Re: [LUG] Security and SSH

 

On Thu, 2011-01-20 at 18:40 +0000, Simon Waters wrote:
> On 20/01/11 17:58, Neil Winchurst wrote:
> >
> > Getting a bit more security minded. I have Googled SSH and searched
> > cPanel on my computer and SSH seems rather complicated to me.
> > 
> > Nobody sends me anything via the web except emails of course. The only
> > FTP I use is the occasional transfer of a file from my desktop computer
> > to my website. I am wondering if there is any need to bother with SSH.
> > 
> > Anyone have any comments etc please?
> 
> Security is all about managing risk, not necessarily eliminating it
> (except where that is worthwhile).
> 
> If FTP is all that is allowed for uploading your website you are stuck
> with it till you switch providers.
> 
> FTP provides no confirmation that the server you connect to is the
> server you intended, and doesn't encrypt the password. So anyone with
> access to the connection can steal your credentials and compromise your
> web site (and probably server as well).
> 
> This may seem a rare threat, but I've seen it happen twice. Admittedly
> in both cases it was malware on Windows that stole the credentials. The
> malware listened for FTP traffic, because these days almost all FTP
> traffic is website updates, and then sent the username and password off
> to computers which then modify your website to distribute malware, and
> no doubt do other things if they recognise the type of website - the
> whole process was entirely automated so you know these folks are doing
> it on a big scale.
> 
> It is easier to write code to watch the outgoing traffic to the FTP
> port, and pick out the credentials that way than it is to try and detect
> different FTP clients and work out when a username or password is being
> typed (i.e. key-stroke logging).
> 
> So if your website security is important you want to switch to a form of
> file transfer that does encrypt the password, and does verify the
> server's identity -- like urm sftp (usually shipped with the SSH client,
> although most website editing tools will do sftp).
> 
> The server dcglug.org.uk is hosted on does sftp not ftp, because the
> users are relatively clued-up and getting their hosting gratis.
> 
> At work we do "ftp" because educating the masses about using sftp (even
> though it is often just finding the right tick box) is more than their
> business is worth.
> 
> It may well not matter much if your website is compromised for a day or
> two and distributing malware. If it is an ecommerce site, or a
> government website, your opinion may be different. But you should weigh
> it up and switch to sftp or similar only if it is worth the effort.
> 
>  Simon
> 

I use SSH a lot.
It's very useful to get to the Web Server, and access to other Machines
on My Network. I use it just like the old Telnet.

Look in your Home Dir (use Ctrl H) to unhide files and look inside the .ssh
folder.

You will have a File called known hosts.

This I think is a good security device as it registers host "keys" whom
you know of and possibly trust, i.e. it tells you about spoofing.

If anyone tries to connect to you they will need user name and password
information which is sent encrypted.

If you don't use it out-going you could block the TCP/IP port 22 and not
worry about it.




 
Regards

Kevin Lucas
Minions Post Master(Sub) 
Ten Years in the Making!
www.minionsbandb.co.uk
www.tearooms.minionsbandb.co.uk
Po House, Minions,
Liskeard Cornwall 
PL14 5LE
01579363386


-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
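
The known hosts check mentioned in the message above, sketched as an added example (not part of the original emails and not OpenSSH's own code): it compares the key a server presents against the recorded entries and reports a mismatch, which is the spoofing signal. Host names, keys and salt are constructed sample values; only exact and hashed host entries are handled, and wildcard patterns and `@` marker lines are skipped as a simplifying assumption.

```python
import base64, hashlib, hmac

def host_matches(pattern: str, host: str) -> bool:
    """Match one known_hosts host field, plain list or hashed (|1|salt|hash)."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, hash_b64 = pattern.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(hash_b64))
    return host in pattern.split(",")

def fingerprint(key_b64: str) -> str:
    """SHA256 fingerprint in the form ssh prints it (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def check_host_key(known_hosts_text: str, host: str, key_type: str, key_b64: str) -> str:
    """Return 'match', 'MISMATCH' (possible spoofing) or 'unknown' (first contact)."""
    seen = False
    for line in known_hosts_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0][0] in "#@":
            continue  # blank, comment, or marker line (markers not handled here)
        if not host_matches(fields[0], host) or fields[1] != key_type:
            continue
        if fields[2] == key_b64:
            return "match"
        seen = True  # host is recorded, but with a different key
    return "MISMATCH" if seen else "unknown"

# Constructed sample data (not real keys or hosts).
KEY_A = base64.b64encode(b"constructed-host-key-A").decode()
KEY_B = base64.b64encode(b"constructed-host-key-B").decode()
_salt = b"constructed-salt-001"
_hashed = "|1|%s|%s" % (
    base64.b64encode(_salt).decode(),
    base64.b64encode(hmac.new(_salt, b"sftp.example.org", hashlib.sha1).digest()).decode(),
)
SAMPLE = (
    f"web.example.org,192.0.2.10 ssh-ed25519 {KEY_A}\n"
    f"{_hashed} ssh-ed25519 {KEY_A}\n"
)

if __name__ == "__main__":
    for host, key in [("web.example.org", KEY_A), ("web.example.org", KEY_B),
                      ("sftp.example.org", KEY_A), ("new.example.org", KEY_A)]:
        print(host, fingerprint(key), check_host_key(SAMPLE, host, "ssh-ed25519", key))
```

A "MISMATCH" result corresponds to the case where the ssh client refuses to connect and warns that the host identification has changed; "unknown" is the first-connection case where the fingerprint should be confirmed out of band before accepting it.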