Comprehensively improve Serv-U Security Configuration

Source: Internet
Author: User
Tags: default ftp port domain list

I. Two points of attention during installation

When installing Serv-U, avoid the default directory C:\Program Files\Serv-U and choose a directory that is not easy to guess. When selecting components, install only "Server program files" and "Administrator program files"; the "ReadMe and Version text files" and "Online help files" components do not need to be installed. The same "sufficient" principle applies when installing other application software, especially server software: install only the components that are actually needed.

TIPS: In the latest version, the ReadMe and online help items are no longer offered as optional components for the user to choose during installation.

II. Initial setting is especially important

When Serv-U is started for the first time, a wizard for creating a domain and an account opens automatically. An account created by this wizard may introduce unknown security issues, so we recommend clicking "Cancel" and creating the account manually.

Once Serv-U is running, the default administrator password must be changed, because it is blank by default. Click "Set/Change Password" on the main interface; in the "Set or change administrator password" window that opens, enter the password you want in both the "New Password" and "Repeat new password" fields. Make sure the password is complex (Figure 1). After this, the password must be entered before local server settings can be changed.


III. Account settings must be carefully configured

1. Account expiration time

For new accounts, set permissions carefully. First, if an account should only be valid for a limited time, set the automatic "Remove" time for the account in the "Account" tab. This is mainly intended for temporary account users.

2. Prevent large-capacity file attacks

Second, limit the maximum transfer speed to prevent large-file attacks. Switch to the "General" tab: the "Maximum upload speed" and "Maximum download speed" fields are blank by default, which means there is no limit. An attacker can exploit this by sending very large files, causing FTP processing to fail so that the program stops responding or shuts down. Enter a speed limit (in KB/second) as needed; generally, it is recommended that you enter a value of about KB/second. In addition, set "Idle time-out" and "Session time-out" to about 10 minutes (Figure 2).


3. Directory access permission

In general, users should not be granted excessive permissions, so select only the operation types the account actually needs in the "Directory Access" tab, based on the account type. In particular, do not grant the "Execute" (run) permission to any user: an attacker who has obtained a webshell could otherwise easily run an attack program and disrupt the normal operation of Serv-U.

4. Restrict access sources

Generally, the IP address a user logs in from is relatively fixed. Even when a user has a dynamic IP address, such as an ADSL connection, the automatically assigned address falls within a relatively fixed range. Switch to the "IP Access" tab, set "Edit rule" to "Allow access", enter the IP address or address range that should be allowed, and click "Add"; repeat this to add multiple rules.

In addition, the server logs can be checked for unknown IP addresses, which can then be added to the "Access Denied" list.

IV. Enable SSL

By default, Serv-U transmits data in plain text, which is easily captured by sniffing tools. To prevent this, enable SSL encryption.

First, select "Settings" under "Local Server" on the left side of the Serv-U management window, then open the "SSL Certificate" tab on the right, enter the actual FTP address in "Common name", and fill in the other fields as needed. Then click "Apply" to create the SSL certificate.

Next, select the domain you created in the domain list, choose the "Allow SSL/TLS sessions only" option in the "Security" drop-down menu on the right, and click "Apply" to enable SSL encryption for the current domain.

Note that after SSL encryption is enabled, the default FTP port changes from 21 to 990. Users must be informed of this; otherwise they will not be able to connect to the FTP server.

V. Carefully check logs

When a user accesses the FTP server, Serv-U faithfully records the details, including the IP address, connection time, disconnection time, and the files uploaded and downloaded. In the management window, select the domain to inspect on the left, select the "Activity" item, and then select "Domain log" on the right. The detailed log information displayed there can be used to determine whether a malicious attack has taken place.
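As an added example (not part of the original article and not Serv-U's own code), the following Python script shows the kind of review the "IP Access" and log sections describe: it parses a constructed sample of connection log lines, flags client addresses that fall outside the configured "Allow access" ranges (candidates for the "Access Denied" list), counts failed logins per address, and lists unusually large transfers of the kind the speed limit is meant to contain. The log line layout, the addresses, the session ids and the allowed ranges are all constructed assumptions; against a real Serv-U domain log the regular expressions must be adapted to its actual format.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log, labelled as such. It carries the fields the article says
# Serv-U records (client IP, connection and disconnection time, transferred files);
# the exact line layout of a real Serv-U domain log is an assumption for this example.
SAMPLE_LOG = """\
[1] Tue 05Mar24 09:12:01 - (000023) Connected to 192.168.1.25 (local address 192.168.1.2, port 21)
[1] Tue 05Mar24 09:12:03 - (000023) User "alice" logged in
[1] Tue 05Mar24 09:14:10 - (000023) Received file /incoming/report.xlsx successfully (1234 KB)
[1] Tue 05Mar24 09:15:00 - (000023) Closed session
[1] Tue 05Mar24 09:20:11 - (000024) Connected to 203.0.113.77 (local address 192.168.1.2, port 21)
[1] Tue 05Mar24 09:20:12 - (000024) User "admin" login failed
[1] Tue 05Mar24 09:20:14 - (000024) User "admin" login failed
[1] Tue 05Mar24 09:20:16 - (000024) User "ftp" login failed
[1] Tue 05Mar24 09:20:17 - (000024) Closed session
[1] Tue 05Mar24 09:31:40 - (000025) Connected to 10.8.3.9 (local address 192.168.1.2, port 21)
[1] Tue 05Mar24 09:31:41 - (000025) User "bob" logged in
[1] Tue 05Mar24 09:40:05 - (000025) Sent file /pub/archive.zip successfully (524288 KB)
[1] Tue 05Mar24 09:40:06 - (000025) Closed session
"""

# Ranges the administrator entered as "Allow access" rules (constructed values).
ALLOWED_SOURCES = ["192.168.1.0/24", "10.8.0.0/16"]

# Patterns for the constructed layout above: session id in parentheses, then the event.
CONNECT_RE = re.compile(r"\((\d+)\) Connected to (\d{1,3}(?:\.\d{1,3}){3})")
FAILED_RE = re.compile(r'\((\d+)\) User "([^"]+)" login failed')
TRANSFER_RE = re.compile(r"\((\d+)\) (Received|Sent) file (\S+) successfully \((\d+) KB\)")


def session_sources(log_text):
    """Map each session id to the client IP address that opened it."""
    sources = {}
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            sources[m.group(1)] = ipaddress.ip_address(m.group(2))
    return sources


def unknown_sources(log_text, allowed):
    """Client IPs that connected but lie outside every allowed range."""
    nets = [ipaddress.ip_network(cidr) for cidr in allowed]
    unknown = {
        str(ip) for ip in session_sources(log_text).values()
        if not any(ip in net for net in nets)
    }
    return sorted(unknown)


def failed_logins_by_ip(log_text):
    """Count failed login attempts per client IP, resolved through the session id."""
    sources = session_sources(log_text)
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m and m.group(1) in sources:
            counts[str(sources[m.group(1)])] += 1
    return dict(counts)


def large_transfers(log_text, threshold_kb):
    """(ip, direction, path, size_kb) for every transfer at or above threshold_kb."""
    sources = session_sources(log_text)
    found = []
    for line in log_text.splitlines():
        m = TRANSFER_RE.search(line)
        if m and int(m.group(4)) >= threshold_kb:
            found.append((str(sources[m.group(1)]), m.group(2), m.group(3), int(m.group(4))))
    return found


if __name__ == "__main__":
    print("Sources outside allowed ranges:", unknown_sources(SAMPLE_LOG, ALLOWED_SOURCES))
    print("Failed logins per IP:", failed_logins_by_ip(SAMPLE_LOG))
    print("Transfers of 100 MB or more:", large_transfers(SAMPLE_LOG, 100_000))
```

Addresses are resolved through the session id rather than taken from each event line, because only the "Connected to" line carries the client IP; the allowed-range test uses the standard library's ipaddress module so that a CIDR entered as an "Allow access" rule is matched the same way the server would match it.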

Vi. Upgrade

Every patch release fixes some defects. Therefore, follow security news whenever possible and apply patch upgrades promptly. This is a general rule in network security.
