Secure connections to your web server: prevent password theft

Introduction

Since the Internet was originally a place where honesty reigned, or so we're told, most Internet standards are based on trust. This means they send passwords in "clear text" without any attempt to hide them, so if you can tap into a connection, you can get as many passwords as you like. That's especially true if people use wireless technologies. The solutions are --

1) Avoid using public terminals and wireless access, especially in public places, to do your Web site maintenance,

2) Use a different password for e-mail than for file transfer and login, and

3) Use technologies that encrypt your passwords - that is, scramble them in a way that's hard to interpret.

Most of the time, you will be using passwords with your site for three purposes: e-mail, terminal/shell access (not everyone uses this at all), and file transfer. This page describes ways to scramble your passwords in all three cases.

Using command-line (terminal or shell) mode with Linux and UNIX servers

You need an ISP or server with SSH installed, and shell access. I strongly recommend that, once you get this working, you shut off Telnet access and change your password. Always use passwords that can't be guessed by a dictionary (that is, not real words), preferably with numbers and odD caSing, and never, never, never make the password the same as your username.

I can recommend three programs for SSH, depending on your computer platform. All three allow a great deal of customization in terms of terminal emulations, fonts, colors, and shortcuts (saving account information).

Windows: I've had my best luck using OpenSSH, a free program that works intuitively under Windows and includes an SFTP client for secure file transfer.

Mac OS X: iTerm - it's easy to use and free, and includes a tabbed interface so you can quickly switch between a local connection and one or more SSH (shell/terminal) connections. You can have one window with one directory open and another window with another directory.

Mac OS 9: MacSSH - it's easy to use and free. It also has special features, e.g. a graphical interface for setting up a tunnel, so if you don't have sftp (which you probably do), or if you have a particular ftp program you need (Retrospect?), you can easily route it through the ssh "tunnel" from MacSSH (see the file transfer instructions). One nice thing about MacSSH is that it can enter your password automatically, saving time albeit at a bit of a security risk (if your computer is stolen or used by someone else).

E-mail

There are two ways to transfer e-mail securely: by specifying SSL or TLS in the appropriate place in your e-mail program's settings/options, or by using a tunnel (see below). The easiest way is SSL or TLS, but your ISP has to be set up to handle it. If they don't already have it, or if you can't figure out how to activate it on your dedicated server and want to use e-mail while you figure it out, go to the tunnelling section.

(Another reason to use a tunnel is if you have a specialty e-mail program, like MailSiphon, that doesn't support secure connections, and you want to use it from time to time.)

File transfer

There are a number of easy file transfer programs that use SSH or other secured FTP methods to move files between your computer and your server without revealing your password to casual eavesdroppers. I recommend OpenSSH again on the PC side; on the Mac side, MacSFTP is just about the only Mac OS 9-compatible program, while OS X users have a huge variety of software available. While there are free solutions, I paid for Transmit because it's elegant and does all sorts of other clever things that help me maintain my server.

One quick aside - you can run into problems if your files or directories have unconventional names; spaces in particular cause issues. Use hyphens or underscores instead of spaces (search engines apparently prefer hyphens).

Tunnelling

Why would you want to tunnel? Sometimes you need a secure connection, which will keep your passwords away from prying eyes, but you have programs that send clear-text passwords - ftp clients, MailSiphon, etc. A tunnel sets up a secured connection, using SSH, and your insecure traffic travels through it. The programs don't know anything is different, but an eavesdropper will just see nonsense. This is especially useful for older versions of Adobe GoLive and Dreamweaver, which can update web sites via FTP but not SFTP.

Windows

I don't have Windows instructions yet but I suspect they're similar to the Mac instructions.

Under Mac System 7.5 through OS 9

First, I would like to thank Jean-Pierre Stierlin, the writer of MacSSH and MacSFTP, for his extensive help in getting me set up and running - and the people at Esosoft for their help as well.

Under Mac OS 7.5.3 through 9.2.2, the best way to assure secure connections was often via an SSH tunnel, especially when using GoLive and Dreamweaver, which never did get SFTP under pre-OS X systems. So I set up a tunnel using MacSSH. This is not unlike the way you connect to the Internet by dialing your local ISP (or connecting to your cable or DSL); the connection goes through MacSSH to get to its destination.

MacSSH comes with instructions, but I had some issues and questions which I will detail here. I won't duplicate all of MacSSH's instructions, just go over the issues I had.

First, to get FTP to work, you need to use passive mode. In GoLive, this is under Site - Settings - FTP - Advanced. In Fetch, it's under one of the preferences tabs. Passive mode is no problem most of the time, and you probably won't notice the difference.

Second, I set up just two tunnels: one for port 21 (FTP) and one for port 110 (POP3, or incoming mail). If I needed to secure SMTP (outgoing mail), I'd also set up one for port 25. Since MacSSH automatically creates a Telnet terminal, I didn't bother routing that.

To set up the first tunnel (POP3), I modified the default MacSSH connection settings (Favorites / Edit Favorites / Default). (Later I set the preferences to start the default connection automatically when MacSSH starts up, which removes an annoying step.)

  1. In the General tab, I put in my host name (allpar.com) in General, and left it as Port 22.
  2. In the Security tab, I selected ssh2 as the protocol, with my username, password, client username (same as my username), and an lsh argument of -L21:allpar.com:21, which routes local port 21 (FTP) to remote port 21 (FTP). In short, my local machine's traffic on port 21 goes through the tunnel, and when it comes back, it ends up coming out of port 21 again, so nobody is confused but me.
  3. To add another tunnel here, I could just put in a space and type in the second one, e.g.
  4. In the SSH2 tab, I set the encryption, authentication and compression (all in order), then set the method to local tcp port forward. I set the local and remote ports to 110 for e-mail, and put in my remote host (allpar.com). Then I initialized SSH, using a very long string with lots of numbers.
  5. At that point, I went through MailSiphon, Fetch, etc., and everywhere it used to have allpar.com, I replaced it with 127.0.0.1 (localhost worked for a while, but then stopped, so start out right with 127.0.0.1).
  6. Strangely, I found this did not work until I closed MacSSH and restarted it.

When you do this, I strongly suggest you also edit the default MacSSH terminal - make the font larger and set it up as a VT100 or VT220 so you can use pico and pine. Also, remember to log out when you're done with a session!

This whole process is much easier to use than it sounds, since all I have to do is open MacSSH and I'm totally secure. Until I open MacSSH, though, none of my file transfers (or non-Eudora e-mail) will work!

SSH tunnelling under Mac OS X

Believe it or not, most of this is from trial and error.

If you are using Classic (legacy, or OS 9, or OS8, etc.) programs

If you are using Classic apps - for example, GoLive 5 or a non-Carbon version of Fetch or MailSiphon - first open the Classic app, then open MacSSH while in Classic, and run it according to the instructions under "Under Mac System 7.5 through OS 9" above.

If you are using Carbon or Cocoa (native) programs: method II

This method was sent in by Marc Poirier. The idea here is to keep using your standard ftp software, but to have a secure connection. Frankly, we find Transmit much easier, but if you're wedded to an older version of GoLive or Dreamweaver or have ssh but not sftp access... go for it.

1) Open a Terminal window

2) Type in the following formula:

sudo ssh -l [your remote username] -L 21:[remote site]:21 -L 110:[remote site]:110 [remote site]

For example, for my site, allpar.com, with username macdude, it would be:

sudo ssh -l macdude -L 21:allpar.com:21 -L 110:allpar.com:110 allpar.com

This creates a tunnel in OS X but not in Classic programs.

Then, when you are making bookmarks or connections in Fetch, GoLive, MailSiphon, etc. - in other words, in any program - use 127.0.0.1 as the remote server (as detailed in the OS 9 solution at the top of the page). Otherwise, you won't be using the tunnel!
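The tunnel command above, as an added example that is not part of the original tutorial or of Marc's method: a small POSIX shell script that builds the ssh local-port-forward command from a list of LOCAL:REMOTE port pairs, adds sudo only when a local port is below 1024 (the reason the tutorial's command needs it), and shows the same two forwards on unprivileged local ports so no sudo is needed at all. The user name macdude and host allpar.com are the tutorial's own sample values; the "start" argument and the port numbers 2121 and 1110 are my choices.

```shell
#!/bin/sh
# Added example (not from the original tutorial): build the ssh port-forward
# command from LOCAL:REMOTE pairs. macdude / allpar.com are the page's values.

# valid_port N: succeeds if N is an integer in 1..65535
valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# build_tunnel_cmd USER HOST LOCAL:REMOTE [LOCAL:REMOTE ...]
# Prints the command on stdout; returns 1 on a malformed pair.
# -N: forward ports only, do not open a remote shell.
# sudo is prefixed only when a local port is below 1024, because binding
# such a port needs root; that is why the tutorial's 21/110 forwards use it.
build_tunnel_cmd() {
    user=$1; host=$2; shift 2
    [ $# -gt 0 ] || return 1
    forwards=""; need_sudo=0
    for pair in "$@"; do
        case $pair in *:*) ;; *) return 1 ;; esac
        lport=${pair%%:*}; rport=${pair#*:}
        valid_port "$lport" && valid_port "$rport" || return 1
        if [ "$lport" -lt 1024 ]; then need_sudo=1; fi
        # local port -> ssh -> server -> remote port. ssh binds the local
        # side to the loopback interface, so clients must use 127.0.0.1.
        forwards="$forwards -L $lport:$host:$rport"
    done
    prefix=""
    if [ "$need_sudo" -eq 1 ]; then prefix="sudo "; fi
    printf '%s\n' "${prefix}ssh -N -l $user$forwards $host"
}

# Unprivileged variant: local 2121 -> FTP (21), local 1110 -> POP3 (110).
# Point the FTP/mail client at 127.0.0.1 port 2121 / 1110 instead of 21 / 110.
# Caveat: only the FTP control channel (login and password) is tunnelled;
# passive-mode data connections still go to the server directly, in the clear.
if [ "${1:-}" = "start" ]; then
    cmd=$(build_tunnel_cmd macdude allpar.com 2121:21 1110:110) || exit 1
    echo "Running: $cmd"
    eval "$cmd"
fi
```

Run it as `sh tunnel.sh start` and leave that Terminal window open, just as with the tutorial's command; closing it closes the tunnel.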

Note that you can save the command for easy reference either by copying and pasting it somewhere else, or by this method sent in by Marc:

If you are using Terminal or another tcsh shell, then create a file called .tcshrc in your home directory (if you don't already have one) and add this line:

alias tunnel 'sudo ssh -l macdude -L 21:allpar.com:21 -L 110:allpar.com:110 allpar.com'

That will create an alias called "tunnel" and then all you have to do to run that command is enter the word "tunnel" in Terminal. To create that .tcshrc file, probably the easiest way is to use pico (the simplest UNIX text editor), for example:

pico ~/.tcshrc

Troubleshooting