All I'm going to say about this reply Blake is -- Nice

Respect
Nige

----- Original Message -----
From: "Blake Barnett"
To:
Sent: Thursday, January 17, 2002 10:49 AM
Subject: Re: FTP Server

> On Wed, 2002-01-16 at 20:12, Craig White wrote:
> > More importantly, there is a very robust method for keeping these things
> > up to date on a redhat system - it's called up2date and it will
> > automatically download and update installed daemons when system
> > advisories require updating. Say I install a proftpd or pure-ftpd on a
> > system but the security advisories that I get from redhat will never
> > mention them because they don't include them, and it never gets
> > updated...how smart is that? I can tell you from my very limited
> > perspective, it's much smarter for me to use wu-ftpd as part of the
> > redhat package and it gets updated frequently by my running "up2date -u"
> > which will update all the packages installed on my system (or profile)
> > as opposed to having to consider the security implications of a
> > 'foreign' ftp server that redhat doesn't support.
>
> Wow, you really bought into RedHat's marketing tactics. RedHat *IS*
> Linux, right? :)
>
> >
> > I wonder if all those preaching switching the
> > standard/supported/maintained ftp daemon for one that will require some
> > effort in updating, linking libraries, security implications etc... why
> > they are still using bind, openssh and other daemons that likewise have
> > a storied history of security advisories?
>
> Under that logic, Windows NT 4 is the most secure OS in the world.
>
> BIND & OpenSSH are the only viable options in those categories. There
> may be worthwhile replacements for BIND, but unless you want to pay for
> the commercial SSH products there's nothing else.
>
> >
> > Lastly, if security through obscurity (or statistically insignificant
> > marketshare - hence statistically insignificant exploit efforts) is
> > desired, may I recommend Macintosh OS 9?
>
> This sounds eerily like a statement made by Microsoft about the Full
> Disclosure fiasco recently.
>
> The fact of the matter is, FTP is an inherently hard protocol to
> secure. If you want secure file transfers go for SSH/SCP, s-ftp, or
> even ftp over SSL. If you want functionality, there's nothing wrong
> with wu-ftpd, it works quite nicely. If you want at least the false
> sense of security associated with applications designed from the ground
> up with security in mind, go for pureftpd, vsftpd or proftpd. In the
> end it doesn't matter that much which one you choose as long as you are
> vigilant and monitor security lists, and fix any problems that arise.
> It's all about using whatever tool is right for the task at hand.
>
> >
> > Craig
> --
> Blake Barnett (bdb)
> Sr. Unix Administrator
> DevelopOnline.com office: 480-377-6816
>
> Learning is a skill, you get better at it with practice.
>
> ________________________________________________
> See http://PLUG.phoenix.az.us/navigator-mail.shtml if your mail doesn't post to the list quickly and you use Netscape to write mail.
>
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.mybutt.net
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>