Is ssh not safe?

Scot L. Harris webid at cfl.rr.com
Sat Jul 24 17:55:47 UTC 2004


On Sat, 2004-07-24 at 13:37, Michael Sullivan wrote:
> I've been following the "Hack Attempts" thread and I've come to the
> conclusion that having my router route port 22 requests through to my
> server PC is not safe.  Here's my situation.  I use my server PC for web
> hosting and email.  Most of my users access their accounts from outside
> the router (my network is based in my apartment and my wife and I are
> the only ones who use it here.)  I don't want users telnetting in because of
> the security risk (I don't quite understand this, but I've read about it
> in more than one place, so it's probably true), so I've enabled ssh so
> that they can log in and change their passwords if need be.  They upload
> their web pages through FTP, supplying their username and password. 
> Spammers try to use the mail server every day - I have to read about it
> in my daily Logwatch, but I don't think they ever succeed.  I should
> probably keep a closer eye on the logs.  Is there a way for users to
> change their passwords through their FTP clients?  Or is there a safer
> way to allow them to change their passwords?

As long as you are using ssh version 2 (normally an option on the server
and client) ssh is relatively secure.  The benefit of using ssh over
telnet is that telnet passes your userid and password over the Internet
in clear text.  ssh encrypts that data with a fairly good encryption.  

The weak spot in typical setups is the password used by the user.  The
vast majority of passwords selected by users are not considered good
passwords.  A good password is comprised of lower/upper case letters,
numbers, and special characters and is not based on any dictionary
words.  (are your passwords really good? :)  )

This makes them susceptible to brute force attacks.

The real problem in what you describe above is the use of FTP.  It, just
like telnet, passes the userid and password in clear text.  Since you
are using ssh I would suggest you switch to using scp.  This has the
added benefit that you will only need to have port 22 open for ssh since
scp uses the same port.  Also there are known problems with some FTP
servers which may or may not have been patched in the version you are
using.

You may also want to pick up the O'Reilly book on SSH.

It is good you are using ssh.  I would suggest using scp or sftp or a more
secure file transfer program.

-- 
Scot L. Harris
webid at cfl.rr.com

I can give you my word, but I know what it's worth and you don't.
		-- Nero Wolfe, "Over My Dead Body" 
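The reply above makes two practical points: weak passwords leave an Internet-facing sshd open to brute-force guessing, and the logs are where you notice it happening. The following script is an added example, not code from the thread or from any Fedora or OpenSSH component. It parses a constructed sample of sshd "Failed password" log lines in the common syslog layout, flags source addresses that rack up many failures in a short window, and checks a candidate password against the character-class and dictionary-word rules the reply describes. The log format, thresholds, sample addresses, the tiny stand-in word list, and all function names are assumptions chosen for the illustration.

```python
import re
import string
from collections import defaultdict
from datetime import datetime

# Constructed sample of sshd lines as syslog would record them. Addresses are
# from the documentation ranges; nothing here is real data.
SAMPLE_AUTH_LOG = """\
Jul 24 13:01:02 server sshd[2201]: Failed password for invalid user admin from 192.0.2.10 port 4411 ssh2
Jul 24 13:01:05 server sshd[2203]: Failed password for root from 192.0.2.10 port 4412 ssh2
Jul 24 13:01:09 server sshd[2205]: Failed password for invalid user test from 192.0.2.10 port 4413 ssh2
Jul 24 13:01:12 server sshd[2207]: Failed password for invalid user oracle from 192.0.2.10 port 4414 ssh2
Jul 24 13:01:15 server sshd[2209]: Failed password for root from 192.0.2.10 port 4415 ssh2
Jul 24 13:02:40 server sshd[2250]: Failed password for alice from 198.51.100.7 port 50123 ssh2
Jul 24 13:02:55 server sshd[2252]: Accepted password for alice from 198.51.100.7 port 50124 ssh2
Jul 24 13:10:01 server sshd[2300]: Failed password for bob from 203.0.113.5 port 3333 ssh2
"""

# Assumed layout: "<Mon> <day> <HH:MM:SS> <host> sshd[<pid>]: Failed password for
# [invalid user ]<name> from <ip> port <n> ssh2". Real sshd output varies by version.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(log_text, year=2004):
    """Return a list of (timestamp, source_ip, username) for each failed login.

    Syslog lines carry no year, so the caller supplies one (assumption)."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are skipped
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"]))
    return events


def brute_force_sources(events, threshold=5, window_seconds=300):
    """Map each source IP that produced >= threshold failures within any
    window_seconds span to the sorted set of usernames it tried.

    Uses a sliding window over the time-sorted attempts per IP, so a slow
    trickle of failures spread over hours is not flagged while a burst is."""
    by_ip = defaultdict(list)
    for ts, ip, user in events:
        by_ip[ip].append((ts, user))

    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Advance the window start until it lies within window_seconds of the end
            while (attempts[end][0] - attempts[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = sorted({u for _, u in attempts})
                break
    return flagged


# Constructed stand-in for a real dictionary/wordlist (assumption).
DICTIONARY_WORDS = {"password", "letmein", "fedora", "summer"}


def password_meets_policy(pw, min_length=8):
    """Apply the rules from the reply: lower and upper case letters, digits and
    special characters all present, and no dictionary word embedded."""
    if len(pw) < min_length:
        return False
    has_classes = (
        any(c.islower() for c in pw)
        and any(c.isupper() for c in pw)
        and any(c.isdigit() for c in pw)
        and any(c in string.punctuation for c in pw)
    )
    if not has_classes:
        return False
    lowered = pw.lower()
    return not any(word in lowered for word in DICTIONARY_WORDS)


if __name__ == "__main__":
    failures = parse_failures(SAMPLE_AUTH_LOG)
    for ip, users in brute_force_sources(failures).items():
        print(f"possible brute force from {ip}: tried {', '.join(users)}")
    for candidate in ("Password1!", "Tr0ub4dor&3"):
        print(candidate, "ok" if password_meets_policy(candidate) else "rejected")
```

Run against a real `/var/log/secure` the script would need the log's own year and possibly a tweaked regex; the useful part is the sliding-window count per source, which separates a user fat-fingering a password twice from a host walking through a username list.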





More information about the fedora-list mailing list