FTP weak password and anonymous logon vulnerabilities generally involve an FTP-ready user enabling the anonymous logon functionality, or using a system password that is too short or not complex enough (only containing numbers or letters), which makes the system vulnerable to hacker attacks, unauthorized file uploading, or more serious intrusions.
Hackers exploit the weak passwords or anonymous logon vulnerability to directly log on to the FTP service and upload malicious files to take system privileges, which causes data leaks.
Different FTP service software have different daemons for the FTP service. This resolution uses the FTP service in Windows Server 2008 and the vsftpd service in Linux as examples of how to harden the FTP service.
Make sure that you use the latest version of the FTP service software. We recommend that you pay attention to official patch releases and apply the updates in time.
Open Internet Information Services (IIS) Manager, check all the hardening features for the FTP service.
Disable anonymous logon.
Create an FTP account.
Click Start > Management Tools > Computer Management > Local Users and Groups, create a user, and then configure a strong password for the user (We recommend that you use a password that contains eight or more characters, uppercase and lowercase letters, special characters and numbers. Do not use birthdays, names in Pinyin and other common strings as the password). Set the user to the Guests group.
Disable the anonymous logon functionality.
Disable the Anonymous Authentication mode in FTP Authentication in Internet Information Services (IIS) Manager.
Enable a strong password security policy.
In Windows, the strong password policy is managed by a group policy. You can open Local Group Policy Editor (gpedit.msc), click Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy, and then enable the Password must meet complexity requirements option.
After enabling the Password must meet complexity requirements option, the complexity policy check is executed when you change or create a user password. The password must meet the following minimum requirements:
- The password cannot contain an account name.
- The password cannot contain more than two consecutive characters in the user name.
- The password must have at least six characters.
The password must contain at least three of the following four types of characters: English uppercase letters (A-Z), English lowercase letters (a-z), ten numbers (0-9), and special characters (such as “!”, “@”, “#” and “%”).
Note: We recommend that you implement this password policy for all authentication services in Windows.
Enable the policy for handling account logon failures.
This policy enforces failure handling for accounts to prevent brute force password cracking.
Enable the FTP directory isolation feature.
This feature prevents unauthorized access to other user directories and files, and defends against data leaks.
Specify accessing IP addresses.
Enable the authorization policy.
You can configure rules for user access and permissions based on your business requirements.
Enable SSL encryption for data transmission.
Create a server certificate.
Apply the created certificate.
Enable the logging feature.
By default, the FTP logging feature under IIS Manager is enabled, and you can configure the log space size and other policies based on your available disk space.
FileZilla Server is a popular open-source free FTP client and server program. Many users use the software to build their FTP services. FileZilla Server provides relevant security features to facilitate safe usage of FTP services. See FileZilla FTP server security hardening for FileZilla Server hardening solutions.
Install the patch.
Back up the vsftp application configuration and contact your operating system vendor to get the latest version of the vsftp software package. To upgrade and install the software, go to http://vsftpd.beasts.org/#download to download the latest version of VSFTP source package for compilation and installation. Or you can use the
yum update vsftpdcommand to update the software.
Disable the anonymous logon feature.
Add a new user “test” and configure a strong password for the user.
useradd -d /home -s /sbin/nologin <test>
- Specifically, the
/sbin/nologinparameter indicates that you cannot log on to the Linux shell environment.
testis the sample account.
Configure a strong password. The password must contain eight or more characters and is comprised of uppercase and lowercase letters, special characters and numbers. Do not use birthdays, names in Pinyin and other common strings as the password.
- Specifically, the
Modify the vsftpd.conf configuration file.
anonymous_enable=NO. The anonymous logon feature is disabled and you have to create a user, and then log on to the system through the authentication for the user account.
Disable displaying banner information.
Modify the VSFTP configuration file vsftpd.conf. Modify the statement as
ftpd_banner=Welcomein the configuration file, and then restart the VSFTP service.
After the service restarts, the banner information is displayed as follows:
Connected to 192.168.10.200.
Limit users that can log on to FTP services.
Users listed in the “ftpusers” and “user_list” files are not allowed to access FTP services, such as root, bin, and daemon. Users other than those who need to log on to the FTP service is added to these files.
Limit accessible directories for FTP users.
Modify the vsftpd.conf configuration file as follows:
Then, create the
/etc/vsftpd/chroot_listfile, and add user names to the file. For example, add user1 to the file, that means after user1 logs on to the FTP service, the user is only allowed to perform actions in the “home” directory.
Modify the listening address and the default port.
For example, modify the vsftpd.conf configuration file to set the 8888 port of IP 188.8.131.52 for listening.
Enable the logging feature.
Modify the vsftpd.conf configuration file as follows to enable the logging feature.
To customize the log storage path, modify the configuration file as follows.
Enable other security configurations in the file.
\\Limit the number of connections.
\\Limit the transmission speed.
If you do not need the service, we recommend that you disable the FTP service.