Verifying SFTP, not FTP

sftp

The hosting service for one site I manage seems to accept connections using FTP and SFTP using the same connection information. Because this site was hacked, likely through sniffing FTP, I want to be especially careful that setting client apps to use SFTP actually results in secure connections, and especially so because the hosting service – a very well-known company – does a very poor job at documenting the availability and use of SFTP for customers.

Is there a simple, client-app-independent way of verifying that there is or isn't an active SFTP connection with a particular server on Windows (XP or newer)? On MacOS 10.5+, GUI or unix shell?

"Simple": cheap (preferably a standard OS tool), easy to use, obvious results, preferably by lo-tech users.

TIA

Epilog

Blocking FTP access entirely may not be feasible for some users, but it certainly has promise as a simple, fairly definitive method of transiently proving that a particular connection isn't FTP, if FTP and SFTP are the only alternatives. Establish and verify that the connection works, then block FTP. These days, it's generally very simple to do so at the OS firewall. If the connection stops working, then the connection is obviously SFTP. (Or vice-versa.) That's a great answer to my basic query.

I'm aware that SFTP is a completely different protocol. Awkwardly, an important client application – web-authoring s/w from a major vendor – strongly implies the similarity by listing SFTP as a minor option beneath FTP. It is probably only a UI mis-design, but that's the source of my worry that SFTP connection failure might cause the app to fall back on FTP. Plus, my worry is increased by the fact that the hosting service uses exactly the same setup for SFTP, specifically "ftp.example.com". (Is that common? I expect a distinct host for SFTP, e.g., "sftp.example.com".) As I said, having been hacked, I'm paranoid.

Thanks all!

Best Answer

I think you might be coming at this with a misconception that SFTP is somehow derived from FTP and that an SFTP client might "fall back" to plain ol' FTP in the event that SFTP isn't being offered by a server computer.

SFTP is the SSH File Transfer Protocol, and it is transported over SSH (TCP port 22 on the server, by default). If the remote server isn't listening on TCP port 22 (which you can verify w/ TELNET) then, odds are, you're not going to be doing SFTP (unless they're running their SSH daemon on some non-standard port).

On *nix OSes and, presumably, MacOS X (since it's all Unix-ey), you can use the command-line sftp client from the OpenSSH project.

On Windows, the WinSCP client is a very nice graphical SFTP client.

The SFTP page on Wikipedia provides some links to various SFTP clients.

Securing an SFTP server is, mostly, just securing an SSH server. Not using password authentication, not allowing remote root logons, limiting the IPs that can make connections, etc.
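
The port check described in the answer can be scripted so the result is unambiguous. The following is an added example, not part of the original answer: it connects to ports 21 and 22 and classifies the server's greeting as SSH (the transport for SFTP) or plain FTP. The function names `classify_banner` and `probe` are illustrative, and the default host is the placeholder `ftp.example.com` from the question.

```python
"""Banner check: does a TCP port speak SSH (which carries SFTP) or plain FTP?"""
import socket
import sys


def classify_banner(data: bytes) -> str:
    """Classify the first bytes a server sends after the TCP connect."""
    for raw in data.splitlines():
        line = raw.decode("ascii", errors="replace").strip()
        # RFC 4253 section 4.2: the server identifies itself with
        # "SSH-<protoversion>-<software>"; other lines may precede it.
        if line.startswith("SSH-"):
            proto = line.split("-", 2)[1]
            # 2.0 is current SSH; 1.99 means "2.0 with 1.x compatibility".
            return "ssh" if proto in ("2.0", "1.99") else "ssh-legacy"
        # RFC 959: an FTP server greets with reply code 220 ("220 " or "220-").
        if line == "220" or line[:4] in ("220 ", "220-"):
            return "ftp"
    return "unknown"


def probe(host: str, port: int, timeout: float = 5.0) -> str:
    """Return ssh / ssh-legacy / ftp / unknown / closed for host:port."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed"  # refused, filtered, or unreachable
    with sock:
        try:
            return classify_banner(sock.recv(512))
        except OSError:
            return "unknown"  # port is open but no greeting arrived in time


if __name__ == "__main__":
    # Usage: python banner_check.py <host>
    host = sys.argv[1] if len(sys.argv) > 1 else "ftp.example.com"
    for port in (21, 22):
        print(f"{host}:{port} -> {probe(host, port)}")
```

This shows which protocol the server offers on each port, not which one a given client application actually used. To confirm the client's choice, combine it with the firewall test from the Epilog: block outbound port 21 and check that transfers still work.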