Screencast: Using sFTP with SSH, and why FTP is Insecure
As a developer, your world might crumble without FTP (File Transfer Protocol). Oh, how we love our port 21, uploading and downloading everything in plain text. However, if you are at all worried about the security and integrity of your (and your clients') data, you would be much better off using an encrypted file transfer method like sFTP, the "s" standing for "SSH", or "secure".
In our video we talk about the importance of encrypting data across the wire as well as over the air, and show how attackers can take advantage of unencrypted data transfer. Our alternative to FTP is sFTP, which uses the SSH (Secure Shell) protocol for file transfers, providing a fully [public key] encrypted path for the data to flow through. This essentially mitigates MITM (Man in the Middle) attacks and network sniffing, where an attacker simply joins your network and steals confidential information as it flows (for MITM protection to hold, the client must verify the server's host key rather than blindly accepting it). With encrypted transfer the data can still be sniffed and logged, but it is nearly impossible to make use of. Some of our tips for using sFTP are as follows:
Consider moving your SSH daemon to a non-standard port and blocking the use of port 22.
Never use the root account to log in to sFTP (or SSH). Create users with only the privileges their particular task needs.
Use a client like FileZilla, WinSCP, or PuTTY for all your sFTP and SSH needs.
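The tips above map onto a handful of sshd_config directives (Port, PermitRootLogin, Subsystem sftp, ChrootDirectory). The following POSIX shell script is an added example, not from the screencast, that audits a config fragment against those tips; the WEAK_CONF and HARDENED_CONF samples and the sftponly group name are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the screencast: audit an sshd_config fragment for the
# settings behind the tips above (non-default port, no root login, SFTP confined
# to a chroot). Both config samples are constructed for this demo.

WEAK_CONF='Port 22
PermitRootLogin yes
Subsystem sftp /usr/lib/openssh/sftp-server'

HARDENED_CONF='Port 2222
PermitRootLogin no
Subsystem sftp internal-sftp
Match Group sftponly
    ChrootDirectory /home/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no'

# Value of a directive: the first occurrence wins, as in sshd(8); names are
# case-insensitive and comment lines are skipped. Match-block scoping is
# ignored by this simple parser. $1 = config text, $2 = directive name.
conf_value() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(key) { $1 = ""; sub(/^ /, ""); print; exit }'
}

# One line per weak setting; prints nothing when the fragment passes.
audit_sshd_config() {
    conf="$1"
    if [ "$(conf_value "$conf" Port)" = "22" ]; then
        echo "Port 22: SSH/sFTP listens on the default port (tip 1)"
    fi
    if [ "$(conf_value "$conf" PermitRootLogin)" != "no" ]; then
        echo "PermitRootLogin missing or not 'no': root may log in (tip 2)"
    fi
    if [ "$(conf_value "$conf" Subsystem)" != "sftp internal-sftp" ]; then
        echo "Subsystem sftp is not internal-sftp: chroot without a shell is unavailable"
    fi
    if [ -z "$(conf_value "$conf" ChrootDirectory)" ]; then
        echo "No ChrootDirectory: sFTP users can browse the whole filesystem"
    fi
    return 0
}

# Number of findings; 0 means every check passed.
audit_count() {
    audit_sshd_config "$1" | awk 'END { print NR + 0 }'
}

echo "== weak =="; audit_sshd_config "$WEAK_CONF"
echo "== hardened =="; audit_sshd_config "$HARDENED_CONF"
```

Run it against your own /etc/ssh/sshd_config with `audit_sshd_config "$(cat /etc/ssh/sshd_config)"` after sourcing the functions.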
As always, security is only as strong as the weakest link, so the first step is to not let attackers onto your network. Use strong, randomized passwords, and if your router isn't already using WPA2 as the encryption type, either change the setting or get a new router! If you are [still] using WEP encryption, you will get cracked faster than a whip on a horse's behind. Check the links below for some more info:
Chroot SFTP user on Ubuntu Intrepid