Secure Copy (SCP) has become a preferred method of transferring files by security professionals. SCP uses SSH to transfer data between two computers, and in doing so provides authentication and encryption. A client connects to a server using SSH, and then connects to an SCP program running on the server.The SCP client may also need to provide a password to complete the connection, allowing files to be transferred between the two machines.
The function of SCP is only to transfer files between two hosts, and the common method of using SCP is by entering commands at the command prompt. For example, if you were to upload a file to a server, you would use the following syntax:
scp sourcename user@hostname:targetname
For example, lets say you had an account named firstname.lastname@example.org, and were going to upload a file called myfile.txt to a server, and wanted it saved in a directory called PUBLIC under the same name. Using SCP, you would enter:
scp myfile.txt email@example.com:PUBLIC/myfile.txt
Similarly, if you were going to download a file from an SCP server, you would use the following syntax to download the file:
scp user@hostname:sourcefile targetfile
Therefore, if you were going to download the file we just uploaded to a directory called mydirectory, you would enter:
scp firstname.lastname@example.org:/PUBLIC/myfile.txt /mydirectory/myfile.txt
While users of SCP commonly use the command-line, there are GUI programs that also support SCP. One such program is WinSCP, which supports FTP, S/FTP and SCP.This program is open source, and available as a free download from www.winscp.net. It provides a means for users who aren't comfortable with entering commands from a prompt to use SCP, or those who simply prefer a graphical interface to perform actions over the Internet or between intranet hosts where security is an issue.
FTP servers that allow anonymous connections do so to allow users who do not have an account on the server to download files from it.This is a common method for making files available to the public over the Internet. However, it also presents a security threat.Anonymous connections to servers running the FTP process allow the attacking station to download a virus, overwrite a file, or abuse trusts that the FTP server has in the same domain.
Blind FTP involves making files available to the public only if they know the exact path and file name. By configuring FTP servers so that users are unable to browse the directory structure and their contents, the user is only able to download a file if they know where it is and what it's called. For example, if a user were going to download a file called blinded.zip that's stored in the PUBLIC directory on a Web server called ftp.example.com, they would use a link to the file that points to ftp://ftp.example.com/public/blinded.zip.
FTP attacks are best avoided by preventing anonymous logins, stopping unused services on the server, and creating router access lists and firewall rules. If anonymous logons are required, the best course of action is to update the FTP software to the latest revision and keep an eye on related advisories. It is a good idea to adopt a general policy of regular checks of advisories for all software that you are protecting.
In this tutorial:
- Web Based Services Security
- Web Security
- Managing Access Control
- Handling Directory and Data Structures
- Eliminating Scripting Vulnerabilities
- Logging Activity
- Finding Rogue Web Servers
- Stopping Browser Exploits
- Web Spoofing
- Web Server Exploits
- SSL and HTTP/S
- Instant Messaging
- Text Messaging and Short Message Service (SMS)
- Web-based Vulnerabilities
- Dangers Associated with Using ActiveX
- Protection at the Network Level
- Programming Secure Scripts
- Understanding Code Signing
- Buffer Overflows
- Making Browsers and E-mail Clients More Secure
- Securing Web Browser Software
- Resulting from Weak CGI Scripts
- FTP Security
- Secure Copy
- FTP Sharing and Vulnerabilities
- Directory Services and LDAP Security
- Securing LDAP