10 Essential Tips for Securing FTP and SFTP Servers

Securing FTP and SFTP Servers

Most organizations use FTP or SFTP servers to exchange files and other critical business documents with their trading partners. Unfortunately, these servers have become a primary target for hackers, putting your FTP or SFTP server at risk of a costly data breach. Bob Luebbe, Chief Architect for GoAnywhere MFT (formerly of Linoma Software and now Fortra) hosted a webinar to help you ensure your FTP or SFTP server is secure and compliant. He was joined by Steve Luebbe, Director of Engineering, and Dan Freeman, Senior Solutions Consultant.

The Three Tenets of Information Security

Since we’re talking about keeping our servers secure, we should define what that means.

Information security can be discussed in the terms of the CIA. No, not that CIA - in this case, the acronym CIA stands for confidentiality, integrity, and availability: 

• Confidentiality - Maintaining confidentiality means that information is never disclosed to unauthorized individuals. 
• Integrity - This refers to making sure your data remains accurate and unchanged. 
• Availability - This means that the system is available to authorized entities without disruptions. 

Major Compliance Standards and Regulations

Compliance with industry security standards is an issue that puts pressure on organizations of all sizes. Which compliance challenges you’re facing will depend on both your industry and location. In the U.S., the most common regulations include:

• Health Insurance Portability and Accountability Act (HIPAA): Requires the protection of any communications containing PHI (Protected Health Information) which is transmitted electronically over open networks from being intercepted by anyone other than the intended recipient.
• Gramm-Leach-Bliley Act (GLBA): Requires financial institutions to implement safeguards to protect the security, integrity, and confidentiality of customer information, no matter how it is stored or transmitted.
• State privacy laws: Most states have notification laws, while others are more specific on how personal data must be protected.
• Federal Information Security Management Act (FISMA): Defines a comprehensive framework to protect government information, operations, and assets against natural or man-made threats.
• Payment Card Industry Data Security Standard (PCI DSS): Developed for companies that are responsible for processing debit or credit card information in order to protect the privacy of customer account data.

Like the other regulations on the list, non-compliance with PCI DSS can result in fines or even the termination of your ability to conduct business. The consequences levied by the banks and credit card institutions can range up to $500,000. Although PCI DSS was designed for companies processing cardholder data, its detailed security requirements are a great reference for anyone looking to protect sensitive data. Throughout the webinar, Bob and team reference how each security tip relates to PCI DSS.

The latest version of PCI DSS had a couple notable changes. You can read more about them and how they affect your business in this free guide.  

If you’re in the EU or if you process data for EU residents, the most important change in data privacy regulations in 20 years is the General Data Protection Regulation (GDPR), which was adopted in 2016 and enforced on May 25, 2018. It was designed to replace the past Data Protection Directive and consolidate data privacy laws within Europe. Fines for non-compliance with GDPR can be up to 20 million Euros or 4 percent of the company’s revenue in the preceding financial year.

Top Tips for Securing FTP and SFTP Servers

Poor FTP implementation practices are widespread and leave many businesses at risk of a data breach or a hefty non-compliance fine. Want to make sure your servers are both secure and compliant? Here are our top 10 tips:

#1. Disable Standard FTP

If standard FTP is running on your server, you should disable it as soon as possible. FTP is over 30 years old and just isn’t meant to withstand the modern security threats we face today. FTP lacks privacy and integrity and makes it fairly easy for a hacker to gain access and capture or modify your data while it’s in transit. We suggest you switch to a more secure alternative like FTPS, SFTP, or both.

#2. Use Strong Encryption and Hashing

Encryption ciphers are used in both SFTP and FTPS protocols to protect data in transmission. The cipher is a complex algorithm that takes the original data and, along with the key, produces the encrypted data to transmit. The first thing you should do is disable any older, outdated ciphers like Blowfish and DES, and only use stronger ciphers like AES or TDES.

Hash or MAC algorithms are used to verify the integrity of the transmission. Again, you should disable older hash/MAC algorithms like MD5 or SHA-1 and stick with strong algorithms in the SHA-2 family.

#3. Place Behind a Gateway

The DMZ is a common segment of the network for organizations to store their FTP servers. The problem with the DMZ is that it faces the public internet, making it the most vulnerable segment to attack. If the FTP server is in the DMZ, trading partners’ data files and user credentials are usually also stored there, which is a big risk even if the files are encrypted.

Other organizations have taken the step of moving files and user credentials into the private network, which is safer. The problem with this method though is that this requires you to open ports into the private network, which creates a path for an attack and may not meet compliance requirements.

An approach which is growing in popularity is to use a DMZ Secure Gateway, or an enhanced reverse proxy. The Gateway is software that you install on a server in the DMZ. A special control channel is then opened up from the private network into the DMZ at startup. Your trading partners connect to the Gateway, and the Gateway will send the session over the control channel to the FTP server on the private network. Files and user credentials stay in the private network, and no inbound ports are required.

#4. Implement IP Blacklists and Whitelists

An IP blacklist denies a range of IP addresses from accessing the system, either temporarily or permanently. For example, you may want to block certain countries from access. You can also have the FTP server perform auto-blacklisting for certain types of attacks, like DoS attacks.

Another method is to whitelist only specified IP addresses to access the system, such as your trading partners. The difficulty is that this only works well if the trading partner uses fixed IPs.

#5. Harden Your FTPS Server

If you’re using an FTPS server, there are a few measures you should take to keep it secure, including:

• Do not use Explicit FTPS unless you force encryption for the authentication and data channels

• Do not use any version of SSL or TLS 1.0

• Use Elliptic curve Diffie-Hellman key exchange algorithms

#6. Utilize Good Account Management

It’s risky to create OS-level user accounts for trading partners because it creates a pathway to gain access to other resources on the server. Also, user credentials should be kept separate from the FTP application. Do not allow anonymous users or shared accounts. Set some rules, like account user names should be at least 7 characters in length and accounts should be automatically disabled after 6 login failures or 90 days of inactivity.

#7. Use Strong Passwords

Passwords should be at least 7 characters in length, contain both numeric and alphanumeric characters, and include at least one special character. Make sure admin passwords change every 90 days. Don’t allow the last 4 passwords to be reused, and store user passwords using strong hashing encryption algorithms like SHA-2.

#8. Implement File and Folder Security

A trading partner should only have the folder access they absolutely need. For example, just because a partner needs permission to download something from a folder doesn’t mean they need total rights to that folder. Needing to upload files to a folder doesn’t require them to have read access to the folder. Encrypt files at rest, especially if they’re stored in the DMZ, and retain files on the FTP server only as long as needed.

#9. Lock Down Administration

Administration of your server should be tightly controlled. Restrict admin duties to a limited number of users and require them to use multi-factor authentication. Instead of storing passwords on the server, store them in an AD domain or LDAP server. Don’t use common admin user IDs like “root” or “admin” – that’s the first thing a hacker will try.

Related Reading: How to Think Like a Hacker and Secure Your Data

#10. Follow These SFTP Best Practices

In the webinar, Bob and the team had several recommendations to follow in regards to securing FTP, these include

• Keep the FTPS or SFTP server software up-to-date

• If working with U.S. government data, use only FIPS 140-2 validated encryption ciphers

• Do not use the default SFTP software version that is shown when you first log in – that will give hackers a clue how to exploit the server

• Keep any backend databases on a different server

• Require re-authentication of inactive sessions

• Implement good key management

For two bonus tips on how to secure FTP that were not included in this blog post, jump to 44:01 in the video.

Secure File Transfer with GoAnywhere MFT

GoAnywhere Managed File Transfer can address all of the compliance and security requirements outlined in the webinar. It also offers powerful automated workflows to streamline the movement of files within your network and with your trading partners.

GoAnywhere can be installed on most operating systems including Windows, Linux, and IBM i, and can also be deployed in a virtual environment. It supports numerous protocols and encryption standards, including SFTP and FTPS, and guarantees delivery with connection retries and file auto-resume. If you're looking for an MFT Linux, Windows, IBM i, Azure, or AWS solution specifically, GoAnywhere is not restricted by platform and can easily run on all of them.

Keeping your file transfers compliant is simple with GoAnywhere’s detailed audit logging. You can even use the Advanced Reporting Module to quickly check if your GoAnywhere installation meets PCI DSS requirements.