[fw-wiz] OT: Summary - FTP Servers
From: John Smith (john.smith_at_minolta-qms.com)
Date: 06/12/03
To: firewall-wizards <firewall-wizards@honor.icsalabs.com>
Date: Thu, 12 Jun 2003 11:31:16 -0500
Hello All,
First, thanks to everyone who responded. Thanks to the rest of the
list for their patience with the off-topic posting.
Second, I wanted to post a summary of the responses. Most people
responded both to me and the list, but some didn't.
Of those who commented, the consensus was *not* to use WU-FTPD - its
day has come and gone.
Several people suggested abandoning the FTP protocol if possible and
using HTTP. Unfortunately that does not fit our requirements, but this
suggestion is making us rethink how we are doing some things (which is a
good thing).
Publicfile (http://cr.yp.to/publicfile.html) received the most
responses for those needing download-only FTP. Unfortunately we have to
provide some upload capability. Otherwise I would look long and hard at
publicfile. As a side note there were some suggestions not to use the
HTTP server in publicfile for various reasons, age and logging format
being the main ones.
After publicfile two products received the highest number of
recommendations: vsFTPD (http://vsftpd.beasts.org) and Proftp
(http://www.proftpd.org). The only complaint about vsFTPD was weak
documentation, although one person stated that the man pages were good.
The main complaint about Proftp was a concern about it becoming too
feature rich, bringing up security questions due to the increased
features/code growth. One person also questioned Proftp's security
history, but no details were provided.
Doing a quick search of the vulnerabilities database on the
SecurityFocus web site (www.securityfocus.com) turns up one
vulnerability in vsFTP, and it was an improperly compiled version of
vsFTP released with RedHat 9.0. Doing the same search for Proftp turned
up eight vulnerabilities.
After these, I generally received one recommendation each for the
following: Pure-ftpd (http://www.pureftpd.org), SFTP, TNFTP
(ftp://ftp.netbsd.org/pub/NetBSD/misc/tnftp) and whichever vendor daemon
comes with the OS we have chosen.
Finally, there was a mention of FTP/TLS
(http://www.ford-hutchinson.com/~fh-1-pfh/ftps-ext.html) and a document
from IBM
(http://oss.software.ibm.com/linux/papers/security/Securing_Linux_Servers_xSP.pdf).
The document from IBM recommends both vsFTP and Proftp.
Thanks again to everyone for your help.
John
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards