FileZilla is free, cross-platform FTP software consisting of FileZilla Client and FileZilla Server. This article is based on FileZilla Server version 0.9.59 and describes a set of effective hardening measures for it.
Note: Most of the following configurations are made at Edit > Settings > FileZilla Server Options in FileZilla Server.
By default, the server administrator password is empty, so anyone who can reach the admin interface has full control of the server. Set a strong password (for example, 14 or more characters including at least two of the following types: uppercase letters, lowercase letters, numbers, and special symbols), and keep the admin interface (TCP port 14147 by default) reachable only from localhost or trusted management hosts.
By default, the welcome message that a client receives on connecting includes the server version. Hiding the version does not remove any vulnerability, but it stops scanners from fingerprinting the exact build for free and raises the effort needed for a targeted attack.
Go to General settings > Welcome message.
Remove the %v variable from the Custom welcome message input box on the right, or replace all the text with your own text.
In addition, we recommend that you check the Hide welcome message in log option so that the banner is not repeated in every session's log entries.
We recommend that you bind the FTP service only to the address on which it is actually needed. For example, if the service is used only within the intranet, do not bind it to the Internet-facing address of the server.
Go to General settings > IP Bindings.
Change the default value (*, meaning all interfaces) in the right window to the specific address the service should listen on, such as the server's intranet address. Note that 127.0.0.1 only accepts clients running on the server itself.
We recommend that you use the global IP filter to restrict access.
Go to General settings > IP Filters.
Enter the IP addresses to be blocked in the upper-right window, and enter the exceptions (addresses that are allowed despite the block list) in the lower-right window. Entries can be single addresses, CIDR ranges, or wildcards such as 192.168.1.*.
Usually you block everything by entering the default value (*) in the block list, and then add a small number of allowed addresses as exceptions. For example, with the settings shown in the following figure, only the 192.168.1.0/24 segment is allowed to access the FTP service.
In addition, FileZilla Server also supports user-level and user-group-level IP address filters.
Go to Edit > Users/Groups, and open the corresponding settings page.
Find IP Filters on the page, select the user or group, and then set the IP addresses to allow or deny. The syntax is the same as for the global IP filter; a client must pass both the global filter and the user-level filter to log in.
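The following added example (not from the original article or from the FileZilla project) models the filter semantics described above so that you can sanity-check a policy before applying it: a block list with an exception list, evaluated first globally and then per user. The evaluation order (global filter first, then user filter, both must pass) and the interpretation of dotted wildcards such as 192.168.1.* as a /24 are assumptions; the policies themselves are constructed for illustration.

```python
import ipaddress


def parse_filter_entry(entry):
    """Turn one filter entry into an ip_network, or None for '*' (matches everything).
    Accepted forms: '*', a single address, CIDR (192.168.1.0/24), or a dotted
    wildcard such as 192.168.1.* (assumed here to mean 192.168.1.0/24)."""
    entry = entry.strip()
    if entry == "*":
        return None
    if "*" in entry:
        parts = entry.split(".")
        fixed = [p for p in parts if p != "*"]
        # Only trailing wildcards are supported, e.g. 10.1.*.* but not 10.*.1.*
        if len(parts) != 4 or not fixed or parts[len(fixed):] != ["*"] * (4 - len(fixed)):
            raise ValueError(f"unsupported wildcard entry: {entry!r}")
        prefix = ".".join(fixed + ["0"] * (4 - len(fixed)))
        return ipaddress.ip_network(f"{prefix}/{8 * len(fixed)}")
    return ipaddress.ip_network(entry, strict=False)


def entry_matches(entry, addr):
    net = parse_filter_entry(entry)
    return net is None or addr in net  # version mismatch (v4 vs v6) simply does not match


def filter_allows(addr, deny, allow):
    """One filter page: the address is blocked if it matches any deny entry,
    unless it also matches an allow entry (the allow list holds the exceptions)."""
    denied = any(entry_matches(e, addr) for e in deny)
    allowed = any(entry_matches(e, addr) for e in allow)
    return allowed or not denied


def connection_allowed(client_ip, global_filter, user_filter=None):
    """Assumed evaluation order: global filter first, then the per-user/group filter;
    the client must pass both. Each filter is a (deny_list, allow_list) pair."""
    addr = ipaddress.ip_address(client_ip)
    if not filter_allows(addr, *global_filter):
        return False
    if user_filter is not None and not filter_allows(addr, *user_filter):
        return False
    return True


# Constructed example policies (not from the article): default-deny globally with the
# office segment as the exception, and one user restricted to a single jump host.
GLOBAL_FILTER = (["*"], ["192.168.1.0/24"])
ALICE_FILTER = (["*"], ["192.168.1.10"])

if __name__ == "__main__":
    for ip in ("192.168.1.25", "10.0.0.5", "2001:db8::1"):
        print(ip, "global:", connection_allowed(ip, GLOBAL_FILTER),
              "alice:", connection_allowed(ip, GLOBAL_FILTER, ALICE_FILTER))
```

Run it against your own intended policy; the useful cases to check are an address just outside the allowed segment and an IPv6 client, which the dotted-decimal entries never match.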
An FTP bounce attack abuses the PORT command, the same mechanism that makes FXP (server-to-server) transfers possible: a client sends a PORT command naming a third-party host, and the server then opens the data connection to that host, letting the attacker scan or reach it from the server's address.
We recommend that you enable the bounce attack mitigation option. With it, FileZilla Server checks that the peer IP address of the data connection matches the peer IP address of the control connection and refuses the transfer on a mismatch. Note that this also disables legitimate FXP transfers, which is acceptable for almost all deployments.
Go to General settings > Security settings.
For Protection level, check Require matching peer address of control and data connection.
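To make the check concrete, here is an added example (not FileZilla's code and not from the original article) of the decision a server makes when it receives a PORT command, with the matching-peer check switched on and off. The reply texts are constructed for illustration rather than copied from FileZilla Server.

```python
import ipaddress
import re

PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)


def parse_port_command(command):
    """Decode 'PORT h1,h2,h3,h4,p1,p2' into (host, port); raise ValueError if malformed."""
    m = PORT_RE.match(command.strip())
    if not m:
        raise ValueError(f"malformed PORT command: {command!r}")
    octets = [int(x) for x in m.group(1).split(",")]
    if any(o > 255 for o in octets):
        raise ValueError(f"value out of range in: {command!r}")
    host = ".".join(str(o) for o in octets[:4])
    port = octets[4] * 256 + octets[5]
    return host, port


def data_connection_decision(control_peer_ip, command, require_matching_peer=True):
    """Return (accepted, reply). With require_matching_peer=True the server refuses any
    PORT target that is not the control connection's own peer, which is what the
    'Require matching peer address' option does. Without it, the bounce target is accepted."""
    try:
        host, port = parse_port_command(command)
    except ValueError:
        return False, "501 Syntax error in parameters or arguments"
    if port == 0:
        return False, "501 Invalid data port"
    if require_matching_peer and ipaddress.ip_address(host) != ipaddress.ip_address(control_peer_ip):
        return False, "501 PORT address does not match the control connection peer"
    return True, f"200 PORT command successful (data connection to {host}:{port})"


if __name__ == "__main__":
    peer = "192.168.1.5"                      # constructed: the client's real address
    honest = "PORT 192,168,1,5,4,1"           # client asks for its own host, port 1025
    bounce = "PORT 10,0,0,7,0,25"             # client asks the server to connect to 10.0.0.7:25
    for cmd in (honest, bounce):
        print(cmd, "->", data_connection_decision(peer, cmd))
        print(cmd, "(check disabled) ->", data_connection_decision(peer, cmd, False))
```

The second case is the bounce: with the check disabled the server would happily connect to 10.0.0.7 on port 25 on the client's behalf.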
By default, the server disconnects a client after several failed authentication attempts, but nothing stops the client from reconnecting and trying again. With the following settings you can temporarily ban a client IP address that accumulates too many failed logons, which blunts brute-force attempts.
- Go to Autoban.
With the settings shown in the following figure, an IP address is banned after 10 failed logon attempts within one hour, and the ban lasts one hour.
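Autoban only acts on the live connection; to see which sources were hammering the server before the ban kicked in, or to verify the threshold against real traffic, the same rule can be run over the log file. The following is an added example (not part of the original article or of FileZilla Server): it parses lines in the shape of FileZilla Server 0.9.x logs, counts "530 Login or password incorrect!" replies per source address in a sliding one-hour window, and reports the addresses that would have tripped the 10-attempt rule. The log lines are constructed for the example, and the exact log format is modeled on 0.9.x rather than taken from the article.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# (session)MM/DD/YYYY hh:mm:ss AM/PM - (user) (ip)> message
LINE_RE = re.compile(
    r"^\((?P<sess>\d+)\)(?P<ts>\d{2}/\d{2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) - "
    r"\((?P<user>[^)]*)\) \((?P<ip>[\d.]+)\)> (?P<msg>.*)$"
)
FAIL_MARKER = "530 Login or password incorrect!"


def parse_line(line):
    """Return a dict with ts, user, ip and msg, or None for lines that are not session lines."""
    m = LINE_RE.match(line.rstrip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p"),
        "user": m["user"],
        "ip": m["ip"],
        "msg": m["msg"],
    }


def brute_force_sources(lines, attempts=10, window=timedelta(hours=1)):
    """Map each source IP that had `attempts` failures inside any `window` to the time
    of the failure that crossed the threshold (the moment Autoban would have banned it)."""
    fails = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["msg"].startswith(FAIL_MARKER):
            fails[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in fails.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= attempts:
                flagged[ip] = t
                break
    return flagged


def constructed_log():
    """Constructed sample: one fast guesser, one slow guesser, one user with a typo."""
    base = datetime(2016, 3, 1, 10, 0, 0)
    out = []

    def fail(ip, when, sess):
        ts = when.strftime("%m/%d/%Y %I:%M:%S %p")
        out.append(f"({sess:06d}){ts} - (not logged in) ({ip})> USER admin")
        out.append(f"({sess:06d}){ts} - (not logged in) ({ip})> {FAIL_MARKER}")

    for i in range(12):   # 12 failures in under six minutes
        fail("192.168.1.5", base + timedelta(seconds=30 * i), 100 + i)
    for i in range(12):   # 12 failures spread 30 minutes apart: never 10 in one hour
        fail("10.0.0.3", base + timedelta(minutes=30 * i), 200 + i)
    fail("192.168.1.9", base, 300)
    ts = (base + timedelta(seconds=20)).strftime("%m/%d/%Y %I:%M:%S %p")
    out.append(f"(000301){ts} - (alice) (192.168.1.9)> 230 Logged on")
    return out


if __name__ == "__main__":
    for ip, when in brute_force_sources(constructed_log()).items():
        print(f"{ip} would have been banned at {when:%Y-%m-%d %H:%M:%S}")
```

Point it at a real log (one logfile per day keeps the input small) by reading the file into `lines`; the slow guesser in the sample shows why a longer window or a lower threshold may be appropriate for an Internet-facing server.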
FileZilla Server does not provide an option to enforce password complexity. Its users are created by the administrator through the management interface, and users cannot change their own password through FTP commands.
Therefore, the administrator must choose a strong, unique password when adding each user, and should rotate passwords that may have been exposed.
FileZilla Server supports directory-level access permissions. For each shared directory you can grant a user or group the following: for files, Read, Write, Delete, and Append; for directories, Create, Delete, List, and + Subdirs (apply to subdirectories).
We recommend that you assign these permissions according to the principle of least privilege (POLP): grant only what each account needs for its task, for example Read and List for a download-only account, or Write and Append without Delete for an upload drop folder.
Note: You must add an account and group first to perform the authorization operation.
FileZilla Server supports FTP over TLS (FTPS). If you do not have a certificate, you can use the built-in certificate generation feature to create a self-signed one; clients must then explicitly trust that certificate, so prefer a certificate from a CA your clients already trust where possible.
Enable FTP over TLS support in the FTP over TLS settings, and for each user check Force TLS for user login so that credentials are never sent in clear text; the global Disallow plain unencrypted FTP option enforces this for every account. Also enable Force PROT P so that data transfers, not only the control channel, are encrypted.
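After hiding the version (the welcome-message change above) and forcing TLS, it is worth checking the result from the outside. The following added example (not from the original article or from the FileZilla project) connects to a server with Python's standard `ftplib`, reads the banner, and sends a USER command on the plaintext control connection: a server that forces TLS for logon answers USER with a 530 reply before any password is sent, while a server that still accepts plain FTP answers 331. The host, port and probe user name are assumptions you pass in; the two pure helper functions run offline on the constructed replies shown.

```python
import ftplib
import re
import sys

# The %v expansion produces text such as "FileZilla Server version 0.9.59 beta".
VERSION_RE = re.compile(r"\bversion\s+\d+(?:\.\d+)+", re.IGNORECASE)


def banner_leaks_version(banner):
    """True if the 220 welcome text still contains a version number."""
    return bool(VERSION_RE.search(banner))


def plain_login_refused(user_reply):
    """True when the reply to USER on a plaintext connection is a 530, i.e. the server
    refuses to proceed with logon until the connection is upgraded with AUTH TLS."""
    return user_reply.startswith("530")


def audit_server(host, port=21, probe_user="probe", timeout=5):
    """Connect without TLS, collect the banner and the reply to USER, and return findings.
    probe_user is an assumed account name; only the reply to USER is examined and no
    password is ever sent."""
    ftp = ftplib.FTP()
    banner = ftp.connect(host, port, timeout=timeout)   # returns the 220 welcome text
    try:
        try:
            reply = ftp.sendcmd("USER " + probe_user)
        except ftplib.error_perm as exc:                 # 5xx replies raise; text is the reply
            reply = str(exc)
    finally:
        try:
            ftp.quit()
        except (OSError, ftplib.Error):
            pass
    return {
        "banner": banner,
        "leaks_version": banner_leaks_version(banner),
        "forces_tls": plain_login_refused(reply),
        "user_reply": reply,
    }


# Constructed replies for offline checks (not captured from a real server).
UNHARDENED_BANNER = "220-FileZilla Server version 0.9.59 beta\n220 Welcome"
HARDENED_BANNER = "220 Authorised access only"
UNHARDENED_USER_REPLY = "331 Password required for probe"
HARDENED_USER_REPLY = "530 This server does not allow plain FTP. Use FTP over TLS."

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for key, value in audit_server(target).items():
        print(f"{key}: {value}")
```

A hardened server should report `leaks_version: False` and `forces_tls: True`. The probe only observes the USER reply, so it works whether or not the probe account exists, and it never sends a password.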
FileZilla Server does not write a log file by default. To be able to trace events such as logons, transfers and failed authentication, we recommend that you enable logging to file and select the option to use a different logfile each day, so that no single file grows too large and old days can be archived or rotated.
In addition, check the Don't show passwords in message log option under Miscellaneous so that passwords typed by clients never end up in the log or on the administrator's console.