Hi, What's your choice of ftpd? I'm hesitating to install wuftpd. It has a bad reputation from a security point of view. I've seen proftpd. Has anyone had experience? TIA, Öykü
On Tuesday 21 August 2001 12:13 pm, Oyku Gencay wrote:
Hi,
What's your choice of ftpd? I'm hesitating to install wuftpd. It has a bad reputation from a security point of view. I've seen proftpd. Has anyone had experience?
TIA, Öykü
I use proftpd, so that I can check "ftpwho" and "ftpcount" and see what's going on with my FTP. It also has a very good reputation for security. Good luck, -Steven -- -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- Steven Hatfield http://www.knightswood.net Registered Linux User #220336 ICQ: 7314105 Useless Machine Data: Running SuSE Linux 7.2 Professional and KDE2.2 12:20pm up 1 day, 15:24, 2 users, load average: 0.08, 0.16, 0.12 -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- Random Quote: Computers are not intelligent. They only think they are.
What's your choice of ftpd? I'm hesitating to install wuftpd. It has a bad reputation from a security point of view. I've seen proftpd. Has anyone had experience? From the point of security, DON'T use any ftpd. FTP is plain text, use ssh/scp/sftp instead. There are also windows clients available: http://gd.tuwien.ac.at/utils/shells/ssh/
you can use anonymous ftp, if you like. wu-ftpd 2.4 has been audited by some great guy from SuSE, it has proven to be secure. Or you can use vsftpd, which also has a good reputation AFAIR. hth Markus -- _____________________________ /"\ Markus Gaugusch ICQ 11374583 \ / ASCII Ribbon Campaign markus@gaugusch.dhs.org X Against HTML Mail / \
Hi Öykü,
if all you want is anonymous ftp have a look at
http://cr.yp.to/publicfile.html
It may not be as featurized as proftp but it's safer. Not to mention wuftpd...
Regards,
--
Jörg Frühbrodt
Subject: [suse-security] which ftpd?
What's your choice of ftpd? I'm hesitating to install wuftpd. It has a bad reputation from a security point of view. I've seen proftpd. Has anyone had experience?
if all you want is anonymous ftp have a look at http://cr.yp.to/publicfile.html It may not be as featurized as proftp but it's safer. Not to mention wuftpd...
Guys, please show me a security bug in wuftpd-2.4 (the one that is
installed as /usr/sbin/wuftpd in SuSE Systems) after Thomas Biege has made
a full audit of it (2+ years ago, I think).
Then, if you want to make a statement about proftpd's security, then look
at the number of features it has. Statistically, the claim is wrong. If
you want to have a closer impression, please have a brief look at the
code. Then: Performance... We've been running proftpd on ftp.suse.com and
had to go back to wuftpd after three weeks. It just didn't scale, too much
system call overhead in the transfer r/w loops, proc accesses in loops,
...
ftp.suse.com is fully loaded with 600 users at high output. The machine is
90% idle if nothing but wuftpd is active, the load is below 1. The only
problem we have is the latency from the raid controller: It keeps spiking
the load on the machine every once in a while. But that has nothing to do
with the ftp daemon.
Roman.
--
- -
| Roman Drahtmüller
Hi, On 21 Aug 2001, at 21:15, Roman Drahtmueller wrote:
Guys, please show me a security bug in wuftpd-2.4 (the one that is installed as /usr/sbin/wuftpd in SuSE Systems) after Thomas Biege has made a full audit of it (2+ years ago, I think).
Security today is a strange thing, as one has to count in the philosophical/psychological components too. The problem is that this has been discussed on this list before, and there was no real answer then. It is comparable to the sendmail vs. qmail vs. something thing. Security is not a monolithic structure. E.g. if someone uses ftp behind a firewall with trusted users only, why should he care about exploits? So if someone started to use an ftpd some time ago, he did so after evaluating all alternatives, and from then on all he had to care about was the security of "his" server. So I think it would be the best way to answer such requests in the future with something like: "Please check the homepages of all alternatives, and check a list of security sites and make your own decision." mike
Yup, On 22-Aug-01 Thomas Michael Wanka wrote:
Hi,
On 21 Aug 2001, at 21:15, Roman Drahtmueller wrote:
Guys, please show me a security bug in wuftpd-2.4 (the one that is installed as /usr/sbin/wuftpd in SuSE Systems) after Thomas Biege has made a full audit of it (2+ years ago, I think).
Security today is a strange thing, as one has to count in the philosophical/psychological components too.
<rant> Phil./psych. issues should be taken into consideration, at least personally. Practically there's no need and no place for philosophy or psychology, other than security-related, in system/network security, although discussions around it sometimes seem like personal psyched-out crusades of sorts ;)
The problem is that this has been discussed on this list before, and there was no real answer then. It is comparable to the sendmail vs. qmail vs. something thing.
Yep, maybe. People just compare "apples with pears" sometimes, which can not lead to an answer because there is none.
Security is not a monolithic structure. E.g. if someone uses ftp behind a firewall with trusted users only, why should he care about exploits? So if someone started to use an ftpd some time ago, he did so after evaluating all alternatives, and from then on all he had to care about was the security of "his" server.
I disagree. Most people (read: admins) who had their first contact with Linux a couple of months or a year ago are happy to be able to set up ftp or mail servers at all; there are only a few who really care about security. If reality were as you suggest, we wouldn't have so much trouble with security issues, I suppose. Your ftp-behind-firewall example may be valid if we're talking about 5 users who work/use their computers in the same room/house, but there are networks with 50, 500, 1000 or more users where security issues are of a very different quality. In the past I audited some networks with so-called "private" ftp servers behind firewalls, and on two occasions I found warez ftp sitez active in these networks, run by malicious employees who found a way through the corporate firewall.
So I think it would be the best way to answer such requests in the future with something like: "Please check the homepages of all alternatives, and check a list of security sites and make your own decision."
IMHO one goal of security lists like SuSE's is to provide a discussion forum for both "newbies" and advanced users/admins. The world changes, the internet too, and thus security issues change over time, as do programs or tools. At the mo there are no sec. issues with wuftpd, but maybe there will be some in future versions. Likewise, there are scaling problems with proftpd, but that doesn't mean that these problems will persist forever. We all should keep up with the latest sec. news, and we should direct people to some home pages AND discuss such things. </rant> As for the original question, wuftpd vs. proftpd: I would stick to proftpd for smaller setups and to a fully blown, *dedicated* chroot-wuftpd "trespassers will be shot" ftp server in larger production environments, which should be put in a tightly secured DMZ. If it were a public b-to-b server with named and known users, I would implement an ssh/sftp server instead.
mike
---
Boris Lorenz
Hi, On 22 Aug 2001, at 11:55, Boris Lorenz wrote:
I disagree. Most people (read: admins) who had their first contact with Linux a couple of months or a year ago are happy to be able to set up ftp or mail servers at all; there are only a few who really care about security. If reality were as you suggest, we wouldn't have so much trouble with security issues, I suppose.
That is partly true. But if you install the first server, you need to choose one. You are better off if you are looking for a secure one (like the original poster seemed to do). What has this poster gained from this discussion? More different opinions than he knew about before! So he is still left with looking at the homepages and other (security) resources to find a good answer to his question; should he need to use wu-ftpd, how can he be sure it is secure in the long term after this discussion, where some people said it is not? I think he would have been better off with a list of available servers and a short description as well as links to the homepages of the servers. mike
On 23-Aug-01 Thomas Michael Wanka wrote:
Hi,
On 22 Aug 2001, at 11:55, Boris Lorenz wrote:
I disagree. Most people (read: admins) who had their first contact with Linux a couple of months or a year ago are happy to be able to set up ftp or mail servers at all; there are only a few who really care about security. If reality were as you suggest, we wouldn't have so much trouble with security issues, I suppose.
That is partly true. But if you install the first server, you need to choose one. You are better off if you are looking for a secure one (like the original poster seemed to do). What has this poster gained from this discussion? More different opinions than he knew about before! So he is still left with looking at the homepages and other (security) resources to find a good answer to his question; should he need to use wu-ftpd, how can he be sure it is secure in the long term after this discussion, where some people said it is not? I think he would have been better off with a list of available servers and a short description as well as links to the homepages of the servers.
If that really is your opinion, why should we set up and use mailing lists at all? If everything you can come up with is a basically uncommented list of links to some sites, and a generous "make up your own choice now and RTFM" sort of line, you won't help "newbies" or other users/admins at all. Security is neither some point-and-click type of thing, nor a matter of a couple of links, as useful as they may be. AFAIR the original post of this thread was about experiences of other users/admins with ftpd's and their security issues, not a request for your favourite bookmarks. Btw., my lengthy utterances which you quoted have been enclosed by <rant>...</rant>, which means that I wrote them out-of-line to provide a little more background. I have put in a suggestion of what ftpd to use in my mail as well.
mike
---
Boris Lorenz
Hi, On 23 Aug 2001, at 14:12, Boris Lorenz wrote:
AFAIR the original post of this thread was about experiences of other users/admins with ftpd's and their security issues, not a request for your favourite bookmarks.
Didn't it end up like that? ;) A bookmark here and there and some contradictory comments. I did not think about a simple uncommented list, but a well commented one (like someone said he had compiled, and if it is the person I think, it will be of good quality!). I think this list is to help with problems and questions that come up *after* going through such a list. The correct question (like you pointed out in the comments enclosed by the <rant>s and that I probably accidentally quoted) was: "I need this and that, should I go with this or that", because if the poster needed high volume or IPv6 support, the answers would be different. I did not mean to offend someone, I just wanted to enhance the support (like my suggestion for a searchable list archive), and actually I expected someone to say that such commented lists are here and there. mike
Hi,
What's your choice of ftpd? I'm hesitating to install wuftpd. It has a bad reputation from a security point of view. I've seen proftpd. Has anyone had experience?
TIA, Öykü
i like glFtpD (www.glftpd.org), it has many features and is able to run Tcl scripts, check .zip files bla bla bla bla -- GMX - The communication platform on the Internet. http://www.gmx.net
On Tuesday 21 August 2001 06:46 pm, Michael Kunst wrote:
Hi,
What's your choice of ftpd? I'm hesitating to install wuftpd. It has a bad reputation from a security point of view. I've seen proftpd. Has anyone had experience?
TIA, Öykü
i like glFtpD (www.glftpd.org), it has many features and is able to run Tcl scripts, check .zip files bla bla bla bla
If I had the chance to run any FTP client I wanted, I'd run Bulletproof FTP Server (which used to be G6 FTP Server). It's awesome! You can see what's currently downloading, and by whom, how fast the xfer is going, how long it has left, and you get a nice report of all previous transfers. You can set upload/download ratios, per user limits, and designate which files don't count against those limits. When I left Windows for Linux, that was the one program that I truly missed. I felt like I was virtually in the dark with wuftpd. Anyone know of something like Bulletproof FTPd for Linux? Thanks, -Steven -- -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- Steven Hatfield http://www.knightswood.net Registered Linux User #220336 ICQ: 7314105 Useless Machine Data: Running SuSE Linux 7.2 Professional and KDE2.2 7:27pm up 1 day, 22:31, 2 users, load average: 0.39, 0.32, 0.19 -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- Random Quote: Courtroom Quotes Q: Have you lived in this town all your life? A: Not yet.
If I had the chance to run any FTP client I wanted, I'd run Bulletproof FTP Server (which used to be G6 FTP Server). It's awesome! You can see what's currently downloading, and by whom, how fast the xfer is going, how long it has left, and you get a nice report of all previous transfers. You can set upload/download ratios, per user limits, and designate which files don't count against those limits. You mean realtime reporting? Maybe in a GUI? This is not the way Linux does things. And it isn't useful at all. You can tail -f /var/log/xferlog for realtime information, of course without bandwidth usage, but wouldn't it be a waste of bandwidth if you watched this information from a remote place? If you want to see the actual traffic, try Etherape; it shows all ongoing connections in a graph (very cool) and in a table (with detailed bandwidth usage).
But this doesn't have to do with ftp. hth Markus -- _____________________________ /"\ Markus Gaugusch ICQ 11374583 \ / ASCII Ribbon Campaign markus@gaugusch.dhs.org X Against HTML Mail / \
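The tail -f /var/log/xferlog tip above is the log-based answer to Steven's "who transferred what, how fast" question. As an added example that is not part of this thread, the following Python script parses constructed wu-ftpd xferlog lines (field order as documented in xferlog(5)) and builds a per-user report of bytes out/in, incomplete transfers and average throughput; it assumes filenames contain no spaces (wu-ftpd replaces them with underscores) and that only completed-transfer records are of interest, since xferlog does not show transfers still in progress.

```python
import re
from collections import defaultdict

# Constructed sample xferlog lines (not taken from any real server). Field order per xferlog(5):
# date(5 tokens) xfer-secs remote-host bytes path type flag direction access-mode user service auth auth-id status
SAMPLE_XFERLOG = """\
Tue Aug 21 12:13:01 2001 12 192.0.2.10 4194304 /pub/suse/7.2/README b _ o a ftp ftp 0 * c
Tue Aug 21 12:13:40 2001 3 192.0.2.10 1048576 /pub/suse/7.2/ls-lR.gz b _ o a ftp ftp 0 * c
Tue Aug 21 12:14:05 2001 60 198.51.100.7 31457280 /incoming/upload.iso b _ i r alice ftp 1 alice c
Tue Aug 21 12:15:00 2001 5 198.51.100.7 524288 /pub/suse/7.2/README b _ o r alice ftp 0 * i
"""

# Strict field pattern: anything that does not match is skipped rather than guessed at.
XFERLOG_RE = re.compile(
    r"^(?P<when>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) "
    r"(?P<secs>\d+) (?P<host>\S+) (?P<size>\d+) (?P<path>\S+) "
    r"(?P<type>[ab]) (?P<flag>[CUT_]) (?P<dir>[oid]) (?P<mode>[agr]) "
    r"(?P<user>\S+) (?P<service>\S+) (?P<auth>[01]) (?P<authid>\S+) (?P<status>[ci])$"
)


def parse_xferlog(text):
    """Yield one dict per well-formed xferlog line; malformed lines are dropped."""
    for line in text.splitlines():
        m = XFERLOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["secs"] = int(rec["secs"])
            rec["size"] = int(rec["size"])
            yield rec


def per_user_report(text):
    """Per user: bytes downloaded (out), uploaded (in), incomplete transfers, average KB/s."""
    stats = defaultdict(lambda: {"out": 0, "in": 0, "incomplete": 0, "secs": 0})
    for rec in parse_xferlog(text):
        s = stats[rec["user"]]
        if rec["status"] == "i":          # transfer did not complete
            s["incomplete"] += 1
        s["in" if rec["dir"] == "i" else "out"] += rec["size"]
        s["secs"] += rec["secs"]
    for s in stats.values():
        total = s["out"] + s["in"]
        s["kbps"] = round(total / 1024 / s["secs"], 1) if s["secs"] else 0.0
    return dict(stats)
```

Uploads into /incoming by authenticated users stand out immediately in such a report, which is the kind of thing Boris's "private ftp server behind the firewall" audits were looking for.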
On Tuesday 21 August 2001 06:46 pm, Michael Kunst wrote:
Hi,
What's your choice of ftpd? I'm hesitating to install wuftpd. It has a bad reputation from a security point of view. I've seen proftpd. Has anyone had experience?
TIA, Öykü
i like glFtpD (www.glftpd.org), it has many features and is able to run Tcl scripts, check .zip files bla bla bla bla
If I had the chance to run any FTP client I wanted, I'd run Bulletproof FTP Server (which used to be G6 FTP Server). It's awesome! You can see what's currently downloading, and by whom, how fast the xfer is going, how long it has left, and you get a nice report of all previous transfers. You can set upload/download ratios, per user limits, and designate which files don't count against those limits.
When I left Windows for Linux, that was the one program that I truly missed. I felt like I was virtually in the dark with wuftpd.
Anyone know of something like Bulletproof FTPd for Linux?
Thanks, -Steven
yeah glftpd, after you login and have the needed rights you can do SITE WHO / SITE STAT to see who is online, what they do and how fast they upload / download / ratio status and many other things ..... -- GMX - The communication platform on the Internet. http://www.gmx.net
Anyone know of something like Bulletproof FTPd for Linux?
Try vsftpd from Chris Evans. I've sneaked through the code, and I liked it
very much. It was written with security considerations in mind beforehand;
it's new and it hasn't had any bugs so far.
Roman.
--
- -
| Roman Drahtmüller
hm, what about "pureftpd"? As described on freshmeat, it is security-minded, with support for pam and ipv6 (and quota iirc). anyone tried this one? frank
On Wed, 22 Aug 2001 13:06:47 +0200
Frank Tiemann
hm,
what about "pureftpd"? As described on freshmeat, it is security-minded, with support for pam and ipv6 (and quota iirc)
anyone tried this one?
frank
I'm using it here, and it works really fine. Really good features, fast and stable... Jan -- Jan Räther Universitaet Hamburg Zentrum für Molekulare Neurobiologie Service-Gruppe EDV Falkenried 94 20251 Hamburg Germany Tel.:040 - 428 - 03 - 6619 Fax.:040 - 428 - 03 - 6621