Re: [LUG] Security and SSH

On 20/01/11 17:58, Neil Winchurst wrote:
>
> Getting a bit more security minded. I have Googled SSH and searched
> cPanel on my computer and SSH seems rather complicated to me.
> 
> Nobody sends me anything via the web except emails of course. The only
> FTP I use is the occasional transfer of a file from my desktop computer
> to my website. I am wondering if there is any need to bother with SSH.
> 
> Anyone have any comments etc please?

Security is all about managing risk, not necessarily eliminating it
(except where that is worthwhile).

If FTP is all that is allowed for uploading your website you are stuck
with it till you switch providers.

FTP provides no confirmation that the server you connect to is the
server you intended, and doesn't encrypt the password. So anyone with
access to the connection can steal your credentials and compromise your
web site (and probably server as well).

This may seem a rare threat, but I've seen it happen twice. Admittedly
in both cases it was malware on Windows that stole the credentials. The
malware listened for FTP traffic, because these days almost all FTP
traffic is website updates, and then sent the username and password off
to computers which then modify your website to distribute malware, and
no doubt do other things if they recognise the type of website - the
whole process was entirely automated so you know these folks are doing
it on a big scale.

It is easier to write code to watch the outgoing traffic to the FTP
port, and pick out the credentials that way than it is to try and detect
different FTP clients and work out when a username or password is being
typed (i.e. key-stroke logging).

So if your website security is important you want to switch to a form of
file transfer that does encrypt the password, and does verify the
server's identity -- like urm sftp (usually shipped with the SSH client,
although most website editing tools will do sftp).

The server dcglug.org.uk is hosted on does sftp not ftp, because the
users are relatively clued-up and getting their hosting gratis.

At work we do "ftp" because educating the masses about using sftp (even
though it is often just finding the right tick box) is more than their
business is worth.

It may well not matter much if your website is compromised for a day or
two and distributing malware. If it is an ecommerce site, or a
government website, your opinion may be different. But you should weigh
it up and switch to sftp or similar only if it is worth the effort.

 Simon
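As an added illustration (not part of Simon's reply or any list member's code), here is a small passive check a site operator could run over reassembled FTP control-channel text to find who still logs in with cleartext credentials, which is exactly the exposure described above. The session is constructed, not a real capture; the same monitor pointed at an SFTP session on port 22 would see only an encrypted stream.

```python
# Constructed sample: (direction, line) pairs as a capture tool might hand
# them over after reassembling a TCP session to port 21. 'C' = client->server,
# 'S' = server->client. Not a real capture.
SAMPLE_SESSION = [
    ("S", "220 ftp.example.com FTP server ready"),
    ("C", "USER webadmin"),
    ("S", "331 Password required for webadmin"),
    ("C", "PASS hunter2"),
    ("S", "230 User webadmin logged in"),
    ("C", "CWD /public_html"),
    ("C", "STOR index.html"),
    ("S", "150 Opening data connection"),
]


def find_cleartext_logins(session):
    """Return one alert dict per password sent over the FTP control channel.

    Nothing is decrypted: plain FTP puts USER and PASS on the wire as text, so
    anything on the path (or on the client machine) can read them. The
    password is masked in the alert so the monitor does not re-expose it, but
    its length is kept so the operator can see it really was transmitted.
    """
    alerts = []
    user = None
    for direction, line in session:
        if direction == "C":
            verb, _, arg = line.partition(" ")
            verb = verb.upper()
            if verb == "USER":
                user = arg.strip()
            elif verb == "PASS":
                alerts.append({"user": user, "password": "*" * len(arg),
                               "status": "unknown"})
        elif alerts and alerts[-1]["status"] == "unknown":
            code = line[:3]          # three-digit FTP reply code
            if code == "230":        # login accepted
                alerts[-1]["status"] = "success"
            elif code == "530":      # login rejected; credential still exposed
                alerts[-1]["status"] = "failed"
    return alerts


def files_uploaded(session):
    """List the files the client stored over this cleartext session."""
    return [line.partition(" ")[2] for d, line in session
            if d == "C" and line.upper().startswith("STOR ")]
```

Running both functions over a day's captures gives a list of accounts to move to sftp, and of the files that were changed while the credentials were readable.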

-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq