On Sat, 2004-07-24 at 13:37, Michael Sullivan wrote: > I've been following the "Hack Attempts" thread and I've come to the > conclusion that having my router route port 22 requests through to my > server PC is not safe. Here's my situation. I use my server PC for web > hosting and email. Most of my users access their accounts from outside > the router (my network is based in my apartment and my wife and I are > the only ones who use it here.) I don't users telnetting in because of > the security risk (I don't quite understand this, but I've read about it > in more than one place, so it's probably true), so I've enabled ssh so > that they can log in and change their passwords if need be. They upload > their web pages through FTP, supplying their username and password. > Spammers try to use the mail server every day - I have to read about it > in my daily Logwatch, but I don't think they ever succeed. I should > probably keep a closer eye on the logs. Is there a way for users to > change their passwords through their FTP clients? Or is there a safer > way to allow them to change their passwords? As long as you are using ssh version 2 (normally an option on the server and client) ssh is relatively secure. The benefit of using ssh over telnet is that telnet passes your userid and password over the Internet in clear text. ssh encrypts that data with a fairly good encryption. The weak spot in typical setups is the password used by the user. The vast majority of passwords selected by users are not considered good passwords. A good password is comprised if lower/upper case letters, numbers, and special characters and are not based on any dictionary words. (are your passwords really good? :) ) This makes them susceptible to brute force attacks. The real problem in what you describe above is the use of FTP. It, just like telnet, passes the userid and password in clear text. Since you are using ssh I would suggest you switch to using scp. This has the added benefit that you will only need to have port 22 open for ssh since scp uses the same port. Also there are known problems with some FTP servers which may or may not have been patched in the version you are using. You may also want to pickup the O'Reily book on SSH. It is good you are using ssh. I would suggest using scp or sftp or more secure file transfer program. -- Scot L. Harris webid@xxxxxxxxxx I can give you my word, but I know what it's worth and you don't. -- Nero Wolfe, "Over My Dead Body"
