Common FTP Server Password Security Policy


Because FTP servers are commonly used for uploading and downloading files, their security deserves special attention. If an attacker compromises the server, the files on it may be destroyed or stolen; worse, if those files are infected with viruses or Trojans, every FTP user who downloads them is exposed. Protecting the FTP server is therefore urgent.

Protecting an FTP server starts with protecting its passwords. Below I describe some password security policies that apply to most FTP servers, to help readers improve the security of their own. (This article was reposted from www.45it.com, a computer software and hardware application site.)

Strategy 1: Password expiration

An FTP server is not always used only by employees; sometimes an account is temporarily given to external partners. For example, when I was managing the FTP server, the sales department often sent files to clients through it because some files were too large to send by e-mail. So whenever a customer or supplier needed some large files, I had to give them a temporary account and password for the FTP server.

My current practice is to keep a standing account on the FTP server whose password is valid only on the day it is set and expires automatically the next day. When a client or vendor needs the FTP server, I only have to set a new password, instead of creating a user for each use and deleting it afterwards. It also avoids the risk of forgetting to disable a temporary account in time, because the password expires on its own.

Most FTP servers, including the FTP server software bundled with Microsoft operating systems, support password expiration. In general, account and password expiration improves the security of temporary accounts. For internal users, expiration can also be used to make employees change their passwords more often.

Strategy 2: Passwords must comply with complexity rules

Nowadays many banks enforce password complexity for the security of customer accounts; a password such as 888888 is no longer accepted. From a security standpoint this kind of password is very dangerous, because it is easily cracked with password cracking tools such as an electronic password dictionary.

Therefore the simplest way to improve the security of the password itself is to increase its complexity. On an FTP server, password complexity rules can force users to adopt stronger passwords. Specifically, the following complexity rules can be configured.

1. Passwords cannot consist only of digits or only of letters

If a hacker wants to crack an FTP server account, the time required is directly related to the composition of the password. Consider two eight-character passwords, one purely numeric and the other a mix of digits and letters, say 82372182 and 32dwl98s. They look similar, but to a password cracking tool they are very different. The purely numeric one might be cracked by an advanced cracking tool in only 24 hours, whereas the mixed letters-and-digits one would take 2400 hours or more, at least 100 times harder than the first.

A password mixing letters and digits is therefore considerably safer. To enforce this, the FTP server can be configured to reject purely numeric or purely alphabetic passwords.

2. The password cannot be the same as the user name

As we all know, servers are often compromised because of poor management, and a password identical to the user name is one of the most insecure configurations an FTP server can have.

Many users, including network administrators, like to set the password to the user name for easy memorization and management. Convenient as that is, it is obviously very unsafe. A password attack dictionary is designed to first check whether the account's password is empty; if not, it tries the user name as the password; only when those two fail does it move on to other possible passwords.

So in a hacker's eyes, a password identical to the user name is equivalent to no password at all. For this reason, the FTP server's password policy must also enforce the rule that the password may not be the same as the user name.

3. Password length requirements

Although password security is not strictly proportional to password length, in general a longer password is better than a shorter one. For a random password, cracking a 7-character password is a dozen times harder than cracking a 5-character one, even though the length has only grown by two. Therefore, in the FTP server's password policy, I require user passwords to be at least six characters long; if a user chooses a password shorter than six characters, the server rejects the password change request.
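As an added example (not code from the article or any FTP server product), here is how the three complexity rules above can be checked before a password change is accepted. `check_password_policy` and `accept_password_change` are hypothetical hooks assumed to run on each change request; the user-name comparison is case-insensitive, which goes slightly beyond the article's literal rule.

```python
# Added example: enforces the three complexity rules described above.
# check_password_policy is a hypothetical hook assumed to run on each
# password-change request; it is not part of any FTP server product.
MIN_LENGTH = 6  # the article requires at least six characters


def check_password_policy(username: str, candidate: str) -> list[str]:
    """Return the rule violations for a proposed password.

    An empty list means the password is acceptable under the policy.
    """
    violations = []

    # Rule 1: reject passwords made only of digits or only of letters.
    if candidate.isdigit():
        violations.append("password is purely numeric")
    elif candidate.isalpha():
        violations.append("password is purely alphabetic")

    # Rule 2: the password must not equal the user name. The comparison is
    # case-insensitive, which is slightly stricter than the literal rule.
    if candidate.lower() == username.lower():
        violations.append("password equals the user name")

    # Rule 3: enforce the minimum length (this also rejects empty passwords).
    if len(candidate) < MIN_LENGTH:
        violations.append(f"password shorter than {MIN_LENGTH} characters")

    return violations


def accept_password_change(username: str, candidate: str) -> bool:
    """What the server does on a change request: accept only if no rule fails."""
    problems = check_password_policy(username, candidate)
    for problem in problems:
        print(f"rejected password for {username}: {problem}")
    return not problems


if __name__ == "__main__":
    # The article's two sample passwords: the first is purely numeric.
    accept_password_change("alice", "82372182")   # rejected
    accept_password_change("alice", "32dwl98s")   # accepted
```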

Strategy 3: Password History

To improve the security of the FTP server, it is also necessary to define a period during which a user may not reuse a password. For example, the FTP server at my company has a folder dedicated to storing customer order information, so that the relevant staff can see it promptly while on business trips. The information in this folder is highly confidential; if it leaked, the company could lose a large number of orders, which would be fatal to the company.

So for an FTP server holding such sensitive information, I dare not take security lightly, and I have enabled the password history function. Under this policy, users must change their FTP server password every other week and cannot reuse a password within 60 days. In other words, once password history is enabled, the FTP server records the passwords each user has used in the past two months, and if a user's newly chosen password was used within that period, the server rejects the password change request.

Password history therefore improves FTP server password security to a certain extent.
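The 60-day reuse window can be enforced as follows; this is an added example, not the article's or any FTP product's code. It assumes the server calls `change_password` on each request, keeps only salted PBKDF2 hashes of old passwords (never the passwords themselves), and takes an injectable clock so the window can be exercised offline.

```python
# Added example: password-history enforcement for the 60-day window above.
# PasswordHistory is a hypothetical component, not part of any FTP server.
import hashlib
import hmac
import os
import time
from typing import Callable

HISTORY_DAYS = 60          # the article forbids reuse within 60 days
SECONDS_PER_DAY = 86400


class PasswordHistory:
    def __init__(self, now: Callable[[], float] = time.time):
        self.now = now   # injectable clock (assumption, for offline testing)
        # user -> list of (salt, pbkdf2 digest, time the password was set)
        self._history: dict[str, list[tuple[bytes, bytes, float]]] = {}

    @staticmethod
    def _digest(password: str, salt: bytes) -> bytes:
        # Only a salted hash is stored, so the history itself leaks no passwords.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def used_within_window(self, user: str, candidate: str) -> bool:
        """True if `candidate` was set for `user` during the last HISTORY_DAYS."""
        cutoff = self.now() - HISTORY_DAYS * SECONDS_PER_DAY
        for salt, digest, set_at in self._history.get(user, []):
            if set_at >= cutoff and hmac.compare_digest(
                    self._digest(candidate, salt), digest):
                return True
        return False

    def change_password(self, user: str, new_password: str) -> bool:
        """Record the new password and return True, or return False when the
        server must reject the change because the password was used recently."""
        if self.used_within_window(user, new_password):
            return False
        salt = os.urandom(16)
        self._history.setdefault(user, []).append(
            (salt, self._digest(new_password, salt), self.now()))
        return True
```

Entries older than the window could be pruned on each change; they are kept here only to keep the example short.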

Strategy 4: Account Lockout Strategy

In theory, even complex passwords can be compromised by an electronic dictionary. So, besides the policies above, we also need to enable an account lockout policy, which effectively defeats password guessing attacks by criminals.

An account lockout policy means that when a user exceeds the specified number of failed logins, the server automatically locks the account and warns the administrator. With this policy, when an unscrupulous person tries to log in to the FTP server with different passwords, the account is locked after at most three attempts (if the administrator has set the maximum failed logins to 3), which renders their password attack useless.

There are several things to keep in mind when using an account lockout policy.

First, choose between manual and automatic unlocking. With manual unlocking, a locked account must be unlocked by the administrator. With automatic unlocking, the server unlocks the account itself after it has been locked for a set period. If the security requirements for the server are relatively high, I suggest manual unlocking.

Second, the number of failed logins allowed. If this number is set too high, the policy provides no protection; if it is too low, users may trigger a lockout with an accidental typo, adding a lot of work for the server administrator. In my opinion, this number can usually be set to three to five, which meets the security need while giving users some room for mistyping.

Third, the server should automatically alert the administrator when an account lockout occurs. The FTP server itself cannot tell whether a lockout is a malicious attack or an accident; that judgment requires the administrator's experience, and the server can only provide temporary protection. So when a lockout occurs, the server should alert the administrator, who then determines whether there is a malicious attack and, if so, takes appropriate measures to prevent it from happening again.
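An account lockout tracker covering the three points above (configurable threshold, manual or automatic unlock, administrator alert), as an added example that is not from the article or any FTP server product. It assumes the server reports each authentication result to `login`; the alert callback and the clock are injected so the policy runs offline.

```python
# Added example: account lockout policy with the three knobs discussed above.
# LockoutPolicy is a hypothetical component, not part of any FTP server.
import time
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class LockoutPolicy:
    max_failures: int = 3                        # article: 3 to 5 is usual
    auto_unlock_seconds: Optional[int] = None    # None means manual unlock only
    alert: Callable[[str], None] = print         # how the administrator is warned
    now: Callable[[], float] = time.time         # injectable clock (assumption)
    _failures: dict = field(default_factory=dict, init=False)   # user -> failures
    _locked_at: dict = field(default_factory=dict, init=False)  # user -> lock time

    def is_locked(self, user: str) -> bool:
        locked_at = self._locked_at.get(user)
        if locked_at is None:
            return False
        if self.auto_unlock_seconds is None:
            return True          # manual mode: stays locked until unlock()
        if self.now() - locked_at >= self.auto_unlock_seconds:
            self.unlock(user)    # automatic release after the lockout period
            return False
        return True

    def login(self, user: str, password_ok: bool) -> str:
        """Report one authentication result: 'ok', 'bad-password' or 'locked'."""
        if self.is_locked(user):
            return "locked"      # even a correct password is refused while locked
        if password_ok:
            self._failures.pop(user, None)   # a good login resets the counter
            return "ok"
        self._failures[user] = self._failures.get(user, 0) + 1
        if self._failures[user] >= self.max_failures:
            self._locked_at[user] = self.now()
            # Third point: the server cannot judge intent, so tell the admin.
            self.alert(f"account {user!r} locked after {self.max_failures} failed logins")
            return "locked"
        return "bad-password"

    def unlock(self, user: str) -> None:
        """Administrator (or the auto-unlock timer) releases the account."""
        self._locked_at.pop(user, None)
        self._failures.pop(user, None)
```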
