The lack of security in FTP can be traced back to the environment for which it was originally designed. Back in the seventies, when the File Transfer Protocol first appeared, clients and servers interacted with a minimum of restrictions, and packets travelled directly to their destination. FTP was created before the introduction of SSL, like HTTP, SMTP and many other common Internet protocols. Therefore, it is inherently insecure, as data is not encrypted during transit. Usernames, passwords, FTP commands and transmitted files are all sent in plaintext and can be intercepted using a packet sniffer.
If you are looking to provide a convenient way for clients or staff to access non-confidential material, you can use anonymous FTP. Anonymous FTP doesn't require a password for each user, and as the information isn't sensitive, there is no need for encryption. However, there are still some security issues to consider.
To limit access just to the FTP home directory and its subdirectories, create a new, separate account for anonymous FTP users. Also, when users access the FTP site, display a welcome message that explains the terms and conditions they must agree to before using the site. Also log any FTP activity in order to comply with your security audit policies.
If you're running the FTP service solely for staff or a few select clients, set the limit on live connections to an appropriate level. There is no point allowing unlimited simultaneous connections to your server, since this only makes denial-of-service attacks easier. Also, in this scenario, I would recommend restricting access to users from a specific IP range or address, such as a trusted client or subnet of your Intranet. This is easily done by denying access to all computers and then configuring your trusted user's IP address as an exception. If you need to grant write permission to a directory so that users can upload files to your server, grant it on a separate directory that doesn't have read permission.
If any uploaded files or files available for downloading contain sensitive information, then you need to use a secure FTP protocol to keep network sniffers from reading them and your users' passwords upon connection. Read my tip on setting up a secure FTP server for more details on your two main choices, FTPS and SFTP.
Dig Deeper on IPv6 security and network protocols security
Related Q&A from Michael Cobb
WhatsApp vulnerabilities can enable hackers to bypass end-to-end encryption and spoof messages. Expert Michael Cobb explains how these attacks work ... Continue Reading
Disabling Google location tracking involves more than turning off Location History. Learn how to manage your account settings to stop tracking ... Continue Reading
Compared to TLS 1.2, TLS 1.3 saw improvements in security, performance and privacy. Learn how TLS 1.3 eliminated vulnerabilities using cryptographic ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.