G+_Carlos Sevillano Posted June 19, 2015
Hi All. I have a quick question. Should I be backing up files from my computer via FTP to my business website? Is this safe? If I should not be doing so, can someone suggest a better method of offsite backup? Thank you.
G+_Larry Havenstein Posted June 19, 2015
Standard FTP should be avoided. It's not encrypted, so you are letting the world see your files, technically. SFTP is encrypted and would work. You want to use an encrypted protocol nowadays, either HTTPS or SFTP.
G+_Warren Knight (whk) Posted June 19, 2015
Two quick considerations:
Protocol: Don't use FTP. Your credentials and data travel in the clear and can be intercepted. Use SFTP, SCP or RSYNC over an SSH tunnel (not rsync direct). Use SSH keys rather than username/password. And set the account to only allow login via SSH key.
Attack surface: An HTTP server is usually accessible to the entire internet and potentially exploitable. If you are on a shoestring budget, be sure to encrypt your backups before upload to the server (a good idea no matter what provider you use to host your data) with a key that is not available on the backup server. Just make sure the key is backed up somewhere. Otherwise set up a second server (with iptables restricting access), VM, container, Amazon S3 or Glacier account, etc. to store your (encrypted) backups.
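An added example, not part of any post in this thread: a check that an `sshd_config` really leaves a backup account with key-only login, as the post above advises. The account name `backup` and the sample config are constructed; only `Match all` and `Match User` are evaluated, and `Include` and `AuthenticationMethods` are ignored.

```python
import fnmatch

# sshd_config(5) defaults: every method below is on unless the file says otherwise.
DEFAULTS = {"pubkeyauthentication": "yes", "passwordauthentication": "yes",
            "kbdinteractiveauthentication": "yes"}
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
# Constructed sample config; "backup" is a hypothetical account name.
SAMPLE = """\
PasswordAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
Match User legacy*
    PasswordAuthentication yes
Match User backup,!root
    PasswordAuthentication no
"""

def user_matches(criteria, user):
    """Support 'Match all' and 'Match User <pattern-list>' only."""
    words = criteria.split()
    if len(words) == 1 and words[0].lower() == "all":
        return True
    if len(words) != 2 or words[0].lower() != "user":
        return False  # other criteria (Group, Address, ...) are not evaluated
    pats = words[1].split(",")
    if any(p.startswith("!") and fnmatch.fnmatchcase(user, p[1:]) for p in pats):
        return False
    return any(fnmatch.fnmatchcase(user, p) for p in pats if not p.startswith("!"))

def effective_auth(config_text, user):
    """Resolve the auth keywords for `user`; the first value obtained wins."""
    global_opts, match_opts = {}, {}
    target = global_opts
    for raw in config_text.splitlines():
        parts = raw.strip().replace("=", " ", 1).split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        key, value = ALIASES.get(parts[0].lower(), parts[0].lower()), parts[1]
        if key == "match":
            target = match_opts if user_matches(value, user) else None
        elif target is not None and key in DEFAULTS:
            target.setdefault(key, value.split()[0].lower())
    return {**DEFAULTS, **global_opts, **match_opts}  # Match overrides global

def key_only(config_text, user):
    """True when `user` can authenticate with a public key and nothing else."""
    eff = effective_auth(config_text, user)
    return (eff["pubkeyauthentication"], eff["passwordauthentication"],
            eff["kbdinteractiveauthentication"]) == ("yes", "no", "no")
```

In the sample, the second global `PasswordAuthentication no` has no effect because the first value wins, so only the `Match User` block makes `backup` key-only.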
G+_Larry Havenstein Posted June 19, 2015
With host-based firewall rules you can change what the receiving server will talk to. This adds another layer of security also. By hardening the firewall, HTTPS can be as secure as any of the other protocols. I would recommend zipping the files up and using a password on the zip (involving encryption). This will make access to the files secure at rest on the endpoint server.
G+_Michael Heinz Posted June 19, 2015
I second the suggestion of using rsync.
G+_Ben Reese Posted June 20, 2015
I'm not familiar with rsync, but I'm sure it's a good solution. Definitely do not use plain FTP. As others noted, the transmission is not encrypted and neither is the authentication. If that UN/PW is used for other services in the website, FTP will put them at risk too. SFTP (FTP over SSH) is an excellent choice, and if the web server is on Windows it probably supports FTPS (FTP over SSL). Both are good choices. Also consider cost, though. Your business website may charge per GB for storage and may charge per GB for data transmission. There may be other cheaper options.