Filezilla Server Configuration

Reference: https://www.alibabacloud.com/help/faq-detail/49564.htm

Harden FileZilla FTP Server

Last Updated: May 08, 2018

Configure access control.

  1. Go to General settings > Security settings.
  2. For Protection level, check Require matching peer address of control and data connection.


Enable automatic bans

By default, the server disconnects a client after several failed authentication attempts, but it does not enforce a strict policy. With the following settings you can block a client IP address that has repeatedly failed to log on, which stops further brute-force attempts from that address.

  1. Go to Autoban.
  2. The settings in the following figure block an IP address after 10 consecutive failed logon attempts within one hour. The block lasts for one hour.


Use complex user passwords

FileZilla Server does not provide an option to set the password complexity, and its server users are added by the administrator through the management interface. Users cannot modify the password through the FTP command.

Therefore, we recommend that the administrator use complex passwords when adding users.

Configure least privilege

FileZilla supports directory-level access permission settings. You can grant users the following permissions for a directory: (Files) Read, Write, Delete, and Add Files, and (Directories) Create, Delete, List, and Add Subdirectories.

We recommend that you assign the permissions for folders adhering to the principle of least privilege (POLP) to limit access to the minimal level that allows normal functioning.

Note: You must add an account and group first to perform the authorization operation.

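The permission model above (four file rights and four directory rights per directory) can be audited outside the management interface. The following added example, which is not part of the original article or of FileZilla, parses a constructed FileZilla Server.xml fragment and reports every right a user holds beyond what their assigned role needs. The option names (FileRead, FileWrite, FileDelete, FileAppend, DirCreate, DirDelete, DirList, DirSubdirs) and the XML layout are assumed to follow the FileZilla Server 0.9.x configuration file; the role profiles and the sample users are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Permission option names as stored per <Permission> element.
# Assumption: these follow the FileZilla Server 0.9.x "FileZilla Server.xml" format.
FILE_PERMS = ("FileRead", "FileWrite", "FileDelete", "FileAppend")
DIR_PERMS = ("DirCreate", "DirDelete", "DirList", "DirSubdirs")
ALL_PERMS = FILE_PERMS + DIR_PERMS

# Least-privilege profiles (constructed): the maximal set of rights a role needs.
ROLE_PROFILES = {
    "download-only": {"FileRead", "DirList", "DirSubdirs"},
    "upload-dropbox": {"FileWrite", "FileAppend"},  # blind drop: no read, list or delete
    "maintainer": set(ALL_PERMS),
}

# Constructed sample configuration, not taken from any real server.
SAMPLE_CONFIG = """<FileZillaServer>
  <Users>
    <User Name="reports">
      <Permissions>
        <Permission Dir="C:\\ftp\\reports">
          <Option Name="FileRead">1</Option>
          <Option Name="FileWrite">0</Option>
          <Option Name="FileDelete">1</Option>
          <Option Name="FileAppend">0</Option>
          <Option Name="DirCreate">0</Option>
          <Option Name="DirDelete">0</Option>
          <Option Name="DirList">1</Option>
          <Option Name="DirSubdirs">1</Option>
        </Permission>
      </Permissions>
    </User>
    <User Name="inbox">
      <Permissions>
        <Permission Dir="C:\\ftp\\inbox">
          <Option Name="FileRead">0</Option>
          <Option Name="FileWrite">1</Option>
          <Option Name="FileDelete">0</Option>
          <Option Name="FileAppend">1</Option>
          <Option Name="DirCreate">0</Option>
          <Option Name="DirDelete">0</Option>
          <Option Name="DirList">0</Option>
          <Option Name="DirSubdirs">0</Option>
        </Permission>
      </Permissions>
    </User>
  </Users>
</FileZillaServer>
"""


def granted_permissions(config_xml):
    """Return {(user, directory): set of permission names set to 1}."""
    root = ET.fromstring(config_xml)
    result = {}
    for user in root.iter("User"):
        name = user.get("Name")
        for perm in user.iter("Permission"):
            granted = {
                opt.get("Name")
                for opt in perm.findall("Option")
                if opt.get("Name") in ALL_PERMS and (opt.text or "").strip() == "1"
            }
            result[(name, perm.get("Dir"))] = granted
    return result


def audit(config_xml, role_assignments):
    """Compare each user's grants with the profile of their assigned role.

    Returns a list of (user, directory, excess_permissions). A user with no
    assigned role is reported with all of their grants as excess, since no
    justification exists for any of them.
    """
    findings = []
    for (user, directory), granted in granted_permissions(config_xml).items():
        role = role_assignments.get(user)
        excess = granted if role is None else granted - ROLE_PROFILES[role]
        if excess:
            findings.append((user, directory, frozenset(excess)))
    return findings


if __name__ == "__main__":
    roles = {"reports": "download-only", "inbox": "upload-dropbox"}
    for user, directory, excess in audit(SAMPLE_CONFIG, roles):
        print(f"{user} on {directory}: excess rights {sorted(excess)}")
```

In the sample, the download-only "reports" account also holds FileDelete, which the audit reports; the "inbox" drop-box account holds exactly the write rights its role allows and is silent.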

Enable TLS encryption authentication

FileZilla Server supports TLS encryption. If you do not have a certificate, you can use the built-in certificate creation feature to create one.


In addition, you can require TLS-encrypted connections for user logon so that credentials are never sent in clear text.


Enable logging

FileZilla Server does not enable logging by default. To keep events traceable, we recommend that you enable logging and use a different log file each day so that no single file becomes too large.


In addition, check the Don’t show passwords in message log option in Miscellaneous to avoid password leaks.

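Once logging is on, the log is also where the Autoban rule from the earlier section and the password-masking option can be verified. The following added example, which is not part of the original article or of FileZilla, replays the "10 failures within one hour, block for one hour" rule over log lines and separately lists any session in which a PASS command was logged with its argument visible. The line layout "(session id)date time - (user) (client ip)> message", the day/month/year timestamp, the "530 Login or password incorrect!" reply and the masking of passwords as a run of asterisks are assumptions about the FileZilla Server 0.9.x log format; the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed FileZilla Server 0.9.x log line layout:
#   (session id)date time - (user) (client ip)> message
LINE_RE = re.compile(
    r"^\((?P<sid>\d+)\)(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) - "
    r"\((?P<user>[^)]*)\) \((?P<ip>[^)]+)\)> (?P<msg>.*)$"
)
TS_FORMAT = "%d/%m/%Y %H:%M:%S"  # assumption: the real format follows the Windows locale
MASKED_PASS_RE = re.compile(r"^PASS \*+$")  # assumption: masked form is a run of asterisks


def parse_line(line):
    """Split one log line into its fields, or return None for unrecognised lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"sid": m["sid"], "ts": datetime.strptime(m["ts"], TS_FORMAT),
            "user": m["user"], "ip": m["ip"], "msg": m["msg"]}


def brute_force_sources(lines, threshold=10, window=timedelta(hours=1),
                        ban_duration=timedelta(hours=1)):
    """Replay the Autoban rule: an IP with `threshold` failed logons inside
    `window` is flagged, and the flag is held for `ban_duration`.
    Returns {ip: [trigger timestamps]}."""
    failures = defaultdict(deque)  # ip -> timestamps of recent failures
    banned_until = {}
    triggers = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["msg"].startswith("530 "):
            continue
        ip, ts = rec["ip"], rec["ts"]
        if ip in banned_until and ts < banned_until[ip]:
            continue  # still blocked; the server would have refused the connection
        q = failures[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop failures that fell out of the sliding window
        if len(q) >= threshold:
            triggers[ip].append(ts)
            banned_until[ip] = ts + ban_duration
            q.clear()
    return dict(triggers)


def password_leaks(lines):
    """Session ids where a PASS command was logged unmasked, which means the
    'Don't show passwords in message log' option is off."""
    return [rec["sid"] for rec in map(parse_line, lines)
            if rec and rec["msg"].startswith("PASS ")
            and not MASKED_PASS_RE.match(rec["msg"])]


# Constructed sample log (not a real capture).
def _line(sid, ts, user, ip, msg):
    return f"({sid:06d}){ts.strftime(TS_FORMAT)} - ({user}) ({ip})> {msg}"


_base = datetime(2018, 5, 8, 10, 0, 0)
SAMPLE_LOG = [_line(1, _base, "not logged in", "203.0.113.5", "USER alice"),
              _line(1, _base, "not logged in", "203.0.113.5", "PASS ****")]
for _i in range(12):  # one address failing every minute
    SAMPLE_LOG.append(_line(10 + _i, _base + timedelta(minutes=_i), "not logged in",
                            "198.51.100.7", "530 Login or password incorrect!"))
for _i in range(3):  # a second address with a few typos, below the threshold
    SAMPLE_LOG.append(_line(30 + _i, _base + timedelta(minutes=5 * _i), "not logged in",
                            "203.0.113.5", "530 Login or password incorrect!"))
SAMPLE_LOG.append(_line(40, _base + timedelta(minutes=20), "not logged in",
                        "203.0.113.5", "PASS secret"))  # constructed unmasked line

if __name__ == "__main__":
    print("autoban triggers:", brute_force_sources(SAMPLE_LOG))
    print("sessions logging passwords in clear:", password_leaks(SAMPLE_LOG))
```

With the sample, 198.51.100.7 reaches ten failures at 10:09:00 and is flagged once; its two later failures fall inside the one-hour block and are not counted again. 203.0.113.5 stays below the threshold, but session 000040 is reported because its PASS argument was written to the log unmasked.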