3.4 Security Guidelines

The following security guidelines and best practices are essential to ensure a secure environment for FTP Server.

3.4.1 Security Configuration

Configure the following parameters in the ftpserv.cfg file to protect the FTP environment.

Table 3-8 FTP Parameters and Their Recommended Values

| FTP Parameters | Recommended Value | Reason for Recommendation | Default Value |
|---|---|---|---|
| SECURE_CONNECTIONS_ONLY | YES | If this parameter is set to YES, only secure connections from FTP clients are supported, so you can use only FTP clients that support secure connections. The advantage is that control channel information such as usernames and passwords is encrypted and protected from spoofing and sniffing. Optionally, the data channel can also be encrypted, if the client chooses to do so. Refer to Section 3.2.2, Security Extensions for details on security mechanisms supported by NetWare FTP Server. | NO |
| INTRUDER_HOST_ATTEMPTS | 20 | If this value is set to 0, host intruder detection is disabled, which is not advisable. | 20 |
| INTRUDER_USER_ATTEMPTS | 5 | If this value is set to 0, user intruder detection is disabled, which is not advisable. | 5 |
| MAX_FTP_SESSIONS | 30 | Setting this to a lower value limits the concurrent FTP connections allowed to the server. If a denial of service attack is mounted, this limits the scope for exploitation. | 30 |
| IDLE_SESSION_TIMEOUT | 180 | Specify a small value, because a system that remains idle for a long time could result in malicious attacks. | 600 |
| ANONYMOUS_ACCESS | NO | Disabling anonymous access avoids a denial of service attack in which anonymous sessions use up the sessions allowed by MAX_FTP_SESSIONS. | NO |

It is also recommended that you set restrictions for hosts, containers, users, domains, IP addresses and IP address ranges, in the ftprest.txt file. By default, no restrictions are set.
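
The following added example (not part of the original documentation or of NetWare FTP Server) audits the contents of an ftpserv.cfg file against Table 3-8, applying the documented default when a parameter is unset. It assumes NAME=VALUE lines with '#' comments, and it treats the numeric recommendations as upper bounds; the function names and the sample configuration are constructed for illustration.

```python
# Assumption: ftpserv.cfg uses NAME=VALUE lines and '#' starts a comment.
# name: (recommended, default, check kind); values taken from Table 3-8
TABLE_3_8 = {
    "SECURE_CONNECTIONS_ONLY": ("YES", "NO", "exact"),
    "INTRUDER_HOST_ATTEMPTS": ("20", "20", "nonzero_max"),
    "INTRUDER_USER_ATTEMPTS": ("5", "5", "nonzero_max"),
    "MAX_FTP_SESSIONS": ("30", "30", "max"),
    "IDLE_SESSION_TIMEOUT": ("180", "600", "max"),
    "ANONYMOUS_ACCESS": ("NO", "NO", "exact"),
}

def parse_cfg(text):
    """Return {NAME: value} for active (uncommented) settings; last one wins."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        name, value = line.split("=", 1)
        settings[name.strip().upper()] = value.strip()
    return settings

def audit(text):
    """Return a list of (parameter, effective_value, problem) findings."""
    settings = parse_cfg(text)
    findings = []
    for name, (recommended, default, kind) in TABLE_3_8.items():
        value = settings.get(name, default)  # unset parameters use the default
        if kind == "exact":
            ok = value.upper() == recommended
            problem = f"should be {recommended}"
        elif not value.isdigit():
            ok, problem = False, "not a number"
        elif kind == "nonzero_max" and int(value) == 0:
            ok, problem = False, "0 disables intruder detection"
        else:
            ok = int(value) <= int(recommended)
            problem = f"exceeds recommended {recommended}"
        if not ok:
            findings.append((name, value, problem))
    return findings

# Constructed sample configuration, not taken from a real server.
SAMPLE_CFG = """\
# SECURE_CONNECTIONS_ONLY=YES
INTRUDER_USER_ATTEMPTS = 0
MAX_FTP_SESSIONS=30
ANONYMOUS_ACCESS=yes
"""
```

Calling audit(SAMPLE_CFG) also reports SECURE_CONNECTIONS_ONLY and IDLE_SESSION_TIMEOUT, because their defaults (NO and 600) differ from the recommended values even when the file never sets them.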

3.4.2 Security Best Practices

The following best practices can help create a more secure FTP setup:

  • It is a good practice to check the following log files on a regular basis:

    • ftpaudit.log
    • ftpstat.log
    • ftpintruder.log
    • ftpd.log

    These files contain details about user activities, statistics, intruders, and other information and error messages.

  • You should restrict FTP Server access to users by making relevant configuration changes in the ftprest.txt file. To restrict access to remote server navigation for a user, set ACCESS=NOREMOTE.

    NOTE: While using iManager to administer FTP Server, the FTP administrator has access and rights to the configuration and statistics of all the FTP servers in the tree.