Don’t Underestimate the Value of FTP Security
By Daniel Abrams
Special to YNOT
First in a series about securing your online operations.
Before there was the Web, there were hackers. Hackers have always been in the mix, and the birth of the World Wide Web provided hackers another playground to spoil. But if one is careful and vigilant, one can defend oneself against hackers.
One place often left unguarded is a website’s FTP server. It is of critical importance to maintain FTP security in order to prevent unauthorized access by third parties. If a hacker gains access to your FTP server, they can cause many problems:
- Wipe your server: delete files, databases and content.
- Gain access to privileged content like root server passwords and client passwords, client data and content.
- Install a rootkit: a collection of computer software, typically malicious, designed to enable access to a computer or areas of its software that would not otherwise be allowed, while at the same time masking its existence or the existence of other software.
And they can do even more damage.
FTP intrusion is avoidable. Here are some tips to keep your FTP server locked down:
Change your password on a regular basis. Change your FTP password monthly or when you suspect your server has been hacked. When choosing a password, choose something strong: a random string of alphanumeric characters that also contains special characters works best. A good tool to generate strong passwords is Password Sentry’s PassMeter Tool.
If you provide FTP access to a third party, make access temporary. Grant them access only to the directory or directories they are working in, and delete the FTP account as soon as they are done.
Use an IP whitelist. Only grant FTP access on the basis of a user’s IP address.
Use SFTP instead of FTP. Unlike standard File Transfer Protocol (FTP), SFTP encrypts both commands and data, preventing passwords and sensitive information from being transmitted in the clear over a network.
I recommend you utilize all of the tips. An FTP server cannot be too secure.
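The tips above can be checked mechanically. The following is an added example, not part of the original article: a Python audit of a constructed account inventory and login list against each tip. The field names, accounts and IP addresses are hypothetical, and the 30-day threshold stands in for "monthly".

```python
from datetime import date
from ipaddress import ip_address, ip_network

MAX_PASSWORD_AGE_DAYS = 30  # the article's "change your FTP password monthly"
# Constructed sample inventory; the field names are hypothetical.
ACCOUNTS = [
    {"user": "webmaster", "third_party": False, "protocol": "sftp",
     "password_changed": date(2024, 5, 20), "expires": None,
     "root_dir": "/var/www/site", "allowed_nets": ["203.0.113.10/32"]},
    {"user": "designer", "third_party": True, "protocol": "ftp",
     "password_changed": date(2024, 3, 1), "expires": None,
     "root_dir": "/", "allowed_nets": []},
    {"user": "billing-dev", "third_party": True, "protocol": "sftp",
     "password_changed": date(2024, 5, 25), "expires": date(2024, 5, 31),
     "root_dir": "/var/www/site/billing", "allowed_nets": ["198.51.100.0/24"]},
]
# Constructed login records: (user, source IP).
LOGINS = [("webmaster", "203.0.113.10"), ("webmaster", "192.0.2.77"),
          ("billing-dev", "198.51.100.23")]

def audit_account(acct, today):
    """Return which of the article's tips this account violates."""
    findings = []
    if acct["protocol"] != "sftp":
        findings.append("uses plain FTP instead of SFTP")
    if (today - acct["password_changed"]).days > MAX_PASSWORD_AGE_DAYS:
        findings.append("password older than 30 days")
    if not acct["allowed_nets"]:
        findings.append("no IP whitelist")
    if acct["third_party"]:
        if acct["expires"] is None:
            findings.append("third-party account has no expiry date")
        elif acct["expires"] < today:
            findings.append("third-party account is past expiry, delete it")
        if acct["root_dir"] == "/":
            findings.append("third-party account is not confined to a directory")
    return findings

def off_whitelist_logins(accounts, logins):
    """Return logins whose source IP is outside the account's whitelist."""
    nets = {a["user"]: [ip_network(n) for n in a["allowed_nets"]] for a in accounts}
    return [(user, ip) for user, ip in logins
            if not any(ip_address(ip) in net for net in nets.get(user, []))]

if __name__ == "__main__":
    today = date(2024, 6, 1)  # fixed date so the output is reproducible
    for acct in ACCOUNTS:
        print(acct["user"], audit_account(acct, today))
    print("off-whitelist logins:", off_whitelist_logins(ACCOUNTS, LOGINS))
```

An account with an empty whitelist fails closed here: every login for it is reported, as is any login for a user missing from the inventory.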
Daniel Abrams is the chief executive officer of Password Sentry, developer of a website password protection application that monitors logins to detect and block password sharing.