-
Secure FTP with Windows
Hello, I've been using my comcast account as an ftp server. Normally, I access it through network neighborhood by visiting ftp://[email protected]. Recently though, I just noticed the warning dialog box that says "FTP does not encrypt or encode passwords before sending them to the server".
The stuff I have on my FTP server isn't anything important, but I found the no-encryption unsettling. The "click me" help thingy told me about using "secure web folders" but upon checking the Microsoft documentation, it told me it only works with https://, and that ftp has no protection.
Anyway, so is there a way I can access my FTP server securely?
P.S. I checked antionline's search function before I posted and didn't find anything. If I missed something, I apologize.
-
Microsoft changed that in a patch a while ago because this feature could be used to spoof the real address.
The patch was MS04-004, which you can read here (check the Technical Details):
http://www.microsoft.com/technet/sec.../MS04-004.mspx
-
FTP, by its nature, is an insecure protocol.... Thus everything is sent in clear.
Do you control the server itself? I get the feeling you don't because the domain appears to be a subdomain of comcast.net
-
Most FTP is still clear text.
Although there are several good secure open source file transfer options available, I choose to use encrypted FTP via commercial server and client software from IPSwitch.
WSFTP Pro Server and Client.
I'm sure others can comment on the OS variety. I don't use it so I won't.
-
Well, I feel that your question has been answered in the previous post, but here are some free FTP programs to get started on and hopefully get some better encryption on your end.
http://www.snapfiles.com/freeware/network/fwftp.html
- MilitantEidolon
-
You can set up a secure FTP server (http://www.ipswitch.com/index.asp, and others) for a price. Using a secure HTTPS site may be the better solution, assuming you can get a certificate from a CA. The problem with most "secure" FTP clients is that the initial connection (which includes your login) isn't necessarily encrypted or protected. There must be a handshake between the server and the client to establish the protocol prior to the login to protect the login exchange. So, just having a "secure" client doesn't solve the problem.
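The ordering point in the post above, as an added example that is not part of the original thread: a small Python check that reads a client-side FTP debug transcript and reports whether USER/PASS were sent before the control channel was upgraded with AUTH TLS (explicit FTPS, RFC 4217). The transcripts, the user name and the function name are constructed for illustration.

```python
# Added example: was the FTP login sent before TLS was negotiated?
# Events are (direction, line) pairs: "C" = client command, "S" = server reply.

CLEAR = "cleartext-login"
PROTECTED = "login-after-tls"
NO_LOGIN = "no-login-seen"

def classify_session(events, implicit_tls=False):
    """Return (verdict, offending_verb) for one control-channel session.

    implicit_tls=True models implicit FTPS, where TLS wraps the
    connection before any FTP command is exchanged.
    """
    tls_active = implicit_tls
    auth_pending = False
    saw_login = False
    for direction, line in events:
        if direction == "C":
            verb, _, arg = line.strip().partition(" ")
            verb = verb.upper()
            # Asking for TLS is not enough; the server must accept with 234.
            auth_pending = verb == "AUTH" and arg.strip().upper() in ("TLS", "SSL")
            if verb in ("USER", "PASS"):
                if not tls_active:
                    return CLEAR, verb
                saw_login = True
        elif auth_pending and line.startswith("234"):
            tls_active = True
            auth_pending = False
    return (PROTECTED if saw_login else NO_LOGIN), None

# Constructed sample transcripts (not captured from a real server).
PLAIN = [("S", "220 ready"), ("C", "USER alice"),
         ("S", "331 need password"), ("C", "PASS example")]
FTPS = [("S", "220 ready"), ("C", "AUTH TLS"), ("S", "234 proceed"),
        ("C", "USER alice"), ("S", "331 need password"),
        ("C", "PASS example"), ("S", "230 logged in")]
# A "secure" client that falls back to plain login when AUTH is refused.
FALLBACK = [("S", "220 ready"), ("C", "AUTH TLS"),
            ("S", "504 not supported"), ("C", "USER alice")]

if __name__ == "__main__":
    for name, t in (("plain", PLAIN), ("ftps", FTPS), ("fallback", FALLBACK)):
        print(name, classify_session(t))
```

The FALLBACK transcript is the case the post warns about: the client supports encryption, but the login still crosses the wire unprotected because the upgrade never happened.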
-
Maybe I misunderstood your question, but here is an answer:
Although TigerShark and ss2chef are completely right, you can (virtually)
connect securely to that ftp server. However, it depends on services
comcast offers. IF they have a running SSH daemon and IF they allow for
port tunneling, you might be able to establish a secure ftp control channel
connection (21).
1. Locally, you have to install ssh [1].
2. Locally, make sure the commands "ssh" and "ftp" are known in the shell (cmd.exe)
3. Then: ssh -f -L 1234:upload.comcast.net:21 upload.comcast.net 'exec sleep 10' && \
ftp localhost 1234
That stuff is known as SSH port forwarding. It first creates a connection between your
computer (localhost) and the SSH-server (upload.comcast.net), if available! Then, you
use (being on the comcast-machine) that secure connection on port 1234 to connect to the FTP-server on upload.comcast.net.
The SSH daemon on upload.comcast.net forwards incoming traffic on 1234 to Port 21,
the ftp server.
Note: I hope I did not mess up with the ssh-flags. -f forks the process. I hope the
same option is available on windows OS.
[1] eg. http://www.openssh.com
/edit:
- you might write (immediately after login into the ftp-server): > passive
- [1+] That's what you need: http://prdownloads.sourceforge.net/s..._mirror=heanet
- This solution is a bit "weird": If comcast indeed offers a ssh-connection, they also
might offer an sftp/scp-connection ....
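An added example (not part of the original post) showing why forwarding only port 21 covers the control channel and not the file transfers: in passive mode the server announces a separate address and port for each data connection in its 227 reply (RFC 959), and that connection does not pass through the single `-L` forward. The server address 192.0.2.10, the reply text and the function names are constructed for illustration.

```python
import re

# 227 reply format from RFC 959: (h1,h2,h3,h4,p1,p2), port = p1*256 + p2
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def parse_pasv(reply):
    """Return (host, port) announced by the server for the data connection."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 passive-mode reply: %r" % reply)
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in %r" % reply)
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def data_channel_path(reply, local_forwards, use_control_peer=False):
    """Say where the data connection goes when the control channel is tunnelled.

    local_forwards: {local_port: (remote_host, remote_port)}, one per ssh -L rule.
    use_control_peer: True for clients that ignore the announced host and reuse
    the control connection's address (127.0.0.1 when going through the tunnel).
    """
    host, port = parse_pasv(reply)
    if use_control_peer:
        host = "127.0.0.1"
    if host.startswith("127."):
        # Only a matching -L listener can carry this connection over SSH.
        if local_forwards.get(port, (None, None))[1] == port:
            return "tunnelled", (host, port)
        return "fails: no local listener", (host, port)
    return "direct, unencrypted", (host, port)

# Constructed sample: the single forward from the post and a made-up reply.
FORWARDS = {1234: ("upload.comcast.net", 21)}
REPLY = "227 Entering Passive Mode (192,0,2,10,195,80)"

if __name__ == "__main__":
    print(data_channel_path(REPLY, FORWARDS))
    print(data_channel_path(REPLY, FORWARDS, use_control_peer=True))
```

Because the passive port changes per transfer, a fixed set of forwards cannot reliably cover it; the password is protected by the tunnel, the file contents and directory listings are not.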
-
Since the SSH suite allows tunneling of SFTP/SCP over SSH, I don't think it would be necessary to enable all the port forwarding games suggested by sec_ware. One critical thing that you didn't mention, at least not explicitly, was the OS involved (I am going to assume Windows by the mentioning of Microsoft docs).
There is a free SSH server that uses cygwin to run OpenSSH. I have never used it personally, but a co-worker says he uses it to tunnel Microsoft RDP over it. It can be found here:
http://sourceforge.net/projects/sshwindows/
As far as good clients go, my personal favorite is WinSCP; it has a very nice graphical front end and is something that I was able to show to my bosses to convince them to do away with FTP and replace it with SSH (because the client was pretty easy to use). It can be found here:
http://sourceforge.net/projects/winscp/
Good luck, the sooner you do away with FTP (which aside from it being clear text can cause other headaches with firewalls), the better.
-
ssh comes with a secure ftp service anyway, so the easiest way is to use this ssh ftp service instead of port tunneling :)
-
Quote:
Originally posted here by spike054
ssh comes with a secure ftp service anyway, so the easiest way is to use this ssh ftp service instead of port tunneling :)
Jep, absolutely, that's why I mentioned it in the /edit-section. Still, embarrassing that
I thought about it after writing the post :D
However, it's always good to go through these things from time to time. At least for
some of us.