Secure FTP access; best practices

  • We have several web applications (B2B, B2C eCommerce) to which developers have access in order to upload files.

    I need to ensure the FTP part is well secured.

    What is the best way to go about it?

    Currently, I've:

    • Changed port number, and
    • Set a static IP (our local IP only) for the uploads

    Is that enough to make FTP access secure?

  • Rory McCune (correct answer)

    9 years ago

    Although @mahbubut-r-aaman mentions it in passing, I thought I'd expand on the bit about SSH. The answer I'd say for securing FTP is don't use FTP. The reason being that it (by default) sends usernames and passwords in the clear, which isn't considered a very secure approach.

    Instead you could look at SFTP (which uses the SSH protocol) or FTP(S), which uses the FTP protocol with SSL for encryption.

    Additionally I'd suggest looking at a solution like fail2ban to help block password guessing attempts.

    Changing the port that it listens on is a bit helpful in avoiding the noise in your logs of random attacks, but you shouldn't rely on it.

    Locking down access to specific source IP addresses is a good idea if it's practical, as it'll limit who can attempt to access the site.

Licensed under CC-BY-SA with attribution

Content dated before 7/24/2021 11:53 AM