Secure File Transfer Protocol
Secure File Transfer Protocol (hereafter, Secure FTP), also called SSH File Transfer Protocol, uses the SSH2 protocol to secure file transfer. Plain FTP, by contrast, is by no means a secure way to transfer data: the client sends its username and password to the server as open text, and FTP does not encrypt the data passing between the client and the server either.
In response to the security weaknesses of FTP, Secure FTP (SSH2) uses two layers: a Transport Layer and an Authentication Layer. When the client connects to the server, the server sends its public key to the client, which uses it to generate an encrypted session key and sends that back.
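To make the first point concrete, here is an added example (not code from the original article) that reads a captured FTP control-channel transcript and reports the sessions whose password crossed the wire in the clear. The capture is constructed, the parser is a minimal hypothetical helper, and the FTP-over-TLS session shows the edge case: once the server accepts `AUTH TLS`, the login happens inside TLS and an observer sees nothing. The finding deliberately records only the length of the password, never the secret itself, so that the report does not become a second copy of the credential.

```python
"""Spot clear-text FTP logins in a captured control-channel transcript.

Added example (not from the original article): FTP sends USER and PASS as
plain text, so anyone who can read the wire can read the password. The parser
below is a minimal hypothetical one; the capture it analyses is constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed capture: (session id, direction, control-channel line).
# "C" lines are sent by the client, "S" lines are server replies.
SAMPLE_CAPTURE: List[Tuple[str, str, str]] = [
    # session 1: plain FTP, successful login -> username and password on the wire
    ("s1", "S", "220 FTP server ready"),
    ("s1", "C", "USER webmaster"),
    ("s1", "S", "331 Password required for webmaster"),
    ("s1", "C", "PASS hunter2"),
    ("s1", "S", "230 User webmaster logged in"),
    # session 2: FTP over TLS (AUTH TLS); after the 234 reply the login is encrypted
    ("s2", "S", "220 FTP server ready"),
    ("s2", "C", "AUTH TLS"),
    ("s2", "S", "234 Proceed with negotiation"),
    ("s2", "C", "<TLS record>"),
    ("s2", "S", "<TLS record>"),
    # session 3: failed plain login -> even a wrong guess leaks a candidate password
    ("s3", "S", "220 FTP server ready"),
    ("s3", "C", "USER admin"),
    ("s3", "S", "331 Password required for admin"),
    ("s3", "C", "PASS Passw0rd!"),
    ("s3", "S", "530 Login incorrect"),
]

# FTP commands are 3-4 letter verbs followed by an optional argument.
CMD_RE = re.compile(r"^([A-Za-z]{3,4})(?:\s+(.*))?$")


@dataclass
class SessionFinding:
    session: str
    user: Optional[str] = None
    password_seen: bool = False     # a PASS command was readable on the wire
    password_length: int = 0        # record the length only, never the secret itself
    tls_started: bool = False       # AUTH TLS accepted: later lines are ciphertext
    outcome: str = "unknown"        # "success" (230), "failed" (530) or "unknown"


def analyse_ftp_capture(capture):
    """Return {session id: SessionFinding} for every session in the capture."""
    findings: Dict[str, SessionFinding] = {}
    tls_requested = set()
    for sid, direction, text in capture:
        f = findings.setdefault(sid, SessionFinding(session=sid))
        if f.tls_started:
            continue  # an observer cannot read anything after the TLS handshake
        if direction == "S":
            code = text[:3]
            if code == "234" and sid in tls_requested:
                f.tls_started = True
            elif code == "230":
                f.outcome = "success"
            elif code == "530":
                f.outcome = "failed"
            continue
        m = CMD_RE.match(text)
        if not m:
            continue
        verb, arg = m.group(1).upper(), (m.group(2) or "")
        if verb == "AUTH" and arg.upper() in ("TLS", "SSL", "TLS-C", "TLS-P"):
            tls_requested.add(sid)
        elif verb == "USER":
            f.user = arg
        elif verb == "PASS":
            f.password_seen = True
            f.password_length = len(arg)
    return findings


def cleartext_logins(capture):
    """Session ids whose password crossed the wire unencrypted, in capture order."""
    return [sid for sid, f in analyse_ftp_capture(capture).items() if f.password_seen]


if __name__ == "__main__":
    for sid, f in analyse_ftp_capture(SAMPLE_CAPTURE).items():
        status = "protected by TLS" if f.tls_started else (
            "PASSWORD VISIBLE" if f.password_seen else "no login seen")
        print(f"{sid}: user={f.user!r} {status} outcome={f.outcome}")
```

Note that session 3 is reported even though the login failed: a wrong password is still a candidate that an eavesdropper now holds, which is why the only real fix is to move logins off plain FTP rather than to rely on strong passwords alone.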
After a session is opened between the client and the server, the server next tries to authenticate the client. There are two methods: Public Key Authentication and Password Authentication. With Public Key Authentication, you must generate a private and a public key using a public-key signature algorithm such as RSA or DSA. Once you have created the keys, you upload the public key to the server (into the .ssh/ directory); the client then uses the private key to connect to the server. With Password Authentication, the client simply uses a username and a password in a non-encrypted form to connect to the server.

Figure 1 - Cyberduck Login Screen
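On the server side, the choice between the two authentication methods is made in OpenSSH's sshd_config. The following added example (not code from the original article or from OpenSSH) is a small hypothetical checker that parses that file format, keyword followed by value with `#` comments and first occurrence winning, and reports settings that keep password logins or the old SSH1 protocol enabled or that leave no SFTP subsystem configured. The two configurations it inspects are constructed; the defaults it assumes for absent keywords (PasswordAuthentication yes, PubkeyAuthentication yes, PermitEmptyPasswords no) are OpenSSH's documented defaults, and `Match` blocks are not evaluated.

```python
"""Audit an sshd_config for the settings a key-based, SFTP-only setup needs.

Added example, not part of the original article and not an OpenSSH tool: it
reads the sshd_config format (keyword followed by value, '#' comments, first
occurrence of a keyword wins) and reports settings that keep password logins
or SSH1 enabled or that leave no SFTP subsystem configured. The two
configurations below are constructed samples.
"""
from typing import Dict, List

WEAK_CONFIG = """\
# constructed: a permissive configuration
Protocol 2,1
PasswordAuthentication yes
PermitEmptyPasswords yes
"""

HARDENED_CONFIG = """\
# constructed: key-based logins only, SFTP served by the built-in subsystem
Protocol 2
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
PermitEmptyPasswords no
Subsystem sftp internal-sftp
"""


def parse_sshd_config(text: str):
    """Return (settings, subsystems). Keywords are case-insensitive and the
    first occurrence wins, as in sshd itself. Parsing stops at the first Match
    block, whose conditional settings this simple checker does not evaluate."""
    settings: Dict[str, str] = {}
    subsystems: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)   # "Key value" or "Key=value"
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            break
        if keyword == "subsystem":
            name, _, command = value.partition(" ")   # "Subsystem sftp <command>"
            subsystems.setdefault(name.lower(), command.strip())
        else:
            settings.setdefault(keyword, value)
    return settings, subsystems


def audit_sshd_config(text: str) -> List[str]:
    """Return sorted issue codes; an empty list means every check passed.
    Defaults assumed for absent keywords: PasswordAuthentication yes,
    PubkeyAuthentication yes, PermitEmptyPasswords no, Protocol 2."""
    settings, subsystems = parse_sshd_config(text)
    issues = []
    protocol = settings.get("protocol", "2")
    if "1" in [p.strip() for p in protocol.split(",")]:
        issues.append("ssh1-enabled")
    if settings.get("passwordauthentication", "yes").lower() != "no":
        issues.append("password-auth-enabled")
    if settings.get("permitemptypasswords", "no").lower() == "yes":
        issues.append("empty-passwords")
    if settings.get("pubkeyauthentication", "yes").lower() == "no":
        issues.append("pubkey-auth-disabled")
    if "sftp" not in subsystems:
        issues.append("no-sftp-subsystem")
    return sorted(issues)


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or "OK")
```

The first-occurrence-wins rule is the detail worth remembering when auditing by hand: a `PasswordAuthentication no` added at the bottom of a file that already says `yes` higher up changes nothing, and the checker models exactly that.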
There are many ways to create authentication keys. If you are a Mac user, you can use Terminal to create a key pair. There is also a freeware title called SSHAgent, which lets you create keys from a GUI. And some hosting companies offer SSH Telnet (SSH1) so that their clients can generate keys.

Figure 2 - SSHAgent

Figure 3 - CPanel
Using Secure FTP is a good way to secure data transfer. If you are a website owner, you should disable FTP, if you can, and switch to Secure FTP as soon as possible. If you wish to switch to Secure FTP, your web hosting company must support it in the first place, and not all of them do. Here is our list.
| Hosting company | Secure FTP support | Remarks |
| --- | --- | --- |
| Lunarpages | Only available for dedicated servers | Shared server users can instead use FTP over TLS at no extra charge. |
| HostMonster | Supported | HostMonster also says it supports FTP over TLS, although they admit that it currently doesn't work. |
| midPhase | Extra charge ($14.95/yr) | |
| StartLogic | Not supported | "We use Smart FTP." "I would advise in PURCHASING an SSL secure socket layer." |
| IX Web Hosting | Not supported | Not supporting SSH2 for security reasons |
| POWWEB | Not supported | Not supporting SSH2 for security reasons |
| Host Excellence | Not supported | |
| iPowerWeb | ? | We asked three times by Livechat and by e-mail. They never stopped talking about FTP. |
| HostRocket | Supported | |
| DOT 5 Hosting | Not supported | |
| Globat | Not supported | |
It's very sad to note that one of the hosting companies above not only doesn't support Secure FTP but also doesn't know what it is. I was eventually asked to call them up. Their control panel is such that we know they can't support SSH.
So why are some of them saying they don't support SSH for security reasons? Our guess is that they cannot confirm the identity of the user. For example, I presented a scanned photo ID to our web hosting company to get SSH enabled. But they could never tell whether my ID was a fake.
There are a few things you want to do before or after having Secure FTP enabled.
- Disable anonymous FTP. Anonymous FTP is evil: spammers use anonymous FTP to upload and post spam messages.
- Disable FTP. You probably cannot disable it completely, so if you can, use the control panel and set its data quota to zero. If you have SFTP, there is no point in leaving FTP on so that crackers can knock on the back door to enter your site.
- Make the username and password for the control panel (and Secure FTP) very complicated. You can use capitalized characters and even Greek letters like µ ® ß. If you use lowercase and uppercase letters as well as Greek characters and special characters (!, *, %...), it will be very hard for Internet crackers to guess your password. For example, with a combination of 12 characters, the number of combinations will be 784,716,723,734,800,000,000,000, that is, about 784 sextillion combinations.
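The following added example (not code from the original article) carries the last point through as a small calculation: it infers which character classes a password draws from, sizes the alphabet an attacker has to assume, and converts the result into an exact combination count, bits of entropy and a worst-case exhaustion time at an assumed guessing rate. The class sizes are this example's own assumptions (26 lowercase, 26 uppercase, 10 digits, the 32 ASCII punctuation marks, and 96 for the printable Latin-1 supplement where characters such as µ, ® and ß live); the sample passwords are constructed. The article's figure of roughly 784 sextillion combinations for 12 characters is exactly 98^12, so a 98-symbol alphabet is used to check the arithmetic.

```python
"""Size of the search space for a password, following the article's reasoning.

Added example (not from the original article). The alphabet sizes are this
example's own assumptions; the sample passwords in __main__ are constructed.
"""
import math
import string

CLASS_SIZES = {
    "lower": 26,
    "upper": 26,
    "digit": 10,
    "punct": len(string.punctuation),   # 32 ASCII symbols such as ! * %
    "latin1": 96,                       # U+00A0..U+00FF, e.g. µ ® ß
}


def char_class(ch: str):
    """Name of the character class ch belongs to, or None if outside the model."""
    if ch in string.ascii_lowercase:
        return "lower"
    if ch in string.ascii_uppercase:
        return "upper"
    if ch in string.digits:
        return "digit"
    if ch in string.punctuation:
        return "punct"
    if 0xA0 <= ord(ch) <= 0xFF:
        return "latin1"
    return None


def estimate_alphabet(password: str) -> int:
    """Alphabet size an attacker must assume, given the classes actually present.
    A single character from a larger class enlarges the whole search space."""
    classes = {char_class(ch) for ch in password} - {None}
    return sum(CLASS_SIZES[c] for c in classes)


def combinations(alphabet_size: int, length: int) -> int:
    """Exact number of passwords of the given length over the alphabet."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Same quantity in bits: each extra bit doubles the brute-force work."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every combination at an assumed guessing rate."""
    return combinations(alphabet_size, length) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    for pw in ("hunter2", "Passw0rd!", "µRetro®Fit42"):   # constructed samples
        n = estimate_alphabet(pw)
        print(f"{pw!r}: alphabet {n}, {entropy_bits(n, len(pw)):.1f} bits, "
              f"{years_to_exhaust(n, len(pw), 1e10):.3g} years at 10^10 guesses/s")
    print(f"98 symbols, 12 characters: {combinations(98, 12):,}")
```

Two caveats a practitioner would add. The numbers describe a password chosen uniformly at random from the alphabet; a human-chosen password that merely contains one symbol and one digit is guessed from wordlists long before the search space is exhausted. And the bits column shows that length is the cheaper lever: adding one character multiplies the work by the alphabet size, while adding a new character class only widens the base.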
Figure 4 - Password example

Figure 3 - CPanel, FTP Manager