What is it?
File Transfer Protocol (FTP), first introduced in 1971, is one of the oldest Internet protocols. It is used to transfer files from one computer to another on a network. FTP uses ports 20 and 21.
FTP does not encrypt file transfers OR login credentials. Recently, major browser vendors have disabled FTP support; it now requires a separate, dedicated FTP client program.
File Transfer Protocol SSL (FTPS) allows the encryption of either the command channel, the data channel or both. De/encryption is performed by Transport Layer Security (TLS), the latest incarnation of Secure Socket Layer (SSL). It uses ports 989 and 990.
Secure File Transport Protocol (SFTP) provides the same security protections as FTPS, but in an entirely different manner. SFTP (like Secure Shell – SSH) uses port 22.
Each of these protocols have numerous features; for example, an FTP client may request a secure connection or an SFTP server might be set up to grant access to anonymous users.
Why is it a risk?
FTP, by default, performs no encryption allowing an attacker to eavesdrop on a connection to collect login credentials and files.
All file transfers inherently create the risk that a file could be transferred that contains malicious content.
Careless management of an FTP server may provide an attacker with access to execute code or overwrite important files.
By its very nature, FTP is susceptible to DoS and DDoS attacks. A Denial of Service attack is when an attacker tries to overwhelm a victim’s server by flooding it with requests. In a Distributed Denial of Service (DDoS) attack, the attacker uses an army of unwitting third party servers to all attack the victim at the same time.
How can you mitigate the risk?
- Disable FTP unless you need it. Some server setups have FTP enabled by default.
- Disable standard FTP, use FTPS or SFTP instead.
- Update your SSH software to use strong ciphers and the lastest version of TLS (no SSL).
- Disable anonymous FTP if possible.
- Isolate your FTP server, don’t store anything on that server that you do not intend to share.
- If you can, use firewall rules to limit access to trusted IP addresses or MAC addresses.
- Be careful with file permissions of shared files.
- If your customers upload data to your FTP Server, use extra validation when reading it.
The HelpSystems blog and Cerberus articles, linked below, contain more recommendations and details.
HelpSystems Tips for Securing FTP
Cerberus Securing and FTP Server