Securing FTP Running on Your Web Server

I’ve had several questions from clients recently on how they can to secure FTP running on their web servers. The easy and short-sighted response would be “Are you nuts? You need to run FTP on a dedicated server!” However, looking at it from a business perspective considering things like money, politics, business process and third-party system architectures – it’s not that simple of a fix.

Best practice or not, FTP is often running on web servers and it’s certainly something worth poking and prodding for additional security flaws. I often see outdated FTP software and anonymous access enabled to the outside – both of which can be exploited for ill-gotten gains potentially exposing the entire web server to web hacking and public exposure. The biggest risk to me, though, is weak FTP passwords waiting to be uncovered by dictionary or brute-force password authentication attacks. This is an attack that can go unnoticed indefinitely and put critical business information at risk – especially if intruder lockout is not enabled which is usually the case.
Many of my clients use third-party managed firewalls and intrusion detection and are typically alerted (continue reading...)