A simple and secure FTPd
Hi. I'm using ProFtpd 1.2.0rc2, which is a ftpd with nice features. Nevertheless I only need simple ftp functionality: simple ftp access to some user accounts (not anonymous ftp). And I'm wondering which ftpd could be the securest one for this task. I suppose the more complex a program is, the more insecure it is. So I guess Proftpd is more susceptible to being found vulnerable to some new (potential) vulns. Is the following ftpd secure:
220 xxxx FTP server (Version 6.4/OpenBSD/Linux-ftpd-0.16) ready
??? What are your choices, apart from the said daemons? Another problem with Proftpd is some nasty bug related to "No port command" (it's known by proftpd developers), although this is not security related.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
** RoMaN SoFt / LLFB **
roman@madrid.com
http://pagina.de/romansoft
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
I use ProFTPD for all my ftp servers, from cryptoarchive (anon access, really don't wanna get broken into =) to my machines at home (with really complex and weird setups, like upload directories you can download from if you are at a certain machine). Anyways the rc2 is busted pretty bad; on the machine I need to upload to I just went back to rc1 and used DenyFilter "%", which blocks the %, which means the DOS in rc1 can't be done, so happy days =). BTW if you need people to login, and are worried about security, then ftp is not your best bet. There are SSH and SSL ftp's you might consider, though, or simply move to SSH and scp (which has its own issues right now, sigh).
Kurt Seifried, seifried@securityportal.com
SecurityPortal - your focal point for security on the 'net
On Tue, 28 Nov 2000 01:55:45 -0700, you wrote:
> BTW if you need people to login, and are worried about security then ftp is not your best bet. There are SSH and SSL ftp's though you might consider, or
For example? :-) I'd also need Windows client support, since users would access it from an NT wks machine.
> simply move to SSH and scp (which has it's own issues right now, sigh).
Yep, I've heard about these insecurities. Isn't there a secure (stable) version yet? Another question: what's the difference between the ssh and open-ssh packages which SuSE 6.4 ships with? Which one is recommended?
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
** RoMaN SoFt / LLFB **
roman@madrid.com
http://pagina.de/romansoft
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Hmm, every time I reply to you it doesn't indent with ">". Strange. *******ing outlook. I need a beer. SSH clients for windows exist, I have quite a few at CryptoArchive (www|ftp.cryptoarchive.net). SSL ftp clients for windows also exist, I remember seeing at least one, can't remember the name offhand though. The SCP problem in SSH is quite deep-seated as I understand it and I'm not entirely sure if they fixed it in 2.3.0 (have to check, groan). As for another poster: SSH/OpenSSH: SSH is the original, done by a Finnish guy, it steadily got more and more commercial, 2.0 was 100% commercial, this sucked because it was so useful and not free. So the OpenBSD team took 1.2.12 (or .22?) and ripped out all the proprietary code, cleaned it up a LOT, added ssh protocol 1.5 and 2 support, labeled it OpenSSH, and everyone rejoiced =).
On Tue, 28 Nov 2000 09:50:30 +0100, you wrote:
> Is it secure the following ftpd:
> 220 xxxx FTP server (Version 6.4/OpenBSD/Linux-ftpd-0.16) ready ???
I've had a look at some databases. Here is the result: As shipped with SuSE 6.4, it IS vulnerable.
Bugtraq: Multiple Vendor ftpd setproctitle() Format String Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1425
SuSE: http://www.suse.com/de/support/security/suse_security_announce_57.txt
This is the latest nkitb, which is the rpm you have to install to patch yourself:
----------------------------------------------------------------------
File: nkitb-2000.10.4-0.i386.rpm
Version: 2000.10.4
Size: 672 kB
Date: Wed 04 Oct 2000 01:19:25 PM CEST
Source: nkitb-2000.10.4-0.src.rpm
Security: Yes
----------------------------------------------------------------------
Description: Security fix for traceroute
What I'm missing here in the description is the ftp patch. I suppose the description only talks about the latest modification in nkit. Perhaps it would be better to list ALL patches included _since_ the ORIGINAL shipped package. For instance, the description above doesn't list the ftp patch. I've installed the new package, but I cannot see if ftpd is updated since the ftpd banner keeps intact.
Regards.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
** RoMaN SoFt / LLFB **
roman@madrid.com
http://pagina.de/romansoft
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
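An added illustration (not code from this thread, from ProFTPD, or from any ftpd) of the bug class behind the setproctitle() format string advisory cited above, and of the two defences the thread touches on: Kurt's DenyFilter "%" workaround, and the real fix of never letting client-supplied text become a printf-style format. The title format, the `build_title` and `login_name_allowed` names and the sample login name are all constructed for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* The affected daemons built a process title from the client-supplied login
 * name and then passed that buffer to a printf-style routine AS THE FORMAT,
 * so "%x" or "%n" inside a USER argument were interpreted instead of copied.
 * Vulnerable shape, shown only in this comment and never compiled:
 *     snprintf(buf, n, "ftpd: %s@%s", user, host);
 *     setproctitle(buf);      // buf, which contains user text, is the format
 */

enum { TITLE_MAX = 64 };   /* assumed title buffer size for the example */

/* Safe shape: user text only ever travels through a "%s" argument, so every
 * byte of `user` lands in the title literally. Returns the stored length,
 * honouring truncation (snprintf reports the would-be length instead). */
static int build_title(char *title, const char *user, const char *host) {
    int n = snprintf(title, TITLE_MAX, "ftpd: %s@%s", user, host);
    if (n < 0)
        return -1;
    return n >= TITLE_MAX ? TITLE_MAX - 1 : n;
}

/* Equivalent of ProFTPD's DenyFilter "%" workaround: refuse any command
 * argument containing '%', which stops every format directive before it can
 * reach a still-vulnerable sink. A filter, not a fix: keep build_title too. */
static bool login_name_allowed(const char *user) {
    return strchr(user, '%') == NULL;
}

int main(void) {
    char title[TITLE_MAX];
    const char *probe = "bob%n%x";   /* constructed hostile login name */
    build_title(title, probe, "client.example");
    printf("title  : %s\n", title);  /* directives appear as plain text */
    printf("allowed: %s\n", login_name_allowed(probe) ? "yes" : "no");
    return 0;
}
```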