[techtalk] FTP server

Martin.Caitlyn at epamail.epa.gov
Mon Apr 2 11:49:01 EST 2001


Hi, Julie, and everyone else,

> One of the things about programs like wuftp is that
> they have vulnerabilities because they are being used
> and maintained.  For my $0.02 I'd rather go with
> something like wuftp that is being maintained and poked
> and prodded than with something I've never heard of
> (and I'd never heard of oftpd before just now ...)

oftpd got an excellent write-up in the April issue of Linux Journal.  It
provides one thing other ftp daemons don't offer:  a really secure
anonymous ftp server.  Of course, that's all it is, an anonymous server for
downloads only.  It does not support uploads as far as I can tell, nor does
it support individual user accounts.  My understanding is that Keith needed
a secure anonymous or single user account ftp daemon, and if he didn't need
uploads oftpd would have fit the bill nicely and would have been far more
secure than wu-ftpd, especially considering he needed his ftp server to be
world accessible.  I don't know pureftp, which was recommended, but, at
first glance, proftpd seems to be a good, full featured alternative to wu.
My experience is way too limited to really judge it yet, though.

Just because lots of people poke at something doesn't mean that the
security threats aren't real.  Look at Microsoft Internet Explorer 5.5.
What a disaster!  It has security holes you can drive a Mack truck right
through without much effort.  Sure it's maintained and has a huge user
base.  That doesn't make it good.  I agree that oftpd or other ftp daemons
may have holes we don't know about because they haven't been fiddled with
as much, but if the authors did a good job and designed with security in
mind from the start, they probably have a better result than wu-ftpd.

I *wish* we could just train all our users to use ssh, sftp, and scp.  That
would be the real solution.  One thing we do for all our *nix servers here
is to use tcp_wrappers and limit access to a list or range of IP addresses,
which helps tremendously.  That isn't an option if you need the server to
be world accessible for downloads.  Even with wrappers passwords are being
sent over the network in the clear, and that can't be a good thing ever,
which is why I advocate sftp.

One of my responsibilities has been to bring a number of SGI servers
running IRIX up to security standards here at work.  The group in question
has been cracked and had systems tampered with twice.  Still, the users
fight the security measures tooth and nail and just don't get it.  To quote
one high and mighty scientist I support:  "Caitlyn, since you started
working here our job is much, much harder, and that just isn't acceptable."
Ummm... I didn't set the standards, nor did I break into his systems, and
he's just plain ready to shoot the messenger.  All we have done to him is
make him use secure tools instead of insecure ones where possible so that
he (and others) don't get cracked again.  Convincing end users that
security is important is like pulling teeth, and makes you far less popular
than a dentist :(

Regards,
Cait

----------------------------------------------------------------------------

Caitlyn M. Martin             martin.caitlyn at epa.gov
Systems Analyst              (919) 541-4441
Lockheed Martin
(a contractor for the US EPA)
----------------------------------------------------------------------------
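The tcp_wrappers access control Cait mentions above (restricting a daemon to a list or range of client addresses via /etc/hosts.allow and /etc/hosts.deny) is worth seeing worked through, because the decision order and the trailing-dot and net/mask patterns are where people get it wrong. The following is an added example written for this page; it is not code from the thread, from tcp_wrappers, or from any of the FTP daemons discussed. It re-implements the address-matching subset of tcpd's rules in Python over two constructed rule files. The daemon names (in.ftpd, sshd) and the address ranges (RFC 5737 documentation blocks) are illustrative assumptions; hostname patterns, reverse-DNS checks, wildcards such as LOCAL/KNOWN, and backslash continuation lines are not handled.

```python
import ipaddress

# Constructed sample access-control files in the layout tcp_wrappers reads from
# /etc/hosts.allow and /etc/hosts.deny. The daemon names and the address ranges
# (RFC 5737 documentation blocks) are illustrative assumptions, not values from
# the thread. "in.ftpd" is the conventional argv[0] of an inetd-started ftpd.
HOSTS_ALLOW = """
# daemon_list : client_list [: shell_command]
sshd     : 192.0.2.
in.ftpd  : 192.0.2. 198.51.100.0/255.255.255.0 EXCEPT 198.51.100.99
"""
HOSTS_DENY = """
ALL : ALL
"""


def parse_rules(text):
    """Return (daemon_tokens, client_tokens) for each non-comment rule.

    Only the first two colon-separated fields are used; the optional third
    field (a shell command tcpd would run) is ignored here.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        rules.append((daemons, clients))
    return rules


def match_client(pattern, ip):
    """Match one client pattern against a dotted-quad client address."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        # "192.0.2." matches every address whose leading octets are 192.0.2;
        # the trailing dot is what stops it from also matching 192.0.23.x.
        return ip.startswith(pattern)
    if "/" in pattern:
        # "net/mask": tcp_wrappers writes the mask in dotted form
        # (198.51.100.0/255.255.255.0); ipaddress accepts that and /24 alike.
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    return pattern == ip


def match_daemon(pattern, daemon):
    return pattern == "ALL" or pattern == daemon


def match_list(tokens, value, match_one):
    """Evaluate a token list, honouring 'list1 EXCEPT list2' (right-associative)."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return (match_list(tokens[:i], value, match_one)
                and not match_list(tokens[i + 1:], value, match_one))
    return any(match_one(t, value) for t in tokens)


def hosts_access(daemon, client_ip, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """Decide as tcpd does: the first match in hosts.allow permits, then the
    first match in hosts.deny refuses, and a connection matching neither file
    is allowed (so a deny file without 'ALL : ALL' leaves the daemon open)."""
    for daemons, clients in parse_rules(allow):
        if match_list(daemons, daemon, match_daemon) and match_list(clients, client_ip, match_client):
            return True
    for daemons, clients in parse_rules(deny):
        if match_list(daemons, daemon, match_daemon) and match_list(clients, client_ip, match_client):
            return False
    return True


if __name__ == "__main__":
    for daemon, ip in [("in.ftpd", "192.0.2.7"), ("in.ftpd", "198.51.100.5"),
                       ("in.ftpd", "198.51.100.99"), ("in.ftpd", "203.0.113.1"),
                       ("sshd", "198.51.100.5")]:
        print(f"{daemon:8} {ip:15} -> {'allow' if hosts_access(daemon, ip) else 'deny'}")
```

Two practical caveats that the rule files themselves do not make obvious: the checks only apply to daemons started through tcpd from inetd or built against libwrap, so a standalone ftpd that ignores hosts.allow is not protected by them at all; and, as Cait says, a permitted client still sends its password in the clear, so the wrappers narrow who can talk to the daemon without fixing what is said over the wire.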


Julie <jockgrrl at ix.netcom.com>
Sent by: techtalk-admin at linuxchix.org
03/31/01 01:02 AM
To: Keith Barringer <zx2dragon at yahoo.com>, techtalk at linuxchix.org
cc:
Subject: Re: [techtalk] FTP server

From: Keith Barringer <zx2dragon at yahoo.com>
> I've been assigned the task of setting up an FTP
> server at work.  I am very new to Linux and have
> currently loaded Mandrake 7.2 because I am familiar
> with it.
>
> I d/l OFTPD, but it appears to only be a server to do
> downloads from and I need something that can act as a
> file transfer point for users out in the field.
>
> I was thinking of using wu, but with all of the
> vulnerabilities that were just released, I'm not that
> sure about using it.

One of the things about programs like wuftp is that
they have vulnerabilities because they are being used
and maintained.  For my $0.02 I'd rather go with
something like wuftp that is being maintained and poked
and prodded than with something I've never heard of
(and I'd never heard of oftpd before just now ...)

-- Julie.


_______________________________________________
techtalk mailing list
techtalk at linuxchix.org
http://www.linux.org.uk/mailman/listinfo/techtalk