How to Securely Copy Files Using SCP
A computer common task required is to copy files securely from one location to another, usually across a network or the internet. Want to know how to do it securely?
FTP is Easily Sniffed!
FTP protocol sends passwords and data in clear text, so it is out of the question, though it is commonly used.
Wireshark Demo of Capturing FTP Passwords
Wireshark is a free tool should be in every IT professional (and hacker) toolkit. With it, you are able to see data on the wire which means you can tell, at the packet level exactly what is wrong, or in this example, exactly what the passwords are.
SSH and SCP
Obviously we don’t want to show anyone our passwords, or allow them access to our data, so lets look at a secure copy tool.
Most Linux systems have SSH though, and if it’s a windows system, there is always cygwin or windows ports of SSH (I like cygwin when I work on windows). With SSH we can use the scp command to transfer one or more files.
Once a server is setup, here are the simple commands to get or put files using scp, which is a secure protocol:
Get Files Securely Using SCP
To get a file from 192.168.0.1 called “remotefile.txt” and put it in the current directory:
scp email@example.com:/home/username/remotefile.txt .
To get an entire directory from 192.168.0.1 called “remotefiles” and put it in the current directory (-r means recursive):
scp -r firstname.lastname@example.org:/home/username/remotefiles/ .
Put Files Securely Using SCP
To put a single file from your localhost to the 192.168.0.1 in /home/username/passwords.xls:
scp passwords.xls email@example.com:/home/username/
To put an entire directory of mp3 files from localhost to 192.168.0.1 in the /home/username/mp3s/ folder(-r means recursive):
scp -r *.mp3 firstname.lastname@example.org:/home/username/
How to Reduce CPU Load While Using SCP
The disadvantage to encryption is the CPU load. The default encryption for scp is AES, which is plenty strong. But blowfish is also available, and is strong enough for most of our uses. The reason why you might use blowfish instead of AES is because of the HUGE CPU hit AES requires.
I was transferring several Gigabytes of data across a network and it kept the servers pegged on CPU during the transfer. Using other ciphers allows you to reduce the load on the CPU.
Throttling Bandwidth With SCP
So, I fixed the CPU spike, but others were getting washed out in the bandwidth traffic. Basically it was sending data as fast as the pipe could handle it and the network wasn’t up to speed (pun intended). But SCP has another trick up it’s sleeve. The rabbit scp pulled out of it’s hat is a command to throttle the bandwidth to tamer levels.
SCP Commands to Reduce CPU Load and Throttle Bandwidth
Here is the command to securely send a bunch of tgz files, while limiting CPU and respecting the network:
nice -19 scp -l 76800 -c blowfish -r *.tgz email@example.com:/home/username/
Note, that I’m using “nice” to limit my own cpu, but using blowfish reduces cpu on both ends of the encryption.
Is Blowfish Encryption Strong Enough?
Technically, AES is a much stronger encryption. But in reality, blowfish is plenty strong enough. It’s also a very old cipher, which means the community has had plenty of time to review, crack, and try to poke holes in it. Blowfish has stood the test of time.
The level of encryption is only one stage of your defense. It is more likely that one of these scenarios will cause the machine/files to be compromised:
- An unpatched vulnerability allows access to the machine, which gets your security keys and/or installs a rootkit
- An employee is careless and allows themselves to be socially hacked
- Someone is blackmailed or for profit gives up the data
- A keylogger is installed on one of the machines that connects
There are far greater threats to worry about than if blowfish can be cracked by an NSA grade computer system, in my opinion.
James Fraze is an IT Security Consultant with 20+ years in IT who contracts through Romack Inc and also writes IT related articles and can be reached at http://digitalcrunch.com/contact.