WinSCP Secure File Transferring
 

I am going to start using WinSCP for FTP'ing files to and from my servers and me. Is anyone else currently using this? I would like to discuss a few things about it.

First question, do you use RSA? Should I use it?

BTW, this is a take off of this thread:
"We Got HACKED!"
http://www.gofuckyourself.com/showth...threadid=77620

If you mean by RSA, using RSA authentication (public/private) keys, then maybe.

They are convienient, no more typing in a password each time. You just simply magically get access. ;) They also may be slightly more secure.

With SCP though (pretty much copying files over SSH), remember you password is encrypted before it's sent. So really you're pretty well off with either.

I tend to use RSA auth just for the convience, and for of course automated file transfers between boxes.

Also, it's a great idea to use SCP, BUT don't expect it to actually foil too much... IMO the importance of packet sniffing in h4x0r1ng Mr. random webserver is highly trumped up. If half the people that preach about over the wire encryption took that time and actually stayed up to date on security vulnerabilities in whatever the latest daemon-with-exploit is, everyone would be far better off. Remember the encryption only helps if someone happens to have a machine on either end of the connection, (like a box next to your webserver, on the same vlan) or if the machine is allready compromised. If the latter is true, I submit they can get that information anyways. :)

That rant being said, it's a VERY good idea to use scp. But also remember the easier things h4x0rs use to fuck with you. Taking the time and effort to obtain a posistion to packet sniff you is about one of the last things they'll try.

i.e. don't use encryption as a security blanket. Keep up on best-practice everywhere else.

peace,

-Phil

Thanks for the informative post. :thumbsup

Just a friendly piece of advise, don't use passwordless RSA. It's not that hard to type the password in every time. :)

Ahhh... so far WinSCP fucking sucks. I was uploading some files, it failed and closed down (on it's own):

Copying file 'xxxxxxxxxxxxxxxxx' fatally failed.
Network error: Software caused connection abort

Argh! The windows/mouse functions in the program fucking suck too. It is impossible to select and upload a group of files without using the space bar or window menus. Very annoying.

Any other FTP program I should use that uses SSH 1?

Van Dyke, who make CRT and SecureCRT, also make SecureFX. It is a a pretty good program that does FTP, SSH over FTP and SFTP. The latest version supports SFTP transfers both in ASCII and Binary mode, which is really nice.

SFTP is great, because all you need running is SSH2. You don't even need an FTP Daemon installed on the server.

However, SFTP may not be what you want since the server supports only SSH1. You might want to considering having that upgraded to SSH2.

I'm pretty sure you can download a 30 Day Trial from the Van Dyke Website.

www.vandyke.com

Yeah, I'm all about vandyke. One of the few shareware-esque programs I actually pay for. :)

I even bought two copies of SCRT for feeling guilty about using it a few years w/o a liscense.

Definitely install ssh2 if you have a dedicated box. If you need help, hit me up I'm so-so free tonight. ICQ in profile.

-Phil