FTP Server – Beware of Security Risks

An FTP server runs on a computer to provide basic, unencrypted file transfer capability for connecting users. It is most commonly used for anonymous FTP, basically providing public files to anyone.

FTP uses cleartext passwords for authentication. Password sniffing attacks collecting user names and passwords from the network were common already in the mid-1990s. The FTP protocol has been largely replaced by SFTP and SSH. Today, FTP should only be used on extreme legacy systems and for public access anonymous FTP. Even for anonymous public access, HTTPS and web servers have largely replaced FTP. Since FTP is unencrypted, man-in-the-middle attacks can and have been used to inject malware into software downloaded using FTP.

We strongly recommend switching away from FTP as soon as possible. It is seriously not secure. Secure File Transfer Protocol (SFTP) is the alternative the world has moved to. Practically all commercial file transfer tools now support SFTP. It is supported on all modern operating systems. It also makes configuring automation much easier and supports secure key-based authentication.

It is practically impossible to achieve regulatory compliance in regulated industries, such as financials or health care, when using FTP. Public companies are also required to protect financial data.

Consequently, the use of FTP should be restricted to totally closed and trusted environments and anonymous access.

We do not recommend configuring FTP servers. However, if one is needed, all Unix and Linux systems come with built-in FTP servers. For Windows, FileZilla Server is a possible alternative.

We recommend using SFTP. OpenSSH is a free open source server for Unix/Linux, and comes standard with every modern Unix, Linux, and Mac system. Tectia SSH is a widely used server for Windows. It is commercially supported, with 24x7 support available. It is also available for z/OS.