
FTP anonymous logon and weak password vulnerabilities

Last Updated: May 08, 2018

Vulnerability description

FTP weak password and anonymous logon vulnerabilities arise when the FTP service is left with anonymous logon enabled, or when an FTP account uses a password that is too short or not complex enough (for example, one made up only of digits or only of letters). Either condition lets an attacker log on without valid credentials or guess them by brute force, upload arbitrary files, and from there carry out more serious intrusions.

Vulnerability hazards

An attacker who finds a weak password or anonymous logon simply logs on to the FTP service and uploads malicious files. Whatever the FTP account can write to, the attacker can write to, which can lead to code execution on the host, a takeover of system privileges, and leaks of the data stored on the server.

Resolution

Different FTP server products run different daemons, so the exact steps differ. This resolution uses the IIS FTP service in Windows Server 2008 and the vsftpd service in Linux as examples of how to harden an FTP service.

Important:

Make sure that you run the latest version of the FTP server software. Watch the vendor's official patch releases and apply the updates promptly.

We strongly recommend that you do not expose the FTP service to the Internet. Connect to FTP servers over a VPN, and use Security groups to restrict the source IP addresses that are allowed to connect.

Harden FTP service in Windows

Open Internet Information Services (IIS) Manager and work through the hardening features for the FTP service listed below.

FTP hardening features

  1. Disable anonymous logon.

    1. Create an FTP account.

      Click Start > Administrative Tools > Computer Management > Local Users and Groups, create a user, and configure a strong password for it (we recommend eight or more characters mixing uppercase and lowercase letters, digits and special characters; do not use birthdays, names in Pinyin or other common strings). Add the user to the Guests group only, rather than Users or Administrators, so that a compromised FTP password yields as little privilege on the host as possible.

    2. Disable the anonymous logon functionality.

      In IIS Manager, open FTP Authentication for the FTP site and disable Anonymous Authentication. Keep Basic Authentication enabled so that only accounts with a password can log on (and see step 7: Basic authentication sends the password in cleartext unless SSL is required).

      Disable anonymous authentication

  2. Enable a strong password security policy.

    In Windows, the strong password policy is managed by a group policy. You can open Local Group Policy Editor (gpedit.msc), click Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy, and then enable the Password must meet complexity requirements option.

    Enable complexity requirements for password

    After you enable the Password must meet complexity requirements option, the complexity check runs whenever a password is created or changed (existing passwords are not re-checked until they are changed). The password must then:

    • Not contain the user's account name, or parts of the user's full name longer than two consecutive characters.
    • Be at least six characters long.
    • Contain characters from at least three of the following four categories: English uppercase letters (A-Z), English lowercase letters (a-z), digits (0-9), and non-alphanumeric characters (such as “!”, “@”, “#” and “%”).

    Six characters is only the floor that this option enforces; set Minimum password length in the same Password Policy to eight or more characters to match the recommendation above.

      Note: We recommend that you implement this password policy for all authentication services in Windows.

  3. Enable the account lockout policy.

    Under Computer Configuration > Windows Settings > Security Settings > Account Policies > Account Lockout Policy, set Account lockout threshold (for example, five invalid logon attempts) together with Account lockout duration and Reset account lockout counter after. Locking an account after repeated failures stops online brute-force password guessing against the FTP service.

    Account lock out policy

  4. Enable FTP user isolation.

    FTP User Isolation confines each user to its own directory, so a user cannot browse or modify other users' directories and files. This limits what a compromised account can reach and defends against data leaks.

    FTP directory isolation

  5. Restrict the source IP addresses that may connect.

    In FTP IP Address and Domain Restrictions, add Allow rules for the client addresses or ranges that need access, and set access for unspecified clients to Deny so that everything not listed is rejected.

    Add allow restriction rule

  6. Configure authorization rules.

    In FTP Authorization Rules, grant each account only the permissions (Read, or Read and Write) it needs on the paths it needs, and remove any rule that grants access to All Users or to Anonymous Users unless your business requires it.

    Add authorization rule

  7. Enable SSL encryption for data transmission.

    Plain FTP sends the account name, the password and every file in cleartext, so anyone on the network path can capture the credentials you just hardened. Enable FTP over SSL/TLS (FTPS) for both the control channel and the data channel.

    1. Create a server certificate.

      Create a server certificate

    2. Apply the certificate: in FTP SSL Settings, select the created certificate and set the SSL policy to Require SSL connections, so that unencrypted sessions are refused rather than merely allowed to upgrade.

      Apply the server certificate

  8. Enable the logging feature.

    By default, FTP Logging is enabled in IIS Manager. Choose a log directory with enough free space, configure the rollover schedule or maximum file size to suit your disk, and keep the logs long enough that failed logons and uploads can be reviewed after an incident.

    Configure the FTP logging feature

Harden FileZilla FTP Server

FileZilla is a popular free, open-source FTP suite; FileZilla Server is its Windows server component, and many users build their FTP services on it. FileZilla Server provides its own security features for safe operation of an FTP service. See FileZilla FTP server security hardening for the FileZilla Server hardening solutions.

Harden vsftpd service in Linux

  1. Update vsftpd.

    Back up the vsftpd configuration (/etc/vsftpd/vsftpd.conf) and obtain the latest vsftpd package from your operating system vendor, for example with the yum update vsftpd command. Alternatively, download the latest vsftpd source package from http://vsftpd.beasts.org/#download and compile and install it.

  2. Disable the anonymous logon feature.

    1. Add a new user (the sample account here is “test”) and configure a strong password for it.

      useradd -m -d /home/test -s /sbin/nologin test

      • -s /sbin/nologin gives the account no shell, so the credentials work for FTP only and cannot be used to log on to the Linux shell.
      • -m -d /home/test creates a dedicated home directory; do not point several FTP accounts at a shared directory such as /home itself.
      • On most distributions /etc/pam.d/vsftpd includes pam_shells, which rejects accounts whose shell is not listed in /etc/shells. If the new user cannot log on to FTP, add /sbin/nologin to /etc/shells.

      passwd test

      Configure a strong password: eight or more characters, mixing uppercase and lowercase letters, digits and special characters. Do not use birthdays, names in Pinyin or other common strings as the password.

    2. Modify the vsftpd.conf configuration file.

      # vim /etc/vsftpd/vsftpd.conf

      Set anonymous_enable=NO (vsftpd's built-in default is YES, so an absent line is not safe) and keep local_enable=YES so that the accounts you created can log on. Anonymous logon is then disabled and every session must authenticate as a local user account. Restart the service for the change to take effect (service vsftpd restart, or systemctl restart vsftpd on systemd-based systems).

    3. Hide the version in the banner.

      By default the 220 greeting that vsftpd sends to every client includes its version string, which tells an attacker exactly which build to look up. Set ftpd_banner=Welcome in vsftpd.conf (any neutral text will do), and then restart the vsftpd service.

      After the service restarts, the banner information is displayed as follows:

      >ftp 192.168.10.200
      Connected to 192.168.10.200.
      220 Welcome
      User (192.168.10.200:(none)):
    4. Limit users that can log on to FTP services.

      Users listed in /etc/vsftpd/ftpusers (checked by PAM) and in /etc/vsftpd/user_list are denied access to the FTP service; by default these files contain system accounts such as root, bin and daemon. Add every other account that does not need FTP access to these files. The user_list file is only consulted when userlist_enable=YES; with userlist_deny=YES (the default) it is a denylist, and setting userlist_deny=NO turns it into an allowlist so that only the accounts named in it can log on, which is the stricter choice.

    5. Limit accessible directories for FTP users.

      Modify the vsftpd.conf configuration file as follows:

      chroot_list_enable=YES
      chroot_list_file=/etc/vsftpd/chroot_list

      Then create the /etc/vsftpd/chroot_list file and add one user name per line. For example, after user1 is added to the file and logs on to the FTP service, the session is confined (chrooted) to the user's home directory and cannot see the rest of the filesystem. This list applies with the default chroot_local_user=NO; if you instead set chroot_local_user=YES to confine all local users, the names in chroot_list become the exceptions that are not confined. Note that vsftpd 2.3.5 and later refuse a chroot whose root directory is writable by the user (“500 OOPS: vsftpd: refusing to run with writable root inside chroot()”); either remove write permission on the home directory itself and let users upload into a writable subdirectory, or set allow_writeable_chroot=YES.

    6. Modify the listening address and the default port.

      These options apply in standalone mode (listen=YES). For example, to listen only on port 8888 of IP address 1.1.1.1, modify the vsftpd.conf configuration file as follows:

      listen_address=1.1.1.1
      listen_port=8888

      Binding to a single internal address keeps the daemon off interfaces that do not need it. Moving the port away from 21 only reduces noise from scanners; it is not a substitute for restricting source addresses with Security groups or a firewall.
    7. Enable the logging feature.

      Modify the vsftpd.conf configuration file as follows to enable logging of file transfers:

      xferlog_enable=YES
      xferlog_std_format=YES

      To customize the log storage path, modify the configuration file as follows:

      xferlog_file=/var/log/ftplog

      The standard xferlog format records transfers only. To also record logons, failed logons and FTP commands, which is what you need in order to spot password guessing, add dual_log_enable=YES; vsftpd then writes its own detailed log to vsftpd_log_file (/var/log/vsftpd.log by default) in addition to the transfer log.
    8. Enable other security configurations in the file.

      # Limit the number of connections.
      max_clients=100
      max_per_ip=5
      # Limit the transfer rate (bytes per second; 81920 is 80 KB/s).
      anon_max_rate=81920
      local_max_rate=81920

      max_per_ip caps how many sessions a single source address may hold open, which slows brute-force attempts as well as abuse of the service; anon_max_rate has no effect once anonymous logon is disabled.
  3. If you do not need the FTP service, disable and stop it (for example, chkconfig vsftpd off and service vsftpd stop, or systemctl disable vsftpd and systemctl stop vsftpd on systemd-based systems).
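The vsftpd hardening steps above, pulled together as a configuration audit. This is an added example and is not part of the original page or of the vsftpd project: audit_vsftpd_conf reads a vsftpd.conf and flags the weak settings those steps address (anonymous logon left on or unset, anonymous uploads, no chroot, version banner, transfer logging off, user_list not consulted, no per-IP limit, listening on all interfaces), and in addition checks ssl_enable, which this page covers only for the Windows FTP service. The two sample configurations it writes are constructed for the demonstration; the listen address 192.0.2.10 and the certificate path in the hardened sample are placeholders, and the hardened sample confines all users with chroot_local_user=YES rather than the per-user chroot_list used above. A user_list kept as a denylist (the default) is accepted by the audit, matching step 4.

```shell
# Added example (not from the page or vsftpd): audit vsftpd.conf against the steps above.

# Value of option $2 in config $1. vsftpd applies the last assignment, so later lines win;
# commented-out lines never match. Prints nothing if the option is unset.
conf_get() {
  sed -n "s/^$2=//p" "$1" | tail -n 1 | tr -d '\r' | sed 's/[[:space:]]*$//'
}

# vsftpd accepts YES/yes/true/1 for boolean options.
is_on() {
  case "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" in
    YES|TRUE|1) return 0 ;;
    *) return 1 ;;
  esac
}

FINDINGS=0
finding() { FINDINGS=$((FINDINGS + 1)); printf 'WEAK  %s\n' "$1"; }

# Audit one config file. Returns 0 when clean, 1 otherwise; FINDINGS holds the count.
audit_vsftpd_conf() {
  f=$1
  FINDINGS=0
  [ -r "$f" ] || { printf 'cannot read %s\n' "$f" >&2; return 2; }
  v=$(conf_get "$f" anonymous_enable)
  if [ -z "$v" ] || is_on "$v"; then
    finding "anonymous_enable=${v:-<unset>}: anonymous logon allowed (built-in default is YES); set anonymous_enable=NO"
  fi
  if is_on "$(conf_get "$f" anon_upload_enable)" || is_on "$(conf_get "$f" anon_mkdir_write_enable)"; then
    finding "anonymous users may upload or create directories; set anon_upload_enable=NO and anon_mkdir_write_enable=NO"
  fi
  # chroot_local_user=YES confines everyone; chroot_list_enable=YES alone confines the listed users only.
  if ! is_on "$(conf_get "$f" chroot_local_user)" && ! is_on "$(conf_get "$f" chroot_list_enable)"; then
    finding "no chroot: local users can browse the whole filesystem; set chroot_local_user=YES or chroot_list_enable=YES"
  fi
  [ -n "$(conf_get "$f" ftpd_banner)" ] || finding "ftpd_banner unset: the 220 greeting reveals the vsftpd version; set ftpd_banner=Welcome"
  is_on "$(conf_get "$f" xferlog_enable)" || finding "xferlog_enable is not YES: transfers are not logged"
  # user_list is only consulted when userlist_enable=YES; userlist_deny=NO turns it into an allowlist.
  is_on "$(conf_get "$f" userlist_enable)" || finding "userlist_enable is not YES: user_list is ignored, only PAM's ftpusers applies"
  v=$(conf_get "$f" max_per_ip)
  if [ -z "$v" ] || [ "$v" = 0 ]; then
    finding "max_per_ip unset or 0: one client may hold unlimited sessions; set max_per_ip=5"
  fi
  is_on "$(conf_get "$f" ssl_enable)" || finding "ssl_enable is not YES: passwords and files cross the network in cleartext"
  [ -n "$(conf_get "$f" listen_address)" ] || finding "listen_address unset: the daemon listens on every interface"
  printf '%s: %d weak setting(s)\n' "$f" "$FINDINGS"
  [ "$FINDINGS" -eq 0 ]
}

# Constructed sample 1: a stock-style config with anonymous logon left enabled.
write_weak_sample() {
  cat >"$1" <<'EOF'
anonymous_enable=YES
anon_upload_enable=YES
local_enable=YES
write_enable=YES
xferlog_enable=NO
listen=YES
EOF
}

# Constructed sample 2: the hardening on this page applied, plus TLS.
# 192.0.2.10 and the certificate path are placeholders, not values from the page.
write_hardened_sample() {
  cat >"$1" <<'EOF'
listen=YES
listen_address=192.0.2.10
listen_port=8888
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
userlist_enable=YES
userlist_deny=NO
ftpd_banner=Welcome
xferlog_enable=YES
xferlog_std_format=YES
dual_log_enable=YES
max_clients=100
max_per_ip=5
local_max_rate=81920
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
rsa_cert_file=/etc/ssl/private/vsftpd.pem
EOF
}

# Demonstration on the two constructed files.
demo=$(mktemp -d)
write_weak_sample "$demo/weak.conf"
write_hardened_sample "$demo/hardened.conf"
for c in "$demo/weak.conf" "$demo/hardened.conf"; do
  audit_vsftpd_conf "$c" || true
done
rm -rf "$demo"
```

Run it against the real file with audit_vsftpd_conf /etc/vsftpd/vsftpd.conf; the exit status is 0 only when every check passes, so the function can gate a deployment or run from cron. The audit reads the configuration only: it does not confirm that PAM enforces ftpusers, that the nologin shell is listed in /etc/shells, or that the certificate named in rsa_cert_file exists, so those still need the manual checks described above.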
