The four policies effectively protect the security of FTP server passwords

Because FTP servers are often used for file upload and download, their security is of different importance. If attackers break the attack, not only files on the FTP server may be damaged or stolen, but more importantly, if they are infected with viruses or Trojans, this poses a potential threat to all FTP users. Therefore, it is imperative to protect the security of FTP servers.

To protect the FTP server, you need to protect its password. Here we will talk about some common password security policies for FTP servers to help you improve the security of FTP servers.

Policy 1: Password duration

Sometimes, the FTP server will not only be used by employees, but also be temporarily used by an account for external partners. For example, the Sales Department often fails to send emails because some files are large. Therefore, the files must be transmitted to the customer through the FTP server. Therefore, when the customer or supplier needs some large files, they have to give them a temporary account and password for the FTP server.

The current practice is to set up an account on the FTP server, but its password is valid on the current day and will automatically expire on the next day. In this case, you only need to change the password when the customer or supplier needs to use the FTP server. Instead, you do not need to create a user each time you use it. After you use it, delete it. At the same time, it can also avoid security risks to the server because the temporary account is not canceled in time, because the password will automatically fail.

Most FTP servers, such as the FTP server software that comes with the Microsoft operating system, have the password term management function. Generally, a temporary account can be managed along with the term of the account and password to improve the security of the temporary account. For internal users, the term management can also be used to urge employees to increase the frequency of password changes.

Policy 2: passwords must comply with complexity rules

At present, many banks have performed complex password authentication for the security of user accounts. Passwords such as 888888 are no longer accepted. In cryptography, this form of password is very dangerous. They can use some password cracking tools, such as the electronic dictionary of passwords, to easily crack the passwords.

Therefore, to improve the security of the password itself, the simplest thing is to increase the complexity of the password. On the FTP server, you can use password complexity rules to force users to use passwords with higher security levels. Specifically, you can set the following complexity rules.

1. passwords cannot be pure numbers or characters

If a hacker wants to crack an FTP server account, the time it takes is directly related to the composition of the password. For example, the password is composed of eight digits, one is a pure number, and the other is a combination of numbers and characters. For example, 82372182 and 32dwl98s respectively. The two passwords look similar, but they are very different from the password cracking tool. The above pure-digit password may only take 24 hours to crack through some advanced password cracking tools. However, for the password that is followed by the letter and number, it takes 2400 hours to crack, or even more. The cracking difficulty is at least 100 times higher than the original one.

It can be seen that the password for character and digit combination is quite safe. For this reason, we can set it on the FTP server so that it does not accept password settings with only numbers or characters.

2. The password cannot be the same as the user name

In fact, we all know that, in many cases, server attacks are caused by improper management. The same user name and password are one of the most insecure factors on the FTP server.

Many users, including network administrators, prefer to set the password to the same as the user name for easy memory and management. This is easy to use, but it is obviously a very insecure operation. According to the design idea of the password attack dictionary, it first checks whether the password of the FTP server's account is empty. If not, it tries to use the password with the same username for cracking. If the above two cannot be used, try other possible passwords.

Therefore, in the eyes of hackers, if the password is the same as the user name, the password is not set. Therefore, in the password security policy of the FTP server, we also need to enforce the principle that the password is not allowed to be consistent with the password.

3. password length requirements

Although the password security is not proportional to the password length, the password length is generally better. For a random password, the 7-digit password is dozens of times more difficult than the 5-digit password, although the password length is only increased by two.

Policy 3: Password History

To improve the security of the FTP server, it is also necessary to specify a time interval for the user that cannot repeat the password. For example, a folder in the FTP server is used to store the customer's order information, which allows the relevant personnel to view the content in a timely manner during business trips. The information in this folder is highly confidential. If such content is disclosed, the enterprise may lose a large number of orders, which will have a fatal impact on the Enterprise.

Therefore, for the FTP server that stores such sensitive data, you are not afraid to underestimate the security aspect. Therefore, the password history function is enabled. According to this policy, the user must change the FTP server password every other week. In addition, you cannot use this password again within 60 days. That is to say, after the password history function is enabled, the FTP server records the passwords used by users within two months. If the user's new password has been used within two months, the server will reject the user's password change application.

It can be seen that the password history function can improve the security of the FTP server password to a certain extent.

Policy 4: account locking Policy

Theoretically, complicated passwords may also be broken by the electronic dictionary. In addition to the above policies, we also need to enable the "account lock policy ". This policy can effectively prevent malicious password attacks.

The account locking policy means that when a user fails to log on more than the specified number of logon attempts, the server automatically locks the account and sends a warning to the Administrator. Through this policy, when attackers attempt to log on to the FTP server with different passwords, they can only try three times at most (if the administrator fails to set the number of logon attempts to 3 ), the account will be locked. This will invalidate their password attacks.

When using the account lock policy, pay attention to several aspects.

First, manually or automatically lift the ban. If the account is manually disabled, the account to be locked must be manually disabled by an administrator. If it is set to automatic unblocking, the server will automatically unlock the account when the account is locked for a certain period of time. If you have high security requirements on the server, we recommend that you manually unban the server.

Second, set the number of wrong logins. If this number is set too many times, it cannot be protected. If the number of settings is too small, the user may be negligent in incorrect password input, and account locking is triggered, thus adding a lot of work to the server administrator. Therefore, you can set this number to three to five times. This not only guarantees security, but also provides a certain opportunity for incorrect user passwords.

Third, you must be able to automatically send an alarm to the server administrator when the account is locked. As an FTP server, it cannot identify whether it is a malicious attack or an accidental event. This requires the server administrator to judge based on experience. The FTP server can only provide temporary protection. Therefore, when an account is locked, the server must be able to send an alarm to the Administrator to determine whether a malicious attack exists. If yes, you need to take appropriate measures to prevent this situation from happening again.

The above four policies can basically ensure the security of the FTP server password.