"Andreas Rittershofer"
I would replace this with proftpd (www.proftpd.org), which is more flexible and more secure than the standard in.ftpd. Proftpd can be run standalone as a daemon listening on port 21 or, as usual, via inetd.
ProFTPd has a *LONG* list of bugs, security incidents and compatibility
That's new to me: when I search www.cert.org for proftp, there is not one hit.
Search Bugtraq. Virtually every 1.2.0pre and 1.2.0rc version (more than 10) has had a security problem or other severe bugs, including exploitable buffer overflows, crashes when a command and its CRLF span packet boundaries, 1.2.1 suffering from glob(3) problems, and so on. That beast cannot possibly be secure if public beta test versions have problems that big. The list is endless; I'll not reproduce it here.

I've been using the Linux port of ftpd-BSD and limiting the impact of the glob problem with DJB's softlimit. For fresh installs, I'd recommend against ftp in the first place, for anonymous ftp only in the second place, and check out pureftpd and vsftpd. Both are still beta, but close to release and feature security as a major design goal. ProFTPd also sported security as a design goal but has failed miserably more than one time. Whether pureftpd and vsftpd will be secure, we'll see. At least vsftpd has an extensive audit scheme. -- Matthias Andree
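The softlimit arrangement Matthias mentions, written out as an added example (it is not code from this thread nor from ftpd-BSD, daemontools or ucspi-tcp): a daemontools-style run script that starts an inetd-mode ftpd under tcpserver with a per-process memory cap, so a runaway glob(3) expansion fails with ENOMEM inside one child instead of exhausting the host. The ftpd path, the 16 MB cap, the connection limit and the `-l` logging flag are assumptions to be adjusted for the local install; the command line is built in a function so it can be inspected before the script is dropped into a service directory and run with `--exec`.

```sh
#!/bin/sh
# Added example: daemontools "run" script for an inetd-style ftpd under softlimit.
# FTPD, MEM_BYTES and MAX_CONN are assumed values, not taken from the thread.
FTPD=${FTPD:-/usr/sbin/ftpd}       # inetd-mode ftpd binary (e.g. ftpd-BSD); assumed path
MEM_BYTES=${MEM_BYTES:-16000000}   # per-process cap for softlimit -m; assumed value
MAX_CONN=${MAX_CONN:-40}           # tcpserver concurrent-connection limit; assumed value

# softlimit -m sets RLIMIT_DATA, RLIMIT_STACK, RLIMIT_MEMLOCK (and RLIMIT_AS
# where the platform has it) before exec'ing tcpserver, and every ftpd child
# inherits the limits. tcpserver binds 0.0.0.0:21, caps children at -c, skips
# reverse DNS (-H) and ident (-R) lookups, sets $TCPLOCALHOST (-l0), and hands
# each accepted connection to ftpd on fd 0/1 exactly as inetd would.
ftpd_cmdline() {
    printf '%s\n' \
        "softlimit -m $MEM_BYTES tcpserver -R -H -l0 -c $MAX_CONN 0 21 $FTPD -l"
}

# softlimit only accepts a non-negative integer for -m; refuse anything else
# rather than starting an uncapped server by accident.
valid_limit() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *)           return 0 ;;
    esac
}

if [ "${1:-}" = "--exec" ]; then
    valid_limit "$MEM_BYTES" || { echo "run: MEM_BYTES must be an integer" >&2; exit 1; }
    exec 2>&1                    # send stderr to the supervise/multilog pipe
    # shellcheck disable=SC2046  # intentional word splitting of the built line
    exec $(ftpd_cmdline)
fi
```

Note that the cap is per process, so it bounds what one abusive client can allocate; the `-c` limit on tcpserver is what bounds the total across clients. Check the limit value against the real memory needs of ftpd on the machine (large directory listings and ls -lR over big trees are the normal legitimate cases) before lowering it.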