1. SFTP only – allow only TCP port 22 (SSH) through the firewall; no FTP, FTPS or other file-transfer protocols.
2. No anonymous access.
3. Each user must have read/write access only to their own directory, with no shared directories.
4. Account lockout enabled to limit repeated failed login attempts (brute forcing).
5. Implement an automated process in which uploaded files land in a holding directory, are scanned by the anti-virus (AV) application, and only files that pass the scan are moved to the release directory.
6. AV must be configured to update its signatures automatically.
7. Accounts must have an automatic disable function that triggers after 5 business days.
8. Where possible, use public-key or SSH certificate-based authentication instead of passwords.
9. If username and password authentication is used, enforce complex passwords.
10. All SSH tunnelling and forwarding options (e.g. AllowTcpForwarding, AllowAgentForwarding, X11Forwarding, PermitTunnel, GatewayPorts) must be turned off in both server and client configuration, and the associated config files (global and per-user) secured so that no user can change them.