The File Transfer Protocol (FTP) allows users to connect to remote systems and transfer files back and forth. FTP is implemented by the ftp client program and the ftpd server program. As part of establishing a connection to a remote machine, ftp relies on a username and password combination for authentication. Use of ftp poses a security problem similar to use of the TELNET protocol because passwords typed to ftp are transmitted over the network in plain text, one character per packet. These packets can be intercepted. Use of versions of ftpd older than the most recent version pose security threats because older versions have bugs that allow crackers to break into a system.
Another problem area for ftp is ``anonymous ftp.'' Anonymous ftp allows users who do not have an account on a machine to transfer files to and from a specific directory. This capability is particularly useful for software or document distribution to the public. To use anonymous ftp, a user passes a remote computer name as an argument to ftp and then specifies anonymous as their username.
One of the problems with anonymous ftp is that there is often no record of who has requested what information. Another problem with anonymous ftp is the threat of denial of service attacks. For deliberate or accidental denial of service attacks, authorized users may be denied access to a system if too many file transfers are initiated simultaneously. It is important to securely set up the anonymous FTP account on the server because everyone on the network will have potential access. If the anonymous ftp account is not securely configured and administered crackers may be capable of adding and modifying files. section 10.2.1 describes techniques which should be used to increase security when using ftp.