There’s so much to think about when you’re starting an online business that web server security if often overlooked. If you’re using FTP or Telnet to access your web server then you’re asking for trouble. George Ellenburg of Ellenburg and Associates provides some valuable tips for keeping your web site safe from malicious hackers.There’s so much to think about when you’re starting an online business that web server security if often overlooked. If you’re using FTP or Telnet to access your web server then you’re asking for trouble. George Ellenburg of Ellenburg and Associates provides some valuable tips for keeping your web site safe from malicious hackers.
SSH? SFTP? Telnet? FTP? RLogin? RShell? Sound Greek? Unfortunately, these are all technologies that, if not used, or configured incorrectly, could be silent killers to your adult web business.
Most webmasters who purchase hosting space don’t bother to think to check their servers to see if they’re secured as well as they could be. They blindly trust what’s been given to them by their hosting provider. Unfortunately, a misconfigured web server can have deleterious effects on any eCommerce business, including adult webs.
Telnet is Risky
Are you still using Telnet to access your servers from your cable, DSL or dialup connection? Think twice about doing this in the future. The Telnet protocol provides remote access into a server. It’s tried and true and has been around for decades. Unfortunately though, the Telnet protocol is unencrypted; meaning everything you type on your keyboard is flowing across the wire in clear-text, and very easy for someone to grab and record everything you type, and see, on your screen.
Fortunately there is an alternative. SSH stands for Secure Shell. Through the use of SSH, all communication with your servers is encrypted – including your username and password. If you are currently not using SSH, I highly encourage you to do so immediately. Free and commercial SSH clients are available at popular software archive web sites across the Internet. If your provider does not offer SSH service to you, then I highly encourage you to find another provider. SSH is a basic and fundamental service, and any provider who doesn’t offer it is probably not too concerned about your site’s security.
FTP on the other hand is a protocol that we’re probably all familiar with. Standing for File Transfer Protocol, FTP is the de-facto standard for uploading your web sites to your server. Unfortunately though, FTP has its drawbacks, and fortunately there are alternatives. FTP came out right around the same time as Telnet did when more and more people started to access mainframes and servers remotely. It’s lightweight, fast, and efficient. It’s actually more efficient at the transferring of large files (greater-than 5mb) than HTTP, but few adult webmasters use it to allow their customers to retrieve large MPEGs and AVI’s.
FTP Security Flaws
Unfortunately, FTP is fraught with the same security limitations as Telnet in that every byte that is transferred is sent across the wire unencrypted. What does this mean to you? Well, if you backup your “htpasswd” files and site content (including PHP pages, etc.) a malicious hacker could steal your site’s usernames and passwords, as well as any usernames and passwords you have embedded in your PHP files for connecting to your databases.
Fortunately, there is an alternative! Shortly after SSH was invented, people realized this same protocol could be modified and used to provide secure file-transfers in the same manner that SSH provides secure remote-console access. Voila! SFTP was born. SFTP uses the same encryption technology and authentication mechanisms that SSH does to ensure no one can snoop or sniff your traffic and gain access to information you don’t want them to receive. As with SSH, free and commercial SFTP clients are available from popular software archive sites around the Internet. If your provider isn’t offering SFTP, talk to them and request that they do!
The other two technologies I mentioned at the start of this article, “rlogin” and “rshell”, should never be enabled on your web server. Aside from being unencrypted protocols, they have weak authentication that is easily bypassed, allowing would-be malicious hackers easy pickings of your web server.
George Ellenburg (gellenburg@freedom.net) runs Ellenburg & Associates, a consulting company in Atlanta, Georgia, that specializes in Systems Administration.
