WinSCP Secure File Transferring - GoFuckYourself.com

HQ · 09-21-2002, 09:19 AM

I am going to start using WinSCP for FTP'ing files to and from my servers and me. Is anyone else currently using this? I would like to discuss a few things about it.

First question, do you use RSA? Should I use it?

BTW, this is a take off of this thread:
"We Got HACKED!"
http://www.gofuckyourself.com/showth...threadid=77620

Phil21 · 09-21-2002, 10:21 AM

If you mean by RSA, using RSA authentication (public/private) keys, then maybe.

They are convienient, no more typing in a password each time. You just simply magically get access. ;) They also may be slightly more secure.

With SCP though (pretty much copying files over SSH), remember you password is encrypted before it's sent. So really you're pretty well off with either.

I tend to use RSA auth just for the convience, and for of course automated file transfers between boxes.

Also, it's a great idea to use SCP, BUT don't expect it to actually foil too much... IMO the importance of packet sniffing in h4x0r1ng Mr. random webserver is highly trumped up. If half the people that preach about over the wire encryption took that time and actually stayed up to date on security vulnerabilities in whatever the latest daemon-with-exploit is, everyone would be far better off. Remember the encryption only helps if someone happens to have a machine on either end of the connection, (like a box next to your webserver, on the same vlan) or if the machine is allready compromised. If the latter is true, I submit they can get that information anyways.

That rant being said, it's a VERY good idea to use scp. But also remember the easier things h4x0rs use to fuck with you. Taking the time and effort to obtain a posistion to packet sniff you is about one of the last things they'll try.

i.e. don't use encryption as a security blanket. Keep up on best-practice everywhere else.

peace,

-Phil

HQ · 09-21-2002, 11:37 AM

Thanks for the informative post.

vending_machine · 09-21-2002, 11:40 AM

Just a friendly piece of advise, don't use passwordless RSA. It's not that hard to type the password in every time.

HQ · 09-21-2002, 11:48 AM

Ahhh... so far WinSCP fucking sucks. I was uploading some files, it failed and closed down (on it's own):

Copying file 'xxxxxxxxxxxxxxxxx' fatally failed.
Network error: Software caused connection abort

Argh! The windows/mouse functions in the program fucking suck too. It is impossible to select and upload a group of files without using the space bar or window menus. Very annoying.

Any other FTP program I should use that uses SSH 1?

priest · 09-21-2002, 01:48 PM

Van Dyke, who make CRT and SecureCRT, also make SecureFX. It is a a pretty good program that does FTP, SSH over FTP and SFTP. The latest version supports SFTP transfers both in ASCII and Binary mode, which is really nice.

SFTP is great, because all you need running is SSH2. You don't even need an FTP Daemon installed on the server.

However, SFTP may not be what you want since the server supports only SSH1. You might want to considering having that upgraded to SSH2.

I'm pretty sure you can download a 30 Day Trial from the Van Dyke Website.

www.vandyke.com

Phil21 · 09-21-2002, 05:26 PM

Yeah, I'm all about vandyke. One of the few shareware-esque programs I actually pay for.

I even bought two copies of SCRT for feeling guilty about using it a few years w/o a liscense.

Definitely install ssh2 if you have a dedicated box. If you need help, hit me up I'm so-so free tonight. ICQ in profile.

-Phil

09-21-2002, 09:19 AM	#1
HQ Confirmed User Join Date: Jan 2001 Posts: 3,539	WinSCP Secure File Transferring I am going to start using WinSCP for FTP'ing files to and from my servers and me. Is anyone else currently using this? I would like to discuss a few things about it. First question, do you use RSA? Should I use it? BTW, this is a take off of this thread: "We Got HACKED!" http://www.gofuckyourself.com/showth...threadid=77620

09-21-2002, 11:40 AM	#4
vending_machine Confirmed User Join Date: Jun 2002 Location: Seattle Posts: 1,062	Just a friendly piece of advise, don't use passwordless RSA. It's not that hard to type the password in every time. __________________

09-21-2002, 11:48 AM	#5
HQ Confirmed User Join Date: Jan 2001 Posts: 3,539	Ahhh... so far WinSCP fucking sucks. I was uploading some files, it failed and closed down (on it's own): Copying file 'xxxxxxxxxxxxxxxxx' fatally failed. Network error: Software caused connection abort Argh! The windows/mouse functions in the program fucking suck too. It is impossible to select and upload a group of files without using the space bar or window menus. Very annoying. Any other FTP program I should use that uses SSH 1? Last edited by HQ; 09-21-2002 at 12:13 PM..

09-21-2002, 10:21 AM	#2
Phil21 Confirmed User Join Date: May 2001 Location: ICQ: 25285313 Posts: 993	If you mean by RSA, using RSA authentication (public/private) keys, then maybe. They are convienient, no more typing in a password each time. You just simply magically get access. ;) They also may be slightly more secure. With SCP though (pretty much copying files over SSH), remember you password is encrypted before it's sent. So really you're pretty well off with either. I tend to use RSA auth just for the convience, and for of course automated file transfers between boxes. Also, it's a great idea to use SCP, BUT don't expect it to actually foil too much... IMO the importance of packet sniffing in h4x0r1ng Mr. random webserver is highly trumped up. If half the people that preach about over the wire encryption took that time and actually stayed up to date on security vulnerabilities in whatever the latest daemon-with-exploit is, everyone would be far better off. Remember the encryption only helps if someone happens to have a machine on either end of the connection, (like a box next to your webserver, on the same vlan) or if the machine is allready compromised. If the latter is true, I submit they can get that information anyways. That rant being said, it's a VERY good idea to use scp. But also remember the easier things h4x0rs use to fuck with you. Taking the time and effort to obtain a posistion to packet sniff you is about one of the last things they'll try. i.e. don't use encryption as a security blanket. Keep up on best-practice everywhere else. peace, -Phil

09-21-2002, 11:37 AM	#3
HQ Confirmed User Join Date: Jan 2001 Posts: 3,539	Thanks for the informative post.

09-21-2002, 01:48 PM	#6
priest Confirmed User Industry Role: Join Date: Aug 2002 Location: Los Angeles, California Posts: 139	Van Dyke, who make CRT and SecureCRT, also make SecureFX. It is a a pretty good program that does FTP, SSH over FTP and SFTP. The latest version supports SFTP transfers both in ASCII and Binary mode, which is really nice. SFTP is great, because all you need running is SSH2. You don't even need an FTP Daemon installed on the server. However, SFTP may not be what you want since the server supports only SSH1. You might want to considering having that upgraded to SSH2. I'm pretty sure you can download a 30 Day Trial from the Van Dyke Website. www.vandyke.com

09-21-2002, 05:26 PM	#7
Phil21 Confirmed User Join Date: May 2001 Location: ICQ: 25285313 Posts: 993	Yeah, I'm all about vandyke. One of the few shareware-esque programs I actually pay for. I even bought two copies of SCRT for feeling guilty about using it a few years w/o a liscense. Definitely install ssh2 if you have a dedicated box. If you need help, hit me up I'm so-so free tonight. ICQ in profile. -Phil