Using Secure Shell and Secure Copy

One way in which web developers and webmasters can further ensure secure access to and from their servers is by restricting the use of telnet and, where possible, ftp.

While ftp can be configured tightly and run under ssl for additional security, it and telnet remain weak points in server security. Alternatives are available.

For starters, requiring secure shell (ssh) as a replacement for telnet access means user sessions are encrypted and key-based rather than based on a clear-text username and password. SSH is easily available to users on all platforms, with terminals, terminal applications and GUI clients ready-made for Linux, Macintosh and Windows. A majority of *Nix servers have an ssh server installed by default, and telnet can be disabled safely while still ensuring access through the command line (terminal) and clients (the majority of which support both telnet and ssh).

For Windows-based servers, there are open source ssh servers available, one of the most popular being OpenSSH for Windows (formerly run under the Network Simplicity name). This installs ssh under Cygwin without the need to load a full Cygwin install on a Windows server.

An immediate benefit of using ssh is access to secure copy (scp) and secure ftp (sftp). Both of these offer an encrypted method for transferring files and are full-featured replacements for telnet and ftp.

SSH, scp and sftp can be used from the command line just as users have used telnet and ftp. Some examples are below:

SSH

'ssh user@domainname.com'

'ssh domainname.com -l user' (for OS X users)

If this is your first login, you are prompted to accept the server's host key, which generates an entry in your local known_hosts file, and to provide a password, which is transferred securely. You are then able to access all of the same command line functions as in telnet.

SCP – Transfers a file or files from one system to another. For example, if I have an application to upload and install on my server, I could perform the following:

'scp application.tar.gz user@domainname.com:'

I am prompted for a password, and then the file is transferred to my user folder on the server. If I wanted to upload a number of RPM updates for a server, I would ensure I am in the directory where the files reside, and send the following:

'scp *.rpm user@domainname.com:'

Again, the files are transferred securely.

One additional benefit of scp is some minor added compression, which shortens the transfer time.

SFTP – Logging in is the same as ftp on the command line:

'sftp user@domainname.com'

After answering a password prompt, a secure ftp session is started.

“Passwordless” sessions are available if you set up a key to handle the secure handshake between your system and the server by running ssh-keygen. A good tutorial is found at Fedora News.
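
As an added example (not from the original article or the Fedora News tutorial), the key setup described above can be scripted as follows: make_client_key runs ssh-keygen on your own system, and install_pubkey does on the server what ssh-copy-id automates. The function names, default paths and key comment are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: key-based ("passwordless") login setup.
# Function names and default paths are illustrative assumptions.

# Client side: create an Ed25519 key pair. ssh-keygen prompts for a
# passphrase; with one set, ssh-agent can hold the unlocked key so later
# ssh/scp/sftp sessions start without a prompt.
make_client_key() {
    key_file=${1:-"$HOME/.ssh/id_ed25519"}
    ssh-keygen -t ed25519 -f "$key_file" -C "$(id -un)@$(hostname)"
}

# Server side: add one public key to an account's authorized_keys file.
# Keeps modes tight (sshd's default StrictModes ignores key files that
# other users can write to) and skips keys that are already installed.
install_pubkey() {
    pub_file=$1
    ssh_dir=${2:-"$HOME/.ssh"}
    auth_file="$ssh_dir/authorized_keys"

    [ -r "$pub_file" ] || { echo "cannot read $pub_file" >&2; return 1; }
    # A public key is a single line; a multi-line file is likely a private key.
    [ "$(wc -l < "$pub_file")" -le 1 ] || {
        echo "$pub_file is not a one-line public key" >&2; return 1; }
    key=$(cat "$pub_file")
    case $key in
        ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-*\ *) ;;
        *) echo "unrecognised key type in $pub_file" >&2; return 1 ;;
    esac

    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    touch "$auth_file" && chmod 600 "$auth_file" || return 1
    # -x whole line, -F fixed string: append only if this exact key is absent.
    grep -qxF -- "$key" "$auth_file" || printf '%s\n' "$key" >> "$auth_file"
}

# Permission string of a path, e.g. "drwx------", for a quick audit.
mode_of() { ls -ld "$1" | cut -c1-10; }
```

Once the public key is installed, 'ssh -o PasswordAuthentication=no user@domainname.com' confirms that the login succeeds with the key alone.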

Clients are available for all platforms, such as those listed below.

Linux
-Native terminal shells including Bash, CSH (C Shell) and KSH (Korn Shell)
-SSH capable tools, such as gFTP and KDE ftp tools

Macintosh
-Native terminal shells as on Linux
-MacSSH and MacSFTP

Windows
-OpenSSH for Windows (client included)
-PuTTY, a favorite of many Windows users.


  • http://www.phpscripts.com/ donsimon

    There are a few tricks with scp that most people don’t know about until you really try and beat it hard. For example, if you have, say, 100 mb/s and you are trying to copy a file from one server to another and you don’t go over a backend network, you will use up your entire 100 mb/s. I see it happen all of the time and unfortunately we have not found a way to slow it down. You can use rsync, which has a system to limit the amount of bandwidth used. But the best solution and from a security standpoint all box to box traffic should go over a dedicated backend, and then you can use all of the free bandwidth you want.

    Just my 2 cents….

  • M.Webster

    Ensure correct English usage by consulting a reliable dictionary before publication: the word is “ensure”, not “insure”.