Question

How do I secure my server?

Answer 1

FTP servers are always vulnerable to attack from unauthorised people, and a number of steps should be taken to minimize the risks of this occurring:

1. A good firewall is the first line of defence for security, and should be your first port of call in denying/permitting access to certain IP addresses.
2. If your server is not required to be accessible from the Internet, ensure that it is only reachable internally. If it is not accessible externally, the only attacks can be from within your organization, greatly reducing the risk.
3. Use the IP filtering capabilities of CompleteFTP to only permit the IP addresses you want (if this is possible).
4. Ensure that auto-banning is configured correctly (e.g. the defaults) to prevent dictionary attacks on passwords.
5. Regularly review log files for unwanted intrusions and take remedial action (such as banning IP addresses).
6. Disable protocols that aren't being used, e.g. if you are running an SFTP server only, disable FTP, FTPS and SCP.
7. Disable the automatic Windows users feature, so that only explicitly permitted users are permitted.
8. For SFTP disable password authentication, and only permit public key authentication. This means users must have valid private keys and have their public keys registered on the server. This is not always possible of course.
9. For SFTP disable SSH terminal access. This is disabled by default. SSH terminal access permits Windows users who have this feature enabled to execute almost any program or DOS command, and is potentially a significant security hole.