Companies are a favorite target of today’s hacker, and one of the most common threat vectors is an organization’s file transfer system. To help you protect your business, we’ve put together these essential tips for securing an FTP or SFTP server.

1. Use strong passwords
Too many systems get compromised as a result of overly simple passwords. Any secure password should fit the following criteria:

  • Be alphanumeric
  • Consist of at least fifteen characters (the longer, the better)
  • Include special characters

System administrators should also avoid password reuse. Passwords should be stored securely, e.g. on an external flash drive secured by a lock. Modern password managers make it easy to select long, complex and unique passwords for every site and device.

2. Actively manage your account
It is dangerous to create user accounts with OS-level access, and anonymous or shared accounts should never be allowed. Keep client credentials separate from the FTP and SFTP applications themselves. We also recommend configuring user access restrictions that alert an administrator on unusual activity (e.g. a login from an unknown IP address or an unverified device). In addition, don’t forget to disable accounts after 6 months of disuse or three login failures.

3. Secure your administrator
Many of today’s hacks involve a social engineering component that takes advantage of employee negligence. The most common example is a phishing attack that asks your administrator to reset their password.

To minimize this threat, limit SFTP server access to only necessary administrative personnel, and require staff with credentials to use multifactor authentication. Passcodes that need to be stored should be restricted to an AD domain or LDAP server.

4. Opt for an SFTP server over an FTP server
The standard FTP protocol is obsolete: it sends credentials and file contents in clear text. Secure file transfer protocol (SFTP) servers work over an encrypted connection to protect your business and customers.

5. Reinforce FTPS protocols
FTPS is insecure when encryption is left optional. In explicit mode, clients can connect to the server over plain FTP without ever requesting encryption; a secure connection is established only if the client explicitly asks for it. This optional upgrade should never be enabled on your network. Instead, choose implicit encryption, so that every connection is required to be encrypted from the start. SSL and TLS 1.0 are outdated, so your file server should require at least version 1.2 of the TLS protocol.

6. Use strong encryption and hashing algorithms
Increases in computing power are making older hash algorithms more susceptible to brute-force attacks. The Blowfish and DES ciphers are already outdated and easily broken. Your network should use the Advanced Encryption Standard (AES) for encryption, and algorithms from the SHA-2 family to protect the integrity of your data transmissions.

7. Use file security
Hackers can exploit your system by abusing file permissions. While clients do need permission to upload or download files, they should never be granted unrestricted access to an entire directory. Any idle files stored on a DMZ server should be encrypted, and files on an FTP server should remain only as long as they are needed.

8. Use IP deny and allow lists
Denial-of-service (DoS) attacks are still common. Configuring the FTP or SFTP server to block malicious IP addresses is tedious, but it remains one of the best countermeasures to these attacks. Similarly, you can explicitly allow clients onto your network using allow lists, but this only works for the few traffic sources that still use static IP addresses.
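The alerting, lockout and deny-list rules from tips 2 and 8, as an added Python example that is not part of the original article or of Cerberus's software: it reviews a constructed login log (the log format, the reset-on-success counting of the three-failure threshold, and the per-user baseline of known IP addresses are all assumptions), disables accounts after three consecutive failed logins, alerts on a successful login from an IP not previously seen for that user, and builds a deny list of sources that generated repeated failures.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (the format is assumed for this
# example and is not Cerberus's own log format).
SAMPLE_LOG = """\
2024-05-01 09:00:01 LOGIN OK user=alice ip=203.0.113.10
2024-05-01 09:05:12 LOGIN FAIL user=bob ip=198.51.100.7
2024-05-01 09:05:20 LOGIN FAIL user=bob ip=198.51.100.7
2024-05-01 09:05:31 LOGIN FAIL user=bob ip=198.51.100.7
2024-05-01 09:10:00 LOGIN OK user=alice ip=192.0.2.55
2024-05-01 09:12:00 LOGIN FAIL user=carol ip=198.51.100.7
"""

LINE_RE = re.compile(r"^(\S+ \S+) LOGIN (OK|FAIL) user=(\S+) ip=(\S+)$")
MAX_FAILURES = 3  # the threshold given in tip 2

def review_auth_log(log_text, known_ips):
    """Disable accounts after MAX_FAILURES consecutive failures, alert on
    logins from an IP not in the user's known set, and deny IPs that caused
    MAX_FAILURES failures. Returns (accounts_to_disable, alerts, ips_to_deny)."""
    consecutive_failures = defaultdict(int)
    failures_by_ip = defaultdict(int)
    disable, alerts, deny = set(), [], set()
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # ignore lines that are not login events
        timestamp, result, user, ip = match.groups()
        if result == "FAIL":
            consecutive_failures[user] += 1
            failures_by_ip[ip] += 1
            if consecutive_failures[user] >= MAX_FAILURES:
                disable.add(user)
            if failures_by_ip[ip] >= MAX_FAILURES:
                deny.add(ip)
        else:
            # A successful login resets the per-account counter (assumption).
            consecutive_failures[user] = 0
            if ip not in known_ips.get(user, set()):
                alerts.append(f"{timestamp} {user} logged in from unknown IP {ip}")
    return sorted(disable), alerts, sorted(deny)

if __name__ == "__main__":
    known = {"alice": {"203.0.113.10"}}  # constructed baseline of expected IPs
    to_disable, found_alerts, to_deny = review_auth_log(SAMPLE_LOG, known)
    print("disable:", to_disable)
    print("deny:", to_deny)
    print("alerts:", found_alerts)
```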

With Cerberus SFTP server, you can immediately upgrade your FTP server to include the security requirements mentioned above and be confident that your network is secured against intrusion. Our reliable file access software offers superior manageability and detailed activity reports with no software plugins required. Cerberus is one of the most versatile and reliable FTP servers on the market. Get started today by downloading your free trial.