Stable FTP server creation

I. Operating System Selection
The FTP server runs on top of the operating system, so the security of the operating system sets the upper bound on the security of the FTP server. An FTP server can be set up on Windows 98/Me in the same way, but those systems are insecure and easily compromised, so it is best not to use them. Windows NT is of marginal value. It is best to use Windows 2000 or later, and remember to apply patches promptly. Unix and Linux are not discussed here.
II. Use a Firewall
A port is the logical interface that connects a computer to the external network and is the computer's first line of defense. Whether ports are configured correctly directly affects the security of the host. In general, open only the ports you need; blocking unnecessary ports is safer. There are many ways to restrict ports, including third-party personal firewalls. Here we only introduce the firewall facilities that come with Windows.
1. Use the TCP/IP filtering function
Windows 2000 and Windows XP provide a TCP/IP filtering function that lets you restrict ports easily. Taking Windows XP as an example: open the properties of "Local Area Connection", find "Internet Protocol (TCP/IP)" on the "General" tab, and double-click it to open the protocol's property window. Click "Advanced" in the lower-right corner to open "Advanced TCP/IP Settings". On the "Options" tab, select "TCP/IP filtering" and double-click it to open its properties. Here you can restrict the system to only the ports you allow. If the FTP server is configured on port 21, first check "Enable TCP/IP Filtering (All adapters)", then select "Permit Only" for TCP ports, click "Add", enter port number 21, and click OK. The system now allows only port 21 to be opened; to open other ports, add them in the same way. This effectively blocks the most common intrusion path, port 139. The drawback is that the function is too simple: you can only list permitted ports, not ports to block, and if you have many ports to open you must add them one by one by hand, which is tedious.
2. Enable the Internet Connection Firewall
Windows XP provides the "Internet Connection Firewall", which is more convenient and more powerful than TCP/IP filtering: in addition to the built-in rules for opening ports, you can add or delete ports yourself. Open "Network Connections" in Control Panel, right-click the dial-up connection, go to the "Advanced" tab, and check "Protect my computer and network by limiting or preventing access to this computer from the Internet". By default the FTP port is blocked, so you must configure the firewall to open the FTP port you use. Click "Settings" in the lower-right corner to open "Advanced Settings", select "FTP Server", and click "Edit". Because the FTP service's default port is 21, the port fields of this entry cannot be changed; fill in the server's public IP address in the IP address field. After confirming, exit; the change takes effect immediately. If the FTP server uses a different port, such as 22, click "Add" on the "Services" tab, enter a service name and the public IP address, and set both the external and internal port numbers to 22.
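Whichever of the two methods above you use, the setting is only worth as much as what the host actually answers on afterwards. The following script is an added example (not from the original article) that probes a list of TCP ports from outside and compares the result with the allowlist you configured, so that a port the filter should have blocked shows up as "unexpected_open". The target address, the port list and the allowlist are constructed sample values; run it from another machine against your server's public address after applying the filter.

```python
"""Audit which TCP ports a host really accepts against the configured allowlist.

Added example, not from the original article. Assumes you point it at your
own server; the host, ports and allowlist below are constructed samples."""
import socket
from typing import Dict, Iterable, List, Tuple


def probe_port(host: str, port: int, timeout: float = 0.5) -> bool:
    """Return True if a TCP connection to host:port completes (port reachable)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit_ports(host: str, ports: Iterable[int], allowlist: Iterable[int]) -> Dict[str, List[int]]:
    """Probe each port and sort it into one of four buckets.

    unexpected_open : reachable although not on the allowlist (filter failed)
    expected_open   : reachable and on the allowlist
    expected_closed : on the allowlist but not reachable (service down or rule wrong)
    closed          : not on the allowlist and not reachable (what we want)
    """
    allowed = set(allowlist)
    report: Dict[str, List[int]] = {
        "expected_open": [], "unexpected_open": [], "expected_closed": [], "closed": []}
    for port in sorted(set(ports)):
        reachable = probe_port(host, port)
        if reachable and port in allowed:
            report["expected_open"].append(port)
        elif reachable:
            report["unexpected_open"].append(port)
        elif port in allowed:
            report["expected_closed"].append(port)
        else:
            report["closed"].append(port)
    return report


def open_test_listener() -> Tuple[socket.socket, int]:
    """Start a listener on an ephemeral loopback port so the audit can be tried locally."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def find_closed_port() -> int:
    """Reserve an ephemeral port and release it, yielding a port that refuses connections."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    # Constructed sample: the ports the article mentions (21, 139) plus a few
    # others commonly found open on a Windows host. Only 21 should answer.
    TARGET = "127.0.0.1"      # assumption: auditing the local machine
    ALLOWLIST = [21]
    PORTS_TO_CHECK = [21, 22, 80, 135, 139, 445, 3389]
    result = audit_ports(TARGET, PORTS_TO_CHECK, ALLOWLIST)
    for bucket, ports in result.items():
        print(f"{bucket:16s} {ports}")
    if result["unexpected_open"]:
        print("WARNING: reachable ports outside the allowlist:", result["unexpected_open"])
```

A port that shows up under "unexpected_open" means the filter or firewall rule is not doing what the GUI suggests; re-check the rule before exposing the server. Note that TCP/IP filtering only affects the local host's own interfaces, so probing from the same machine over loopback is not a substitute for probing from outside.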
III. Settings of Server Software such as IIS and Serv-U
Besides the security measures the operating system provides, you must also use the FTP server software's own settings to improve the security of the whole server.
1. IIS Security Settings
1) Install new patches promptly
IIS security vulnerabilities are widely known; on average one or two new ones appear every two or three months. Fortunately, Microsoft releases patches for newly discovered vulnerabilities, so you must keep updating and install the latest patches.
2) Install to a non-system disk and disable unnecessary services
Malicious users can gain access to the system through IIS overflow vulnerabilities. If IIS is installed on the system partition, such access reaches both IIS and the system files, making it easy for an intruder to break into the system partition. In addition, because IIS is a bundle of several services, every service you enable reduces the security of the whole server, so do not install or start services you do not need.
3) Allow only anonymous connections
FTP's biggest weakness is that, by default, passwords are transmitted in plaintext and are therefore easy to sniff. IIS authenticates FTP users against Windows user accounts, so a system account name and password can easily leak; if that account has any administrative permissions, the security of the whole system is affected. Setting "Allow anonymous connections only" avoids the risk of leaking credentials in transit. Open the properties of "Default FTP Site" and select this option on the "Security Accounts" tab.
4) Set the home directory and its permissions carefully
IIS allows the FTP site's home directory to be a shared directory on another computer in the LAN. However, shared directories in a LAN are vulnerable to virus attacks from other computers, which in severe cases can paralyze the whole LAN. It is better to use a local directory and place the home directory on a non-system partition formatted with NTFS. You can then set permissions on each directory for different groups or users: right-click the directory, open "Sharing and Security → Security", and do not grant "Write" permission unless it is necessary.
5) Try not to use the default port number 21
6) Enable logging so that the cause of any exception can be investigated.
2. Security Settings of Serv-u
Compared with the FTP service in IIS, Serv-U performs better in terms of security.
1) Set up the "Local Server"
First, select "Block FTP_bounce attacks and FXP". Normally, when FTP transfers a file, the client first sends a PORT command to the server containing the client's IP address and the port number it will use for the data transfer; the server then connects to that address to transfer the data. In most cases this causes no problem, but a malicious client can put a different address in the PORT command so that the FTP server opens a connection to a machine other than the client. Even if the malicious user cannot reach that machine directly, if the FTP server can, the user can use the FTP server as an intermediary and still reach the target. This is FXP, also known as a cross-server attack; selecting this option prevents it.
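The Serv-U option above is a checkbox, but the check behind it is simple enough to show in code. The following is an added example, not Serv-U's code or anything from the original article: it parses the `h1,h2,h3,h4,p1,p2` argument of a PORT command and accepts it only when the data address equals the address of the control connection and the port is not a privileged one, which is exactly the condition that rules out the bounce/FXP case. The function names and the sample client address and commands are constructed for this example.

```python
"""Server-side validation of FTP PORT commands against the bounce (FXP) attack.

Added example, not Serv-U's implementation. Function names and sample
addresses are constructed; 203.0.113.0/24 and 198.51.100.0/24 are
documentation ranges."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


class BadPortCommand(ValueError):
    """Raised when the PORT argument is malformed."""


def parse_port_argument(arg: str) -> Tuple[str, int]:
    """Turn 'h1,h2,h3,h4,p1,p2' into ('h1.h2.h3.h4', p1*256 + p2)."""
    parts = arg.strip().split(",")
    if len(parts) != 6:
        raise BadPortCommand(f"expected 6 comma-separated numbers, got {len(parts)}")
    try:
        nums = [int(p) for p in parts]
    except ValueError as exc:
        raise BadPortCommand("non-numeric field") from exc
    if any(not 0 <= n <= 255 for n in nums):
        raise BadPortCommand("field out of 0..255 range")
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return host, port


@dataclass
class PortDecision:
    accepted: bool
    reason: str
    target: Optional[Tuple[str, int]] = None


def check_port_command(peer_ip: str, arg: str, min_port: int = 1024) -> PortDecision:
    """Decide whether to honour a PORT command received from the client at peer_ip.

    Rejects malformed arguments, a data address that differs from the control
    connection's address (the bounce/FXP case), and ports below min_port,
    which are the well-known service ports a relayed connection would target.
    """
    try:
        host, port = parse_port_argument(arg)
    except BadPortCommand as exc:
        return PortDecision(False, f"malformed PORT: {exc}")
    if ipaddress.ip_address(host) != ipaddress.ip_address(peer_ip):
        return PortDecision(False, f"data address {host} differs from client {peer_ip}", (host, port))
    if port < min_port:
        return PortDecision(False, f"port {port} below {min_port}", (host, port))
    return PortDecision(True, "ok", (host, port))


if __name__ == "__main__":
    CLIENT = "203.0.113.10"   # constructed address of the control connection's peer
    samples = [
        "203,0,113,10,4,1",    # client's own address, port 1025: legitimate
        "203,0,113,10,0,25",   # own address but port 25: privileged, refuse
        "198,51,100,7,4,1",    # third-party address: bounce attempt, refuse
        "203,0,113,10,4",      # malformed
    ]
    for s in samples:
        d = check_port_command(CLIENT, s)
        print(f"PORT {s:20s} -> {'accept' if d.accepted else 'REJECT'} ({d.reason})")
```

A rejected command should be logged with the peer address and the requested target, since a series of such rejections from one client is a clear signal that the server is being probed as a relay. The same address comparison applies to the EPRT command, which carries the address in a different textual form.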
Next, on the "Advanced" tab, check whether "Encrypt passwords" and "Enable security" are selected, and select them if not. "Encrypt passwords" stores user passwords as one-way hashes (MD5) in ServUDaemon.ini or the registry; without it, passwords are saved in plaintext in that file. "Enable security" turns on the Serv-U server's security features.
2) Set the server in the domain
As mentioned above, FTP transmits passwords in plaintext by default, which is easy to sniff. For an account with only ordinary permissions this is not dangerous, but if the account has remote administration permissions, especially system administrator rights, the whole server can be taken over remotely. Serv-U provides three password types for each account: Regular password, OTP S/KEY MD4, and OTP S/KEY MD5. Each type is transmitted differently, and the regular password is the least secure. Open the settings of any account with administrative permissions, find the "Password type" drop-down list on the "General" tab, select the second or third type, and save. Note: to log on with such an account, the FTP client software must support this password type (CuteFTP Pro does); select the matching password type when entering the password so that the server's verification succeeds.
As with IIS, set the home directory and its permissions carefully, and do not grant write or other permissions that allow server files or directories to be modified. Finally, open "Settings", select "Enable logging to file" on the "Log" tab, and set the log file name, storage path, and what to record, so that the cause of any server exception can be looked up at any time.