The FTP server provides enhanced security while sending and receiving files over an untrusted network. The FTP server uses Secure Sockets Layer (SSL) to secure passwords and other sensitive data during an information exchange. The FTP server supports either SSL or TLS protected sessions, including client authentication and automatic sign-on (see SSL concepts for additional information about the TLS and SSL protocols).
Most SSL-enabled applications connect a client to separate TCP ports, one port for “unprotected” sessions and the other for secure sessions. However, secure FTP is a bit more flexible. A client can connect to a non-encrypted TCP port (usually TCP port 21) and then negotiate authentication and encryption options. A client can also choose a secure FTP port (usually TCP port 990), where connections are assumed to be SSL. The iSeries(TM) FTP server provides for both of these options.
Before you can configure the FTP server to use SSL, you must have installed the prerequisite programs and set up digital certificates on your iSeries.
The FTP server normally enforces the QMAXSIGN system value to prevent a hacker from having unlimited attempts to guess a password and thereby mounting password attacks. Here are some options that you should consider using:
Use an FTP server logon exit program to reject logon requests from any system user profiles and from those user profiles that you designate as not allowed FTP access. (When using such an exit program, logon attempts rejected by the server logon exit point for the user profiles that you block do not get counted against the profile’s QMAXSIGN count.)
Use an FTP server logon exit program to limit the client machines from which a given user profile is allowed to access the FTP server. For example, if a person from Accounting is allowed FTP access, only allow that user profile FTP server access from computers which have IP addresses in the Accounting department.
Use an FTP server logon exit program to log the user name and IP address of all FTP logon attempts. Review these logs regularly, and whenever a profile is disabled by maximum password attempts, use the IP address information to identify the perpetrator and take appropriate measures.
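The three options above can be combined into one decision routine. The following is an added example that models that policy logic in Python; it is not IBM's code and not an actual iSeries exit program, and the profile names, subnet, default-deny rule and the leading-"Q" test for system profiles are assumptions made for illustration.

```python
import ipaddress
import logging
from collections import Counter

log = logging.getLogger("ftp_logon_exit")

# Constructed sample policy (assumption): names and subnets are illustrative only.
BLOCKED_PROFILES = {"PAYROLLADM"}            # profiles designated as not allowed FTP
ALLOWED_NETWORKS = {                          # per-profile client address limits
    "ACCTUSER1": [ipaddress.ip_network("10.20.30.0/24")],  # "Accounting" subnet
}
ATTEMPTS = []                                 # (user, client_ip, allowed, reason)

def is_system_profile(user):
    # Assumption: system profiles are recognised by a leading "Q" (e.g. QSECOFR).
    return user.startswith("Q")

def check_logon(user, client_ip):
    """Decide one logon request; every attempt is recorded with user and IP."""
    user = user.strip().upper()
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        decision = (False, "invalid client address")
    else:
        if is_system_profile(user):
            decision = (False, "system profile")
        elif user in BLOCKED_PROFILES:
            decision = (False, "profile not allowed FTP access")
        elif user not in ALLOWED_NETWORKS:
            # Assumption: profiles without an explicit network rule are denied.
            decision = (False, "no network rule for profile")
        elif not any(addr in net for net in ALLOWED_NETWORKS[user]):
            decision = (False, "client address outside permitted networks")
        else:
            decision = (True, "ok")
    ATTEMPTS.append((user, client_ip, *decision))
    # %r keeps control characters in client-supplied values from forging log lines.
    log.info("ftp logon user=%r ip=%r allowed=%s reason=%s",
             user, client_ip, *decision)
    return decision

def sources_for(user):
    """Count rejected attempts per client address for one profile (log review)."""
    user = user.strip().upper()
    return Counter(ip for u, ip, ok, _ in ATTEMPTS if u == user and not ok)
```

`sources_for` corresponds to the review step: when a profile is disabled by maximum password attempts, it shows which client addresses were trying that profile.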
SSL is great for securing the transport pipe. It has been around for quite some time, most people understand it, and the interoperability among various implementations has improved significantly. And although it is not as easy as direct HTTP interactions, moving from HTTP to HTTP over SSL, or HTTPS, requires in most cases only simple deployment-time configuration changes, avoiding costly redesign or source-code level changes. Given the array of security areas that SSL addresses (privacy, integrity and authentication of end points), use of SSL is indeed very attractive.
Problems
You face two problems when you send or receive files to an FTP server. The first is securing files while they are uploading, and the second is how to keep them secure while they sit on the FTP server while you wait for the recipient to download. Your second option – creating an FTP server that supports SSL – would allow your hosts to upload the files using an FTPS (FTP over SSL) connection. This would involve the use of an SSL layer below the FTP protocol to encrypt the control and data channels. An alternative to FTPS is the Secure File Transfer Protocol (SFTP), which uses the SSH file transfer protocol to secure an FTP connection from client to server.
However, the problem you have with FTPS and SFTP is that although the files are securely transferred to your server, once they’re uploaded, anyone who accesses the server can see them, because they aren’t encrypted. With this in mind, I prefer your first solution, which is to have your hosts encrypt the files using the recipient’s public PGP key. This option not only ensures the files are encrypted while in transit and when at rest, but also that only the intended recipient can decrypt and view the files. The best solution to your problem, however, is probably a combination of both PGP-encrypted files and a secure FTP connection. Because even if your PGP-encrypted files are secure, if your hosts use plain FTP to upload files to your server, the username and password used to access the server are sent in the clear. An attacker could potentially steal this information and use it to gain access to the FTP server and upload malicious files or delete existing files.