48617 2 3 econsultancy_xml <p>FTP isn't perfect; one of its biggest flaws is that usernames and passwords are sent in clear text. </p> <p>That means that every time you use your website's FTP server, there is the possibility that a hacker could intercept your username and password and gain access to your website.</p> <p>Secure FTP (SFTP) is a file transfer protocol based on the <a href="http://en.wikipedia.org/wiki/Secure_Shell">Secure Shell</a> protocol, and as its name suggests, it is designed to provide a more secure means to transfer files between computers.</p> <p>Because of this, I personally advise all my clients to ditch FTP and set up SFTP.</p> <p> <strong>Setting Up the Server</strong> </p> <p>To use SFTP, it needs to be set up on your server. A competent system administrator should be able to do this with ease.</p> <p>There are a number of ways to implement SFTP. <a href="http://www.openssh.com/">OpenSSH</a> is probably the most popular, but there are others, including paid options such as <a href="http://www.crushftp.com/index.html">CrushFTP</a>.</p> <p> <strong>SFTP Clients</strong> </p> <p>To use SFTP, you need to use client software that supports it. Fortunately, many of the most popular FTP clients also support SFTP. Here are a few:<a href="http://www.cuteftp.com/"><br /></a></p><ul><li><a href="http://www.cuteftp.com/"><strong>CuteFTP</strong></a></li><li><a href="http://www.vandyke.com/products/securefx/"><strong>SecureFX</strong></a></li><li><a href="http://winscp.net/eng/index.php"><strong>WinSCP</strong></a> (Free) </li><li><a href="http://www.ipswitchft.com/products/ws_ftp_professional/">WS_FTP Professional</a></li></ul><em>Here are a few additional tips</em>:<br /><ul><li>Consider setting up your SFTP server to use a port other than 22. Port 22 is the standard port for SFTP so by using a different one, you can help prevent lazy hackers from determining that you're running an SFTP server simply by scanning for an open port 22. Note that this is a good technique to implement with standard FTP as well (which uses port 21 as a default).<br /><br /></li><li>Be sure to set up your SFTP server so that it supports strong encryption. <a href="http://en.wikipedia.org/wiki/Advanced_Encryption_Standard">AES</a> is my cipher of choice.<br /><br /><a href="http://en.wikipedia.org/wiki/Advanced_Encryption_Standard"></a></li><li><a href="http://en.wikipedia.org/wiki/Advanced_Encryption_Standard">Consider using more secure authentication. Since passwords alone can be guessed, if you need a higher level of security, note that SFTP supports </a><a href="http://sial.org/howto/openssh/publickey-auth/">public key authentication</a> and <a href="http://en.wikipedia.org/wiki/Kerberos_(protocol)">Kerberos</a>, amongst other authentication methods.</li></ul><p></p> <FormattedContent xmlns="http://www.e-consultancy.com/schema/formattedContent/"> <Paragraph>FTP isn't perfect; one of its biggest flaws is that usernames and passwords are sent in clear text. </Paragraph> <Paragraph>That means that every time you use your website's FTP server, there is the possibility that a hacker could intercept your username and password and gain access to your website.</Paragraph> <Paragraph>Secure FTP (SFTP) is a file transfer protocol based on the <Link URL="http://en.wikipedia.org/wiki/Secure_Shell" Window="Self">Secure Shell</Link> protocol, and as its name suggests, it is designed to provide a more secure means to transfer files between computers.</Paragraph> <Paragraph>Because of this, I personally advise all my clients to ditch FTP and set up SFTP.</Paragraph> <Paragraph> <Emphasis>Setting Up the Server</Emphasis> </Paragraph> <Paragraph>To use SFTP, it needs to be set up on your server. A competent system administrator should be able to do this with ease.</Paragraph> <Paragraph>There are a number of ways to implement SFTP. <Link URL="http://www.openssh.com/" Window="Self">OpenSSH</Link> is probably the most popular, but there are others, including paid options such as <Link URL="http://www.crushftp.com/index.html" Window="Self">CrushFTP</Link>.</Paragraph> <Paragraph> <Emphasis>SFTP Clients</Emphasis> </Paragraph> <Paragraph>To use SFTP, you need to use client software that supports it. Fortunately, many of the most popular FTP clients also support SFTP. Here are a few:<Link URL="http://www.cuteftp.com/" Window="Self"><LineBreak /></Link><List Type="Disc"><ListItem><Link URL="http://www.cuteftp.com/" Window="Self"><Emphasis>CuteFTP</Emphasis></Link></ListItem><ListItem><Link URL="http://www.vandyke.com/products/securefx/" Window="Self"><Emphasis>SecureFX</Emphasis></Link></ListItem><ListItem><Link URL="http://winscp.net/eng/index.php" Window="Self"><Emphasis>WinSCP</Emphasis></Link> (Free) </ListItem><ListItem><Link URL="http://www.ipswitchft.com/products/ws_ftp_professional/" Window="Self">WS_FTP Professional</Link></ListItem></List><Quote>Here are a few additional tips</Quote>:<LineBreak /><List Type="Disc"><ListItem>Consider setting up your SFTP server to use a port other than 22. Port 22 is the standard port for SFTP so by using a different one, you can help prevent lazy hackers from determining that you're running an SFTP server simply by scanning for an open port 22. Note that this is a good technique to implement with standard FTP as well (which uses port 21 as a default).<LineBreak /><LineBreak /></ListItem><ListItem>Be sure to set up your SFTP server so that it supports strong encryption. <Link URL="http://en.wikipedia.org/wiki/Advanced_Encryption_Standard" Window="Self">AES</Link> is my cipher of choice.<LineBreak /><LineBreak /><Link URL="http://en.wikipedia.org/wiki/Advanced_Encryption_Standard" Window="Self"></Link></ListItem><ListItem>Consider using more secure authentication. Since passwords alone can be guessed, if you need a higher level of security, note that SFTP supports <Link URL="http://sial.org/howto/openssh/publickey-auth/" Window="Self">public key authentication</Link> and <Link URL="http://en.wikipedia.org/wiki/Kerberos_(protocol)" Window="Self">Kerberos</Link>, amongst other authentication methods.</ListItem></List></Paragraph> </FormattedContent> 2008-07-27T16:43:00+01:00 1 1 econsultancy_xml <p> <strong>If you run a website, you're almost certainly familiar with FTP, the file transfer protocol that enables you to upload files to the server that hosts your website.</strong> </p> <FormattedContent xmlns="http://www.e-consultancy.com/schema/formattedContent/"> <Paragraph> <Emphasis>If you run a website, you're almost certainly familiar with FTP, the file transfer protocol that enables you to upload files to the server that hosts your website.</Emphasis> </Paragraph> </FormattedContent> false 2644 366050 Using Secure FTP false 2008-07-30T08:40:00+01:00 using-secure-ftp 2009-04-29T21:53:24+01:00 2009-04-29T21:53:24+01:00 711