FTP/EE 2-step verification?


#1

Hi people

How do you handle the security part? What do you do with FTP? In my case, I use FileZilla, which keeps the passwords in its files, which is quite scary for me. As well, passwords to various parts of the stack are saved on the disk, accessible to anyone who can log in via FTP or otherwise.

What do you do with all that?

Thanks


#2

I never store passwords locally. But this is all about your preferences, level of risk etc.


#3

Thanks

  1. But what FTP software are you using? Do you remember all your passwords?
  2. The MySQL root password, for example, is stored on the server when you install EE.

#4

I SFTP in as www-data with keys. I use Nautilus and the Atom editor, or just SSH with nano, depending on what I want to do.

I haven’t used FileZilla in a while, but I know it does SFTP.


#5

SFTP is fine and that’s what I’m doing, but are the passwords saved anywhere? or do you remember them all in your mind?


#6

I use SSH keys without passwords. So yes, the public keys to my servers are stored locally. If you are worried about your local machine’s security, I don’t think there is much difference between passwords and keys. If ‘they’ pwn your box, they have your keys/passwords. Maybe someone else can help you set up some other solution. The whole point of keys is to make automation easier and save you from typing in a password over and over.

7 years using Ubuntu as my local machine, so the days of malware and all those headaches/worries with Windows are just not an issue.

I don’t know, maybe I am too lax, especially with www-data. If someone were able to get the key for my server, they would still need to know my sudo password to do any real damage. If they got www-data’s key, they could really make a mess of everything under /var/www/.

If I had a Windows machine I would be worried about these things…
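The post above keeps private keys on disk without a passphrase, on the reasoning that a compromised workstation yields keys and passwords alike. The practical difference a passphrase makes is that a copied key file is useless on its own, and `ssh-agent` still spares you from retyping it. The Python script below is an added example, not code from this thread or from EasyEngine: it reports which private keys in a directory are stored without a passphrase. It reads only the cipher and KDF names at the start of OpenSSH's own `openssh-key-v1` container, and the `Proc-Type`/`DEK-Info` headers of legacy PEM keys; the key files it builds for its demo are constructed fixtures with zeroed key material, not real keys, and the directory layout in `demo()` is an assumption that mimics `~/.ssh`.

```python
import base64
import os
import struct
import tempfile
from typing import Dict, List, Tuple

# Magic bytes that open every key in OpenSSH's own container format.
OPENSSH_MAGIC = b"openssh-key-v1\x00"
OPENSSH_HEADER = "-----BEGIN OPENSSH PRIVATE KEY-----"


def _string(data: bytes) -> bytes:
    """Encode an SSH wire-format string: 4-byte big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


def _read_string(buf: bytes, offset: int) -> Tuple[bytes, int]:
    """Decode an SSH wire-format string at offset; return (value, next_offset)."""
    if offset + 4 > len(buf):
        raise ValueError("truncated key container")
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    start = offset + 4
    if start + length > len(buf):
        raise ValueError("truncated key container")
    return buf[start:start + length], start + length


def inspect_private_key(text: str) -> Dict[str, object]:
    """Report format, cipher, KDF and whether the key material is encrypted.

    openssh-key-v1 stores the cipher and KDF names in clear at the start of the
    base64 body ("none" means an unencrypted key). Legacy PEM keys (RSA/EC/DSA
    from older ssh-keygen or OpenSSL) signal encryption with Proc-Type/DEK-Info
    headers and derive the key with OpenSSL's EVP_BytesToKey.
    """
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not lines or "PRIVATE KEY" not in lines[0]:
        raise ValueError("not a PEM-style private key")
    if lines[0] == OPENSSH_HEADER:
        body = base64.b64decode("".join(lines[1:-1]))
        if not body.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, offset = _read_string(body, len(OPENSSH_MAGIC))
        kdf, offset = _read_string(body, offset)
        return {"format": "openssh-key-v1", "cipher": cipher.decode("ascii"),
                "kdf": kdf.decode("ascii"), "encrypted": cipher != b"none"}
    # Legacy PEM: optional "Name: value" headers follow the BEGIN line, then a
    # blank line, then base64. An unencrypted key has no headers at all.
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            break
        name, value = line.split(":", 1)
        headers[name.strip()] = value.strip()
    encrypted = headers.get("Proc-Type", "").endswith("ENCRYPTED")
    return {"format": "legacy-pem",
            "cipher": headers.get("DEK-Info", "none").split(",")[0],
            "kdf": "EVP_BytesToKey" if encrypted else "none",
            "encrypted": encrypted}


def scan_ssh_dir(path: str) -> List[Tuple[str, Dict[str, object]]]:
    """Return (filename, info) for every private key found directly in path."""
    findings = []
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if not os.path.isfile(full):
            continue
        with open(full, "r", encoding="utf-8", errors="replace") as fh:
            content = fh.read()
        try:
            findings.append((name, inspect_private_key(content)))
        except ValueError:
            continue  # public keys, known_hosts, config, certificates
    return findings


def _openssh_fixture(cipher: bytes, kdf: bytes) -> str:
    """Constructed openssh-key-v1 file with zeroed key material (not a usable key)."""
    body = (OPENSSH_MAGIC + _string(cipher) + _string(kdf)
            + _string(b"")              # kdfoptions (salt + rounds when bcrypt)
            + struct.pack(">I", 1)      # number of keys
            + _string(b"\x00" * 51)     # public key blob placeholder
            + _string(b"\x00" * 64))    # (possibly encrypted) private section
    b64 = base64.b64encode(body).decode("ascii")
    wrapped = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"{OPENSSH_HEADER}\n{wrapped}\n-----END OPENSSH PRIVATE KEY-----\n"


SAMPLE_UNENCRYPTED_KEY = _openssh_fixture(b"none", b"none")
SAMPLE_ENCRYPTED_KEY = _openssh_fixture(b"aes256-ctr", b"bcrypt")
# Constructed legacy PEM fixture; the body is filler, not real key material.
SAMPLE_LEGACY_ENCRYPTED_KEY = ("-----BEGIN RSA PRIVATE KEY-----\n"
                               "Proc-Type: 4,ENCRYPTED\n"
                               "DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF\n"
                               "\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n"
                               "-----END RSA PRIVATE KEY-----\n")


def demo() -> List[str]:
    """Write the fixtures into a throwaway ~/.ssh-like dir; return unprotected key names."""
    with tempfile.TemporaryDirectory() as ssh_dir:
        files = {"id_ed25519": SAMPLE_UNENCRYPTED_KEY, "id_rsa": SAMPLE_ENCRYPTED_KEY,
                 "id_ecdsa": SAMPLE_LEGACY_ENCRYPTED_KEY,
                 "id_ed25519.pub": "ssh-ed25519 QUJD user@host\n"}
        for name, content in files.items():
            with open(os.path.join(ssh_dir, name), "w") as fh:
                fh.write(content)
        return [n for n, info in scan_ssh_dir(ssh_dir) if not info["encrypted"]]


if __name__ == "__main__":
    for name in demo():
        print(f"{name}: private key has no passphrase")
```

On a real machine, call `scan_ssh_dir(os.path.expanduser("~/.ssh"))`; any key reported with cipher `none` can be given a passphrase in place with `ssh-keygen -p -f <keyfile>`, and loading it into `ssh-agent` keeps the automation benefit the poster wants without leaving the key usable to whoever copies the file.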


#7

Well, I’m not knowledgeable, but according to the press of recent years, there are enough security holes, some known to be exploited, for example

I had some security problems in the past, for example with Gmail (though I don’t write the passwords down at all, not even on paper), and it happened twice, day after day, even after I had changed my password… 2-step verification is really the only measure that prevented them from taking control of it.

Maybe I should consider some Linux and it would probably be better, but still, there are security holes which are not under your control.


#8

Yes I understand.

I was making breakfast for my 3 year old and you had me thinking. I use 4 passwords. One I don’t care if friends and family know, like the wifi password; another one for websites, which again I don’t really care if people get. The other two are split between WordPress/DigitalOcean/sensitive websites like the bank, and the fourth for sudo and other personal sensitive info. I have the last two written down for my wife in case I have a heart attack… lol.

Check out Elementary OS. It is Ubuntu based and has a nice UI. Once you start using some sort of Ubuntu/Debian based Linux for your daily driver, you will look back and kick yourself for not doing it sooner.

I have no doubt the NSA can own me if they cared to. My concern would be malware that allowed the attacker to create some sort of reverse shell/rootkit into my local box. I have two networks at home and force smartphones and Windows machines onto a guest network away from the router and other networked devices like the NAS, Pi projects and my XMPP server. I do not trust Windows for a few reasons and do not want them on my network, period.

So you see, I am paranoid about security; I just do not worry about the regular Flash/Java browser exploits that seem to plague Windows. So I am fairly confident in the security of my public/private keys.

Good luck with it and definitely check out


#10

Thanks! I appreciate your concern and help!

  1. Hmm, well, the OpenSSL stuff was also in Linux, for example

  2. How do you put all the other machines on the “guest” network? How do you separate them, by frequency? Or do you actually have two routers?

  3. Less NSA, more someone taking control of or deleting the sites under my control.

  4. I understand what you are saying about passwords. I’m actually responsible for various different accounts on different hosting and stuff like that. I don’t want to remember and type them in every time.

  5. Maybe indeed it’s better to make a separate Debian machine or something. Thanks!

And lol for the horse password. I wish I had remembered some stuff I loved, but I can’t really portray the details any more :frowning:

Thanks again!


#11

I use LEDE/OpenWrt. My router has two radios, 2.4 GHz and 5 GHz. Each radio is on a separate network.

I know there are some open-source password managers for Linux. Windows must have the same. Keep your passwords encrypted on disk with one master password to manage them all. Mozilla makes something to do this as well, if I remember correctly.

That image pops into my head whenever I think about passwords. More of a curse, lol

Best of luck.


#12

Thanks man!

I’ll probably use your methods

MS Win10:

