberus SFTP Server with a 25-day risk-free trial. Download Now!
5, Reinforce FTPS protocols
FTPS connections by themselves are not fully secure, as the protocol does allow clients to connect to your network without requesting encryption. This feature should never be enabled on your network. Instead, require implicit encryption for all connections, which prevents data transmission in the clear. As well, update your file server to at least version 1.2 of the TLS protocol, as SSL and TLS 1.0 are outdated.
6. Use strong encryption and hashing algorithms
Increases in computing power have made older hash algorithms more susceptible to brute-force attacks. Outdated ciphers like Blowfish and DES are easily broken, and as a result your network should use the Advanced Encryption Standard (AES). Choose algorithms from the SHA-2 family to protect the integrity of your data transmissions.
7. Use file security
Abuse of file permission access is another way hackers can exploit your system. While clients need permission to upload or download files, they should never be granted exclusive access to an entire directory. Encrypt any idle files stored on a DMZ server, and only keep files on an FTP server as long as needed.
8. Use IP deny and allow lists
Denial-of-Service (DoS) attacks are still common. Programming your FTP or SFTP server to block malicious IP addresses is tedious but remains one of the best countermeasures to these attacks. Similarly, you can explicitly allow clients on your network using allow lists.
Can you make FTP secure?
Yes, you can make FTP secure by following the eight recommendations above:
- Strong passwords
- Actively managed accounts
- Secure administrative access
- Adopt SFTP instead of FTP
- Reinforce FTPS protocols
- Strong encryption and hashing algorithms
- File security
- IP deny and allow lists.
How do I setup a secure FTP?
To set up a secure FTP, you need to create a server, add users, and assign permissions. The server should have firewalls and intrusion detection systems (IDS) in place. You should also opt for SFTP instead of FTP, use strong encryption, and regularly audit the server.
For a deeper dive into setting up a secure FTP, check out our blog post on mitigating risks of FTP.
Is FTP secure over VPN?
While a VPN can add an extra layer of security, FTP over VPN is not entirely secure. FTP was not designed with security in mind, and even over a VPN, the data transmitted can be vulnerable. Instead, use SFTP, which is inherently secure and encrypts both commands and data.
Securing your FTP or SFTP server is a critical step in protecting your company’s data. By following these tips, you can significantly enhance the security of your file transfer systems. Remember, the key to effective cybersecurity is a layered approach – no single technique can provide complete protection. Using an intelligent FTPS server like Cerberus can provide the robust security you need to keep your data safe.
Cerberus SFTP server allows you to immediately upgrade your FTP server to include the security requirements mentioned above and be confident that your network is secured against intrusion. Our reliable file access software offers superior manageability and detailed activity reports with no software plugins required. Cerberus is one of the most versatile, compliant, and reliable FTP servers on the market.
Get started today by downloading your free trial.