Bobcares
        • Web Hosting

        • Customized web hosting support solutions with 20 years of experience.

        • Cloud Hosting

        • 24x7x365 cloud support services for all major cloud platforms.

        • VPS Hosting

        • Premium support and management solutions for VPS providers.

        • Data Center

        • Enhanced support solutions for small to hyperscale data center providers. 

        • SaaS

        • Efficient deployment, updates, and end-user support for SaaS companies.

        • VPN

        • Premium support solutions for VPN companies.

        • Digital Agency

        • Comprehensive development and marketing solutions for digital agencies

        • ISP

        • Reliable end-user support and technical teams for ISP companies...

        • CDN

        • Reliable support solutions for CDN providers.

        • WE ARE HERE TO HELP
        • Image Description

          If you can't find the service you need, just write to us and we will figure something out.

          Chat with us

Client Area
Emergency Support
FTP | Latest | Server Administration

Best practices to avoid sftp security risks

by | May 17, 2019

It’s loud and clear that uploading files via normal FTP can be risky. That’s the reason why most servers use Secure FTP.

But, does using sFTP alone guarantee secure data exchange?

Unfortunately, No. Even SFTP servers have security risks and can be a target of cyber attackers.

That’s why, we often get requests to setup secure SFTP servers as part of our Server Administration Services.

Today, we’ll see the top 5 things that Bobcares Engineers do to avoid sftp security risks.

 

How does SFTP work

Before all else, let’s get an idea on how SFTP work. Also, how it is more secure than normal FTP.

In simple words, SFTP is a method that allows file transfer using the Secure Shell protocol (SSH). It gets all its security features from SSH. In SFTP, a single port will be used for all SFTP communications. That is, the initial authentication, ftp commands and data transfer all happens via port 22 of the server.

Unlike normal FTP which is text based, the mode of communication in SFTP is packet-based. SFTP encrypts the data using modern methods and protects the integrity of data. Again, as each SFTP communication involves sending of less data, it will be faster too.

 

Things that create SFTP security risks

Now that we understand how SFTP works, let’s check on the possible security risks in SFTP.

One of the key factors that ensure security in SFTP is encryption method. Unfortunately, the encryption method often change based on the settings of FTP client. And, when there is a use of weak or outdated encryption method, it put the data transfer at risk.

Similarly, weak user/password combination, lack of proper firewall on the server, broken programs, etc. put the SFTP server as a target of attack.

 

How we avoid SFTP security risks

Luckily, there are methods to increase security on SFTP server.

Let’s now take a look on the top 5 things that our Support Engineers do on SFTP servers to avoid security risks.

 

1. Harden SFTP server

Just like any other service, securing SFTP should start from the initial server setup itself. Server security is not something that can be added as component. That’s why our Dedicated Engineers always foresee the possible risks in server applications, do a customer requirement check, etc. as part of our initial server setup. This include adding periodic update of server packages, adding proper monitoring tools, configuring firewall, backup setup and so on.

In short, the server hardening process make the entire server more secure and thus SFTP too.

 

2. Avoid outdated encryption

Since SFTP relies mostly on the encryption method, we always ensure that server do not use outdated encryption technologies. It is this encryption algorithm that takes the original data and, encrypt it and transmit the encrypted data along with the key. And, when the server uses weak encryption, SFTP server will be at risk.

That’s why, our Support Engineers always disable outdated ciphers like Blowfish and DES, and only use stronger ciphers like AES or TDES.

 

3. Block direct server access

As another security method, we always block direct access to the SFTP server. In many cases, the SFTP server may be intended for users under an organization. In such cases, there is no need to make SFTP available on a public internet. We recommend setting up SFTP server in a private network, that offers additional security.

And, in scenario where SFTP server need public access, we even setup it behind a gateway. Thus, all hits directly come to the gateway server and SFTP server will be protected.

 

4. IP based restrictions

IP based restrictions always enhance security of any SFTP server. Here, we restrict the IP addresses that can connect to port 22 of the server. For this, we add necessary rules in the server firewall. Again, these rules depend on the type of firewall in use.

However, this comes with additional overhead of maintaining firewall upon new user addition. But, considering the security impact, it proves to be a necessity.

 

5. Strong passwords

Last and not the least, using strong user password is of at-most importance in securing SFTP. For SFTP to work, the user need shell access on the server. Thus, when a user has both Shell and SFTP access over SSH, then it allows to upload a potentially malicious file to the server and execute it.

Therefore, the SFTP server should always ensure the usage of strong passwords. This largely helps to reduce the brute-force attacks on the server. In servers with control panels like Plesk, the password strength for users can be set from Tools and Settings > Security Policy as shown.

[Do you wish to secure SFTP server? Our experts can help you.]

 

Conclusion

In short, avoiding SFTP security risks involve using strong data encryption methods, restricting server access, setting complex password for ftp users and many more. Today, we saw how our Dedicated Engineers secure SFTP server and avoid possible attack.

Related posts:

  1. How to configure SFTP server with chroot ?
  2. FTP 550 No such file or directory- Here’s the quick fix
  3. How to Block IPs in Windows Firewall : Easy method!
  4. Multiple SSL certificates on one IP with Nginx – Set it up now

PREVENT YOUR SERVER FROM CRASHING!

Never again lose customers to poor server speed! Let us help you.

Our server experts will monitor & maintain your server 24/7 so that it remains lightning fast and secure.

GET STARTED

var google_conversion_label = "owonCMyG5nEQ0aD71QM";

0 Comments

Submit a Comment

Your email address will not be published. Required fields are marked *

server management

Spend time on your business, not on your servers.

TALK TO US

Or click here to learn more.

Related Articles

  1. How to configure SFTP server with chroot ?
  2. FTP 550 No such file or directory- Here’s the quick fix
  3. How to Block IPs in Windows Firewall : Easy method!
  4. Multiple SSL certificates on one IP with Nginx – Set it up now

Never again lose customers to poor
server speed! Let us help you.

GET STARTED

Privacy Preference Center

Consent Management

When you visit any website, it may store or retrieve information on your browser, mostly in the form of cookies. This information might be about you, your preferences or your device and is mostly used to make the site work as you expect it to. The information does not usually directly identify you, but it can give you a more personalized web experience.

Because we respect your right to privacy, you can choose not to allow some types of cookies. Click on the different category headings to find out more and change our default settings. However, blocking some types of cookies may impact your experience of the site and the services we are able to offer.

Privacy Policy

Required
By using this site, you agree to our Privacy Policy.

Necessary

Necessary cookies help make a website usable by enabling basic functions like page navigation and access to secure areas of the website. The website cannot function properly without these cookies.

PHPSESSID - Preserves user session state across page requests.

gdpr[consent_types] - Used to store user consents.

gdpr[allowed_cookies] - Used to store user allowed cookies.

Cookies Used

Required
PHPSESSID, gdpr[consent_types], gdpr[allowed_cookies]

livechat.bobcares.com

Opt Out
PHPSESSID

my.bobcares.com

Opt Out
WHMCSpKDlPzh2chML

Statistics

Statistic cookies help website owners to understand how visitors interact with websites by collecting and reporting information anonymously.

_ga - Preserves user session state across page requests.

_gat - Used by Google Analytics to throttle request rate

_gid - Registers a unique ID that is used to generate statistical data on how you use the website.

smartlookCookie - Used to collect user device and location information of the site visitors to improve the websites User Experience.

Cookies Used

_ga, _gat, _gid

google.com

Opt Out
_ga, _gat, _gid

manager.smartlook.com

Opt Out
smartlookCookie

clarity.microsoft.com

Opt Out
_clck, _clsk, CLID, ANONCHK, MR, MUID, SM

Marketing

Marketing cookies are used to track visitors across websites. The intention is to display ads that are relevant and engaging for the individual user and thereby more valuable for publishers and third party advertisers.

IDE - Used by Google DoubleClick to register and report the website user's actions after viewing or clicking one of the advertiser's ads with the purpose of measuring the efficacy of an ad and to present targeted ads to the user.

test_cookie - Used to check if the user's browser supports cookies.

1P_JAR - Google cookie. These cookies are used to collect website statistics and track conversion rates.

NID - Registers a unique ID that identifies a returning user's device. The ID is used for serving ads that are most relevant to the user.

DV - Google ad personalisation

_reb2bgeo - The visitor's geographical location

_reb2bloaded - Whether or not the script loaded for the visitor

_reb2bref - The referring URL for the visit

_reb2bsessionID - The visitor's RB2B session ID

_reb2buid - The visitor's RB2B user ID

Cookies Used

IDE, test_cookie, 1P_JAR, NID, DV, NID

doubleclick.net

Opt Out
IDE, test_cookie

google.co.in

Opt Out
1P_JAR, NID, DV

google.com

Opt Out
NID

olark.com

Opt Out
hblid

rb2b.com

Opt Out
_reb2bgeo, _reb2bloaded, _reb2bref, _reb2bsessionID, _reb2buid

Security

These are essential site cookies, used by the google reCAPTCHA. These cookies use an unique identifier to verify if a visitor is human or a bot.

Cookies Used

SID, APISID, HSID, NID, PREF

google.com

Opt Out
SID, APISID, HSID, NID, PREF