Half of Six Million Public FTP Servers Exposed to Security Risks Due to Lacking Encryption


File Transfer Protocol (FTP) Security Risks

Approximately 6 million internet-accessible systems utilize File Transfer Protocol (FTP), with nearly half lacking encryption, according to a recent study by Censys.

Prevalence of FTP Servers

Despite a 40% decline in the number of hosts running internet-facing FTP services since 2024, from 10.1 million to 5.94 million, the protocol remains prevalent, representing 2.72% of all internet-visible systems.

According to Censys, “2.45 million of the observed FTP services showed no evidence of encryption.”

The majority of these servers are based in the United States, with notable concentrations also found in China, Germany, Hong Kong, Japan, and France.

Largest Hosting Providers

  • China Unicom’s CHINA169
  • Alibaba
  • OVH
  • Hetzner
  • KDDI Web Communications
  • GoDaddy

Censys’ analysis revealed that Pure-FTPd is the most commonly used server software, followed closely by ProFTPD and vsftpd.

Microsoft’s Internet Information Services (IIS) also runs approximately 259,000 FTP services.

Notably, many of these servers fail to implement authentication via Transport Layer Security (TLS), which is a crucial step in securing data transmission.

Censys notes that the widespread presence of FTP servers lacking encryption suggests that many configurations result from commodity hosting and broadband defaults rather than intentional design choices.

Organizations are advised to either replace FTP with more secure alternatives like SSH File Transfer Protocol (SFTP) or transition to FTPS, which supports encrypted file transfers and offers broader client compatibility.

Removing FTP altogether, or enabling encryption such as explicit TLS, significantly reduces an organization's exposure to the security risks associated with FTP.
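One way to check servers you operate for the condition the study describes, as an added example that is not code from Censys or the original article: it parses FTP control-channel replies and grades a host as `no-tls`, `tls-optional` or `tls-required`. The grade names, the `audit-probe` user name and the sample reply are constructed for illustration, and treating a 230 or 331 reply to a cleartext `USER` as "TLS not enforced" is a heuristic assumption.

```python
import socket

# Constructed sample reply (not captured from a real server).
SAMPLE_FEAT = b"211-Extensions supported:\r\n AUTH TLS\r\n PBSZ\r\n PROT\r\n211 End\r\n"

def read_reply(f):
    """Read one FTP reply; multi-line replies run from 'NNN-' to 'NNN ' (RFC 959)."""
    lines = [f.readline().decode("latin-1").rstrip("\r\n")]
    code = lines[0][:3]
    if len(code) != 3 or not code.isdigit():
        raise ValueError(f"not an FTP reply: {lines[0]!r}")
    while lines[0][3:4] == "-" and not lines[-1].startswith(code + " "):
        raw = f.readline()
        if not raw:
            raise ValueError("connection closed mid-reply")
        lines.append(raw.decode("latin-1").rstrip("\r\n"))
    return int(code), lines

def feat_offers_tls(reply):
    """True if a FEAT reply (RFC 2389) lists an AUTH feature naming TLS (RFC 4217)."""
    code, lines = reply
    for line in lines[1:-1]:  # feature lines sit between the two 211 lines
        name, _, params = line.strip().partition(" ")
        if name.upper() == "AUTH" and "TLS" in params.upper().replace(";", " ").split():
            return code == 211
    return False

def classify(auth_reply, user_reply):
    """Grade a server from its cleartext replies to AUTH TLS and USER."""
    if auth_reply[0] != 234:  # 234 = server is ready to negotiate TLS
        return "no-tls"
    if user_reply[0] in (230, 331):  # login continues on the unencrypted channel
        return "tls-optional"
    return "tls-required"

def ask(host, command, port=21, timeout=10):
    """Send one command on a fresh control connection and return its reply."""
    with socket.create_connection((host, port), timeout=timeout) as s, s.makefile("rb") as f:
        read_reply(f)  # discard the greeting
        s.sendall(command.encode("ascii") + b"\r\n")
        return read_reply(f)

def audit(host):
    """Probe a server you operate; "audit-probe" is a made-up name, no password is sent."""
    grade = classify(ask(host, "AUTH TLS"), ask(host, "USER audit-probe"))
    return grade, feat_offers_tls(ask(host, "FEAT"))
```

A `tls-optional` result means clients can still log in without encryption, so the remaining step is to make the server refuse cleartext logins rather than merely offer TLS.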


