by Michael Ryan, CEO, South River Technologies
Keeping corporate servers safe is a constant concern for IT professionals. Typically, the first step in Secure File Transfer server security is choosing a secure protocol such as FTP/S or SFTP. Sometimes, that’s not possible, so what other security measures can you take?
The most important thing to focus on is to not be an easy target. Guaranteeing that you’ll never be hacked isn’t likely, but you can make your Secure File Transfer server a much less attractive target. Here are 7 ways to do this:
Control Unauthorized Server Access
It may seem obvious, but your first line of defense against attacks is controlling server access. Keeping non-authenticated users or programs from accessing your servers is an important factor in ensuring that your confidential information stays as secure as possible.
- Anti-hacking (password guessing) features on your SFTP server should be enabled. Your server should have settings for how many invalid password attempts can be made before the user (or program) is locked out. Ideally, this should be set at about 3, but no higher than 5. This makes the time between attempts much longer and reduces the likelihood of password guessing.
- Disable anonymous access – or use it with extreme caution. In many FTP servers, there is actually a user named “anonymous.” If you use anonymous access, make sure that this user is locked into their home directory and has read-only privileges. Even if you do this, logging in as anonymous may enable the user to determine which port you use for FTP and which version of the server software that you are running. They can easily do research to determine if any security vulnerabilities exist in the software version you are running. The best practice, if you need to offer downloads through anonymous access, is to put those files on a dedicated SFTP server that sits outside your DMZ.
- Anti-hammering features should also be enabled. This helps to prevent Denial of Service (DoS) attacks. A DoS attack is a way of making a server unavailable to its users by using a program to saturate the target server with communication requests. This makes the server so busy that it cannot process the legitimate file transfer requests. Your SFTP Server should have settings for the maximum number of requests per second that the server will allow. The minimum setting should be about 40 connections per second. If you have very high traffic to your server, you may want to set this number a bit higher, so that you don’t lock out legitimate traffic. Setting it lower will make it more secure, but increases the risk of blocking actual user requests. It’s important to carefully consider this balance, and to look at your server log files to determine normal usage ranges.
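The lockout and connection-rate ceilings described above, modelled in Python as an added example (not code from the article or from any product): the thresholds of 3 invalid attempts and 40 connections per second are the article's; the `AccessGuard` class, the event sequence and the address are constructed.

```python
"""Minimal model of two server-side protections: lock an account after
N consecutive invalid passwords, and cap connections per second per
source address. Thresholds follow the article; all else is constructed."""
from collections import defaultdict, deque

MAX_INVALID_ATTEMPTS = 3      # lock the account on the 3rd failure
MAX_CONN_PER_SECOND = 40      # anti-hammering ceiling per source address


class AccessGuard:
    def __init__(self, max_attempts=MAX_INVALID_ATTEMPTS,
                 max_rate=MAX_CONN_PER_SECOND):
        self.max_attempts = max_attempts
        self.max_rate = max_rate
        self.failures = defaultdict(int)      # user -> consecutive failures
        self.locked = set()                    # accounts currently locked out
        self.conn_times = defaultdict(deque)   # ip -> timestamps in last 1 s

    def connection(self, ip, now):
        """Return True if a new connection from ip at time now may proceed."""
        window = self.conn_times[ip]
        window.append(now)
        while window and now - window[0] >= 1.0:   # slide the 1-second window
            window.popleft()
        return len(window) <= self.max_rate

    def login(self, user, password_ok):
        """Return 'ok', 'denied' or 'locked' for one authentication attempt."""
        if user in self.locked:
            return "locked"
        if password_ok:
            self.failures[user] = 0            # a success resets the counter
            return "ok"
        self.failures[user] += 1
        if self.failures[user] >= self.max_attempts:
            self.locked.add(user)
            return "locked"
        return "denied"


def demo():
    g = AccessGuard()
    # constructed: three wrong passwords for 'alice', then the right one
    results = [g.login("alice", ok) for ok in (False, False, False, True)]
    # constructed: 45 connections from one address within 90 milliseconds
    allowed = sum(g.connection("203.0.113.7", 0.002 * i) for i in range(45))
    return results, allowed
```

Once locked, even the correct password is refused until an administrator (or a timed unlock, not modelled here) clears the account.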
Users are the Weakest Link
Regardless of the measures you take to secure your server, you are at the mercy of your users. Users want their passwords to be simple to type and easy to remember. Users like words, especially words that mean something to them – a pet’s name or a child’s name, for example. And users often reuse the exact same passwords on a multitude of sites and services.
- Two-factor authentication should be an option. As mentioned previously, hacking passwords is one of the most common ways that unauthorized users gain access to systems. In addition to password policies, one method of drastically reducing the likelihood of password guessing is to implement an additional level of authentication. There are many ways that two-factor authentication can be implemented. A common way of doing this is with a token, such as a Safenet or RSA token. The token displays a numeric string that changes at short intervals. The user is required to enter the displayed numbers. The numeric string is then validated against a remote server or satellite. If it matches, the user progresses to the next level of authentication, which is entering their password.
- Intelligent password policies should be implemented. While your system may be secure from hacking, if a password on another system is hacked, there’s a good chance that password will work in many places. Your server should allow the administrator to enforce policies on password length and what type of characters must be used. Requiring a password to include both upper and lower-case letters, at least 1 number and at least 1 special character will add exponentially to the number of possibilities for what the password can be. And a minimum length of 8 characters also makes the password much more difficult to guess.
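The policy just described (minimum 8 characters, upper and lower case, at least one digit and one special character), written as an added Python example rather than code from the article or any product; the function names and the sample passwords are constructed, and the keyspace estimate assumes an attacker searches only the character classes actually present.

```python
"""Password-policy check and a rough keyspace estimate showing why
mixing character classes enlarges the search space. Rules follow the
article; helper names and sample inputs are constructed."""
import math
import string

MIN_LENGTH = 8
CLASSES = {
    "lower": set(string.ascii_lowercase),    # 26 characters
    "upper": set(string.ascii_uppercase),    # 26
    "digit": set(string.digits),             # 10
    "special": set(string.punctuation),      # 32
}


def policy_violations(password):
    """Return the rules a candidate password fails (empty list = accepted)."""
    chars = set(password)
    missing = [name for name, cls in CLASSES.items() if not chars & cls]
    if len(password) < MIN_LENGTH:
        missing.append(f"length<{MIN_LENGTH}")
    return missing


def keyspace_bits(password):
    """log2 of the number of candidates an attacker must try if they know
    the length and which character classes the password draws from."""
    present = set(password)
    alphabet = sum(len(cls) for cls in CLASSES.values() if present & cls)
    return len(password) * math.log2(alphabet) if alphabet else 0.0


if __name__ == "__main__":
    for pw in ("fluffy", "Fluffy2024!"):       # constructed samples
        print(pw, policy_violations(pw), round(keyspace_bits(pw), 1))
```

A six-letter lowercase pet name sits in a space of roughly 2^28 candidates; the same word padded to the policy's requirements sits in one of roughly 2^72.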
Don’t Fall Victim to Your Software
As easy as it is to keep your software up to date, this is one place where many companies cut corners. Ensuring that you are running the best and latest versions of your software is key to staying cyber safe.
- Keep your server and your operating system up to date. If you have good SFTP server software and it’s working well for you, there is often a temptation to leave it alone. However, new security threats are born every day, and server software companies are working constantly to keep ahead of these threats. Running out-of-date software means that you may be subjecting your server (and your network) to security threats that can easily be avoided with a simple software update. Similarly, the operating system should also be kept up to date. Apply service packs and other updates regularly so that vulnerabilities at the operating system level are less likely.
- Don’t use freeware. Most companies that sell Secure File Transfer servers or Managed File Transfer servers will tell you not to use freeware – and rightly so. They have a vested interest in encouraging customers to buy these products. But there are legitimate reasons that you should avoid freeware:
  - Development environments may not be secure. This increases the risk of malware in free downloads.
  - Developers can make FTP or SFTP work without strictly adhering to the IETF specifications for protocols. This may leave some functions unimplemented.
- Choose a company that has an interest in your success. If your SFTP server encounters problems, how important is it for the company to get you working again? How concerned are they about your protection and staying current with the newest security standards?
Even though it’s an insecure protocol, using FTP is often a technical requirement – perhaps for connecting with partners or legacy systems, or because it’s easy and cost effective for distributing files. Use secure protocols if you have the option to do so. FTP is more frequently used today than you might expect. Use these tips to make sure that your server is as secure as possible.