Karan Bajaj
FileZilla is a powerful open source FTP server with a host of features that any organization will find useful. Among other things, it supports secure SSL/TLS connections, per-user speed limits, user groups and much more. In this article, we will tell you how to set up your own FTP server using FileZilla and configure it for secured access using SSL and Anti-FXP.
Installation
FileZilla Server is just a 2.5MB download. Once you start setup, you have to choose between the standard, full or service-only suite. You can also choose how FileZilla Server should be started: as a service started automatically with Windows, as a service started manually, or not as a service but as a direct server. You also have to specify the port on which the FileZilla admin interface listens (14147 by default).
Setting up & configuring User accounts
Once the installation is done and the server application is started, you have to enter the IP address of your FTP server along with the port number and admin password. From the user interface, go to the Edit menu and click on Users. Here, you can add, remove, rename or copy user accounts and set specific shared folders with data access options such as read only, read and write, or delete and append for the various account users. You can also set speed limits and IP filters for individual users within these settings.
Configuring Anti-FXP
FileZilla comes with many advanced FTP features such as Anti-FXP. Here, FXP stands for File eXchange Protocol; it is a method of transferring data from one FTP server to another. The problem with allowing FXP is that the server becomes vulnerable to the FTP bounce attack. In this attack, an attacker can use the “PORT” command to access unwanted FTP server ports indirectly and transfer data directly to his/her own FTP server. By default, Anti-FXP is enabled when FileZilla is started. It can be disabled in the security settings, but it is recommended that it remain enabled unless you're using multiple FTP servers yourself and need to transfer data between them.
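The kind of check an anti-FXP filter applies to the “PORT” command can be sketched as follows. This is an added example, not FileZilla Server's own code: the function names, the sample addresses and the low-port rule (a common hardening assumption, not something the article states) are illustrative.

```python
import ipaddress

def parse_port_argument(arg):
    """Parse the 'h1,h2,h3,h4,p1,p2' argument of an FTP PORT command."""
    fields = arg.strip().split(",")
    if len(fields) != 6 or not all(f.isascii() and f.isdigit() for f in fields):
        raise ValueError("malformed PORT argument")
    nums = [int(f) for f in fields]
    if any(n > 255 for n in nums):
        raise ValueError("PORT field out of range")
    ip = ipaddress.IPv4Address(bytes(nums[:4]))   # first four fields: address
    port = nums[4] * 256 + nums[5]                # last two fields: port
    return ip, port

def check_port_command(line, control_peer_ip, min_port=1024):
    """Return (allowed, reason) for one control-channel line.

    A PORT command is allowed only if the data address equals the address
    of the client on the control connection and the port is not a
    privileged one (min_port is an assumed hardening rule).
    """
    verb, _, arg = line.strip().partition(" ")
    if verb.upper() != "PORT":
        return True, "not a PORT command"
    try:
        ip, port = parse_port_argument(arg)
    except ValueError as exc:
        return False, f"rejected: {exc}"
    if ip != ipaddress.IPv4Address(control_peer_ip):
        return False, f"rejected: data address {ip} is not the control peer"
    if port < min_port:
        return False, f"rejected: privileged port {port}"
    return True, f"accepted: {ip}:{port}"

if __name__ == "__main__":
    # Constructed sample: the client on the control connection is 203.0.113.10.
    peer = "203.0.113.10"
    for cmd in ("PORT 203,0,113,10,195,80",   # same host, high port
                "PORT 192,0,2,25,0,25",       # third-party host (bounce attempt)
                "PORT 203,0,113,10,0,22"):    # same host, privileged port
        print(cmd, "->", check_port_command(cmd, peer))
```

Only the first sample command passes; a server applying this rule refuses to open a data connection to any host other than the client that issued the command.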
You can define a number of parameters when you add users to your FileZilla Server, such as enforce SSL, set connection limit per IP, etc.
Configuring SSL/TLS
Another important advanced feature is SSL/TLS support. By default, SSL support is disabled, but it can be enabled from the settings to enhance server security. If SSL/TLS support is enabled, a private key file and a certificate file must be provided, along with the key password, for the setting to be accepted. There is an option to force SSL/TLS on all connections; if SSL is to be enabled on specific connections only, the port to be used for such connections can also be specified. In case a certificate is unavailable, FileZilla has its own certificate generation facility in the SSL settings box. To generate a certificate, simply click on the Generate new certificate button. A new window will pop up with options for key size and various information boxes such as Locality, Organization, Contact email, server address and a key/certificate file name. Of these, just select the key size, enter the name of the key/certificate file and click on Generate certificate. It will automatically generate a certificate and associate it with the server.
You can enable the Anti-FXP option in FileZilla Server so that there's no data transfer between your FTP server and others. It's a useful feature to prevent bounce attacks.
In the settings menu itself you can change various settings of the server. The passive mode settings allow you to enter your external IP or select the option to retrieve the IP from a website, which is helpful if you are behind a firewall or a router and have a dynamic IP address. There is also a setting to enable GSS support for Kerberos, if you have it installed. When enabled, all data transfers between FileZilla Server and the client will be encrypted. Other than these, you can enable or disable connection and transfer logging, set transfer speed limits and set up file transfer compression using Mode Z. When enabled, it compresses files on the fly when transferring them. To conserve CPU power, Mode Z compression is not recommended inside local area networks.
The FileZilla server allows FTP clients to connect securely to it via SSL. When you enable SSL support, you have to provide the files for private key and certificate. Both of these can be generated by clicking on the Generate new certificate button.
Source: PCQuest