One of the most common operations performed by a web server is the transfer of files. The primary function of a web server is to deliver web pages (made up of HTML files, image files etc) to a web browser. Naturally these files must be uploaded on to a web browser before they can be downloaded by a web browser.
The problem with the ubiquitous FTP command is that it is unencrypted. This means that all command and data sent to and from the server are send in the clear.
SFTP, or Secure FTP, is a program that uses Secure SHell (SSH) to transfer files. Both commands and data are encrypted allowing passwords and sensitive information to be transferred without the fear that a hacker is listening to your network traffic in an attempt to steal authentication information and negate your website security.
The SFTP protocol offers the full range of file access, file transfer, and file management functionality over a secure channel. SFTP authentication is handled by the underlying secure channel (normally SSH).
It is inevitable that during the configuration of a web server (or its related services like databases or server side scripting) that files containing username and password information will be uploaded to the server. When using FTP it will be possible for a hacker to capture network traffic between your desktop and the web server and so discover these passwords. Once your web site goes live the hacker will be able to access your files (or the database) whenever he wants. This means that your website security is now compromised.
With SFTP everything is encrypted. When the SFTP client establishes a connection with the server two important elements are validated:
The basic elements of configuring an SFTP connection are:
- First the server is validated to ensure that the connection is being made to the correct server. This ensures that no one is eavesdropping using a man-in-the-middle attack. The validation is normally done against the client’s local copy of server’s public keys.
- Secondly the client it authenticated by either username and password, or via public key based authentication.
Once the server has been validated and the client authenticated, the encrypted connection has been created. Files can now be transferred securely and your website security will rename strong.
The SFTP command is simple to use from the command line on Linux, FreeBSD and OS X. To start an SFTP session, at the command prompt, enter:
Some standard commands for command line SFTP include:
- cd Change directory
- lcd Change the directory on the local computer
- get Download file from the remote server
- put Upload a file from to the server
- mkdir Create a directory on the remote computer
- rename Rename a file on the remote host
- rm Delete files from the remote server
- rmdir Remove a directory
© 2011 – ArtSec Group LLC