SFTP Server Security Best Practices
Keeping your corporate servers safe is a constant concern for IT professionals. Typically, the first step in SFTP Server security is choosing a secure protocol such as FTP/S or SFTP. Sometimes, that’s not possible, so what other security measures can you take?
The most important thing to focus on is to not be an easy target. Guaranteeing that you’ll never be hacked isn’t likely, but you can make your SFTP server a much less attractive target. Here are 7 ways to do this:
1. Anti-hacking (password guessing) features on your SFTP server should be enabled. Your SFTP/FTP Server should have settings for how many invalid password attempts can be made before the user (or program) is locked out. Ideally, this should be set at about 3, but no higher than 5. This makes the time between attempts much longer and reduces the likeliness of password guessing.
2. Disable anonymous access – or use with extreme caution. In many FTP servers, there is actually a user named “anonymous.” If you use anonymous access, make sure that this user is locked into their home directory and has read-only privileges. Even if you do this, logging in as anonymous may enable the user to determine which port you use for FTP and which version of the SFTP/FTP Server software that you are running. They can easily do research to determine if any security vulnerabilities exist in the software version you are running. The best practice, if you need to offer downloads through anonymous access, is to put those files on a dedicated SFTP server that sits outside your DMZ.
3. Anti-hammering features should also be enabled. This helps to prevent Denial of Service (DoS) attacks. A DoS attack is a way of making a server unavailable to its users by using a program to saturate the target server with communication requests. This makes the server so busy that it cannot process the legitimate file transfer requests. Your SFTP Server should have settings for the maximum number of requests per second that the server will allow. The minimum setting should be about 40 connections per second. If you have very high traffic to your server, you may want to set this number a bit higher, so that you don’t lock out legitimate traffic. Setting it lower will make it more secure, but increases the risk of blocking actual user requests. It’s important to carefully consider this balance, and to look at your server log files to determine normal usage ranges.
Titan FTP Server supports all of the above functions and offers events automation to thwart hackers.
4. Intelligent password policies should be implemented. Users want their passwords to be simple to type and easy to remember. Users like words, especially words that mean something to them – a pet’s name or a child’s name. And users often use the exact passwords on a multitude of sites and services. So while your system may be secure from hacking, if a password on another system is hacked, there’s a good chance that password will work in many places. Your server should allow the administrator to enforce policies on password length and what type of characters must be used. Requiring a password to include both upper and lower case letters, at least 1 number and at least 1 special character will add exponentially to the number of possibilities for what the password can be. And a minimum length of 8 characters also makes the password much more difficult to guess.
5. Keep your server and your operating system up to date. If you have good SFTP server software and it’s working well for you, there is often a temptation to leave it alone. However, new security threats are born every day, and server software companies are working constantly to keep ahead of these threats. Running out-of-date software means that you may be subjecting your server (and your network) to security threats that can easily be avoided with a simple software update. Similarly, the operating system should also be kept up to date. Apply service packs and other updates regularly so that vulnerabilities at the Operating System level are less likely.
6. Don’t use freeware. Most companies that sell SFTP servers will tell you not to use freeware – and rightly so. They have a vested interest in encouraging customers to buy these products. But there are legitimate reasons that you should avoid freeware:
- Development environments may not be secure. This increases the risk of malware in free downloads.
- Developers can make FTP work without strictly adhering to the IETF specifications for protocols. This may leave some functions unimplemented.
- Choose a company that has a vested interest in your success. If your SFTP server fails, how important is it for the company to get you working again? How concerned are they about your protection?
Using SFTP is frequently a technical requirement – perhaps for connecting with partners or legacy systems, or because it’s easy and cost-effective for distributing files. SFTP is more frequently used today than ever before. Use these tips to make sure that your server is as secure as possible.