The lack of security in FTP can be traced back to the environment for which it was originally designed. Back in...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
the seventies, when the File Transfer Protocol first appeared, clients and servers interacted with a minimum of restrictions, and packets travelled directly to their destination. FTP was created before the introduction of SSL, like HTTP, SMTP and many other common Internet protocols. Therefore, it is inherently insecure, as data is not encrypted during transit. Usernames, passwords, FTP commands and transmitted files are all sent in plaintext and can be intercepted using a packet sniffer.
If you are looking to provide a convenient way for clients or staff to access non-confidential material, you can use anonymous FTP. Anonymous FTP doesn't require a password for each user, and as the information isn't sensitive, there is no need for encryption. However, there are still some security issues to consider.
To limit access just to the FTP home directory and its subdirectories, create a new, separate account for anonymous FTP users. Also, when users access the FTP site, display a welcome message that explains the terms and conditions they must agree to before using the site. Also log any FTP activity in order to comply with your security audit policies.
If you're running the FTP service solely for staff or a few select clients, set the limit on live connections to an appropriate level. There is no point allowing unlimited simultaneous connections to your server, since this only makes denial-of-service attacks easier. Also, in this scenario, I would recommend restricting access to users from a specific IP range or address, such as a trusted client or subnet of your Intranet. This is easily done by denying access to all computers and then configuring your trusted user's IP address as an exception. If you need to grant write permission to a directory so that users can upload files to your server, grant it on a separate directory that doesn't have read permission.
If any uploaded files or files available for downloading contain sensitive information, then you need to use a secure FTP protocol to keep network sniffers from reading them and your users' passwords upon connection. Read my tip on setting up a secure FTP server for more details on your two main choices, FTPS and SFTP.
Dig Deeper on IPv6 security and network protocols security
Related Q&A from Michael Cobb
A flaw in the open source graphics library libpng enabling denial-of-service attacks was discovered. Expert Michael Cobb explains how the ...continue reading
Flaws in the Apple Notify function and iTunes can enable attackers to inject malicious script into the application side. Expert Michael Cobb explains...continue reading
Facebook's Delegated Recovery aims to replace knowledge-based authentication with third-party account verification. Expert Michael Cobb explains how ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.