Re: ProFTP security


Subject: Re: ProFTP security
From: Dan Burcaw (dburcaw@terraplex.com)
Date: Wed Sep 29 1999 - 14:48:32 MDT


Note that we are considering which ftp servers to use in future versions.
Where can I find OpenBSD's ftpd? That might be worth a look..

Dan

On Wed, 29 Sep 1999, Rich Lafferty wrote:

> Quoting Jason P. Stanford (jps3@lehigh.edu) from Wed, Sep 29, 1999 at 08:17:14AM -0400:
> > All:
> >
> > I've been updating ProFTP according to the updates posted on this
> > mailing list, and currently have pre7 installed (the latest, I believe).
> > I was wondering just how secure it is? Are the security holes that have
> > been found recently very dangerous, or a mild annoyance? Is it "safe"
> > for me to turn ftp services back on?
>
> I'm probably beginning to sound like a broken record on this..
>
> I've added ProFTPd to my "things that will never appear on a machine
> for which I'm responsible" list. The find-bug-fix-bug game has been
> going on for weeks now, and each time they're *sure* that it's secure,
> only to have something else found -- usually, something trivially
> obvious -- that they overlooked.
>
> The ProFTPd people think that pre7 is secure. They also thought that
> pre3 through pre6 were secure, and were wrong about that. (I can't
> remember the history of releases prior to pre3.)
>
> Unless ProFTPd offers some features that you really need above and
> beyond standard FTP stuff, I'd recommend going with the port of
> openbsd's ftpd to Linux (which builds clean as a whistle; would people
> be interested in an RPM of this?). It's solid as a rock and requires
> very little attention whatsoever. If all you want is to offer
> anonymous FTP, then Dan Bernstein has an anonftpd which adds security
> by completely omitting functionality which, although part of the FTP
> RFC, isn't required for anonymous ftp.
>
> For what it's worth, the SuSE Linux distribution has decided that it
> will no longer offer ProFTPd nor Wu-FTPd because of the constant bug
> race that I described above (wu is nearly as bad as pro), and are
> shipping with the stock OpenBSD port. It's my opinion that YDL might
> consider doing the same, at least for the 'standard' one, especially
> since the YDL target market seems to be new admins in the majority of
> cases.
>
> > Also, on a related note, what's a good place to start learning about
> > basic to advanced network security. I am not looking to crack down on
> > users and system resources, I just want enough knowledge to track
> > attempts and exploits and handle them accordingly.
>
> Well, the best starting point is to get a really good general unix
> administration manual. Evi Nemeth's _Unix System Administration
> Handbook_ is excellent but expensive. O'Reilly publishes Spaf's
> _Practical Unix and Internet Security_ which is also useful. On
> the Web, there's CERT <http://www.cert.org/> and COAST
> <http://www.cs.purdue.edu/coast/> as starting points.
>
> > I am of the opinion that a convenient system is a productive system
> > for its users. I would hate to have to implement strict, draconian
> > rules and regulations out of fear of the system going belly up.
>
> Security and convenience aren't necessarily that opposed -- some
> common-sense restrictions on users are usually necessary (such as on
> password maintenance, account sharing, illegal activities, etc) but a
> well-maintained system can remain well-maintained without putting too
> much work on the backs of the users.
>
> > I will be a bit paranoid until this department sees fit to cough up
> > the dough for a tape drive!
>
> And rightfully so! Do you have an extra hard drive onto which you can
> backup, say, /etc and /home, at least?
>
> -r.
>
> --
> ------------------------------ Rich Lafferty ---------------------------
> Sysadmin/Programmer, Information and Instructional Technology Services
> Concordia University, Montreal, QC (514) 848-7625
> ------------------------- rich@alcor.concordia.ca ----------------------
>
>

Dan

Terra Soft Solutions, Inc.
   Yellow Dog Linux
   "The Ultimate Companion for a Dedicated Server"
   http://www.yellowdoglinux.com/
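Rich's closing suggestion, dumping /etc and /home onto a spare drive until a tape unit arrives, is easy to get half right. The script below is an added example written for this archive page, not something posted in the thread or shipped by YDL or Terra Soft. It assumes the spare disk is already mounted somewhere (the usage comment uses /mnt/backup as a placeholder); it writes a dated, mode-0600 tarball that keeps ownership and permissions, reads the archive back before reporting success, and records a SHA-256 checksum so a later restore can tell whether the copy is still what was written.

```shell
#!/bin/sh
# Added example: dated backup of directories onto a spare disk.
# Not from the mailing-list thread; /mnt/backup below is an assumed
# mount point. Usage: backup_dirs DEST_DIR SRC_DIR [SRC_DIR...]
#   e.g.  backup_dirs /mnt/backup /etc /home
set -u

# sha256sum (GNU coreutils) or shasum (BSD/macOS), whichever exists.
sum_tool() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$@"
    else
        shasum -a 256 "$@"
    fi
}

# Create DEST/backup-<stamp>.tar.gz from the given source directories.
# Prints the archive path on success; returns non-zero (and leaves no
# half-written archive behind) on any failure.
backup_dirs() {
    dest="$1"; shift
    [ -d "$dest" ] || { echo "destination $dest is not a directory" >&2; return 1; }
    [ $# -gt 0 ] || { echo "no source directories given" >&2; return 1; }
    # Refuse a missing source outright rather than silently producing a
    # partial archive that looks complete.
    for src in "$@"; do
        [ -d "$src" ] || { echo "source $src is not a directory" >&2; return 1; }
    done

    stamp=$(date +%Y%m%d-%H%M%S)
    archive="$dest/backup-$stamp.tar.gz"
    name=$(basename "$archive")

    # /etc/shadow and users' private files end up inside this archive,
    # so create it with a restrictive mode (umask in a subshell so the
    # caller's umask is untouched). -p preserves ownership and modes so a
    # restore reproduces the original permissions.
    if ! ( umask 077; tar -czpf "$archive" "$@" ); then
        rm -f "$archive"
        return 1
    fi

    # Read the archive back end-to-end before trusting it: a tarball that
    # was cut short by a full disk still "exists" but will not restore.
    if ! tar -tzf "$archive" >/dev/null; then
        rm -f "$archive"
        return 1
    fi

    # Checksum the result so tampering or bit rot shows up at verify time.
    ( umask 077; cd "$dest" && sum_tool "$name" > "$name.sha256" ) || return 1
    echo "$archive"
}

# Re-check an archive against its stored checksum. Returns 0 if intact.
verify_backup() {
    archive="$1"
    dir=$(dirname "$archive")
    name=$(basename "$archive")
    [ -f "$archive.sha256" ] || { echo "no checksum for $archive" >&2; return 1; }
    ( cd "$dir" && sum_tool -c "$name.sha256" >/dev/null )
}

# Stand-alone use: ./backup.sh /mnt/backup /etc /home
if [ $# -gt 0 ]; then
    backup_dirs "$@" && echo "backup ok"
fi
```

Run it from cron as root so /etc/shadow and every home directory are readable, and keep the spare disk mounted read-only (or unmounted) between runs; a backup that sits permanently writable next to the system it protects is the first thing an intruder with root will delete.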



This archive was generated by hypermail 2a24 : Fri Oct 01 1999 - 16:13:45 MDT