How to Secure FTP Server

[XDRoX]

The File Transport Protocol, or FTP, TCP is a protocol of an old design, created to transfer files across the network. Because all transactions with the server is unencrypted, including user authentication, it is considered an insecure protocol and should be carefully configured. FTP includes internet protocol that allows you to transfer files of any type between different sites. Access to an FTP site can be of two types: valid, i.e. in a way that prompts the user to enter name and password, or that is anonymous in a way that does not require any authentication, and that usually is used to have access to areas that the operator of the server has defined as public.

This mode is most used for the retrieval of files shareware or public domain. FTP is short, the protocol which is classically the exchange of programs and documents via the Internet (a bit as it happens with e-mail), however, unlike e-mail that allows the exchange of files between a limited number of users (typically two, the sender and receiver) FTP is a service that a single entity or a provider, make available to the entire Internet community. In an anonymous FTP site, typically you will find software updates and documentation. Although access to an anonymous FTP site is not required to enter name and password, you must still respect a fundamental rule of netiquette and enter anonymous (spelled exactly like that) as the username, then your email address as the password. The figure is a typical example of the mask as an anonymous user connection to an FTP site. The password field contains the email address, however many programs the mask as you type directly for security reasons.

Here is some easy wasy to Secure your FTP Server :

Stopping Access to Anonymous clients : In Windows Server Anonymous login is setup by default. The FTP services comes with those settings. In this method the users can gain access to the server without the need of a user account. You can stop the same by clearing out the option of Allow Anonymous form the connection box. You can find the same in the Security Accounts column. Try to locate the same in the FTP Properties.

Logging Practice

You can setup a logging on your FTP so that you can track the record of logins on your server via ip address sand user account. This practice is much more better and helps you to identify the pattern of threats. The settings can be enabled from same properties tab of FTP Site.

Restricting the Disk Usage

You can use Disk Quota to control the usage of disk space. This can be effectively configured by reducing the amount of disk space that a user has on your system. I will recommend you to limit the amount of the same. You can enable the same from the disk partition properties.

IP Access

You make your server much secure if you can use IP Address filter. That means you can limit your server usage by IP Address. You can reduce exposure to your server and on the same hand unauthorized access is also stopped.

[XDRoX]

There are different options you can work on. Like Windows Server. Below is the way you can secure your FTS Server if you platform is Window Server.

• The administration console of the IIS FTP module is available in Administrative Tools, IIS Manager, and in the management of the computer, thanks to right-click the desktop, manage.
• Rights management will allow users access to restricted files when a user has a user group for example.
• Double click on the FTP server provides access to these configurations.
• Server security based on NTFS permissions of directories and files to allow or deny access.
• When using the anonymous account, use the Windows user is the user specified in the following tab:
• This window allows you to specify users allowed to connect to the server authenticated. It is more flexible to create a group UtilisateursFTP including all users may connect.
• After you specify the users allowed to connect, you must specify the permissions on the directories.
• At this stage, check that box is checked in the writing the Directory tab to allow anyone to edit a file.
• Right click on the FTP server, explore opens the file explorer on the right directory. Right click property, security specifies the security settings you want.

Authentication

The FTP specification allows for up to a simple user authentication, the ID and password without encryption between the client and server , transmitted from any security. To address the many security risks that affect the file transfer, security-specific extensions have been introduced. You are in RFC 2228 (FTP Security Extensions) is defined. These extensions provide a variety of security functions, especially for user authentication, integrity, confidentiality of data and control channels by encryption of commands and data Reply's.

The focus of the security enhancements is the user authentication. It begins when the client tells the server what security mechanism it wants to use. For this, the AUTH command is used. The server accepts this mechanism, or rejects it, if he does not support it. The client can test several mechanisms to find a method supported by both sides. Depending on the security protocol requires the server further information from the server. This protocol-dependent information, the client transmits to the ADAT command to the server. Depending on the protocol, the ADAT command used several times, until all the necessary parameters are exchanged between client and server.

This negotiation is only the vote of the implemented security features. For example, if the FTP server using an RSA key pair, the client, but not so indeed authenticate the client to the server, the server not the client against it. The two sides have agreed on a common encryption system that can also secure transmission channels for transmission of control commands and data are generated.

Attacks :

Attacker can paralyze an error in the function glob () in the C library Gnu Libc remotely FTP server. The error will be the processing of certain wildcard pattern also means that the memory fills an uncontrolled manner and thus slows down the server or crash. Most FTP globbing support, such as the search command stat called globbing, search using wildcards, which serves files with the. txt to search all for example. Normally limits the function GLOB_LIMIT for the allocated memory. The function does not apply if the attacker specifies multiple directories of wildcards and searching for a nonexistent file. Manipulated by the query, the memory from filling up the server and eventually bring the server to crash. FTP servers that provide anonymous access are particularly vulnerable. SFTP access are also affected by the problem.

Some FTP programs allow even the option, the globbing on or off. Most, however, access to the function of the system library Gnu Libc to be patched accordingly. The discoverer of the DoS vulnerability on OpenBSD, NetBSD, FreeBSD, Oracle, Sun Solaris 10 and the GNU libc contain the vulnerability. Thus affected are the FTP server from Adobe, HP and Sun. Oracle has fixed the affected Solaris version now. For OpenBSD and NetBSD are also available patches . Other distributions, such as Linux, there is no evidence as to whether they are affected or whether patches are ready.

[XDRoX]

FTP Support on Mac

The latest versions of web browsers (Internet Explorer 4 and Navigator or Communicator 4) allow access to FTP directories directly from the browser window. This greatly simplifies access to files on FTP for the novice user, but those who want to use the best tools will give serious consideration to the FTP programs on the management of this protocol. Having had access to an FTP server from the web browser you can load the file in your site by simply dragging (drag the folder containing them) in the browser window from. Among the most popular programs dedicated to doing FTP (FTP Client such) are Apple Mac Anarchie FTP and Fetch on the Macintosh and PC WS_FTP and

CuteFTP. These are shareware products, based on the concept that is the first test and then pay and can be found at various sites on the network (including of course our own). Using a web browser, FTP access is established by writing the protocol ftp:// in the address bar followed by your site, for example ftp:// is the address of our anonymous FTP site. Using the browser does not have to enter anonymous as your name and email address as your password, we think the browser using what you have entered in your preferences.

Pages with the FTP directory in Communicator may appear formatted in a somewhat 'Spartan. Whenever possible, the window will show the type, size, date and brief description of each file included in the directory. The directory is presented as a list of links where each link is preceded by an icon indicating another directory or other file. If you click on the link to a directory, will see its sub-directories. Usually, the beginning of the sub-directory contains a link to the root. Having had access to an FTP server can be taken or upload files sends a file on the site by dragging and dropping the file from the desktop in the browser. Note that you must write privileges on the FTP server (that is to enter a password and not anonymous users) to send the files.

Using Fetch, Anarchie or CuteFTP to access the FTP directory is very similar. When the program is presented the New FTP Connection which will be included in the information required for connection. In the window below shows an example of the window to the new connection of Anarchy. The figure shows how to establish an FTP connection validated by name and password. The password in this case is the same password used to log in to our PPP server. In the case of anonymous access simply enter, as well as the Host, "anonymous" as username (usually it can also leave the field blank) and your email address as password. Some FTP clients allow you to save the state of a file transfer without completing the download (although this does not always work) and can therefore not having to start over the removal of a document in case the connection is interrupted.