Is ssh not safe?

Mike Klinke lsomike at futzin.com
Sat Jul 24 18:01:23 UTC 2004


On Saturday 24 July 2004 12:37, Michael Sullivan wrote:
> I've been following the "Hack Attempts" thread and I've come to the
> conclusion that having my router route port 22 requests through to
> my server PC is not safe.  Here's my situation.  I use my server PC
> for web hosting and email.  Most of my users access their accounts
> from outside the router (my network is based in my apartment and my
> wife and I are the only ones who use it here.)  I don't want users
> telnetting in because of the security risk (I don't quite
> understand this, but I've read about it in more than one place, so
> it's probably true), so I've enabled ssh so that they can log in
> and change their passwords if need be.  They upload their web pages
> through FTP, supplying their username and password. Spammers try to
> use the mail server every day - I have to read about it in my daily
> Logwatch, but I don't think they ever succeed.  I should probably
> keep a closer eye on the logs.  Is there a way for users to change
> their passwords through their FTP clients?  Or is there a safer way
> to allow them to change their passwords?

You will have people trying to break into any service you offer:
telnet, ftp, ssh, smtp, etc.  If that service has
username:password access then you will see people trying well-known
attacks in order to gain access.  Some services customarily transmit
usernames:passwords in clear text for anyone capturing data to see;
ftp and telnet, for example.  Some services offer the ability to
configure for encrypted logins in order to make it much more
difficult to capture and read; ssh and smtp, for example.  In either
case, once a user account name has been discovered, an account with an
easy-to-guess password (any word found in a dictionary, for example)
is easily cracked and your machine is at the mercy of the cracker at
the other end of the connection.

Regards,  Mike Klinke
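
An added example, not part of the original message: the reply notes that guessing becomes dangerous once a real account name is known, and sshd's log lines distinguish failures against existing accounts from failures against unknown names ("invalid user", or "illegal user" in older OpenSSH releases). The sketch below summarizes that from log text; the sample lines, addresses, function names and threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in the usual sshd syslog format (not from the thread).
SAMPLE_LOG = """\
Jul 24 12:01:03 server sshd[2211]: Failed password for invalid user admin from 192.0.2.10 port 40022 ssh2
Jul 24 12:01:05 server sshd[2213]: Failed password for invalid user test from 192.0.2.10 port 40031 ssh2
Jul 24 12:01:09 server sshd[2215]: Failed password for alice from 192.0.2.10 port 40040 ssh2
Jul 24 12:01:12 server sshd[2217]: Failed password for alice from 192.0.2.10 port 40044 ssh2
Jul 24 12:01:15 server sshd[2219]: Failed password for alice from 192.0.2.10 port 40051 ssh2
Jul 24 12:03:40 server sshd[2230]: Failed password for illegal user guest from 198.51.100.7 port 51200 ssh2
Jul 24 12:05:02 server sshd[2241]: Accepted password for bob from 203.0.113.5 port 33010 ssh2
Jul 24 12:06:11 server sshd[2250]: Failed password for bob from 203.0.113.5 port 33020 ssh2
"""

# "invalid user" / "illegal user" marks a name that does not exist on the host.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<unknown>(?:invalid|illegal) user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def summarize_failures(log_text):
    """Return {ip: {"existing": {user: count}, "unknown": {user: count}}}."""
    summary = defaultdict(
        lambda: {"existing": defaultdict(int), "unknown": defaultdict(int)}
    )
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        kind = "unknown" if m.group("unknown") else "existing"
        summary[m.group("ip")][kind][m.group("user")] += 1
    return summary

def sources_targeting_real_accounts(log_text, threshold=3):
    """List (ip, user, count) where one source failed >= threshold times
    against an account that exists: the case worth a password review."""
    hits = []
    for ip, kinds in summarize_failures(log_text).items():
        for user, count in kinds["existing"].items():
            if count >= threshold:
                hits.append((ip, user, count))
    return sorted(hits)

if __name__ == "__main__":
    for ip, user, count in sources_targeting_real_accounts(SAMPLE_LOG):
        print(f"{ip}: {count} failed passwords for existing account {user!r}")
```

Accounts that show up in this list are the ones whose passwords most need to be checked against dictionary words.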




