
FTP SERVER – USE SFTP FOR SECURITY AND ROBUSTNESS


An FTP server runs on a computer to provide basic, unencrypted file transfer
capability for connecting users. It is most commonly used for anonymous FTP,
basically providing public files to anyone.

FTP uses cleartext passwords for authentication. Password sniffing attacks
collecting user names and passwords from the network were already common
in the mid-1990s. The FTP protocol has been largely replaced
by SFTP and SSH. Today, FTP should only be used on extreme legacy
systems and for public access anonymous FTP. Even for anonymous public
access, HTTPS and web servers have largely replaced FTP. Since FTP is
unencrypted, man-in-the-middle attacks can and have been used to inject
malware into software downloaded using FTP.
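To find where named accounts still log in over plain FTP, a monitoring job can scan the FTP control channel for USER/PASS pairs. The following is an added example, not part of the original page: it assumes the client-to-server payloads have already been reassembled per session, and the session labels, sample bytes and function name are constructed for illustration.

```python
import re

# Constructed client-to-server FTP control-channel payloads (TCP port 21),
# keyed by a made-up session label. No real capture or credentials are used.
SAMPLE_SESSIONS = {
    "192.0.2.5:40112": b"USER alice\r\nPASS s3cret-example\r\nPWD\r\nQUIT\r\n",
    "192.0.2.9:51200": b"USER anonymous\r\nPASS guest@example.org\r\nRETR pub/readme.txt\r\n",
    "192.0.2.7:38844": b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03",  # encrypted bytes, no FTP verbs
    "192.0.2.8:40990": b"user Bob\r\npass another-example\r\n",
}

# Anonymous FTP is the one use the page still tolerates, so it is not flagged.
ANONYMOUS_USERS = {"anonymous", "ftp"}

# An FTP command line is a 3-4 letter verb, optionally followed by an argument.
COMMAND = re.compile(rb"([A-Za-z]{3,4})(?: (.*))?")


def find_cleartext_logins(sessions):
    """Return one finding per named-account login visible in cleartext.

    The password is never stored or returned; only its length is reported,
    which is enough to show the credential crossed the network unencrypted.
    """
    findings = []
    for session_id, payload in sorted(sessions.items()):
        user = None
        for line in payload.split(b"\r\n"):
            match = COMMAND.fullmatch(line)
            if not match:
                continue  # not a readable FTP command (e.g. encrypted bytes)
            verb = match.group(1).upper()  # FTP verbs are case-insensitive
            arg = (match.group(2) or b"").decode("latin-1")
            if verb == b"USER":
                user = arg
            elif verb == b"PASS" and user and user.lower() not in ANONYMOUS_USERS:
                findings.append({"session": session_id, "user": user,
                                 "password_length": len(arg)})
                user = None
    return findings


if __name__ == "__main__":
    for finding in find_cleartext_logins(SAMPLE_SESSIONS):
        print("cleartext FTP login:", finding)
```

Each finding identifies an account whose password should be rotated and whose transfers should move to SFTP.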

SECURE ALTERNATIVE (SFTP)


We strongly recommend switching away from FTP as soon as possible. It is
seriously not secure. Secure File Transfer Protocol (SFTP) is the alternative
the world has moved to. Practically all commercial file transfer tools now
support SFTP. It is supported on all modern operating systems. It also makes
configuring automation much easier and supports secure key-based
authentication.

It is practically impossible to achieve regulatory compliance in regulated
industries, such as financials or health care, when using FTP. Public
companies are also required to protect financial data.

Consequently, the use of FTP should be restricted to totally closed and
trusted environments and anonymous access.

IMPLEMENTATIONS

We do not recommend configuring FTP servers. However, if one is needed,
all Unix and Linux systems come with built-in FTP servers. For
Windows, FileZilla Server is a possible alternative.

We recommend using SFTP. OpenSSH is a free open source server for
Unix/Linux, and comes standard with every modern Unix, Linux, and Mac
system. Tectia SSH is a widely used server for Windows. It is commercially
supported, with 24x7 support available. It is also available for z/OS.
