FTP Server

Armand plug-discuss@lists.plug.mybutt.net
Thu, 17 Jan 2002 17:53:51 -0700


Blake Barnett wrote:
[snip]
> 
> The fact of the matter is, FTP is an inherently hard protocol to
> secure.  If you want secure file transfers go for SSH/SCP, s-ftp, or
> even ftp over SSL.  If you want functionality, there's nothing wrong
> with wu-ftpd, it works quite nicely.  If you want at least the false
> sense of security associated with applications designed from the ground
> up with security in mind, go for pureftpd, vsftpd or proftpd.  In the
> end it doesn't matter that much which one you choose as long as you are
> vigilant and monitor security lists, and fix any problems that arise.
> It's all about using whatever tool is right for the task at hand.
>

I concur; incidentally, this was recently posted at:

http://linux.oreillynet.com/pub/a/linux/2002/01/14/insecurities.html
 
ProFTPD

The ProFTPD FTP daemon is vulnerable to a denial-of-service attack and a
problem in resolving some host names properly. The denial-of-service
attack can be used by a remote attacker to cause ProFTPD to consume all of
the CPU and memory on the server. The resolution problem is caused by
ProFTPD not properly forward-resolving reverse-resolved host names, and
could be used by an attacker to get around ProFTPD access control lists or
to log incorrect host names.

Users should consider upgrading ProFTPD to version 1.2.5rc1 or newer.

Cheers,
Armand
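
The host-name resolution flaw in the quoted advisory comes down to one missing step: a PTR record is published by whoever controls the client's address block, so a name obtained by reverse lookup must be resolved forward again and confirmed to contain the original address before it is used in an allow/deny rule or written to a log. The block below is an added example that is not part of Armand's message, the O'Reilly article, or ProFTPD's own code; it contrasts a reverse-only check with a forward-confirmed (FCrDNS) check over a constructed DNS table in which the attacker at 203.0.113.7 has forged a PTR record claiming to be gateway.trusted.example. The addresses, names, and function names are all assumptions made for the demonstration; the two `live_*` lookups use the system resolver and are only there to show how the same check is wired to real DNS.

```python
"""Forward-confirmed reverse DNS (FCrDNS) for host-name based access control.

Added example, not ProFTPD code.  The DNS tables below are constructed for
the demo: 203.0.113.7 (attacker) publishes a PTR record that lies about its
name, 198.51.100.20 is the genuine gateway.trusted.example.
"""
import socket
from typing import Callable, Iterable, List

# --- Constructed DNS data for offline demonstration (not real records) ---
FAKE_PTR = {
    "203.0.113.7": "gateway.trusted.example",    # forged reverse record
    "198.51.100.20": "gateway.trusted.example",  # legitimate reverse record
}
FAKE_A = {
    "gateway.trusted.example": ["198.51.100.20"],
}

PtrLookup = Callable[[str], List[str]]
FwdLookup = Callable[[str], List[str]]


def fake_ptr_lookup(ip: str) -> List[str]:
    """Reverse lookup against the constructed table."""
    return [FAKE_PTR[ip]] if ip in FAKE_PTR else []


def fake_fwd_lookup(name: str) -> List[str]:
    """Forward lookup against the constructed table."""
    return FAKE_A.get(name, [])


def live_ptr_lookup(ip: str) -> List[str]:
    """Real reverse lookup via the system resolver (not used by the demo)."""
    try:
        host, aliases, _ = socket.gethostbyaddr(ip)
        return [host] + aliases
    except OSError:  # socket.herror / socket.gaierror are OSError subclasses
        return []


def live_fwd_lookup(name: str) -> List[str]:
    """Real forward lookup via the system resolver (not used by the demo)."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except OSError:
        return []


def name_in_domains(name: str, domains: Iterable[str]) -> bool:
    """True if name equals a domain or is a subdomain of it.

    A plain endswith() would let evil-trusted.example match trusted.example,
    so the label boundary is checked explicitly.
    """
    name = name.rstrip(".").lower()
    for d in domains:
        d = d.rstrip(".").lower()
        if name == d or name.endswith("." + d):
            return True
    return False


def reverse_only_allowed(ip: str, domains: Iterable[str],
                         ptr: PtrLookup = fake_ptr_lookup) -> bool:
    """Weak check: trusts whatever name the PTR record returns."""
    return any(name_in_domains(n, domains) for n in ptr(ip))


def confirmed_names(ip: str, ptr: PtrLookup = fake_ptr_lookup,
                    fwd: FwdLookup = fake_fwd_lookup) -> List[str]:
    """Names from the PTR lookup whose forward records include ip."""
    return [n for n in ptr(ip) if ip in fwd(n)]


def fcrdns_allowed(ip: str, domains: Iterable[str],
                   ptr: PtrLookup = fake_ptr_lookup,
                   fwd: FwdLookup = fake_fwd_lookup) -> bool:
    """Hardened check: only forward-confirmed names count for the ACL."""
    return any(name_in_domains(n, domains) for n in confirmed_names(ip, ptr, fwd))


def log_name(ip: str, ptr: PtrLookup = fake_ptr_lookup,
             fwd: FwdLookup = fake_fwd_lookup) -> str:
    """Name to write to the log: a confirmed name, else the raw address."""
    names = confirmed_names(ip, ptr, fwd)
    return names[0] if names else ip


if __name__ == "__main__":
    allow = ["trusted.example"]
    for client in ("203.0.113.7", "198.51.100.20", "192.0.2.99"):
        print(client, "reverse-only:", reverse_only_allowed(client, allow),
              "fcrdns:", fcrdns_allowed(client, allow),
              "logged as:", log_name(client))
```

Run stand-alone, the script shows the reverse-only rule admitting the attacker because the forged PTR name matches the allow list, while the forward-confirmed rule rejects it and logs the bare address instead of the forged name. To use the check against real DNS, pass `live_ptr_lookup` and `live_fwd_lookup` as the `ptr` and `fwd` arguments.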