FTP Server

Blake Barnett plug-discuss@lists.plug.mybutt.net
17 Jan 2002 10:49:31 -0700


On Wed, 2002-01-16 at 20:12, Craig White wrote:
> More importantly, there is a very robust method for keeping these things
> up to date on a redhat system - it's called up2date and it will
> automatically download and update installed daemons when system
> advisories require updating. Say I install a proftpd or pure-ftpd on a
> system but the security advisories that I get from redhat will never
> mention them because they don't include them, and it never gets
> updated...how smart is that? I can tell you from my very limited
> perspective, it's much smarter for me to use wu-ftpd as part of the
> redhat package and it gets updated frequently by my running "up2date -u"
> which will update all the packages installed on my system (or profile)
> as opposed to having to consider the security implications of a
> 'foreign' ftp server that redhat doesn't support.

Wow, you really bought into RedHat's marketing tactics.  RedHat *IS*
Linux, right?  :)

> 
> I wonder if all those preaching switching the
> standard/supported/maintained ftp daemon for one that will require some
> effort in updating, linking libraries, security implications etc... why
> they are still using bind, openssh and other daemons that likewise have
> a storied history of security advisories?

Under that logic, Windows NT 4 is the most secure OS in the world.  

BIND & OpenSSH are the only viable options in those categories.  There
may be worthwhile replacements for BIND, but unless you want to pay for
the commercial SSH products there's nothing else.

> 
> Lastly, if security through obscurity (or statistically insignificant
> marketshare - hence statistically insignificant exploit efforts) is
> desired, may I recommend Macintosh OS 9?

This sounds eerily like a statement made by Microsoft about the Full
Disclosure fiasco recently.

The fact of the matter is, FTP is an inherently hard protocol to
secure.  If you want secure file transfers go for SSH/SCP, s-ftp, or
even ftp over SSL.  If you want functionality, there's nothing wrong
with wu-ftpd, it works quite nicely.  If you want at least the false
sense of security associated with applications designed from the ground
up with security in mind, go for pureftpd, vsftpd or proftpd.  In the
end it doesn't matter that much which one you choose as long as you are
vigilant and monitor security lists, and fix any problems that arise. 
It's all about using whatever tool is right for the task at hand.

> 
> Craig
-- 
Blake Barnett (bdb)  <blake.barnett@developonline.com>
Sr. Unix Administrator
DevelopOnline.com                 office: 480-377-6816

Learning is a skill, you get better at it with practice.