Figured I would post up some very basic security tips for working with FTP and web sites. This is in light of the fact that many of my clients tend to run into vulnerabilities due to the fact that they simply don't follow these rules.
FTP. This is probably the most important part. Did you know that with a network packet sniffer anyone on the path can see what is coming in and out of your IP? Did you know that regular FTP sends your username and password in plain text?
To avoid having someone watch what's going on, the best solution is to use sFTP, which runs over an encrypted connection.
An additional layer of security can be added by using a proxy such as HMA, where everything between you and the proxy is encrypted, so it will be very hard to get your IP as it's always changing.
If you can't get sFTP to connect, contact your HOST and ask them to enable SSH / shell access. This will enable sFTP on your account.
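To show what the sniffer point above actually means, here is an added example (not the post author's code) that walks through a constructed FTP control-channel transcript and pulls out the credentials exactly as they would appear on the wire. The transcript format and the host name are assumptions; an sFTP session over port 22 would yield nothing of the kind because the whole channel is encrypted.

```python
"""Spot cleartext FTP logins in a captured control-channel transcript.

Added example for this post; it is not the original author's code. The
session below is constructed to look like what a packet sniffer would
show for an FTP login on port 21: USER and PASS travel in the clear.
"""
import re

# Constructed sample: one (direction, text) pair per control-channel
# message. "C" is client->server, "S" is server->client. Assumed format.
CAPTURED_SESSION = [
    ("S", "220 example-host FTP server ready"),
    ("C", "USER webadmin"),
    ("S", "331 Password required for webadmin"),
    ("C", "PASS S4Le-4W0;xay."),
    ("S", "230 User webadmin logged in"),
    ("C", "PWD"),
    ("S", '257 "/" is the current directory'),
]

# FTP credential commands: the argument is the username or password verbatim.
CRED_RE = re.compile(r"^(USER|PASS)\s+(.*)$", re.IGNORECASE)


def find_cleartext_credentials(session):
    """Return a list of (command, value) for every credential sent in the clear.

    Only client->server lines are inspected; FTP's USER and PASS commands
    carry the username and password as-is, which is what anyone sniffing
    the path sees.
    """
    found = []
    for direction, text in session:
        if direction != "C":
            continue
        m = CRED_RE.match(text.strip())
        if m:
            found.append((m.group(1).upper(), m.group(2)))
    return found


def redact(session):
    """Same transcript with the password masked, safe to paste into a ticket."""
    out = []
    for direction, text in session:
        if direction == "C" and text.upper().startswith("PASS "):
            text = "PASS ********"
        out.append((direction, text))
    return out


if __name__ == "__main__":
    for cmd, value in find_cleartext_credentials(CAPTURED_SESSION):
        print(f"cleartext {cmd}: {value}")
```

Run it against any FTP capture from your own network and the `USER`/`PASS` pairs it prints are what a third party on the path would have, which is the whole argument for moving to sFTP.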
Passwords. This is probably the worst problem of all. How many times I've seen someone use the password '123', 'god' or something else short and easy to hack. The reality is that easy passwords are very commonly used. That's right, you're not the only idiot in the world using 123.
I have found the most reliable passwords come from a random generator. I like to use the cPanel password generator. I just go to Email Accounts and the password generator will be there. Use numbers, letters and symbols. In rare cases symbols are not accepted, so click Advanced Options on the generator and select only numbers on the right.
To recap, this is bad: '123' or '123456', and this is good: 'S4Le-4W0;xay.'
How do I expect you to remember that? Well, I don't, but that leads me to the next point.
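As an added example (not the post author's code, and not cPanel's generator), the block below does what the post recommends in code: it rejects the short and common passwords, generates random ones from the operating system's CSPRNG, and handles the case where a system refuses symbols by generating digits only. The deny list is a constructed stub, and the 12-character minimum is an assumption, not a figure from the post.

```python
"""Weak-password check and random generation, in the spirit of the post."""
import math
import secrets
import string

# Constructed stub of a deny list; a real deployment would load a large list
# of leaked/common passwords instead (assumption).
COMMON_PASSWORDS = {"123", "1234", "123456", "password", "god", "letmein", "qwerty"}

# Assumed policy minimum, not taken from the post.
MIN_LENGTH = 12

FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 chars
DIGITS_ALPHABET = string.digits  # 10 chars, for systems that reject symbols


def is_weak(password, min_length=MIN_LENGTH):
    """True if the password is on the deny list or shorter than min_length."""
    return password.lower() in COMMON_PASSWORDS or len(password) < min_length


def entropy_bits(length, alphabet_size):
    """Bits of entropy for a password drawn uniformly from the alphabet."""
    return length * math.log2(alphabet_size)


def generate_password(length=13, digits_only=False):
    """Generate a random password like a cPanel-style generator would.

    digits_only covers the case the post mentions: a system that rejects
    symbols. secrets.choice draws from the OS CSPRNG; random.choice would
    be predictable and must not be used for this.
    """
    alphabet = DIGITS_ALPHABET if digits_only else FULL_ALPHABET
    return "".join(secrets.choice(alphabet) for _ in range(length))


def password_entropy_bits(length, digits_only=False):
    """Entropy of what generate_password() produces for these settings."""
    alphabet = DIGITS_ALPHABET if digits_only else FULL_ALPHABET
    return entropy_bits(length, len(alphabet))


if __name__ == "__main__":
    for candidate in ("123", "god", "S4Le-4W0;xay."):
        print(f"{candidate!r}: {'weak' if is_weak(candidate) else 'ok'}")
    print("full alphabet:", generate_password(), round(password_entropy_bits(13)), "bits")
    print("digits only:  ", generate_password(20, digits_only=True),
          round(password_entropy_bits(20, digits_only=True)), "bits")
```

The entropy figures are the design point: 13 characters from the full 94-character alphabet gives about 85 bits, while 13 digits gives only about 43, so when a system forces you to digits-only, make the password noticeably longer to compensate.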
Password storage: One of the ways that so many people get taken for a ride is that someone manages to get a keylogger, a trojan or whatever onto their computer, and these apps, although completely hidden, record everything you type on your keyboard and send it back to their master.
I find you can avoid this problem by using copy / paste. You can do this by storing your passwords in programs that are designed for that purpose. Most browsers have plugins you can download for that, and there are other solutions out there as well. Heck, you could even have a Google Docs account and store them in a doc as plain text if you really wanted (not the safest, though, but an improvement over having to type it in each time).
Contract Work: Any time you get any contract work done, once they have finished, CHANGE YOUR FUCKING passwords. You may not think anything of it, you may trust them, but at the end of the day you don't control their surfing habits, and if they are surfing around getting viruses then they could be exposing your passwords without knowing it. Also there are guys out there that are fucktards and will just mess with you after the job is done just because they are bored, stupid or whatever.
Open Source: Open source software is fantastic and I love the many scripts that are out on the market. It is extremely wise, though, to keep your script up to date. Remember it's open source: vulnerabilities are fixed in every release. Also, because it's open source, the world has access to strip it down and find its weak points; once they find a weak point they simply find people running that version and use the vulnerability to mess with your site, inject viruses, etc.
Back-ups: Make sure you keep a backup of your local files and remote files at all times. Back up every time you upload a new version so you have a revision history, but also so you at least have files you can go back to and upload if needed. I like to set up a cloud and sync there. Microsoft Mesh and Dropbox are good options. Just as a note, media such as music and videos take up lots of space. For most people the most important stuff is their documents. I would suggest keeping a backup of those, and if you have lots of media, use something like iCloud which provides lots of space for media for free.
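The "back up every time you upload so you have a revision history" habit can be scripted. Here is an added example (not the post author's code, and independent of Dropbox, Mesh or iCloud) that copies a file into a backup folder under a timestamped, content-hashed name and skips the copy when the content has not changed since the last revision, so you get a revision history without a pile of identical copies. The backup folder layout and naming scheme are my assumptions.

```python
"""Timestamped, deduplicated file backups giving a simple revision history."""
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path):
    """Hex SHA-256 of a file's content, used to detect unchanged files."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def list_revisions(name, backup_dir):
    """All stored revisions of `name`, oldest first (the timestamp sorts lexically)."""
    return sorted(Path(backup_dir).glob(f"{name}.*"))


def backup_file(src, backup_dir):
    """Copy src into backup_dir as <name>.<UTC timestamp>.<hash prefix>.

    If the newest existing revision already has identical content, no new
    copy is made and that revision's path is returned instead.
    """
    src = Path(src)
    backup_dir = Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True)
    digest = sha256_of(src)
    revisions = list_revisions(src.name, backup_dir)
    if revisions and sha256_of(revisions[-1]) == digest:
        return revisions[-1]  # unchanged since the last backup
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%S%fZ")
    dest = backup_dir / f"{src.name}.{stamp}.{digest[:8]}"
    shutil.copy2(src, dest)  # copy2 keeps the original modification time
    return dest


def run_demo():
    """Exercise the backup flow in a temporary directory; returns what happened."""
    work = Path(tempfile.mkdtemp())
    src = work / "index.html"
    backups = work / "backups"
    src.write_text("<h1>version 1</h1>")
    first = backup_file(src, backups)
    repeat = backup_file(src, backups)          # same content: no new revision
    src.write_text("<h1>version 2</h1>")
    second = backup_file(src, backups)          # changed content: new revision
    revisions = list_revisions("index.html", backups)
    result = {
        "deduplicated": first == repeat,
        "revision_count": len(revisions),
        "oldest_content": revisions[0].read_text(),
        "newest_content": revisions[-1].read_text(),
        "newest_is_second": revisions[-1] == second,
    }
    shutil.rmtree(work)
    return result


if __name__ == "__main__":
    print(run_demo())
```

Point `backup_file` at each file just before you upload it and the backup folder becomes the revision history the post asks for; the hash prefix in the name also makes it obvious at a glance which revisions differ.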
I think that covers a few of the most important basics. I'm sure that some of you will have some other suggestions. My intention is not to get into how to harden your server or get into stuff that is VERY technical, just stuff that most people here have to do every day and that could help them avoid an ugly problem that could take your site down or, worse, lose all your files.