Yup, On 22-Aug-01 Thomas Michael Wanka wrote:
Hi,
On 21 Aug 2001, at 21:15, Roman Drahtmueller wrote:
Guys, please show me a security bug in wuftpd-2.4 (the one that is installed as /usr/sbin/wuftpd in SuSE Systems) after Thomas Biege has made a full audit of it (2+ years ago, I think).
security today is a strange thing as one has to count in the philosophical/Psychological components too.
<rant> Phil./psych. issues should be taken into consideration, at least personally. Practically there's no need and no place for philosophy or psychology, other than security-related, in system/network security, although discussions around it sometimes seem like personal psyched-out crusades of sorts ;)
The problem is that this has been discussed on this list before, and there was no real answer then. It is comparable to the sendmail vs. qmail vs. something thing.
Yep, maybe. People just compare "apples with pears" sometimes, which can not lead to an answer because there is none.
Security is not a monolithic structure. Eg. if someone uses ftp behind a firewall with trusted users only why should he care about exploits? So if someone started to use a ftpd some time ago, he did so after evaluating all alternatives, and from then on all he had to care about was the security of "his" server.
I disagree. Most people (read: admins) who had their first contact with Linux a couple of months or one year ago are happy to be able to set up ftp or mail servers at all; there are only a few who really care about security. If reality were like you suggest, we wouldn't have so much trouble with security issues, I suppose. Your ftp-behind-firewall example may be valid if we're talking about 5 users who work/use their computers in the same room/house, but there are networks with 50, 500, 1000 or more users where security issues are of a very different quality. In the past I audited some networks with so-called "private" ftp servers behind firewalls, and on two occasions I found warez ftp sitez active in these networks, run by malicious employees who found a way through the corporate firewall.
So I think it would be best to answer such requests in the future with something like: "Please check the homepages of all alternatives, and check a list of security sites and make your own decision."
IMHO one goal of security lists like SuSE's is to provide a discussion forum for both "newbies" and advanced users/admins. The world changes, the internet too, and thus security issues change over time, as do programs or tools. At the mo there are no sec. issues with wuftpd but maybe there will be some in future versions. Likewise, there are scaling problems with proftpd but that doesn't mean that these problems will persist forever. We all should keep up with the latest sec. news, and we should direct people to some home pages AND discuss such things. </rant> As for the original question, wuftpd vs. proftpd, I would stick to proftpd for smaller setups and to a full-blown, *dedicated* chroot-wuftpd "trespassers will be shot" ftp server in larger production environments, which should be put in a tightly secured DMZ. If it were a public b-to-b server with named and known users I would implement a ssh/sftp server instead.
mike
---
Boris Lorenz