
Managing Files Using FTP

Overview

Data is transmitted in cleartext when FTP is used to manage files, leaving the device vulnerable to DoS, brute-force password cracking, and other attacks. As a result, device information may be disclosed, posing serious security risks. To mitigate these risks, take the following measures:

  • Perform authentication.

    Configure the FTP server to perform AAA authentication, so that only authenticated users can access the corresponding device and manage files.

  • Disable the FTP server service.

    When the FTP server service is enabled, the socket service is also enabled, exposing the corresponding device to scanning by attackers. As such, ensure that the FTP server function is disabled when not required.

    The FTP server function is disabled by default.

  • Change the FTP server port number.

    FTP server port 21 is a well-known port number subject to scanning and attacks. You can change the FTP server port number to a private one to lower the possibility of being scanned and attacked.

  • Configure FTP server ACL rules.

    You can configure FTP server ACL rules in the system view to limit the client IP addresses that can access the corresponding device.

  • Configure source interfaces.

    After you configure source interfaces supported by the FTP server, users must access the corresponding device using the IP addresses of the configured source interfaces. This limits the access range and enhances device security.

Impact on the System

None

Procedure

  • Configure AAA authentication.

    system-view
    aaa
    manager-user user-name
    password [ cipher cipher-password ]
    level level
    service-type ftp
    ftp-directory directory
    quit

    Configure the local username and password, set the access type to FTP, and configure the user level and accessible directories. The user level must be set to the management level.

  • Disable the FTP server service.

    undo ftp [ ipv6 ] server

  • Change the FTP server port number.

    ftp [ ipv6 ] server port port-number

  • Configure an ACL for the FTP server.
    1. In the ACL view, configure an ACL rule to specify clients that can log in to the device.

      system-view
      acl [ number ] acl-number
      rule [ rule-id ] { deny | permit } protocol [ destination { destination-ip-address destination-wildcard | any } | source { source-ip-address source-wildcard | any } | time-range time-name | dscp dscp ]
      quit

    2. Configure a basic ACL for the FTP server.

      ftp [ ipv6 ] acl { acl-number }

  • Configure source interfaces.

    • Use IPv4 addresses as source interface addresses.
      ftp server-source { -a source-ip-address | -i interface-type interface-number }
    • Use IPv6 addresses as source interface addresses.
      ftp ipv6 server-source { -a source-ip-address | -i interface-type interface-number }
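As an added example (not part of this page or the vendor's documentation), the following Python audit reads a saved running configuration and checks each hardening item in the procedure above: whether the FTP server is disabled, whether its port was moved off 21, whether an ACL is bound and actually defined, whether a source interface is set, and whether every FTP-enabled manager-user is at the management level. It assumes that an enabled server shows up as `ftp server enable` in the configuration and that level 3 is the management level; the configuration text, user names, ACL number, addresses and interface are constructed placeholders.

```python
import re
# Constructed sample running configuration built from this page's commands; all values are placeholders.
SAMPLE_CONFIG = """\
aaa
 manager-user ftpadmin
  password cipher %^%#PLACEHOLDER%^%#
  level 3
  service-type ftp
 manager-user backupop
  level 2
  service-type ftp
#
acl number 2001
 rule 5 permit ip source 192.0.2.0 0.0.0.255
#
ftp server enable
ftp server port 2121
ftp acl 2001
ftp server-source -i LoopBack0
"""

def ftp_users(config):
    """Map each manager-user that has service-type ftp to its configured level (None if unset)."""
    levels, ftp, current = {}, set(), None
    for line in config.splitlines():
        s = line.strip()
        if s.startswith("manager-user "):
            current = s.split()[1]
        elif current and s.startswith("level "):
            levels[current] = int(s.split()[1])
        elif current and s == "service-type ftp":
            ftp.add(current)
        elif s == "#":  # a '#' line closes the aaa view
            current = None
    return {u: levels.get(u) for u in ftp}

def audit_ftp_hardening(config, management_level=3):  # assumption: level 3 is the management level
    """Check this page's hardening items; True means compliant (assumes 'ftp server enable' marks an enabled server)."""
    enabled = re.search(r"^ftp(?: ipv6)? server enable$", config, re.M)
    port = re.search(r"^ftp(?: ipv6)? server port (\d+)$", config, re.M)
    acl = re.search(r"^ftp(?: ipv6)? acl (\d+)$", config, re.M)
    acl_defined = acl and re.search(rf"^acl(?: number)? {acl.group(1)}$", config, re.M)
    below_level = [u for u, lvl in ftp_users(config).items() if lvl != management_level]
    return {
        "ftp_server_disabled": not enabled,
        "port_changed_from_21": bool(port) and port.group(1) != "21",
        "acl_bound_and_defined": bool(acl_defined),
        "source_interface_set": bool(re.search(r"^ftp(?: ipv6)? server-source ", config, re.M)),
        "ftp_users_at_management_level": not below_level,
    }
```

On the sample configuration the audit flags two items: the server is still enabled, and `backupop` has FTP access below the management level.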

Checking the Security Hardening Result

Copyright © Huawei Technologies Co., Ltd.