Mailinglist Archive: opensuse-security (606 mails)

Re: [suse-security] FTP daemons
Hello Roman,
I can't really remember when I read it but there were actually several
sources. I guess things can change fast. :-)

Nice of you to point out all this and I take your word. Right now I use
ProFTPd and it's been working well but my load is around 6 connections,
nothing compared to the SuSE ftp server. My server has been running very
smoothly (SuSE 7.0) and has now been up for 62 days straight. I will try out
the latest wu-ftpd tarball next week and see how that goes, but for me
security comes first, not performance.

I was wondering, would it be more secure to use qmail for my SMTP server or
is sendmail ok? Again I read from several sources so it's hard to tell which
one is right, I'm sure you understand what I mean. :)

/Morsal


----- Original Message -----
From: "Roman Drahtmueller" <draht@xxxxxxx>
To: "Morsal Roudbay" <morsal@xxxxxxxxxx>
Cc: <suse-security@xxxxxxxx>
Sent: Wednesday, April 04, 2001 5:35 PM
Subject: Re: [suse-security] FTP daemons


On Wed, 4 Apr 2001, Morsal Roudbay wrote:

> From: Morsal Roudbay <morsal@xxxxxxxxxx>
> To: Gerd Bitzer <gerd.bitzer@xxxxxxxxx>, Roman Drahtmueller <draht@xxxxxxx>
> Cc: suse-security@xxxxxxxx
> Date: Wed, 4 Apr 2001 14:58:53 +0200
> Subject: Re: [suse-security] FTP daemons

Hi Morsal,

> Thanks for your opinion Gerd. I was actually also thinking that Wu-FTPd
> would have many security holes considering its dark history. I personally
> use ProFTPd and I read it's supposed to be one of the most secure.

I'd be grateful if you could point me to the source where you got that
information from.

We've been running proftpd on ftp.suse.com. This server counts as a high
volume ftp server in both the transferred data, the number of sessions/day
and the number of bytes transferred per session. We've come to the
conclusion that proftpd doesn't scale above a limit of about 300
concurrent users and that the memory leaks make the daemon unusable in
standalone mode. The lack of scalability is caused by an enormous system
call overhead that is a result of every daemon checking the health of
_all_ other daemons by killing _all_ of them using signal SIGCONT. I've
fixed this, along with some format string parsing bugs and another
performance issue, but it didn't help, it's still too hungry.
One of the primary reasons that made us try proftpd was the feature that
limits the number of connections per IP. Basically, we wanted the
rate-limiting stuff as well, but the resulting syscall overhead would have
killed the fastest machine.

We've now gone back to wuftpd in combination with xinetd. The one that you
find in the wuftpd.rpm package, residing in /usr/sbin/wu.ftpd, is the good
old 2.4 release that comes with a set of patches against all known
vulnerabilities (/usr/sbin/wu.ftpd-2.6 is the new one). Some of these
patches are a result of an extensive audit by Thomas Biege back in 1999
(IIRC), and no problem has turned up ever since. I've enhanced the daemon
that we use right now with a rate limiter. It's only a few lines of code,
if you want to take a look at it go to
ftp://ftp.suse.com/pub/people/draht/7.0/, get the source rpm and take a
look at the patch there, called something like "bwlimit".

At full load with currently 650 users the server's (a single processor
machine) load is below 1.0, the machine is 75% idle after 14 days of rock
solid uptime.

Regards,
Roman.
--
- -
| Roman Drahtmüller <draht@xxxxxxx>   "Caution: Cape does not |
| SuSE GmbH - Security                 enable user to fly."    |
| Nürnberg, Germany       (Batman Costume warning label)       |
- -



