Re: How safe are FTP servers?
On 2007-05-17, General Schvantzkoph <schvantzkoph@xxxxxxxxx> wrote:

> I've tried to avoid FTP because it uses passwords instead of RSA keys and
> I don't want to be subject to password guessing attacks. Now that I'm
> stuck with an FTP server I'd like to know if I've just been overly
> paranoid. How safe is an FTP server? What else should I do to secure my
> network?

How safe is largely a function of which ftp server. IME proftpd is
fairly good; vsftpd is also quite good. Historically wu-ftpd has not
been very secure, but I have not used it or read anything about it in
some time.

Aside from that, your largest concern would be password sniffing.
Question: if you are using this ftp server to distribute code, would it
make sense to use anonymous FTP? This way there's no password to be
sniffed. If that's not an option, then you could consider running your
ftp daemon in a chroot'd environment, and not allowing PUT requests at
all. Give each user who needs to retrieve your code a minimal
unwritable home directory under the chroot, and/or make each user's home
be a directory where you copy only the code they need to download. If a
user's password is sniffed, all the cracker can do is retrieve the files
you've allowed your user to retrieve; he can't even upload any cracking
tools to help him gain a shell from the ftp daemon.

You can also set up a secure web server, if your defense company client
allows https: through their firewall. For distributing files to
authorized users, this might actually be an easier option than the ftp
scenarios I describe.

The main problem with my suggestions is that they are one-way. If your
clients need to copy data to you, you need some other way. You can set
up a CGI on a secure web server to upload data, if password-sniffing is
more of a concern than ease of setup (since regular ftp will be a lot
easier to deal with; you've already done it, after all).

--keith

--
kkeller-usenet@xxxxxxxxxxxxxxxxxxxxxxxxxx
(try just my userid to email me)
AOLSFAQ=http://www.therockgarden.ca/aolsfaq.txt
see X- headers for PGP signature information
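The advice above (chroot the daemon, refuse uploads so a sniffed password only yields reads, keep anonymous access download-only if you use it) maps onto a handful of vsftpd directives. The following is an added example, not code from the post or from the vsftpd project: it parses a vsftpd-style key=value config and flags the settings that contradict that advice. The two sample configurations are constructed; the directive names (write_enable, chroot_local_user, anonymous_enable, anon_upload_enable, anon_mkdir_write_enable, local_enable) and their defaults are taken from vsftpd's documented behaviour and are the only assumption.

```python
"""Audit a vsftpd-style config against the hardening described in the post:
no uploads (write_enable=NO), local users chrooted (chroot_local_user=YES),
and no anonymous writes if anonymous access is enabled.

Added example; not code from the original post or from vsftpd itself.
Assumes vsftpd directive names and vsftpd's upstream defaults
(anonymous_enable=YES, local_enable=NO, write_enable=NO,
 chroot_local_user=NO, anon_*_enable=NO).
"""

# Constructed sample: a typical permissive setup for local users.
WEAK_CONF = """\
# vsftpd.conf (constructed, permissive)
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=NO
"""

# Constructed sample: download-only and chrooted, as the post suggests.
HARDENED_CONF = """\
# vsftpd.conf (constructed, hardened)
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=NO
chroot_local_user=YES
"""

# Upstream vsftpd defaults for the directives we care about.
DEFAULTS = {
    "anonymous_enable": "YES",
    "local_enable": "NO",
    "write_enable": "NO",
    "chroot_local_user": "NO",
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
}


def parse_vsftpd(text):
    """Parse key=value lines; blank lines and '#' comments are ignored.
    Lines without '=' are skipped (vsftpd would reject them at startup)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        conf[key.strip()] = value.strip()
    return conf


def is_yes(conf, key):
    """vsftpd booleans are YES/NO; fall back to the upstream default."""
    return conf.get(key, DEFAULTS.get(key, "NO")).upper() == "YES"


def audit(text):
    """Return a list of findings. An empty list means the config follows
    the post's advice: download-only, chrooted, no anonymous writes."""
    conf = parse_vsftpd(text)
    findings = []
    # Uploads on: a sniffed password lets an attacker drop files (e.g. tools)
    # on the server, exactly what the post wants to rule out.
    if is_yes(conf, "write_enable"):
        findings.append("write_enable=YES: STOR (upload) allowed; "
                        "set write_enable=NO for download-only service")
    # Local logins without chroot: users can browse outside their home.
    if is_yes(conf, "local_enable") and not is_yes(conf, "chroot_local_user"):
        findings.append("chroot_local_user=NO: local users are not confined "
                        "to their home directory")
    # Anonymous access is fine for distribution only if it stays read-only.
    if is_yes(conf, "anonymous_enable"):
        for key in ("anon_upload_enable", "anon_mkdir_write_enable"):
            if is_yes(conf, key):
                findings.append(f"{key}=YES: anonymous users can write")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or "OK")
```

Two caveats the auditor cannot see: the post's point about giving each user an unwritable home containing only the files they may fetch is a matter of filesystem ownership and modes, not of the daemon's config, and none of these settings does anything about the credentials themselves still crossing the wire in clear text, which is why the post steers toward anonymous FTP or HTTPS where the client's firewall allows it.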
