Web Hosting Talk

View Full Version : SecureFTP (SFTP) v. SSH


Jim777
07-04-2002, 01:21 AM
It seems that most web hosts advise users to FTP their site, but doesn't that put the user's user name and password at risk, like this excerpt says:
From:
http://www.itc.virginia.edu/desktop/securefx/securefx.html#sftp
>>>>
FTP by itself is not secure. This means that your login i.d. and password can be "captured" by anyone as it goes from one machine to another. Even if the information that is being transferred is for public consumption, the fact that your login/password pair can be read is a serious risk. If that information is nabbed by a malicious intruder, that individual could not only make a mess of your home directory.
>>>>
Are web hosts using Secure FTP and SSH to avoid this security vulnerability?

ScottD
07-04-2002, 01:28 AM
Precisely why it's silly for admins that offer SSH, FTP, and POP3 to turn telnet off.

POP3 passwords are transmitted a lot more frequently than any others, yet those are completely insecure just like FTP and Telnet.

mwatkins
07-04-2002, 01:34 AM
Most hosts that provide shell access provide access via SSH as an option. SCP - secure cp - operates over the same SSH protocol, so if the host offers SSH, you are all set.

Just add client software, and water...

Jim777
07-04-2002, 02:17 PM
What client software would you recommend for SCP?
WinSCP?
PuTTY?
pscp?

And for SSH itself - what about SecureCRT?

mwatkins
07-04-2002, 03:05 PM
I've been using WinSCP and Putty for SSH. I have putty scripted to upload code from my desktop as well.

Others have their own preferences - SecureCRT seems to get lots of applause.

CitadelJon
07-04-2002, 05:42 PM
PuTTY is a fantastic tool, it's simple and best of all, it's free.

SecureCRT is nice too, it has more options but isn't free. If all you need to do is SSH then I'd suggest you use PuTTY.

iamdave
07-04-2002, 06:55 PM
I like putty a lot.

Mike the newbie
07-04-2002, 07:32 PM
Originally posted by DizixCom
Precisely why it's silly for admins that offer SSH, FTP, and POP3 to turn telnet off.

POP3 passwords are transmitted a lot more frequently than any others, yet those are completely insecure just like FTP and Telnet.
Yup, that's why I use POP3-SSL. No more clear-text passwords when I check mail. :D

driverdave
07-04-2002, 07:41 PM
The average user is going to be turned off when you tell them you don't offer FTP. Most people don't even like to use a number in their password, how are they going to react when I tell them they can't use their FTP program, or they have to tunnel over SSH?

Also, I don't feel too silly for offering FTP and not Telnet. I don't give anyone a shell, so if someone grabs an FTP password, they'll have to work a bit harder to get shell. If they got a Telnet pass, well, shell is a little easier road for them, and root isn't that hard from shell for anyone.

Basically, it's all a tradeoff. The most secure server in the world is turned off, disconnected from any network. And you'll have no customers. It's all downhill from there, security wise.

Mike the newbie
07-04-2002, 08:13 PM
Originally posted by driverdave
...The most secure server in the world is turned off, disconnected from any network. ...
It may not be secure if it is not in a physically secure location. A powered-down server can be stolen. :D

ScottD
07-04-2002, 08:54 PM
Also, I don't feel too silly for offering FTP and not Telnet. I don't give anyone a shell, so if someone grabs an FTP password, they'll have to work a bit harder to get shell. If they got a Telnet pass, well, shell is a little easier road for them, and root isn't that hard from shell for anyone.
If you read what I said, I specifically stated that it's silly for hosts that offer SSH (read, shell access via ssh) in combination with FTP and POP3 to turn telnet off, as there is no point. And if it's easy for anyone to get root just from a shell, then you have serious issues to work out. I am fairly confident that if someone gained regular user shell access to any of my servers, they'd not be able to get root no matter how hard they try. Naturally I can't be 100% certain, but I am pretty darned sure.

Using POP3-SSL is an excellent idea for everyone, as well as using SFTP, but that is end user responsibility in my opinion. Not something we can easily enforce as a hosting provider because they are not mainstream enough to be accepted. :(

Mike the newbie
07-05-2002, 10:20 PM
Originally posted by DizixCom
...Using POP3-SSL is an excellent idea for everyone, as well as using SFTP, but that is end user responsibility in my opinion. Not something we can easily enforce as a hosting provider because they are not mainstream enough to be accepted. :(

Doesn't Outlook Distress support POP3-SSL? If so, that's about as mainstream as you can get.
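The thread's point is that FTP, Telnet and POP3 hand the login name and password to anyone watching the wire, while SSH/SFTP/SCP and POP3-SSL do not. As an added example (not code from the thread or from any of its posters), here is a small Python audit a hosting admin could run over what a passive sensor on the server records, to learn which accounts are still logging in over cleartext ports and need to be moved to SFTP/SCP or POP3-SSL; the sensor record format and the flow records themselves are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of client-to-server payload chunks, as a passive sensor on
# the hosting server might record them: (client IP, server port, first bytes).
SAMPLE_FLOWS = [
    ("203.0.113.5", 21, b"USER alice\r\n"),
    ("203.0.113.5", 21, b"PASS hunter2\r\n"),
    ("203.0.113.9", 110, b"USER bob@example.net\r\n"),
    ("203.0.113.9", 110, b"PASS s3cret\r\n"),
    ("203.0.113.12", 23, b"carol\r\n"),                # Telnet login name
    ("203.0.113.20", 22, b"SSH-2.0-OpenSSH_3.4\r\n"),  # SSH banner
    ("203.0.113.21", 995, b"\x16\x03\x01\x00\x8a"),    # TLS ClientHello
]

# Ports whose protocols send the login in the clear, paired with the
# encrypted replacement the thread recommends for each one.
CLEARTEXT = {21: ("FTP", "SFTP/SCP over SSH"), 23: ("Telnet", "SSH"),
             110: ("POP3", "POP3-SSL")}
ENCRYPTED = {22: "SSH/SFTP/SCP", 995: "POP3-SSL"}

# FTP and POP3 both authenticate with literal USER / PASS commands.
USER_PASS = re.compile(rb"^(USER|PASS)\s+(\S+)", re.IGNORECASE)


def find_cleartext_logins(flows):
    """One finding per (client, port) on a cleartext port; the password value is never stored."""
    findings = {}
    for client, port, payload in flows:
        if port not in CLEARTEXT:
            continue
        proto, fix = CLEARTEXT[port]
        entry = findings.setdefault((client, port), {
            "client": client, "protocol": proto, "user": None,
            "password_seen": False, "migrate_to": fix})
        m = USER_PASS.match(payload)
        if m and m.group(1).upper() == b"USER":
            entry["user"] = m.group(2).decode("ascii", "replace")
        elif m:                      # PASS: record the fact, not the secret
            entry["password_seen"] = True
    return sorted(findings.values(), key=lambda f: f["client"])


def encrypted_share(flows):
    """Fraction of clients that logged in only over encrypted channels."""
    seen = defaultdict(set)
    for client, port, _ in flows:
        if port in CLEARTEXT or port in ENCRYPTED:
            seen[client].add(port in ENCRYPTED)
    return sum(1 for p in seen.values() if p == {True}) / len(seen) if seen else 1.0
```

The username is kept in each finding so the admin can contact the account owner; Telnet sessions are flagged by port alone, since the login name is not preceded by a recognizable command.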