6 important methods to keep servers safe
Keeping corporate servers safe is a constant concern for IT professionals. Typically, the first step in Secure File Transfer server security is choosing a secure protocol such as FTP/S or SFTP. Sometimes that isn't possible, so what other security measures can you take? The most important thing is to avoid being an easy target. No one can guarantee that you'll never be hacked, but you can make your Secure File Transfer server a much less attractive target. Here are 7 ways to do this.

It may seem obvious, but your first line of defense against attacks is controlling server access. Keeping non-authenticated users or programs off your servers is an important factor in keeping your confidential information as secure as possible.
1. Enable the anti-hacking (password-guessing) features on your SFTP server. Your server should have a setting for how many invalid password attempts can be made before the user (or program) is locked out. Ideally this should be about 3, and no higher than 5. Locking the account after a few failures makes each round of guesses take much longer and greatly reduces the likelihood of a successful password guess.
2. Disable anonymous access – or use it with extreme caution. Many FTP servers actually have a user named “anonymous.” If you allow anonymous access, make sure that this user is confined to its home directory and has read-only privileges. Even then, logging in as anonymous may let the user discover which port you use for FTP and which version of the server software you are running, and it is easy to look up whether any known security vulnerabilities exist for that version. If you need to offer downloads through anonymous access, the best practice is to put those files on a dedicated SFTP server that sits outside your DMZ.
3. Enable anti-hammering features as well. These help prevent Denial of Service (DoS) attacks, in which a program saturates the target server with connection requests until it is too busy to process legitimate file transfer requests. Your SFTP server should have a setting for the maximum number of requests per second it will accept. The minimum setting should be about 40 connections per second. If your server sees very high traffic, you may want to set this a bit higher so that you don't lock out legitimate traffic. Setting it lower makes the server more secure but increases the risk of blocking real user requests. Weigh this balance carefully, and review your server log files to establish what normal usage looks like before choosing a value.
4. Two-factor authentication should be an option. As mentioned previously, password guessing is one of the most common ways that unauthorized users gain access to systems. In addition to password policies, one way to drastically reduce the likelihood of a successful guess is to add another level of authentication. Two-factor authentication can be implemented in many ways; a common one is a token, such as a SafeNet or RSA token. The token displays a numeric string that changes at short intervals, and the user must enter the displayed numbers. The numeric string is then validated against a remote server or satellite. If it matches, the user proceeds to the next level of authentication, which is entering their password.
5. Implement intelligent password policies. Even if your system itself is secure from hacking, a password stolen from another system has a good chance of working in many places. Your server should let the administrator enforce policies on password length and on the types of characters that must be used. Requiring both upper- and lower-case letters, at least 1 number and at least 1 special character increases the number of possible passwords exponentially, and a minimum length of 8 characters also makes a password much harder to guess.
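The lockout, anti-hammering and password-policy controls from points 1, 3 and 5 above, as an added example that is not code from the original article or any particular SFTP product. The thresholds are the ones the article suggests; the class and function names are assumptions for illustration.

```python
"""Added example: lockout after N invalid attempts, a per-second connection
ceiling (anti-hammering) and a password-complexity check.  Names are
assumptions; thresholds follow the article (3 attempts, 40 conn/s, 8 chars)."""
import string
from collections import defaultdict, deque

MAX_INVALID_ATTEMPTS = 3         # lock the account after the third bad password
MAX_CONNECTIONS_PER_SECOND = 40  # anti-hammering ceiling suggested in the article
MIN_PASSWORD_LENGTH = 8


class AccessGuard:
    """Tracks consecutive failed logins per user and connection rate per source."""

    def __init__(self):
        self.invalid = defaultdict(int)   # user -> consecutive invalid attempts
        self.locked = set()               # users currently locked out
        self.recent = defaultdict(deque)  # source -> connection timestamps, last 1 s

    def record_login(self, user, password_ok):
        """Return True if the login is accepted, False if rejected or locked out."""
        if user in self.locked:
            return False                  # locked accounts are refused even with the right password
        if password_ok:
            self.invalid[user] = 0        # a successful login resets the counter
            return True
        self.invalid[user] += 1
        if self.invalid[user] >= MAX_INVALID_ATTEMPTS:
            self.locked.add(user)
        return False

    def allow_connection(self, source, now):
        """Return True if `source` is still under the per-second ceiling at time `now`."""
        window = self.recent[source]
        while window and now - window[0] >= 1.0:   # discard timestamps older than 1 s
            window.popleft()
        if len(window) >= MAX_CONNECTIONS_PER_SECOND:
            return False                  # hammering: refuse this connection
        window.append(now)
        return True


def password_meets_policy(password):
    """Upper, lower, digit and special character, and at least MIN_PASSWORD_LENGTH."""
    return (len(password) >= MIN_PASSWORD_LENGTH
            and any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password))
```

Timestamps are passed in explicitly so the rate limiter can be exercised deterministically; a real server would supply the wall clock.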
6. Keep your server software and your operating system up to date. If you have good SFTP server software that is working well for you, there is a temptation to leave it alone. However, new security threats appear every day, and server software vendors work constantly to stay ahead of them. Running out-of-date software may expose your server (and your network) to threats that a simple software update would have avoided. The operating system should be kept up to date in the same way: apply service packs and other updates regularly so that vulnerabilities at the operating-system level are less likely.
February 4, 2018