Michael Sullivan wrote:
I've been following the "Hack Attempts" thread and I've come to the
conclusion that having my router route port 22 requests through to my
server PC is not safe. Here's my situation. I use my server PC for web
hosting and email. Most of my users access their accounts from outside
the router (my network is based in my apartment and my wife and I are
the only ones who use it here.) I don't want users telnetting in because of
the security risk (I don't quite understand this, but I've read about it
in more than one place, so it's probably true), so I've enabled ssh so
that they can log in and change their passwords if need be. They upload
their web pages through FTP, supplying their username and password.

FTP suffers some of the same security concerns as telnet; e.g. usernames and passwords are transmitted as clear text, so anyone sniffing the connection could conceivably harvest these for their own purposes. As long as you've got ssh up and running, why not have your users use sftp or scp to transfer their files? These use the same end-to-end encrypted connection as the ssh session, so nothing is ever sent down the wire in unencrypted form.
An alternative might be to compile your ftp server with kerberos support, which would at least encrypt the authentication exchange. But setting up a kerberos server is no mean feat, and simply using sftp/scp is likely to be much easier.
--
-John (john@xxxxxxxxxxx)
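
Added example, not part of the original message: a small audit check illustrating the clear-text point made in the reply above. It scans the client side of an FTP control channel for USER/PASS commands sent before any `AUTH TLS` request. The function name and both sample captures are constructed for illustration.

```python
# Audit a captured FTP control channel for clear-text logins.
# FTP commands (RFC 959) are CRLF-terminated ASCII lines, so a passive
# capture of the control connection shows USER and PASS verbatim unless
# the client first upgrades the channel with AUTH TLS (RFC 4217).

def audit_ftp_control(client_bytes: bytes) -> dict:
    """Report whether credentials crossed the wire unencrypted.

    client_bytes: raw client->server bytes of one control connection.
    Only the password length is recorded, never the password itself.
    """
    result = {"user": None, "password_exposed": False, "password_len": 0}
    for raw in client_bytes.split(b"\r\n"):
        if not raw:
            continue
        verb, _, arg = raw.partition(b" ")
        verb = verb.upper()
        if verb == b"AUTH" and arg.strip().upper() in (b"TLS", b"SSL"):
            # Everything after this point is TLS records, not readable
            # commands, so there is nothing further to inspect.
            break
        if verb == b"USER":
            result["user"] = arg.decode("ascii", "replace")
        elif verb == b"PASS":
            result["password_exposed"] = True
            result["password_len"] = len(arg)
    return result


# Constructed sample captures (not real traffic).
PLAIN_SESSION = b"USER alice\r\nPASS hunter2-sample\r\nPWD\r\nQUIT\r\n"
TLS_SESSION = b"AUTH TLS\r\n" + bytes([0x16, 0x03, 0x01, 0x02, 0x00, 0x01])

if __name__ == "__main__":
    for name, capture in (("plain", PLAIN_SESSION), ("tls", TLS_SESSION)):
        report = audit_ftp_control(capture)
        status = "EXPOSED" if report["password_exposed"] else "ok"
        print(f"{name}: user={report['user']} credentials={status}")
```

An sftp or scp session has no equivalent readable stage: authentication happens inside the already-encrypted ssh transport.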