
Example Analysis of FileZilla FTP Server Security reinforcement

2025-01-30 Update. From: SLTechnology News&Howtos

Shulou (Shulou.com) 06/01 Report

This article walks through an example of hardening FileZilla FTP Server. It is intended as a reference for readers who run FileZilla and want a checklist of simple, effective settings.

FileZilla is a free cross-platform FTP application made up of FileZilla Client and FileZilla Server. Based on FileZilla Server version 0.9.59, this document provides you with a series of simple and effective reinforcement schemes to help you use FileZilla safely.

Note: most of the settings mentioned in this article are reached through the Edit > Settings menu (FileZilla Server Options) of the FileZilla Server administrative interface.

Set administrative password

The administrative password for the server is empty by default, so it is recommended that you set a sufficiently complex one. For example, it should contain at least two of the following character classes: uppercase letters, lowercase letters, digits, and special symbols.

Modify Banner information

When a client connects to the FTP server, the server's version information is displayed in the banner by default. Suppressing the version string raises the effort an attacker needs to identify the software and pick a matching attack, so it should be removed. The steps are as follows:

Go to General settings > Welcome message.

Remove the %v variable from the Custom welcome message input box on the right, or replace the whole text with your own custom message.

It is also recommended to check Hide welcome message in log below, which keeps the banner out of the log and reduces noise.

Set listening address and port

It is recommended that you enable the FTP service on only the addresses that need it. For example, if the FTP service is only used on the private network, there is no need to listen on the public address bound to the server. The steps are as follows:

Go to General settings > IP Bindings.

In the right-hand window, replace the default * (listen on all addresses) with the specific address to listen on.

Use access control

Set the global IP filter to restrict which IP addresses are allowed to connect. The steps are as follows:

Go to General settings > IP Filters.

Fill in the IP ranges to block in the upper right window and the IP ranges allowed as exceptions in the lower right window.

Note: an effective restriction is usually built by blocking all addresses (enter *) in the upper window and then allowing only the required ranges in the lower window. For example, allowing only 192.168.1.0/24 in the lower window means that only that network segment can reach the FTP service.

In addition, FileZilla Server supports user-level and group-level IP filters. Go to Edit > Users or Edit > Groups to open the corresponding settings page, open the IP Filter page there, select the user or group you want to configure, and enter the allowed and denied addresses. The syntax and evaluation are the same as for the global IP filter.
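The following PowerShell function is an added example, not code from the article or from the FileZilla project: it reproduces the evaluation order described above (a deny list, followed by an allow list of exceptions) so that a planned filter can be checked against sample addresses before it is entered under General settings > IP Filters. The supported entry forms are an assumption covering the subset used in this article: "*" for everything, "a.b.c.d/n" for a CIDR block, and a plain "a.b.c.d" for an exact address. The sample addresses are constructed.

```powershell
# Added example (not from the original article): evaluates addresses against
# a FileZilla-style filter (deny list, then allow list of exceptions) so the
# effect of a rule set can be checked before applying it.
# Entry forms handled here (assumption, a subset of FileZilla's syntax):
# "*" (everything), "a.b.c.d/n" (CIDR block), "a.b.c.d" (exact address).

function ConvertTo-IPv4Number {
    param([string]$Address)
    # Dotted-quad text to an integer; Int64 avoids signed 32-bit overflow.
    $n = [int64]0
    foreach ($b in [System.Net.IPAddress]::Parse($Address).GetAddressBytes()) {
        $n = $n * 256 + $b
    }
    return $n
}

function Test-FilterEntry {
    param([string]$Entry, [string]$Address)
    if ($Entry -eq '*') { return $true }
    if ($Entry -match '^([\d.]+)/(\d{1,2})$') {
        $hostBits  = 32 - [int]$Matches[2]
        $allOnes   = [int64]4294967295                  # 0xFFFFFFFF
        $mask      = ($allOnes -shr $hostBits) -shl $hostBits
        $network   = ConvertTo-IPv4Number $Matches[1]
        $candidate = ConvertTo-IPv4Number $Address
        return (($candidate -band $mask) -eq ($network -band $mask))
    }
    return ($Entry -eq $Address)    # plain address: exact match only
}

function Test-FtpAccess {
    param(
        [string]$Address,
        [string[]]$Deny,     # upper window: "The following IPs are not allowed"
        [string[]]$Allow     # lower window: exceptions to the deny list
    )
    $denied   = @($Deny  | Where-Object { Test-FilterEntry $_ $Address }).Count -gt 0
    $excepted = @($Allow | Where-Object { Test-FilterEntry $_ $Address }).Count -gt 0
    # Rejected only when the address matches the deny list and is not an
    # exception; everything else is allowed to connect.
    return -not ($denied -and -not $excepted)
}

# Constructed rule set mirroring the article's example: block everything,
# then allow only the 192.168.1.0/24 segment.
$deny  = @('*')
$allow = @('192.168.1.0/24')
foreach ($ip in '192.168.1.25', '192.168.2.7', '10.0.0.5') {
    $verdict = if (Test-FtpAccess -Address $ip -Deny $deny -Allow $allow) { 'allowed' } else { 'blocked' }
    '{0,-15} {1}' -f $ip, $verdict
}
```

Running the block lists 192.168.1.25 as allowed and the other two addresses as blocked. The same functions can be pointed at a user-level filter by passing that user's deny and allow entries instead of the global ones.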

Enable FTP Bounce attack protection

An FTP bounce attack abuses the FXP (server-to-server transfer) feature to make the FTP server open connections to third parties. The related functions are not switched off by default, so it is recommended to block them.

If the server does need FXP with a server at a particular IP address, use the IPs must match exactly option instead and then restrict the allowed address through IP Filters (see Use access control). The steps are as follows:

Go to General settings > Security settings.

The default option already requires the connection address to match exactly, and it is not recommended to change it.

Configure user authentication policy

By default, the server disconnects a client after several authentication failures, but there is no stricter policy beyond that. With the following settings you can temporarily block a client IP that fails to log in several times in a row, which disrupts repeated guessing attempts.

Go to General settings > Autoban.

For example, configure the server to ban an IP for 1 hour after 10 consecutive login failures within an hour.

Increase user password complexity

FileZilla Server provides no option to enforce password complexity. Server users are added by the administrator through the administrative interface, and users cannot change their own password through FTP commands. Administrators should therefore configure complex passwords for users at the time they are created.

Minimize access authorization

FileZilla supports directory-level access settings: for each directory you can grant file read, write, delete and append rights, and directory create, delete and list rights. Assign folder permissions according to actual application needs, following the principle of least privilege.

Note: these permissions can only be configured after the accounts and groups have been created.

Enable TLS encryption authentication

FileZilla Server supports TLS encryption; if you do not have a certificate, one can be generated from the TLS settings page.

It can also enforce TLS-encrypted access for an individual user.
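The PowerShell function below is an added check, not code from the article or from FileZilla: it connects to the FTP port, reads the 220 banner to confirm the version number discussed under "Modify Banner information" no longer appears, and sends AUTH TLS to confirm that the server offers TLS as described here. The host and port are assumptions; the check only reads the reply to AUTH TLS and then closes the connection, it does not complete a handshake or log in.

```powershell
# Added example (not from the original article): verifies from a client
# that the FileZilla Server banner hides its version and that explicit
# TLS (AUTH TLS) is offered. ComputerName and Port are assumptions.

function Read-FtpReply {
    param([System.IO.StreamReader]$Reader)
    # FTP replies may span lines ("220-text" ... "220 final"); read until a
    # line starts with three digits followed by a space.
    $lines = @()
    while ($true) {
        $line = $Reader.ReadLine()
        if ($null -eq $line) { break }
        $lines += $line
        if ($line -match '^\d{3} ') { break }
    }
    return ($lines -join "`n")
}

function Test-FtpHardening {
    param(
        [string]$ComputerName = '127.0.0.1',   # assumption: server under test
        [int]$Port = 21
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $client.ReceiveTimeout = 5000
    $client.Connect($ComputerName, $Port)
    $stream = $client.GetStream()
    $reader = New-Object System.IO.StreamReader($stream, [System.Text.Encoding]::ASCII)
    $writer = New-Object System.IO.StreamWriter($stream, [System.Text.Encoding]::ASCII)
    $writer.NewLine = "`r`n"
    $writer.AutoFlush = $true
    try {
        $banner = Read-FtpReply $reader
        # The default welcome message expands %v to a version such as 0.9.59,
        # so a dotted number in the banner means the version still leaks.
        $leaksVersion = $banner -match '\d+\.\d+\.\d+'

        $writer.WriteLine('AUTH TLS')
        $authReply = Read-FtpReply $reader
        # 234 means the server accepts the mechanism (RFC 4217); any other
        # code (typically 500/502/530) means explicit TLS is not offered.
        $tlsOffered = $authReply -match '^234'

        # After a 234 the server expects a TLS handshake, so only send a
        # plaintext QUIT when TLS was refused; otherwise just close.
        if (-not $tlsOffered) { $writer.WriteLine('QUIT') }
    } finally {
        $client.Close()
    }
    [pscustomobject]@{
        Banner       = $banner
        LeaksVersion = $leaksVersion
        TlsOffered   = $tlsOffered
    }
}

# Usage (address is an assumption):
# Test-FtpHardening -ComputerName 192.168.1.10 | Format-List
```

After the banner and TLS settings have been applied, the result should show LeaksVersion as False and TlsOffered as True; a True for LeaksVersion usually means the %v variable is still present in the welcome message.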

Start logging

Logging is not enabled by default in FileZilla Server. To make events traceable, enable logging and set it to one log file per day so that no single file grows too large.

By default, the log is configured not to record user passwords. When hardening, verify that this setting is still in effect so that passwords are not disclosed through the log files.

The supplements from other readers below are also worth following.

FileZilla Server runs as a system service by default under the SYSTEM account, which is very dangerous. Its privileges need to be reduced, and it should be given only the read and write permissions it actually needs.

1. Set up a system account to run FileZilla Server

1) Add a new user named FileZilla_HWS.

2) Set user FileZilla_HWS to belong to the Guests group only.

2. Set the permissions of the FileZilla Server directories

1) Find the FileZilla Server execution directory (obtained from the system service; the service name defaults to FileZilla Server). Give Administrators and SYSTEM "full control" permission on the FileZilla Server execution directory, and give FileZilla_HWS "full control" permission.

2) Find the directory where the FTP files are stored (obtained from the FileZilla Server management console). Give Administrators and SYSTEM "full control" permission on the FTP files directory, and give FileZilla_HWS "read / write" and "enter / delete" permission. (If there are multiple FTP file directories, add "read / write / delete" permission for FileZilla_HWS on each of them.)

3. Set up the FileZilla Server service

1) Set the FileZilla Server service startup account to FileZilla_HWS.

2) Restart the FileZilla Server service.

4. Test results

1) The running account of FileZilla Server is now FileZilla_HWS, so the privileges have been successfully reduced.

2) FlashFXP connection test: "read / write / delete" work normally.

5. Other protective measures

If you cannot reduce the privileges of your FileZilla Server but still need to address the security problem, you can use the Guardian anti-tamper system (Professional Edition).

Through the "process restriction" module of the Guardian anti-tamper system (Professional Edition), set FileZilla Server so that it only has the relevant operating permissions on the FileZilla Server home directory and the FTP directory.

In this way, hackers cannot break into the server through FileZilla Server.
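The account and permission steps 1 to 4 of the supplement above, written out as an added PowerShell script; this is not the commenter's or the article's code, and it assumes an elevated PowerShell 5.1 or later session on the FileZilla host, English-language well-known group names, and a hypothetical FTP data directory `D:\FtpRoot`. The install directory is read from the service definition, as step 2 describes. One substitution is made deliberately: the service account is granted Modify rather than the Full Control the supplement gives it, which is still enough for FileZilla to write its configuration files.

```powershell
# Added example (not from the original article or its commenter): the
# service-account steps above as a script for an elevated PowerShell 5.1+
# session on the FileZilla host. $ftpRoot is an assumption; the install
# directory is taken from the service's binary path as step 2 describes.
# Substitution: the service account gets Modify (M) instead of Full Control.

$accountName = 'FileZilla_HWS'
$serviceName = 'FileZilla Server'     # default service name named in step 2
$ftpRoot     = 'D:\FtpRoot'            # assumption: the configured FTP home

# Step 1: create the account and make Guests its only group.
$securePwd = Read-Host -AsSecureString "Password for $accountName"
New-LocalUser -Name $accountName -Password $securePwd -PasswordNeverExpires `
    -Description 'FileZilla Server service account' | Out-Null
Add-LocalGroupMember -Group 'Guests' -Member $accountName
# New local users are placed in Users automatically; remove that membership.
Remove-LocalGroupMember -Group 'Users' -Member $accountName -ErrorAction SilentlyContinue

# Step 2: locate the install directory from the service's binary path.
$svc = Get-CimInstance Win32_Service -Filter "Name='$serviceName'"
$exePath = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($svc.PathName -split ' ')[0] }
$installDir = Split-Path -Path $exePath -Parent

# Drop inherited ACEs and grant exactly the principals named in step 2
# (group names assume an English-language Windows install).
icacls $installDir /inheritance:r /grant:r 'Administrators:(OI)(CI)F' 'SYSTEM:(OI)(CI)F' "${accountName}:(OI)(CI)M"
# FTP data directory: Modify covers the read / write / enter / delete rights listed.
icacls $ftpRoot /inheritance:r /grant:r 'Administrators:(OI)(CI)F' 'SYSTEM:(OI)(CI)F' "${accountName}:(OI)(CI)M"

# Step 3: run the service as the new account and restart it.
$plainPwd = [System.Net.NetworkCredential]::new('', $securePwd).Password
sc.exe config $serviceName obj= ".\$accountName" password= $plainPwd
Restart-Service -Name $serviceName

# Step 4: confirm the service definition now names the low-privilege account.
$startName = (Get-CimInstance Win32_Service -Filter "Name='$serviceName'").StartName
"Service '$serviceName' runs as $startName"
```

Unlike the Log On tab of services.msc, `sc.exe config` does not grant the account the "Log on as a service" right; assign it in Local Security Policy (secpol.msc) before the restart, or the service fails to start. If the server has more than one FTP data directory, repeat the second `icacls` line for each of them, as the supplement's parenthetical note requires.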
