The following security guidelines and best practices are essential to ensure a secure environment for FTP Server.
Configure the following parameters in the ftpserv.cfg file to protect the FTP environment.
Table 3-8 FTP Parameters and Their Recommended Values
|
FTP Parameters |
Recommended Value |
Reason for Recommendation |
Default Value |
|---|---|---|---|
|
SECURE_CONNECTIONS_ONLY |
YES |
If this parameter is set to YES, only secure connections from FTP clients are supported. This means that you can only use FTP clients that support secure connections with this setting. The advantage of using this is that control channel information such as usernames and passwords are encrypted and protected from spoofing and sniffing. Optionally, the data channel also can be encrypted, if the client chooses to do so. Refer to Section 3.2.2, Security Extensions for details on security mechanisms supported by NetWare FTP Server. |
NO |
|
INTRUDER_HOST_ATTEMPTS |
20 |
If this value is set to 0, host intruder detection is disabled, which is not advisable. |
20 |
|
INTRUDER_USER_ATTEMPTS |
5 |
If this value is set to 0, user intruder detection is disabled, which is not advisable. |
5 |
|
MAX_FTP_SESSIONS |
30 |
Setting this to a lower value limits the concurrent FTP connections allowed to the server. This is useful if a denial of service attack is mounted; the scope for exploitation is limited. |
30 |
|
IDLE_SESSION_TIMEOUT |
180 |
It is recommended to specify a small value because if the system remains idle for a long time, it could result in malicious attacks. |
600 |
|
ANONYMOUS_ACCESS |
NO |
To avoid a denial of service attack, if MAX_FTP_SESSIONS runs out of space because the maximum number of anonymous sessions has been exceeded. |
NO |
It is also recommended that you set restrictions for hosts, containers, users, domains, IP addresses and IP address ranges, in the ftprest.txt file. By default, no restrictions are set.
The following best practices can help create a more secure FTP setup:
It is a good practice to check the following log files on a regular basis:
These files contain details about user activities, statistics, intruders, and other information and error messages.
You should restrict FTP Server access to users by making relevant configuration changes in the ftprest.txt file. To restrict access to remote server navigation for a user, set ACCESS =NOREMOTE.
NOTE:While using iManager to administer FTP Server, the FTP administrator has access and rights to the configuration and statistics of all the FTP servers in the tree