[TriLUG] FTP servers

Thomas C. Meggs tom at plik.net
Tue Sep 17 21:57:44 EDT 2002


Tanner! :)

Tanner Lovelace wrote:
| So nice of you to just trash something without any references
| and then recommend a commercial product.  You don't by any chance
| own stock in NcFTP do you?  (Okay, that was a cheap shot, but
| I did wonder...)

First off, I'm not affiliated with NcFTP. You shouldn't judge me by my
intentions; I was just repeating some advice I heard.

| For the record, proftpd does *not* have a "history riddled with
| security problems."  If you want to know about proftp's security,
| feel free to search google and look here:
| http://www.proftpd.org/security.html

I ran ProFTPD for about a year with an application that required rather
high security, and I got really sick and tired of having to patch it
several times in succession. The third time was the charm. So forgive me
if I still have a bitter sentiment. I admit that ProFTPD hasn't had any
serious problems in a while. However, here are your references. :)

http://www.cert.org/advisories/CA-1999-03.html
http://www.cert.org/advisories/CA-1999-13.html
http://www.cert.org/advisories/CA-2000-13.html

| run it on my servers for years).  (As always, you should have a
| comprehensive security policy in place to address things like
| cleartext passwords.)  Running proftp will not, by itself allow
| your box to be "root'd".

A good security policy is always necessary. On top of my usual lock
downs I am strongly against using plain text passwords. Of course, these
recent OpenSSH/OpenSSL vulnerabilities have been a pain in the ass.

You say that ProFTPD will not by itself allow your server to be
compromised. How is ProFTPD presently changing the UID of its children?
I notice that it is running as nobody. I assume it is requiring root
privileges somewhere along the way.

Regards,
Tom

- --
$Id: .sig,v 1.17 2002/08/21 13:12:32 tom Exp $

pub  1024D/87F1C20F 2001-11-15 Thomas C. Meggs <tom at plik.net>
Key fingerprint = 5E9A D535 B9DA A889 984B  9654 2025 409B 87F1 C20F

"It was funny with coffee.  Sometimes it did nothing for
him, and actually made him weak. But sometimes it really
made him feel like God."
	- from "Miguel", short story by Dan Bern
