Multiple security issues/options with uploading and admin access


#1

Sorry, this is going to be long. I’m investigating security before I upload my site.

There are many, many security features on the DreamHost panel. I want to be as secure as possible in uploading and maintaining my small biz website on DH. This is all new to me, and I don’t want to set up conflicting features that might even lock me out of my own site. I’m already needing to keep up with lots of passwords. And, I understand the importance of occasionally changing passwords.

If I want to upload my files (for the first time) and want to be as secure as possible without getting as technical as using a shell, isn’t the https feature already providing some security?

Also, I see that there are options in the panel under “user account type” for SFTP account - allows SFTP (SSH ftp)/FTP file transfer access. Would that make the upload more secure? Does this only work with a shell? I see that shell access is a different option so I’m guessing this does not require a shell.

There is also the “enhanced security” which seems to make sense in my situation since I’m the only official user.

Then there is the “Require email confirmation before allowing a new IP to log in to your web panel (more secure)” option under panel preferences, which seems like a good thing. I assume that this means that since my local IP address is always changing (I think this is the case with my cable internet provider), I’ll get an email every time that I try to log in. But that’s OK, because if I get an email at another time, that means that someone else is trying to get in… Would you recommend using this feature also?

Any simple explanations or suggestions would be much appreciated.


#2

While no form, or even combination of security is perfect, here are some best practice suggestions:

• Use secure FTP. Standard FTP is not secure at all and transmits all information in plain text, including passwords. If you are using Windows, WinSCP is a good client; use Cyberduck for Mac. Shell access is not required to use secure file transfer protocol. If you don’t know what shell access is, or don’t think you will need to use it, don’t enable it.

• Use separate usernames and passwords for everything. This includes, but is not limited to, your panel account, each shell user, MySQL users, and any other user account related to your web hosting. If you don’t want to have to remember all the different combinations, use a secure password storage program such as KeePass. These programs can also generate secure passwords. However, when using such programs it is important to realize that if someone gets hold of your data on your computer, they could potentially locate these credentials, depending on the strength of the key and/or passphrase which protects the password storing database. It’s also a good idea to change all of your credentials regularly.

• Checking enhanced security is highly recommended because it prevents other DreamHost users from looking at your files.

• Requiring e-mail confirmation for new IPs provides an additional layer of security. In general, additional layers of security are not a bad idea. However, if the IP address assigned to you by your Internet service provider keeps changing, this may become annoying. That said, DreamHost panel sessions tend to last a long time unless you explicitly log out, so that shouldn’t be a problem.

• If you are using a website backend such as WordPress, Drupal, or Joomla!, ensure that your backend system, plug-ins, and themes are kept up-to-date. These systems are very powerful and are also very popular, and therefore are prime targets for automated exploitation.

Of course there are other security considerations to keep in mind with web hosting, far too many to list here. But, if you have any other questions, feel free to ask.


#3

Great suggestions and explanations!

I am on a Mac, and my spouse and I set up the test site in MAMP (which was hard enough!!), so I think we can handle using Cyberduck (if it’s a free program!). We’ve also been doing a lot of research on the transfer of files/db from local MAMP to DH, and we’re feeling OK about all that technical stuff. So, we’ll give all this security a try and get the site up!

Thanks!


#4

Cyberduck is free, open-source software; it does have a nag window every time you quit the program which asks for a donation. If you donate any amount, the developer will send you a key which removes the donation request message, similar to shareware. I guess you could classify it as donationware.

http://cyberduck.ch/

There is also an unofficial port of KeePass for Mac, KeePassX. It is also open-source software.

http://www.keepassx.org/