[Gllug] ftp security
John Edwards
john_ed at cornerstonelinux.co.uk
Mon Oct 22 16:16:34 UTC 2001
On Mon, Oct 22, 2001 at 04:57:15PM +0100, Paul Brazier wrote:
> I'm helping to set up a box with RH7.1 which will (amongst other things)
> give remote users ftp access to their home directories only. I read
> somewhere that wu-ftpd is insecure.
>
> Is this just because ftp is unencrypted and thus passwords & logins are
> transmitted in cleartext for sniffers to pick up? In this case don't all
> ftp servers suffer from the same problem? Or are some ftp servers better
> than others for security for different reasons?
>
> I don't have control over what the clients use so ssh etc. isn't an
> option (except for administrators).
>
> --
> Paul Brazier
> Cosmos UK
The Washington University ftp server (wu-ftpd) has a long history of remote
root exploits, similar to sendmail. proftpd is a more secure alternative that
takes an Apache-like approach, running as an unprivileged user and having
finer control over who can log in and what they can do. You can also
authenticate against a different set of passwd files or even LDAP. It does
take a bit more time to learn and set up, but is worth it.
As for ftp sending passwords in the clear, try to set up a system where the
only access those accounts have is ftp (e.g. set the shell to /bin/false).
That way if someone does sniff the password, and eventually someone probably
will, they cannot log in to the box.
But you really should recommend sftp (or maybe rsync) to the project manager
and clearly outline what could happen to your users' valuable data when
(not if) their password is captured. You might also mention the Data
Protection Act a bit (probably not relevant, but might put the fear of
lawyers into them), and the use of your machine as an illegal warez site.
--
#------------------------------------------------------------#
| John Edwards Email: John.Edwards at uk.com |
| |
| "Security vulnerabilities are here to stay." |
| Scott Culp, Manager, Microsoft Security Response Center |
#------------------------------------------------------------#
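As an added example (not part of John's message or the proftpd project's own documentation), here is a proftpd.conf fragment that puts the points above into practice: the daemon drops to an unprivileged user, every user is chrooted to their own home directory, and only a named group may log in. The group name ftpusers and the nobody/nobody account pair are assumptions; use whatever unprivileged identity and group exist on the box. The RequireValidShell line is the caveat that goes with giving ftp-only accounts a /bin/false shell: proftpd by default rejects logins whose shell is not listed in /etc/shells, so you either add /bin/false there or turn the check off.

```apacheconf
# Added example: proftpd.conf fragment for ftp-only home-directory access.
# Not from the original post.  The group "ftpusers" and the nobody/nobody
# user/group pair are assumptions.
ServerName      "Home-directory FTP"
ServerType      standalone
DefaultServer   on
Port            21
Umask           022
MaxInstances    20

# Bind port 21 as root, then drop to this unprivileged identity for all
# session handling (the Apache-like model the post refers to).
User            nobody
Group           nobody

# Chroot each user into their own home directory so they see nothing else
# on the filesystem.
DefaultRoot     ~

# ftp-only accounts get /bin/false as their shell.  proftpd normally refuses
# logins whose shell is not in /etc/shells; either list /bin/false there or
# disable the check here.
RequireValidShell off

# Only members of the ftpusers group may log in at all.  Every other
# account is refused even if its (possibly sniffed) password is correct.
<Limit LOGIN>
  AllowGroup ftpusers
  DenyAll
</Limit>

# Allow users to replace their own files inside the chroot.
<Directory />
  AllowOverwrite on
</Directory>
```

Create the ftp-only accounts to match, e.g. `useradd -s /bin/false -G ftpusers alice`, and run `proftpd -t` after editing to syntax-check the configuration before restarting the daemon. The Limit/DenyAll pairing is what turns a sniffed password for any non-ftp account (root included) into a useless credential on this service.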
--
Gllug mailing list - Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug