Subject: Re: ProFTP security
From: Rich Lafferty (rich@alcor.concordia.ca)
Date: Wed Sep 29 1999 - 08:44:48 MDT
Quoting Jason P. Stanford (jps3@lehigh.edu) from Wed, Sep 29, 1999 at 08:17:14AM -0400:
> All:
>
> I've been updating ProFTP according to the updates posted on this
> mailing list, and currently have pre7 installed (the latest, I believe).
> I was wondering just how secure it is? Are the security holes that have
> been found recently very dangerous, or a mild annoyance? Is is "safe"
> for me to turn ftp services back on?
I'm probably beginning to sound like a broken record on this..
I've added ProFTPd to my "things that will never appear on a machine
for which I'm responsible" list. The find-bug-fix-bug game has been
going on for weeks now, and each time they're *sure* that it's secure,
only to have something else found -- usually, something trivially
obvious -- that they overlooked.
The ProFTPd people think that pre7 is secure. They also thought that
pre3 through pre6 were secure, and were wrong about that. (I can't
remember the history of releases prior to pre3.)
Unless ProFTPd offers some features that you really need above and
beyond standard FTP stuff, I'd recommend going with the port of
openbsd's ftpd to Linux (which builds clean as a whistle; would people
be interested in an RPM of this?). It's solid as a rock and requires
very little attention whatsoever. If all you want is to offer
anonymous FTP, then Dan Bernstein has an anonftpd which adds security
by completely omitting functionality which, although part of the FTP
RFC, isn't required for anonymous ftp.
For what it's worth, the SuSE Linux distribution has decided that it
will no longer offer ProFTPd nor Wu-FTPd because of the constant bug
race that I described above (wu is nearly as bad as pro), and are
shipping with the stock OpenBSD port. It's my opinion that YDL might
consider doing the same, at least for the 'standard' one, especially
since the YDL target market seem to be new admins in the majority of
cases.
> Also, on a related note, what's a good place to start learning about
> basic to advanced network security. I am not looking to crack down on
> users and system resources, I just want enough knowledge to track
> attempts and exploits and handle them accordingly.
Well, the best starting point is to get a really good general unix
administration manual. Evi Nemeth's _Unix System Administration
Handbook_ is excellent but expensive. O'Reilly publishes Spaf's
_Practical Unix and Internet Security_ which is also useful. On
the Web, there's CERT <http://www.cert.org/> and COAST
<http://www.cs.purdue.edu/coast/> as starting points.
> I am of the opinion that a convenient system is a productive system
> for its users. I would hate to have to implement strict, draconian
> rules and regulations out of fear of the system going belly up.
Security and convenience aren't necessarily that opposed -- some
common-sense restrictions on users are usually necessary (such as on
password maintenance, account sharing, illegal activities, etc) but a
well-maintained system can remain well-maintained without putting too
much work on the backs of the users.
> I will be a bit paranoid until this department sees fit to cough up
> the dough for a tape drive!
And rightfully so! Do you have an extra hard drive onto which you can
backup, say, /etc and /home, at least?
-r.
-- ------------------------------ Rich Lafferty --------------------------- Sysadmin/Programmer, Information and Instructional Technology Services Concordia University, Montreal, QC (514) 848-7625 ------------------------- rich@alcor.concordia.ca ----------------------
This archive was generated by hypermail 2a24 : Fri Oct 01 1999 - 16:13:45 MDT