Hardening Checklist

Authentication

  • Change default admin password immediately
  • Prefer SSH public keys for SFTP
  • Disable password login for key-only users
  • Rotate credentials quarterly

Authorization

  • Use virtual paths to isolate data
  • Grant least privilege per listener
  • Separate partner and internal listeners

Network

  • Restrict ports by IP allowlists
  • Use reverse proxy for Web GUI TLS
  • Keep passive FTP range narrow
  • Prefer static IPs for admin stations
  • Log firewall accepts/denies where possible

Public Key Management

Generate

  1. ssh-keygen -t ed25519 -C "user@host"
  2. Protect private key with a passphrase
  3. Store keys in a secure profile directory

Enroll

  1. Paste public key in user profile
  2. Test login; confirm logs show auth method
  3. Keep password login disabled where key-only access is required

Revoke

  • Remove key entry; save
  • Rotate to a new key after incidents

Logging & Auditing

What is Logged

  • Timestamp, user, listener
  • Action and path
  • Result (success/error)
  • Remote IP and auth method

Exports

  • Copy to clipboard for quick analysis
  • CSV export for audits
  • Retain weekly archives
  • Ship to SIEM via scheduled export

Alerting (planned)

  • Email/Discord webhooks for failures
  • Threshold-based alerts on auth errors

Incident Response Quickstart

Contain

  • Stop affected listener
  • Revoke suspected user keys/passwords
  • Restrict firewall to admin IPs
  • Snapshot VM if virtualization is used

Investigate

  • Export activity logs
  • Correlate timestamps with SIEM logs
  • Check file system changes in virtual paths
  • Compare auth methods used vs. expected
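
The threshold-based auth-error alerting listed under Alerting and the "compare auth methods used vs. expected" step above, worked through on a CSV export (added example, not part of the checklist or its product): the column names, the constructed log rows and the key-only user names are assumptions, so adjust them to the real export.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of a CSV activity-log export with the fields the checklist
# says are logged. The column names are an assumption; adjust them to the real export.
SAMPLE_CSV = """timestamp,user,listener,action,path,result,remote_ip,auth_method
2024-05-01T10:00:01Z,partner1,sftp-partner,login,/,success,203.0.113.10,publickey
2024-05-01T10:01:00Z,admin,web-gui,login,/,error,198.51.100.7,password
2024-05-01T10:01:10Z,admin,web-gui,login,/,error,198.51.100.7,password
2024-05-01T10:01:20Z,admin,web-gui,login,/,error,198.51.100.7,password
2024-05-01T10:01:30Z,admin,web-gui,login,/,error,198.51.100.7,password
2024-05-01T10:01:40Z,admin,web-gui,login,/,error,198.51.100.7,password
2024-05-01T10:20:00Z,partner2,sftp-partner,login,/,success,203.0.113.22,password
"""

# Users whose profile is meant to be key-only (assumed names); a password login,
# even a successful one, means password login was not actually disabled.
KEY_ONLY_USERS = {"partner1", "partner2"}

def parse_log(text):
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["ts"] = datetime.strptime(r["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
    return rows

def auth_error_bursts(rows, threshold=5, window=timedelta(minutes=10)):
    """(remote_ip, user) pairs with >= threshold login errors inside one sliding window."""
    by_src = defaultdict(list)
    for r in rows:
        if r["action"] == "login" and r["result"] == "error":
            by_src[(r["remote_ip"], r["user"])].append(r["ts"])
    alerts = []
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # drop events outside the window
                start += 1
            if end - start + 1 >= threshold:
                alerts.append(src)
                break
    return alerts

def auth_method_mismatches(rows):
    """Key-only users seen logging in with anything other than a public key."""
    return sorted({(r["user"], r["auth_method"]) for r in rows
                   if r["action"] == "login" and r["user"] in KEY_ONLY_USERS
                   and r["auth_method"] != "publickey"})
```

On the sample, auth_error_bursts(parse_log(SAMPLE_CSV)) flags ('198.51.100.7', 'admin') and auth_method_mismatches reports ('partner2', 'password'); point parse_log at the real CSV export to run the same checks during an investigation.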

Recover

  • Restore from latest clean backup
  • Rotate all credentials/keys
  • Document findings and patch gaps
  • Re-run smoke tests (login, upload, download)