Re: How safe are FTP servers?
Keith Keller wrote:

... Historically wu-ftpd has not been very secure, but I have not used
it or read anything about it in some time.

For what it's worth, wu-ftpd mostly got a bad rap because it was
non-trivial to configure properly. Very flexible in terms of what you
could set up with it, but that led to complexity. That's not to say
there weren't security vulnerabilities with older versions, but the
biggest cause of trouble with it was poor configuration.

I've been using that FTP server for years, and was even contributing to
its development at one point, in the form of patches that (hopefully)
helped make it easier to configure in only the features that were needed
for a specific installation.

To the OP, if you're only *sending* files to your clients, as someone
else has suggested, a password-protected HTTP/SSL server would be a
better idea. If you find that you either *must* use an FTP server, or
decide that you would prefer to, whichever one you use, be very certain
of its configuration, and of where your clients are intended to access
the service from (TCP_Wrapper is your friend). Review periodically and
keep up to date with any bug-fixes.

The FTP server is only as secure as its weakest link, and your original
instinct was right: your users are sending re-usable passwords in
plain-text. Whether these passwords are likely to be intercepted at any
point along the way depends largely on the security of the client system
and the network it's on, the server and the network it's on, and all
points in between. End-to-end encryption between the client and server
(as with https, or SSH which you already prefer) is a much better idea.

FTP is often still suitable for anonymous access to download files, or
on well protected networks where the path between each end-point is well
known and trustworthy, but as with any service that uses plain-text
authentication (telnet, POP/IMAP, and others), accessing an FTP service
over public networks is not advisable.

--
----------------------------------------------------------------------
Sylvain Robitaille syl@xxxxxxxxxxxxxxxxxx

Systems and Network analyst Concordia University
Instructional & Information Technology Montreal, Quebec, Canada
----------------------------------------------------------------------
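As an added illustration (not part of Sylvain's post or of any FTP server's code), a small Python detector that scans a text export of captured control-channel traffic for the clear-text USER/PASS and LOGIN commands the post warns about, covering FTP, POP3 and IMAP alike, and reports which accounts' reusable passwords crossed the wire without ever storing the password itself. The "client:port -> server:port COMMAND" line format and the sample capture are assumptions constructed for the example.

```python
"""Flag clear-text logins in captured FTP/POP3/IMAP control traffic.

Input is one client->server text line per captured command, in the
assumed form "client:port -> server:port COMMAND ...". The sample below
is constructed and stands in for a capture tool's text export.
Passwords are never stored or returned; only the fact that one was sent.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    protocol: str   # ftp, pop3 or imap
    client: str     # client IP that sent the credentials
    server: str     # server IP that received them
    username: str   # account whose reusable password went over in the clear


_FLOW_RE = re.compile(r"^(\S+):\d+ -> (\S+):(\d+) (.*)$")
# FTP and POP3 both log in with USER, then PASS, on the same connection.
_USER_RE = re.compile(r"^USER\s+(\S+)", re.IGNORECASE)
_PASS_RE = re.compile(r"^PASS\s+\S+", re.IGNORECASE)
# IMAP sends both in one tagged command: "a001 LOGIN user secret".
_IMAP_LOGIN_RE = re.compile(r"^\S+\s+LOGIN\s+(\S+)\s+\S+", re.IGNORECASE)
# Well-known plain-text ports; anything else (e.g. 443) is skipped.
PORT_PROTOCOL = {21: "ftp", 110: "pop3", 143: "imap"}


def find_cleartext_logins(lines):
    """Return a Finding for every login that completed in the clear."""
    pending = {}   # (client, server, proto) -> username awaiting its PASS
    findings = []
    for line in lines:
        m = _FLOW_RE.match(line)
        if not m:
            continue
        client, server, port, payload = m.group(1), m.group(2), int(m.group(3)), m.group(4)
        proto = PORT_PROTOCOL.get(port)
        if proto is None:
            continue
        key = (client, server, proto)
        if proto in ("ftp", "pop3"):
            if (u := _USER_RE.match(payload)):
                pending[key] = u.group(1)
            elif _PASS_RE.match(payload) and key in pending:
                findings.append(Finding(proto, client, server, pending.pop(key)))
        elif (l := _IMAP_LOGIN_RE.match(payload)):
            findings.append(Finding(proto, client, server, l.group(1)))
    return findings


SAMPLE = [  # constructed capture, not real traffic
    "10.0.0.5:40122 -> 192.0.2.10:21 USER alice",
    "10.0.0.5:40122 -> 192.0.2.10:21 PASS hunter2",
    "10.0.0.5:40122 -> 192.0.2.10:21 LIST",
    "10.0.0.7:51000 -> 192.0.2.10:21 PASS orphan",        # PASS with no USER: ignored
    "10.0.0.8:33000 -> 192.0.2.20:110 USER bob",
    "10.0.0.8:33000 -> 192.0.2.20:110 PASS s3cret",
    "10.0.0.9:44000 -> 192.0.2.20:143 a001 LOGIN carol p4ss",
    "10.0.0.9:44001 -> 192.0.2.30:443 \x16\x03\x01 ...",  # TLS: nothing readable
]

if __name__ == "__main__":
    for f in find_cleartext_logins(SAMPLE):
        print(f"{f.protocol}: {f.username} from {f.client} to {f.server}")
```

On the sample it reports alice (ftp), bob (pop3) and carol (imap); the TLS flow on 443 yields nothing, which is exactly the difference between FTP and the HTTPS/SSH alternatives the post recommends.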