FTP Server

Brian Cluff plug-discuss@lists.plug.mybutt.net
Thu, 17 Jan 2002 11:25:49 -0700 

> Now we have two people making this statement but it completely
> disregards the reality of the situation. If you look at
> <http://www.woodstone.nu/ftpstats/ftp_all.htm> you will see that wu-ftpd
> completely dominates the ftp market which is a good reason that there
> have been more exploits out there for that daemon server and less for
> statistically insignificant daemons.

I may be wrong about this, but a lot of the newer daemons are written a
little different that wu-ftpd.  They are written so that they only run a
root long enough for them to obtain a port lower than 1000 and then the
immediatly switch to something else, where wu runs as room all the time.
Now they are probably equally hard to cause a buffer overrun in, but the big
difference being that with proftpd and some of the others, when someone does
do that with the intent of causeing hard they get some lowly account that
will be hard to do any damage in rather than a full on root exploit.

> More importantly, there is a very robust method for keeping these things
> up to date on a redhat system - it's called up2date and it will
> automatically download and update installed daemons when system
> advisories require updating. Say I install a proftpd or pure-ftpd on a
> system but the security advisories that I get from redhat will never
> mention them because they don't include them, and it never gets
> updated...how smart is that? I can tell you from my very limited
> perspective, it's much smarter for me to use wu-ftpd as part of the
> redhat package and it gets updated frequently by my running "up2date -u"
> which will update all the packages installed on my system (or profile)
> as opposed to having to consider the security implications of a
> 'foreign' ftp server that redhat doesn't support.

I was speaking from experience with wu-ftpd.  I would run out and get the
latest version of wu whenever they even hinted that there was a problem with
it and I still got cracked more than once with that stupid daemon.

> I wonder if all those preaching switching the
> standard/supported/maintained ftp daemon for one that will require some
> effort in updating, linking libraries, security implications etc... why
> they are still using bind, openssh and other daemons that likewise have
> a storied history of security advisories?

I use mandrake and by default it installs proftpd.  Wu is still available
for those that have to have it for some reason.  So I AM sticking with the
standard install.  Of  course I have yet to have a mandrake box cracked at
all, even if I didn't update it, where as I have had redhat cracked sevral
times and almost always with all the latest security patches.

Brian Cluff