It’s loud and clear that uploading files via normal FTP can be risky. That’s the reason why most servers use Secure FTP.
But, does using sFTP alone guarantee secure data exchange?
Unfortunately, No. Even SFTP servers have security risks and can be a target of cyber attackers.
That’s why, we often get requests to setup secure SFTP servers as part of our Server Administration Services.
Today, we’ll see the top 5 things that Bobcares Engineers do to avoid sftp security risks.
How does SFTP work
Before all else, let’s get an idea on how SFTP work. Also, how it is more secure than normal FTP.
In simple words, SFTP is a method that allows file transfer using the Secure Shell protocol (SSH). It gets all its security features from SSH. In SFTP, a single port will be used for all SFTP communications. That is, the initial authentication, ftp commands and data transfer all happens via port 22 of the server.
Unlike normal FTP which is text based, the mode of communication in SFTP is packet-based. SFTP encrypts the data using modern methods and protects the integrity of data. Again, as each SFTP communication involves sending of less data, it will be faster too.
Things that create SFTP security risks
Now that we understand how SFTP works, let’s check on the possible security risks in SFTP.
One of the key factors that ensure security in SFTP is encryption method. Unfortunately, the encryption method often change based on the settings of FTP client. And, when there is a use of weak or outdated encryption method, it put the data transfer at risk.
Similarly, weak user/password combination, lack of proper firewall on the server, broken programs, etc. put the SFTP server as a target of attack.
How we avoid SFTP security risks
Luckily, there are methods to increase security on SFTP server.
Let’s now take a look on the top 5 things that our Support Engineers do on SFTP servers to avoid security risks.
1. Harden SFTP server
Just like any other service, securing SFTP should start from the initial server setup itself. Server security is not something that can be added as component. That’s why our Dedicated Engineers always foresee the possible risks in server applications, do a customer requirement check, etc. as part of our initial server setup. This include adding periodic update of server packages, adding proper monitoring tools, configuring firewall, backup setup and so on.
In short, the server hardening process make the entire server more secure and thus SFTP too.
2. Avoid outdated encryption
Since SFTP relies mostly on the encryption method, we always ensure that server do not use outdated encryption technologies. It is this encryption algorithm that takes the original data and, encrypt it and transmit the encrypted data along with the key. And, when the server uses weak encryption, SFTP server will be at risk.
That’s why, our Support Engineers always disable outdated ciphers like Blowfish and DES, and only use stronger ciphers like AES or TDES.
3. Block direct server access
As another security method, we always block direct access to the SFTP server. In many cases, the SFTP server may be intended for users under an organization. In such cases, there is no need to make SFTP available on a public internet. We recommend setting up SFTP server in a private network, that offers additional security.
And, in scenario where SFTP server need public access, we even setup it behind a gateway. Thus, all hits directly come to the gateway server and SFTP server will be protected.
4. IP based restrictions
IP based restrictions always enhance security of any SFTP server. Here, we restrict the IP addresses that can connect to port 22 of the server. For this, we add necessary rules in the server firewall. Again, these rules depend on the type of firewall in use.
However, this comes with additional overhead of maintaining firewall upon new user addition. But, considering the security impact, it proves to be a necessity.
5. Strong passwords
Last and not the least, using strong user password is of at-most importance in securing SFTP. For SFTP to work, the user need shell access on the server. Thus, when a user has both Shell and SFTP access over SSH, then it allows to upload a potentially malicious file to the server and execute it.
Therefore, the SFTP server should always ensure the usage of strong passwords. This largely helps to reduce the brute-force attacks on the server. In servers with control panels like Plesk, the password strength for users can be set from Tools and Settings > Security Policy as shown.
[Do you wish to secure SFTP server? Our experts can help you.]
Conclusion
In short, avoiding SFTP security risks involve using strong data encryption methods, restricting server access, setting complex password for ftp users and many more. Today, we saw how our Dedicated Engineers secure SFTP server and avoid possible attack.
0 Comments