On 20/01/11 17:58, Neil Winchurst wrote:
>
> Getting a bit more security minded. I have Googled SSH and searched
> cPanel on my computer and SSH seems rather complicated to me.
>
> Nobody sends me anything via the web except emails of course. The only
> FTP I use is the occasional transfer of a file from my desktop computer
> to my website. I am wondering if there is any need to bother with SSH.
>
> Anyone have any comments etc please?

Security is all about managing risk, not necessarily eliminating it (except where that is worthwhile).

If FTP is all that is allowed for uploading your website you are stuck with it till you switch providers.

FTP provides no confirmation that the server you connect to is the server you intended, and doesn't encrypt the password. So anyone with access to the connection can steal your credentials and compromise your web site (and probably the server as well).

This may seem a rare threat, but I've seen it happen twice. Admittedly in both cases it was malware on Windows that stole the credentials. The malware listened for FTP traffic, because these days almost all FTP traffic is website updates, and then sent the username and password off to computers which then modify your website to distribute malware, and no doubt do other things if they recognise the type of website. The whole process was entirely automated, so you know these folks are doing it on a big scale.

It is easier to write code to watch the outgoing traffic to the FTP port and pick out the credentials that way than it is to try and detect different FTP clients and work out when a username or password is being typed (i.e. key-stroke logging).

So if your website security is important you want to switch to a form of file transfer that does encrypt the password and does verify the server's identity -- like, urm, sftp (usually shipped with the SSH client, although most website editing tools will do sftp).
The server dcglug.org.uk is hosted on does sftp not ftp, because the users are relatively clued-up and getting their hosting gratis. At work we do "ftp" because educating the masses about using sftp (even though it is often just finding the right tick box) is more than their business is worth.

It may well not matter much if your website is compromised for a day or two and distributing malware. If it is an ecommerce site, or a government website, your opinion may be different. But you should weigh it up and switch to sftp or similar only if it is worth the effort.

Simon

-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
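An added example, not part of Simon's post or the list's material, of the point he makes about watching the FTP port: because FTP sends USER and PASS on the control channel in cleartext, a passive observer (a packet-sniffing trojan, or equally an IDS rule on the same wire) only has to pair those commands with the server's numeric replies (331 need password, 230 logged in, 530 rejected) to learn which credentials actually work and which files were then uploaded. The same logic run over an SSH/SFTP session recovers nothing, because after the version banner the stream is encrypted. The host name, user, password and both captures below are constructed for the example, not real traffic.

```python
import re
from dataclasses import dataclass, field

# Constructed FTP control-channel capture (hypothetical user and password).
# Each entry is (direction, payload): "C" client->server, "S" server->client.
FTP_CAPTURE = [
    ("S", "220 ProFTPD Server ready."),
    ("C", "USER webadmin"),
    ("S", "331 Password required for webadmin"),
    ("C", "PASS wrongpass"),
    ("S", "530 Login incorrect."),
    ("C", "USER webadmin"),
    ("S", "331 Password required for webadmin"),
    ("C", "PASS s3cret-site-pw"),
    ("S", "230 User webadmin logged in"),
    ("C", "CWD /public_html"),
    ("S", "250 CWD command successful"),
    ("C", "STOR index.html"),
    ("S", "150 Opening BINARY mode data connection for index.html"),
]

# Constructed SSH/SFTP capture: only the RFC 4253 version exchange is
# readable; what follows is binary key exchange and then ciphertext
# (truncated, made-up bytes).
SFTP_CAPTURE = [
    ("S", "SSH-2.0-OpenSSH_8.9p1"),
    ("C", "SSH-2.0-OpenSSH_9.2"),
    ("C", "\x00\x00\x05\x1c\x0a\x14\xfb\x9e"),
    ("S", "\x00\x00\x04\x3c\x08\x14\x61\x0b"),
]

USER_RE = re.compile(r"^USER\s+(\S+)", re.IGNORECASE)
PASS_RE = re.compile(r"^PASS\s+(.*)$", re.IGNORECASE)
STOR_RE = re.compile(r"^STOR\s+(.+)$", re.IGNORECASE)
REPLY_RE = re.compile(r"^(\d{3})[ -]")  # FTP reply code, e.g. "230 ..."


@dataclass
class FtpLogin:
    user: str
    password: str
    accepted: bool = False
    uploaded: list = field(default_factory=list)  # files STORed after login


def extract_ftp_logins(capture):
    """Return every USER/PASS attempt on the control channel, marking which
    ones the server accepted (reply 230) and what was uploaded afterwards."""
    logins = []
    pending_user = None      # USER seen, PASS not yet sent
    awaiting_verdict = None  # PASS sent, server reply not yet seen
    session = None           # the login the server accepted, if any
    for direction, payload in capture:
        if direction == "C":
            m = USER_RE.match(payload)
            if m:
                pending_user = m.group(1)
                continue
            m = PASS_RE.match(payload)
            if m and pending_user is not None:
                awaiting_verdict = FtpLogin(pending_user, m.group(1))
                pending_user = None
                continue
            m = STOR_RE.match(payload)
            if m and session is not None:
                session.uploaded.append(m.group(1))
        else:
            m = REPLY_RE.match(payload)
            # Only the reply that follows a PASS decides the attempt; the 331
            # after USER and the 220 banner arrive while nothing is pending.
            if m and awaiting_verdict is not None:
                if m.group(1) == "230":
                    awaiting_verdict.accepted = True
                    session = awaiting_verdict
                logins.append(awaiting_verdict)
                awaiting_verdict = None
    return logins


def looks_like_ssh(capture):
    """SSH (and so SFTP) sessions announce themselves with a version string."""
    return any(payload.startswith("SSH-2.0-") for _, payload in capture)


if __name__ == "__main__":
    for login in extract_ftp_logins(FTP_CAPTURE):
        verdict = "ACCEPTED" if login.accepted else "rejected"
        print(f"{login.user}:{login.password} {verdict} uploads={login.uploaded}")
    print("sftp capture looks like ssh:", looks_like_ssh(SFTP_CAPTURE),
          "credentials recovered:", extract_ftp_logins(SFTP_CAPTURE))
```

Run against the FTP capture it reports the rejected first attempt and then the accepted one together with the file pushed to the web root; run against the SFTP capture it reports nothing, which is the whole of the argument for switching. Note that this only covers the password: the other half of the problem Simon raises, confirming you are talking to the right server, is what the SSH host key (and the warning your client gives when it changes) is for, and FTP has no equivalent.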