Bobcares

Best practices to avoid sftp security risks

by | May 17, 2019

It’s loud and clear that uploading files via normal FTP can be risky. That’s the reason why most servers use Secure FTP.

But, does using sFTP alone guarantee secure data exchange?

Unfortunately, No. Even SFTP servers have security risks and can be a target of cyber attackers.

That’s why, we often get requests to setup secure SFTP servers as part of our Server Administration Services.

Today, we’ll see the top 5 things that Bobcares Engineers do to avoid sftp security risks.

 

How does SFTP work

Before all else, let’s get an idea on how SFTP work. Also, how it is more secure than normal FTP.

In simple words, SFTP is a method that allows file transfer using the Secure Shell protocol (SSH). It gets all its security features from SSH. In SFTP, a single port will be used for all SFTP communications. That is, the initial authentication, ftp commands and data transfer all happens via port 22 of the server.

Unlike normal FTP which is text based, the mode of communication in SFTP is packet-based. SFTP encrypts the data using modern methods and protects the integrity of data. Again, as each SFTP communication involves sending of less data, it will be faster too.

 

Things that create SFTP security risks

Now that we understand how SFTP works, let’s check on the possible security risks in SFTP.

One of the key factors that ensure security in SFTP is encryption method. Unfortunately, the encryption method often change based on the settings of FTP client. And, when there is a use of weak or outdated encryption method, it put the data transfer at risk.

Similarly, weak user/password combination, lack of proper firewall on the server, broken programs, etc. put the SFTP server as a target of attack.

 

How we avoid SFTP security risks

Luckily, there are methods to increase security on SFTP server.

Let’s now take a look on the top 5 things that our Support Engineers do on SFTP servers to avoid security risks.

 

1. Harden SFTP server

Just like any other service, securing SFTP should start from the initial server setup itself. Server security is not something that can be added as component. That’s why our Dedicated Engineers always foresee the possible risks in server applications, do a customer requirement check, etc. as part of our initial server setup. This include adding periodic update of server packages, adding proper monitoring tools, configuring firewall, backup setup and so on.

In short, the server hardening process make the entire server more secure and thus SFTP too.

 

2. Avoid outdated encryption

Since SFTP relies mostly on the encryption method, we always ensure that server do not use outdated encryption technologies. It is this encryption algorithm that takes the original data and, encrypt it and transmit the encrypted data along with the key. And, when the server uses weak encryption, SFTP server will be at risk.

That’s why, our Support Engineers always disable outdated ciphers like Blowfish and DES, and only use stronger ciphers like AES or TDES.

 

3. Block direct server access

As another security method, we always block direct access to the SFTP server. In many cases, the SFTP server may be intended for users under an organization. In such cases, there is no need to make SFTP available on a public internet. We recommend setting up SFTP server in a private network, that offers additional security.

And, in scenario where SFTP server need public access, we even setup it behind a gateway. Thus, all hits directly come to the gateway server and SFTP server will be protected.

 

4. IP based restrictions

IP based restrictions always enhance security of any SFTP server. Here, we restrict the IP addresses that can connect to port 22 of the server. For this, we add necessary rules in the server firewall. Again, these rules depend on the type of firewall in use.

However, this comes with additional overhead of maintaining firewall upon new user addition. But, considering the security impact, it proves to be a necessity.

 

5. Strong passwords

Last and not the least, using strong user password is of at-most importance in securing SFTP. For SFTP to work, the user need shell access on the server. Thus, when a user has both Shell and SFTP access over SSH, then it allows to upload a potentially malicious file to the server and execute it.

Therefore, the SFTP server should always ensure the usage of strong passwords. This largely helps to reduce the brute-force attacks on the server. In servers with control panels like Plesk, the password strength for users can be set from Tools and Settings > Security Policy as shown.

[Do you wish to secure SFTP server? Our experts can help you.]

 

Conclusion

In short, avoiding SFTP security risks involve using strong data encryption methods, restricting server access, setting complex password for ftp users and many more. Today, we saw how our Dedicated Engineers secure SFTP server and avoid possible attack.

PREVENT YOUR SERVER FROM CRASHING!

Never again lose customers to poor server speed! Let us help you.

Our server experts will monitor & maintain your server 24/7 so that it remains lightning fast and secure.

GET STARTED

var google_conversion_label = "owonCMyG5nEQ0aD71QM";

0 Comments

Submit a Comment

Your email address will not be published. Required fields are marked *

Never again lose customers to poor
server speed! Let us help you.

Privacy Preference Center

Necessary

Necessary cookies help make a website usable by enabling basic functions like page navigation and access to secure areas of the website. The website cannot function properly without these cookies.

PHPSESSID - Preserves user session state across page requests.

gdpr[consent_types] - Used to store user consents.

gdpr[allowed_cookies] - Used to store user allowed cookies.

PHPSESSID, gdpr[consent_types], gdpr[allowed_cookies]
PHPSESSID
WHMCSpKDlPzh2chML

Statistics

Statistic cookies help website owners to understand how visitors interact with websites by collecting and reporting information anonymously.

_ga - Preserves user session state across page requests.

_gat - Used by Google Analytics to throttle request rate

_gid - Registers a unique ID that is used to generate statistical data on how you use the website.

smartlookCookie - Used to collect user device and location information of the site visitors to improve the websites User Experience.

_ga, _gat, _gid
_ga, _gat, _gid
smartlookCookie
_clck, _clsk, CLID, ANONCHK, MR, MUID, SM

Marketing

Marketing cookies are used to track visitors across websites. The intention is to display ads that are relevant and engaging for the individual user and thereby more valuable for publishers and third party advertisers.

IDE - Used by Google DoubleClick to register and report the website user's actions after viewing or clicking one of the advertiser's ads with the purpose of measuring the efficacy of an ad and to present targeted ads to the user.

test_cookie - Used to check if the user's browser supports cookies.

1P_JAR - Google cookie. These cookies are used to collect website statistics and track conversion rates.

NID - Registers a unique ID that identifies a returning user's device. The ID is used for serving ads that are most relevant to the user.

DV - Google ad personalisation

_reb2bgeo - The visitor's geographical location

_reb2bloaded - Whether or not the script loaded for the visitor

_reb2bref - The referring URL for the visit

_reb2bsessionID - The visitor's RB2B session ID

_reb2buid - The visitor's RB2B user ID

IDE, test_cookie, 1P_JAR, NID, DV, NID
IDE, test_cookie
1P_JAR, NID, DV
NID
hblid
_reb2bgeo, _reb2bloaded, _reb2bref, _reb2bsessionID, _reb2buid

Security

These are essential site cookies, used by the google reCAPTCHA. These cookies use an unique identifier to verify if a visitor is human or a bot.

SID, APISID, HSID, NID, PREF
SID, APISID, HSID, NID, PREF