WEBINAR
GigaOm Radar Report for PTaaS: How to Make a Smarter Investment in Pentesting
WEBINAR
GigaOm Radar Report for PTaaS: How to Make a Smarter Investment in Pentesting

Anonymous FTP Servers: How to Prevent Compromising Your Security

Anonymous FTP servers represent a legacy technology, but they remain in use, and their security vulnerabilities remain with them. Without safeguards to protect you, anonymous users may use your FTP server to gain access to sensitive data, upload malicious files, hijack your site, or disrupt your service.

In this blog, we'll share what you need to know to secure your FTP server against anonymous access vulnerabilities. We'll cover:

  • What an anonymous FTP server is
  • How FTP anonymous access works
  • Common vulnerabilities of an anonymous FTP servers
  • Why it's important to secure FTP anonymous access and how to do it

What is an anonymous FTP server?

Anonymous FTP servers use File Transfer Protocol (FTP) communication standards to let users access files from remote computers without providing assigned usernames and passwords. 

Invented in 1971 by the U.S. Department of Defense for use on ARPANET, FTP has lost popularity partly because of known security vulnerabilities. Notably, it lacks encryption. More on this topic of how FTP is innately vulnerable below.

FTP servers provide a way to transfer files online from one computer to another, with the host computer acting as server to client computers. Users normally provide usernames and passwords to access files, but server and file settings can be adjusted to allow anonymous users. An anonymous FTP server is an FTP server set to let anonymous users download files, upload files, or both.

FTP servers let authorized users perform actions on hosted files and file directories, such as:

  • Reading files and directory contents
  • Editing files
  • Running files
  • Downloading files from directories
  • Adding, renaming, or deleting files
  • Moving files between directories
  • Creating, renaming, or deleting directories
  • Changing permissions for file creators, groups, and public users to define what actions they're allowed to perform

Actions users can perform depend on their permissions. Many FTP servers let general users download files but only allow privileged users to upload them.

FTP programs may consist of standalone software, components of other software programs, or background processes. Web browsers frequently used to integrate FTP programs before FTP was superseded other protocols capable of file transfer, such as Hypertext Transfer Protocol (HTTP), Hypertext Transfer Protocol Secure (HTTPS), Secure Shell (SSH), and Secure File Transfer Protocol (SFTP). Despite its legacy status, browsers and other software still support use of FTP, which is more efficient for transferring files than HTTP when other functionality is not required.

How FTP anonymous access works

Anonymous FTP servers work over an Internet connection by using the FTP protocol as a common language to communicate between the server computer and one or more client computers. The protocol allows the server and clients to exchange requests and responses to exchange files and perform operations on them.

An FTP session begins when a client sends a request to connect to the server computer. Normally, the server computer will require a username and password to authorize the session. However, with an anonymous FTP session, the client can enter "anonymous" or random characters as their username and use a password selected by the user.

Once the session has been authorized, the client can send any requests that their permissions profile allows. Creators of files and folders are classified as owners, while those allowed to access files are organized into groups of users with similar permissions. 

Permissions can be set for owners, groups, and the public. For each of these categories, permissions can be configured to allow any or all of these options for a given file or directory:

  • Read: Users can read files or view names of files in the directory
  • Write: Users can edit file contents or create, delete, or rename files in directories
  • Execute: Users can run files or browse subdirectories and their files

These permissions give FTP server administrators a degree of control over what users can do.

Benefits of Anonymous FTP Servers

Anonymous FTP servers offer a number of advantages that have perpetuated their use:

  • They provide a simple way to share files without requiring password registration.
  • They can support simultaneous multiple file transfers.
  • They can share files more efficiently than HTTP.
  • These benefits make anonymous FTP servers popular for purposes such as sharing large volumes of archived files with many users. 

Software distribution sites, public data sharing sites, technical documentation sites, and open source sites illustrate some of the use cases of anonymous FTP servers.

Vulnerabilities of Anonymous FTP Servers

However, the benefits of anonymous FTP come with significant risks. Permissions controls alone do not provide sufficient safeguards. A 1999 review of FTP security considerations found that FTP servers were vulnerable to numerous attacks, including:

  • Bounce attacks: Attackers use the FTP server to send malicious files to other attack targets or trigger denials of service, making the original attacker difficult to trace and leaving the server liable.
  • Port stealing: Bad actors can predict the next port the server will assign and use it to hijack the port from another client, intercept files meant for other clients, and inject malicious files into the traffic stream
  • Remote command execution: FTP extensions can allow clients to run arbitrary commands on servers, potentially bypassing security controls. This can impact internal or external networks with internal networks having worse consequences from a breach.
  • Active debug code: Some FTP software comes installed with code allowing backdoor entry to developers and technical support, allowing hackers to infiltrate the server.

While this last risk is the focus of this article, note that many of the other risks mentioned can be common to both anonymous FTP servers and those requiring passwords.

Importance of Securing FTP Anonymous Access: Use Cases

These vulnerabilities make security considerations for anonymous FTP imperative in order to avoid severe risks. Best practices for securing FTP servers include:

  • Disabling anonymous access options unless you need them for specific reasons.
  • Serving files only from specific subdirectories, not exposing your root directory or sharing entire disks except ones representing single partitions of data meant to be shared.
  • If you need to allow anonymous access, only allow downloads, don't allow users to upload files.
  • If you do allow uploads, designate a specific upload directory that does not allow downloads, preventing malicious files from being spread.
  • Monitor your FTP server logs for any signs of suspicious activity.

Allowing anonymous users to upload files is highly risky and should be avoided unless truly necessary. To keep your anonymous FTP secure, the best practice is to set permissions so anonymous users can only:

  • Connect to your server
  • List contents of designated directories
  • Retrieve files from these directories

Restricting anonymous users to these actions will help minimize security risks on your FTP server.

Use Pentesting to Secure Anonymous FTP Vulnerabilities

The best practices recommended here will help mitigate FTP vulnerabilities, but sophisticated attackers may find weaknesses you may have missed. For maximum security, use offensive security tests to probe vulnerabilities and mitigate them before attackers discover them.

Cobalt Network Pentesting Services can help you secure your FTP server and digital infrastructure. Cobalt's platform empowers your security team to work with our network of experienced professional pentesters, led by a core team of experts who partner with the Open Worldwide Application Security Project (OWASP) to help industry leaders develop security standards. Our on-demand model lets you scale testing up or down as needed. Connect with Cobalt to discuss how we can help you protect your network.

Back to Blog
About Gisela Hinojosa
Gisela Hinojosa is a Senior Security Consultant at Cobalt with over 5 years of experience as a penetration tester. Gisela performs a wide range of penetration tests including, network, web application, mobile application, Internet of Things (IoT), red teaming, phishing and threat modeling with STRIDE. Gisela currently holds the Security+, GMOB, GPEN and GPWAT certifications. More By Gisela Hinojosa