Securing FTPI’ve had several questions from clients recently on how they can to secure FTP running on their web servers. The easy and short-sighted response would be “Are you nuts? You need to run FTP on a dedicated server!” However, looking at it from a business perspective considering things like money, politics, business process and third-party system architectures – it’s not that simple of a fix.

Best practice or not, FTP is often running on web servers and it’s certainly something worth poking and prodding for additional security flaws. I often see outdated FTP software and anonymous access enabled to the outside – both of which can be exploited for ill-gotten gains potentially exposing the entire web server to website hacking and public exposure. The biggest risk to me, though, is weak FTP passwords waiting to be uncovered by dictionary or brute-force password authentication attacks. This is an attack that can go unnoticed indefinitely and put critical business information at risk – especially if intruder lockout is not enabled which is usually the case.

Many of my clients use third-party managed firewalls and intrusion detection and are typically alerted to such attacks against FTP. Yet still, any login hacking attempt can make you nervous especially knowing that manual cracking is likely to fly under the radar of these controls. So the question becomes, is there anything you can do to be more proactive and prevent FTP password-cracking attempts from occurring in the first place?

The ultimate control is to remove FTP from public access but that’s often not a reasonable option. Managed firewall and IPS is another great option. Ditto with any in-house firewall/IPS you may have. Changing the default FTP ports can help prevent automated attacks. This will provide minimal value and may end up being more trouble than it’s worth but it’s an option nonetheless. Otherwise, the best you can do is ensure that complex passwords are in place and enforced and intruder lockout is enabled on the FTP server.

All of this starts with knowing how your Web/FTP servers are currently at risk. Running a simple port scan of your external-facing systems can uncover FTP that you may not have known about – or have forgotten about. I recommend going a step beyond that running a good vulnerability scanner of the host itself to see what FTP-centric flaws it uncovers. In the end, you’ve got to look at your Web servers from every angle. All it takes is one seemingly benign weakness to undermine everything you’ve worked so hard to harden and protect.

Kevin Beaver

Kevin Beaver, CISSP is an independent information security consultant, writer, and professional speaker with Atlanta, GA-based Principle Logic, LLC. With over 32 years in IT and 26 years in security, Kevin specializes in vulnerability and penetration testing, security program reviews, and virtual CISO consulting work to help businesses uncheck the boxes that keep creating a false sense of security.