Secure your SFTP server: Tip 3 - SFTP server autobanning and IP filtering

The previous tip in our series on securing your SFTP server involved utilizing the resources of the corporate network to bar intruders, primarily via the corporate firewall. Now that we've done our best to keep intruders away from our server machine, it's time to ensure that those who attempt to log onto your SFTP server are only those permitted to do so. How do SFTP servers like CompleteFTP typically prevent unauthorized users from gaining access? Via three security mechanisms - SFTP server autobanning, IP filtering, and strong password policies.

IP filtering means setting up the server's IP filter rules so that only users from permitted IP addresses are able to access the server. Connections from IP addresses that do not pass the rule set are terminated immediately. It is best to use a whitelist rather than a blacklist. A whitelist bars all IP addresses except for those listed, which means every external IP address that needs access must be explicitly added. This is tedious, but safer - although it is not possible when the full set of permitted IP addresses is not known in advance. A blacklist is a list of banned IP addresses or address ranges. Given the vast range of IP addresses that an attacker may use, blacklists are not usually practical.

SFTP server autobanning is the second useful security mechanism. It automatically bans an IP address from connecting to your server for a period of time once that address has failed to authenticate a certain number of times within a given time window. For example, an attacker from a given IP address might fail to guess a password correctly 10 times within a 60 second period. With SFTP server autobanning, their IP address would be banned from connecting to your SFTP server for the next hour. After an hour has elapsed, the ban would be automatically lifted.

Why is autobanning helpful? It helps to prevent dictionary attacks, in which an attacker cycles through an entire dictionary of passwords and tries them one by one. Because the IP address is banned after only a few attempts, dictionary attacks are discouraged, as they are made extremely time consuming. And of course autobanned IP addresses can be permanently banned by adding a new IP filter rule.
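To make the IP filtering and autobanning rules above concrete, here is an added Python model of how a server could evaluate each login attempt: a whitelist check first, then a sliding-window autoban (10 failures within 60 seconds bans the source for an hour, after which the ban lifts itself), then the credentials. This is illustrative code written for this post, not CompleteFTP's implementation; the whitelist networks, IP addresses and timestamps are constructed values, and times are plain seconds rather than wall-clock readings.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network
# Whitelist of permitted source networks (constructed example values).
WHITELIST = [ip_network("203.0.113.0/24"), ip_network("198.51.100.7/32")]

class AutoBanner:
    """Sliding window: max_failures failed logins within `window` seconds bans
    the source IP for ban_seconds; the ban then lifts itself."""
    def __init__(self, max_failures=10, window=60, ban_seconds=3600):
        self.max_failures, self.window, self.ban_seconds = max_failures, window, ban_seconds
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.bans = {}                      # ip -> time at which the ban expires

    def is_banned(self, ip, now):
        expiry = self.bans.get(ip)
        if expiry is not None and now < expiry:
            return True
        self.bans.pop(ip, None)             # an expired ban is lifted automatically
        return False
    def record_failure(self, ip, now):
        """Return True if this failure pushes the IP over the threshold."""
        recent = self.failures[ip]
        recent.append(now)
        while now - recent[0] > self.window:  # forget failures outside the window
            recent.popleft()
        if len(recent) >= self.max_failures:
            self.bans[ip] = now + self.ban_seconds
            recent.clear()
            return True
        return False

def check_connection(banner, ip, now, password_ok):
    """Evaluate one login attempt in order: IP filter, autoban, credentials."""
    if not any(ip_address(ip) in net for net in WHITELIST):
        return "filtered"   # not whitelisted: connection terminated immediately
    if banner.is_banned(ip, now):
        return "banned"     # autoban still in force, regardless of credentials
    if password_ok:
        banner.failures.pop(ip, None)
        return "ok"
    return "banned" if banner.record_failure(ip, now) else "failed"

def simulate_bruteforce():
    """Constructed scenario: ten wrong passwords within 60 s from a permitted IP."""
    banner = AutoBanner()
    verdicts = [check_connection(banner, "203.0.113.5", t * 5, False) for t in range(10)]
    later = check_connection(banner, "203.0.113.5", 1800, True)       # still banned
    after = check_connection(banner, "203.0.113.5", 45 + 3601, True)  # ban lifted
    outside = check_connection(banner, "192.0.2.9", 0, True)          # not whitelisted
    return verdicts, later, after, outside
```

Note that the correct password at 1800 seconds is still rejected because the ban is enforced before credentials are checked, which is what makes a guessing run slow even if one guess happens to be right.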

It is important that strong password policies are enforced in conjunction with autobanning. If an attacker can guess a user's password within a few tries by using common default passwords, SFTP server autobanning will be ineffective. Most servers allow password policies to be enforced so that a minimum password length and a mix of upper and lower case letters, digits and other characters must be used.

If IP filtering, autobanning and strong password policies are suitably configured and their performance is regularly reviewed, the chances of an attacker successfully logging in (and subsequently stealing corporate data) will be minimized.