How to Secure an Externally Accessible FTP Server

You can edit the security settings of an externally accessible FTP server.
  1. Access the server preferences in Server Functions > FTP Configuration.
  2. Click the name of the server you want to edit.
  3. At the bottom of the page, click Security and change the settings.
    Option Description
    Maximum number of simultaneous connections The maximum number of simultaneous connections to the FTP server. Setting it to zero means that there are no limits.
    Maximum number of failed login attempts If a user fails to log in with the specified number of attempts the connection will terminate.
    Login timeout The maximum time in seconds for the user to log in.
    No transfer timeout The connection will be considered idle and will terminate after the specified number of seconds have elapsed on an open connection without a file transfer or directory listing.
    Stalled transfer timeout This is the amount of time a file transfer can spend without sending or receiving any data before it is considered stalled and thus terminated.
    Allow keep-alives: FTP clients use various commands to keep the connection from being idle. When enabled, FTP commands such as CWD, PWD or the ubiquitous NOOP will reset the No transfer timeout counter. If disabled, only an actual file transfer or a directory listing will reset the counter.
    Thread priority You can select the priority of the threads servicing users for the FTP server. If you are running an FTP server on an otherwise busy web server it might be a good idea to set the priority to a lower value than the default Normal setting.
    Allow unsecured FTP connections If this option is disabled the FTP client must support and use SSL connection.
    Allow data connections to go to different IPs than that of the control connection The FTP protocol uses two connections: The control connection and the data connection. The data connection is where all the raw data is sent, the control connection is used to send commands to the server and receive replies. Normally data connections are set up to the same IP address as that of the control connection, but in order to facilitate server-to-server file transfers it may be desirable to allow data connections to go to different IP addresses. If you are not using server-to-server transfers you can safely disable this option.
    Quoted password changes This determines whether the parameters of the SITE PSWD command are in quotes or simply surrounded by a space. (SITE PSWD oldpwd newpwd vs. SITE PSWD “oldpwd” “newpwd”). Which form is used depends on the Hosted FTP client.
    Anti-hammer filter This feature is similar to RemotelyAnywhere’s IP address lockout settings. By default if 4 bad logins occur from an IP address within one minute, the IP address will be locked out for one hour.
    Number of invalid attempts before locking out The number of bad login attempts. The default is 4.
    Reset invalid attempt count after The time before the invalid attempt count is reset to zero.
    Lock out for The duration for which the user is locked out after the specified number of invalid login attempts.
  4. Click Apply.