FTP Server
Nancy Sollars
plug-discuss@lists.plug.mybutt.net
Thu, 17 Jan 2002 12:24:00 -0700
All I'm going to say about this reply, Blake, is -- Nice
Respect
Nige
----- Original Message -----
From: "Blake Barnett" <blake.barnett@developonline.com>
To: <plug-discuss@lists.plug.mybutt.net>
Sent: Thursday, January 17, 2002 10:49 AM
Subject: Re: FTP Server
> On Wed, 2002-01-16 at 20:12, Craig White wrote:
> > More importantly, there is a very robust method for keeping these things
> > up to date on a redhat system - it's called up2date and it will
> > automatically download and update installed daemons when system
> > advisories require updating. Say I install a proftpd or pure-ftpd on a
> > system but the security advisories that I get from redhat will never
> > mention them because they don't include them, and it never gets
> > updated...how smart is that? I can tell you from my very limited
> > perspective, it's much smarter for me to use wu-ftpd as part of the
> > redhat package and it gets updated frequently by my running "up2date -u"
> > which will update all the packages installed on my system (or profile)
> > as opposed to having to consider the security implications of a
> > 'foreign' ftp server that redhat doesn't support.
>
> Wow, you really bought into RedHat's marketing tactics. RedHat *IS*
> Linux, right? :)
>
> >
> > I wonder if all those preaching switching the
> > standard/supported/maintained ftp daemon for one that will require some
> > effort in updating, linking libraries, security implications etc... why
> > they are still using bind, openssh and other daemons that likewise have
> > a storied history of security advisories?
>
> Under that logic, Windows NT 4 is the most secure OS in the world.
>
> BIND & OpenSSH are the only viable options in those categories. There
> may be worthwhile replacements for BIND, but unless you want to pay for
> the commercial SSH products there's nothing else.
>
> >
> > Lastly, if security through obscurity (or statistically insignificant
> > marketshare - hence statistically insignificant exploit efforts) is
> > desired, may I recommend Macintosh OS 9?
>
> This sounds eerily like a statement made by Microsoft about the Full
> Disclosure fiasco recently.
>
> The fact of the matter is, FTP is an inherently hard protocol to
> secure. If you want secure file transfers go for SSH/SCP, s-ftp, or
> even ftp over SSL. If you want functionality, there's nothing wrong
> with wu-ftpd, it works quite nicely. If you want at least the false
> sense of security associated with applications designed from the ground
> up with security in mind, go for pureftpd, vsftpd or proftpd. In the
> end it doesn't matter that much which one you choose as long as you are
> vigilant and monitor security lists, and fix any problems that arise.
> It's all about using whatever tool is right for the task at hand.
>
> >
> > Craig
> --
> Blake Barnett (bdb) <blake.barnett@developonline.com>
> Sr. Unix Administrator
> DevelopOnline.com office: 480-377-6816
>
> Learning is a skill, you get better at it with practice.
>