Re: Is ssh not safe?

[Jason Costomiris <jcostom jasons org>]

On Jul 24, 2004, at 1:37 PM, Michael Sullivan wrote:

> I've been following the "Hack Attempts" thread and I've come to the
> conclusion that having my router route port 22 requests through to my
> server PC is not safe.

It's a whole lot safer than telnet and ftp.  What in reality may not be 
"safe" are the practices of your users.  One of the leading causes of 
intrusion is poor selection of passwords.

> Here's my situation.  I use my server PC for web
> hosting and email.  Most of my users access their accounts from outside
> the router (my network is based in my apartment and my wife and I are
> the only ones who use it here.)  I don't users telnetting in because of
> the security risk (I don't quite understand this, but I've read about 
> it
> in more than one place, so it's probably true), so I've enabled ssh so
> that they can log in and change their passwords if need be.

Correct, telnet is not safe.  Every single keystroke (including the 
username and password) pass over the wire in the clear.  Anyone between 
the sites could potentially intercept and use that information to 
compromise your system(s).  Anyone on the local network at either end 
could also observe the information passing on the wire.  Using ssh is 
the only reasonable alternative there - it's encrypted.

> They upload
> their web pages through FTP, supplying their username and password.

Bad move.  Clear passwords.  Use sftp.  Plenty of sftp clients are 
available, many are even free.