Guest Author - Lisa Shea
Whether you're coding in ASP, HTML or another language, it is critical you keep your FTP account secure. FTP is how users (and hackers) gain access to your website.
FTP stands for File Transfer Protocol and it is how most developers move files from their home system up to their web system. Developers never make changes on the live site - they make changes on a remote system, test them, and then move the changed files onto the live server. This transfer is typically done with FTP.
In IIS, the FTP entity exists to control that online access. There is a log file for FTP which should be checked weekly (if not daily) to see who is trying to break into your system. Every FTP access - successful or unsuccessful - is recorded in that log file.
It is critical that you take steps to ensure your FTP is not misused by a hacker. These include:
* TURN OFF ANONYMOUS ACCESS. This is pretty much the very first step to be taken. Only authorized users should have access to your FTP area. Otherwise, Lord only knows what files will end up on your server or what changes are made to your existing code.
* Turn off standard names. That is, make sure there is no way that a person with the name of administrator, admin, user, or your website name can log in. These are typical names that hackers use.
* Only authorize one name that is a NON-standard name to gain access, and give it an unusual password. That way even if someone guessed at the name, they could probably never guess at the password.
* Change the password frequently. It's not like you are actually typing that password - typically you have an FTP program you use to move your files around. You just change it in that program's settings once a month or so. That way even if someone does figure out the name, they can't figure out the password.
Be sure to check those log files. That way you can find out who is trying to gain access to your server and notify their ISP. If someone is actively trying to hack your site, it's important to get them shut down - for your own sanity, and for the sanity of others they may also be harassing.
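The log review described above can be scripted. The following is an added example, not part of the original article: a Python sketch that reads an FTP log, counts failed logins per client address, and lists which standard names were tried. It assumes a W3C extended log with a `#Fields:` header naming `c-ip`, `cs-method`, `cs-uri-stem` and `sc-status`; the function names, the sample log and the threshold of 3 are all constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample log (W3C extended layout assumed; addresses are documentation ranges).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2024-01-05 03:10:01 203.0.113.7 USER administrator 331
2024-01-05 03:10:02 203.0.113.7 PASS *** 530
2024-01-05 03:10:03 203.0.113.7 USER admin 331
2024-01-05 03:10:04 203.0.113.7 PASS *** 530
2024-01-05 03:10:05 203.0.113.7 USER user 331
2024-01-05 03:10:06 203.0.113.7 PASS *** 530
2024-01-05 09:00:00 198.51.100.20 USER deploy_7q 331
2024-01-05 09:00:01 198.51.100.20 PASS *** 530
2024-01-05 09:00:09 198.51.100.20 USER deploy_7q 331
2024-01-05 09:00:10 198.51.100.20 PASS *** 230
2024-01-05 11:30:00 192.0.2.9 USER anonymous 331
2024-01-05 11:30:01 192.0.2.9 PASS *** 230
"""
# Names the article says attackers typically try, plus "anonymous" (assumed list).
STANDARD_NAMES = {"administrator", "admin", "user", "anonymous"}

def parse(text):
    """Yield one dict per log entry, keyed by the names in the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.strip() and not line.startswith("#"):
            parts = line.split()
            if len(parts) == len(fields):   # skip truncated or malformed entries
                yield dict(zip(fields, parts))

def summarize(text, threshold=3):
    """Return (clients with >= threshold failed logins, list of successful logins)."""
    offered = {}                      # client IP -> name from its latest USER command
    failures = defaultdict(Counter)   # client IP -> failed-login count per name
    successes = []
    for rec in parse(text):
        ip, method = rec["c-ip"], rec["cs-method"].upper()
        if method == "USER":
            offered[ip] = rec["cs-uri-stem"].lower()
        elif method == "PASS" and rec["sc-status"] == "530":   # 530: not logged in
            failures[ip][offered.get(ip, "-")] += 1
        elif method == "PASS" and rec["sc-status"] == "230":   # 230: user logged in
            successes.append((ip, offered.get(ip, "-")))
    report = {ip: {"failed": sum(c.values()),
                   "standard_names_tried": sorted(set(c) & STANDARD_NAMES)}
              for ip, c in failures.items() if sum(c.values()) >= threshold}
    return report, successes
```

A successful login under `anonymous` in the second return value means anonymous access is still turned on; the addresses in the first are the ones worth following up on.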
It's important to remember that FTP is NOT SECURE. Those usernames and passwords are sent to and from the server in a non-secure manner. If you are really interested in server security, look into buying a secure FTP software system. It may cost money up front, but it makes sure that a hacker does not easily sniff out your username/password combo and destroy your entire website.