If your SFTP server protocol is not required, disable it

Tips 1, 2, and 3 of this series described techniques to prevent attackers from getting access to your SFTP server's machine, and features such as IP filtering and auto-banning that make it more difficult for them to obtain an unauthorized login. Here, we'll cover disabling the server protocols you don't use.

There are other simple configuration changes that make your server considerably more secure.

The most important group of changes is at the protocol level, and the rule is simple: if a protocol that your server supports is not required, disable it. Every enabled protocol is a listening port and a login path that attackers can probe, whether or not anyone legitimately uses it.

For example, CompleteFTP server supports FTP, FTPS, SSH, SFTP, SCP, HTTP and HTTPS. If you only require, for example, FTP, FTPS and SFTP, then disable HTTP and HTTPS, as well as SCP and SSH logons.

Ideally, FTP and HTTP should always be disabled: both carry logins and file contents in cleartext, so anyone on the network path can read or alter them. FTP is the worst offender in this regard, as it sends the username and password unencrypted on every login. Always use FTPS rather than FTP, and HTTPS rather than HTTP, if this is possible. Of course, you may have to support certain protocols depending on what clients are accessing your server.

Also, it may be that particular users require certain protocols but most do not. In that case, ensure that only the users who need those protocols can use them: disable the protocols at the user level for everyone else.
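The script below is an added example; it is not part of the original article and not CompleteFTP's own code. It checks the rule above from the outside: after you disable protocols in the server, run it against the host with the list of protocols you intend to keep, and it reports anything else that still answers. It assumes the IANA default ports (21, 22, 80, 443 and 990); edit `PORTS` if your server listens elsewhere.

```python
import socket
import ssl
import sys

# IANA default ports for the protocols the server can expose (assumption: the
# server has not been moved to non-standard ports; edit this table if it has).
PORTS = {
    21: "ftp",     # plain FTP, and explicit FTPS after AUTH TLS
    22: "ssh",     # SFTP, SCP and SSH terminal logons all share this port
    80: "http",
    443: "https",
    990: "ftps",   # implicit FTPS
}


def classify_banner(port, data):
    """Map the first bytes a listener returns to a protocol name, or None.

    Kept free of I/O so it can be tested on captured or constructed banners.
    """
    text = data.decode("latin-1", "replace")
    if text.startswith("SSH-"):
        return "ssh"
    if text.startswith("HTTP/"):
        return "https" if port == 443 else "http"
    # FTP replies start with a three-digit code followed by a space (or '-' for multi-line).
    if len(text) >= 4 and text[:3].isdigit() and text[3] in " -":
        return "ftps" if port == 990 else "ftp"
    return None


def ftps_offered(reply):
    """True when the reply to AUTH TLS is 234 (the server will switch to TLS)."""
    return reply.startswith(b"234")


def unexpected_protocols(seen, allowed):
    """Protocols that answered on some port but are not on the allow-list, sorted."""
    exposed = set().union(*seen.values())
    return sorted(exposed - set(allowed))


def _tls_wrap(sock, host):
    ctx = ssl.create_default_context()
    ctx.check_hostname = False      # we only ask whether TLS answers, not who signed the cert
    ctx.verify_mode = ssl.CERT_NONE
    return ctx.wrap_socket(sock, server_hostname=host)


def probe(host, port, timeout=3.0):
    """Return the set of protocols found on host:port (empty if nothing answers)."""
    found = set()
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return found
    try:
        if port in (443, 990):      # TLS-first services: handshake before any application data
            sock = _tls_wrap(sock, host)
        if port in (80, 443):       # HTTP servers speak only when asked
            sock.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
        proto = classify_banner(port, sock.recv(256))
        if proto:
            found.add(proto)
        if proto == "ftp":          # explicit FTPS rides on the FTP port: ask for it
            sock.sendall(b"AUTH TLS\r\n")
            if ftps_offered(sock.recv(256)):
                found.add("ftps")
    except OSError:                 # timeouts, resets and ssl.SSLError all derive from OSError
        pass
    finally:
        sock.close()
    return found


def audit(host, allowed, ports=PORTS, timeout=3.0):
    """Probe every port in `ports`; return ({port: protocols}, unexpected protocols)."""
    seen = {port: probe(host, port, timeout) for port in ports}
    return seen, unexpected_protocols(seen, allowed)


if __name__ == "__main__":
    # usage: python audit_protocols.py ftp.example.com ftps ssh
    target, keep = sys.argv[1], sys.argv[2:]
    seen, bad = audit(target, keep)
    for port, protos in sorted(seen.items()):
        print(f"{port:>4}  {', '.join(sorted(protos)) or '-'}")
    print("unexpected:", ", ".join(bad) or "none")
    sys.exit(1 if bad else 0)
```

Two caveats when reading the output. Port 21 always reports `ftp` when explicit FTPS is enabled, because the FTPS control connection starts in cleartext until `AUTH TLS`; the script records `ftps` alongside it if the server accepts `AUTH TLS`, but it cannot tell whether plaintext logins are also permitted, so confirm in the server configuration that unencrypted logins are refused. Likewise SFTP, SCP and SSH terminal logons all share port 22, so the audit can only show `ssh`; which of those a given user may use has to be checked in the per-user settings.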

There are also some protocol-specific settings that should be considered.

If plain FTP must be supported, consider whether anonymous users are required. Traditionally, FTP servers have supported anonymous logins with read-only access to certain public directories. If you don't need anonymous logins, disable them; if you do, keep them read-only and confined to those public directories.

If FTPS or HTTPS is required, make sure SSL 3.0 is disabled so that the POODLE vulnerability (CVE-2014-3566) cannot be exploited. POODLE lets an attacker who can tamper with traffic force a connection down to SSL 3.0 and then recover parts of the encrypted session, so the only fix is to refuse SSL 3.0 altogether. If your server version doesn't support this, upgrade to a version that does or change servers - if your server vendor has not issued a patch for this by now your data is not safe on their server. The same reasoning applies to SSL 2.0 and, today, to TLS 1.0 and 1.1, which have since been formally deprecated: prefer TLS 1.2 or later.
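As an added example (not from the original article and not CompleteFTP's code), here is a way to verify that SSL 3.0 really is off. Modern Python and OpenSSL builds refuse to negotiate SSL 3.0 at all, so the `ssl` module cannot be used for this; instead the script sends a hand-built SSL 3.0 ClientHello and classifies the first record that comes back. A ServerHello carrying version 3.0 means the server still accepts SSL 3.0; an alert or a closed connection means it does not. HTTPS and implicit FTPS (ports 443 and 990) are probed directly, and explicit FTPS on port 21 by sending `AUTH TLS` first. The cipher-suite list is an arbitrary sample of SSL 3.0 suites, chosen only so that a willing server has something to pick.

```python
import os
import socket
import struct

SSL3_VERSION = b"\x03\x00"

# A sample of SSL 3.0 cipher suites (RC4-MD5, RC4-SHA, 3DES-SHA, AES128-SHA, AES256-SHA),
# offered so that a server still willing to speak SSL 3.0 has something to select.
CIPHER_SUITES = (0x0004, 0x0005, 0x000A, 0x002F, 0x0035)


def build_sslv3_client_hello():
    """Return a complete SSL 3.0 ClientHello record (record header + handshake header + body)."""
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (
        SSL3_VERSION                      # client_version = 3.0
        + os.urandom(32)                  # client random
        + b"\x00"                         # session_id length 0
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                     # one compression method: null
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type client_hello, 24-bit length
    return b"\x16" + SSL3_VERSION + struct.pack("!H", len(handshake)) + handshake


def classify_server_reply(data):
    """Interpret the first bytes the server sends back after our ClientHello.

    'sslv3-accepted': handshake record, version 3.0, ServerHello with server_version 3.0
    'rejected':       an alert record, or the server closed the connection without replying
    'unknown':        anything else (not TLS at all, or an unexpected record)
    """
    if not data:
        return "rejected"
    if data[0] == 0x15:                   # alert: typically protocol_version or handshake_failure
        return "rejected"
    if (len(data) >= 11 and data[0] == 0x16 and data[1:3] == SSL3_VERSION
            and data[5] == 0x02 and data[9:11] == SSL3_VERSION):
        return "sslv3-accepted"
    return "unknown"


def _read_ftp_reply(sock):
    """Read one (possibly multi-line) FTP reply; the final line is 'NNN ' followed by text."""
    buf = b""
    while True:
        chunk = sock.recv(1024)
        if not chunk:
            return buf
        buf += chunk
        for line in buf.split(b"\r\n"):
            if len(line) >= 4 and line[:3].isdigit() and line[3:4] == b" ":
                return buf


def probe_sslv3(host, port, timeout=5.0):
    """Connect and report whether host:port accepts an SSL 3.0 handshake.

    Returns 'sslv3-accepted', 'rejected', 'unknown', 'no-tls' (explicit FTPS not
    offered on port 21) or 'unreachable'.
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"
    try:
        if port == 21:                    # explicit FTPS: upgrade the cleartext control channel first
            _read_ftp_reply(sock)
            sock.sendall(b"AUTH TLS\r\n")
            if not _read_ftp_reply(sock).startswith(b"234"):
                return "no-tls"
        sock.sendall(build_sslv3_client_hello())
        try:
            reply = sock.recv(1024)
        except OSError:                   # connection reset by the server counts as a refusal
            reply = b""
        return classify_server_reply(reply)
    except OSError:                       # timeout or other failure before any verdict
        return "unknown"
    finally:
        sock.close()


if __name__ == "__main__":
    import sys
    # usage: python check_sslv3.py ftp.example.com 21
    target, target_port = sys.argv[1], int(sys.argv[2])
    print(target, target_port, probe_sslv3(target, target_port))
```

Run it against each TLS-capable port the server exposes; anything other than `rejected` (or `no-tls` on port 21 when FTPS is intentionally off) needs attention. Because the probe speaks only the record layer, it is independent of what the local TLS library supports, which is exactly what you need when checking for a protocol version that your own tooling no longer implements.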

Finally, enforce strict permissions on your directory structure. Make sure that shared directories are accessible only to the users who need them, and that users are locked into their home directories by default. Test and review permissions regularly, and remove or disable old logins that are no longer in use, since a forgotten account is an unmonitored way in.