Support

UNiTE, Remote CLI, eXtract Wizard

#3627 Remote security question

Posted in ‘UNiTE and Remote CLI’
This is a public ticket

Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.

Environment Information

PHP version
n/a
Tool
UNiTE
Tool version
n/a

Latest post by nicholas on Wednesday, 14 April 2010 03:19 CDT

user7543
After a recent hack of a client's site that may have been caused by a stored FTP password, I have been working hard to tighten security in numerous ways. (A recent JoomlaPack backup and quick restore via kickstart saved the day -- thank you Akeebo!!)

Is it safe to have FTP usernames and passwords stored in JoomlaPack Remote? I found this on the Akeeba site:

http://www.akeebabackup.com/joomlapack-2x/miscinfo-security.html
"The preferred and suggested method for downloading your backup files - for several reasons - is using FTP in BINARY mode, preferably over an encrypted connection. Alternatively, you can use JoomlaPack Remote (part of our Native Tools package) which uses this approach when downloading backup archives."

But also this:
http://www.akeebabackup.com/akeeba-remote-control/ch02s02.html
"JoomlaPack Remote only supports plain FTP connections. Some more exotic/secure protocols, e.g. SFTP or FTPS, are not yet supported."

Do I need to worry about a) the fact that passwords are stored in JP Remote all the time and/or b) that the download of the backup is unencrypted?

dlb
I'm going to ask Nicholas to respond to your questions. He is more experienced in the security area than I am.


Dale L. Brackin
Support Specialist


us.gifEnglish: native


Please keep in mind my timezone and cultural differences when reading my replies. Thank you!


????
My time zone is EST (UTC -5) (click here to see my current time in Philadelphia, PA)

nicholas
Akeeba Staff
Manager
Yes, the passwords are stored in plain text inside Remote Control's SQLite database. However, if your PC is compromised you can safely assume that ALL your passwords must change. Remote Control supports plain FTP and FTPS (FTP over implicit SSL). Lack of SFTP support is due to restrictions in the networking library used. There is a major rewrite planned, but it will take a long while to be production quality. Another feature planned for 3.1 is adding encryption support for JPA archives, which would further enhance the security of your backup archives, both in transit and when stored anywhere.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

user7543
Nicholas, I'm don't know for sure where or how the attack took place, but I know that my PC is fine now; anti-virus and malware software have been and are up to date, all passwords have been changed, etc.

I'm asking more in general about the security of running JP Remote on a "safe" PC. I know stored FTP passwords are at risk for FTP injection attacks (which are dangerously on the rise) with Dreamweaver and Filezilla ... why would JP Remote be different? Post-hack I'm a little paranoid, so I'm nervous about walking away from my PC overnight while JP Remote is running backups, both while it's actively downloading the backup file from the Internet and while it's just sitting, storing those passwords. Do I need to be worried about this? I guess I could not store the FTP info and enter it manually every time I want JP Remote to take a backup ... and then baby-sit the backup so I can shut down JP Remote the moment it's done ... but maybe that's taking it too far. Can you reassure me?

Also, how important do you think it is to remove the backup files from the server after download? Something everyone should do who is using Akeeba ... or not a big deal? I'm trying to get a sense of best practices here.

Thank you.

P.S. Akeeba backups have probably saved more sites from disaster than you will ever know about. I'm going pro solely as a thank-you for saving my client's site last week, whew!

nicholas
Akeeba Staff
Manager
I share the same security concerns with you. The reason Remote Control's database is not encrypted is that it is supposed to run unattended, i.e. not wait for your input on launching a backup. So, it all comes down to how secure your PC really is.

The first option is having a dedicated system behind a firewall, with a solid antivirus system and where you do not install anything but updates (and visit no sites). Or use Linux. It is extremely hard to attack Linux systems unless you are a real hacker - and the vast majority of attacks is performed by bots, not humans.

If you are even more paranoid than this, you should consider using Akeeba Backup Professional. You can set it up so that it sends its backup files to Amazon's S3 or DropBox upon completion. This is the safest backup storage method, as the backup file is removed from the server as soon as the backup is complete and no credentials are transferred between your site and your PC.

Regarding the importance of removing backup files from your site, I'd say it's of PARAMOUNT importance. Do you leave your door key under the door mat? If you do, you run the risk of someone picking up the mat, taking the key and entering your house. The same thing goes with a backup file. It contains the keys to your site. If one of your installed components suffers a directory traversal vulnerability, a malicious hacker could in theory exploit this to grab your backup file (or just its first few kilobytes) and extract the database connection information. From that point, it's a hacker's joyride cracking your site. That's why I preach that the safest backup is the one which is stored on three different media BUT NOT on your site. My backups are usually stored on cloud storage, an external hard disk and a flash disk. I never leave them on the server.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

user7543
Thank you! I am that paranoid, and I like the idea of sending the files directly to cloud storage, plus a flash drive as an extra. I went Pro (I'm excited!) and will change my process from now on. Thank you, thank you!!

nicholas
Akeeba Staff
Manager
You're welcome :) I think all of us computer people share the same paranoia. And as Dale put it the other day, this paranoia has served us well over all those years!

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Support Information

Working hours: We are open Monday to Friday, 9am to 7pm Cyprus timezone (EET / EEST). Support is provided by the same developers writing the software, all of which live in Europe. You can still file tickets outside of our working hours, but we cannot respond to them until we're back at the office.

Support policy: We would like to kindly inform you that when using our support you have already agreed to the Support Policy which is part of our Terms of Service. Thank you for your understanding and for helping us help you!