It seems that everyone must be told that FTP is not secure. Good post, Susan.
FTP is great for stuff that doesn't matter, but it always concerns me when I see people using it to exchange critical information.
It really goes back to standardization and that's where we, as consultants, can help -- if we can get clients to listen.
Popular FTP client applications like FileZilla and PuTTY support SSH for remote connections, which should be used instead of telnet and FTP. Using telnet is not recommended because logins, passwords and commands are transferred in clear text. An attacker could eavesdrop on telnet sessions and obtain the credentials of other users. The use of FTP is also not a recommended best practice. FTP servers can only handle usernames and passwords in plain text, which means that credentials, FTP commands and transferred files could be sniffed. SSH and SFTP can be used to replace telnet and FTP in a manner almost invisible to the average user.
You should also remember to use SSH v2.0. Versions prior to 2.0 are not completely cryptographically safe, so they should be avoided. SSH version 1 is vulnerable to a well-known security exploit that allows an attacker to insert data into the communication stream.
If you set up an SSH server, remember to set the timeout and maximum denied login attempts. I would suggest a 60-second timeout or less for idle connections and a maximum of 3 unsuccessful login attempts.
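An added example, not part of the comment above or of any project's code: a short Python audit that checks OpenSSH `sshd_config` text against the values that comment suggests (SSH v2 only, 60 seconds, 3 attempts). Mapping the comment's "timeout" to `ClientAliveInterval` × `ClientAliveCountMax` (which disconnects clients that stop answering keepalives) is an assumption, as are the function names and both sample configs.

```python
import re

# OpenSSH defaults applied when a keyword is absent from the file.
DEFAULTS = {"maxauthtries": "6", "clientaliveinterval": "0", "clientalivecountmax": "3"}
UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

def to_seconds(value):
    """Convert an sshd time value such as '60', '5m' or '1h30m' to seconds."""
    return sum(int(n) * UNITS[u] for n, u in re.findall(r"(\d+)([smhdw]?)", value.lower()))

def parse_global(text):
    """Collect global settings; as in sshd, the first value for a keyword wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()          # keywords are case-insensitive
        if key == "match":              # conditional blocks are out of scope here
            break
        settings.setdefault(key, parts[1] if len(parts) > 1 else "")
    return settings

def audit(text, max_idle=60, max_tries=3):
    """Return a list of findings; an empty list means the thresholds are met."""
    cfg = {**DEFAULTS, **parse_global(text)}
    findings = []
    # Older servers accept 'Protocol 2,1'; a missing keyword is treated as v2 only.
    if "1" in re.split(r"[,\s]+", cfg.get("protocol", "2")):
        findings.append("Protocol permits SSH version 1")
    tries = int(cfg["maxauthtries"])
    if tries > max_tries:
        findings.append(f"MaxAuthTries is {tries}, above {max_tries}")
    window = to_seconds(cfg["clientaliveinterval"]) * int(cfg["clientalivecountmax"])
    if window == 0:
        findings.append("no keepalive disconnect window is configured")
    elif window > max_idle:
        findings.append(f"keepalive disconnect window is {window}s, above {max_idle}s")
    return findings

# Constructed sample configs, not taken from any real host.
WEAK = "Protocol 2,1\nMaxAuthTries 6\nClientAliveInterval 5m\nClientAliveCountMax 3\n"
HARDENED = ("# constructed\nProtocol 2\nMaxAuthTries 3\nClientAliveInterval 20\n"
            "ClientAliveCountMax 3\nMatch User backup\n    MaxAuthTries 6\n")

if __name__ == "__main__":
    for name, conf in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(conf) or "OK")
```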