[Gllug] ftp security

John Edwards john_ed at cornerstonelinux.co.uk
Mon Oct 22 16:16:34 UTC 2001


On Mon, Oct 22, 2001 at 04:57:15PM +0100, Paul Brazier wrote:
> I'm helping to set up a box with RH7.1 which will (amongst other things)
> give remote users ftp access to their home directories only. I read
> somewhere that wu-ftpd is insecure.
> 
> Is this just because ftp is unencrypted and thus passwords & logins are
> transmitted in cleartext for sniffers to pick up? In this case don't all
> ftp servers suffer from the same problem? Or are some ftp servers better
> than others for security for different reasons?
> 
> I don't have control over what the clients use so ssh etc. isn't an
> option (except for administrators).
> 
> --
> Paul Brazier
> Cosmos UK 

The Washington University ftp server (wu-ftpd) has a long history of remote 
root exploits similar to sendmail. proftpd is a more secure alternative that 
takes an Apache-like approach, running as an unprivileged user and having 
finer control over who can log in and what they can do. You can also 
authenticate against a different set of passwd files or even LDAP. It does 
take a bit more time to learn and set up but is worth it.

As for ftp sending passwords in the clear, try to set up a system where the 
only access those accounts have is ftp (e.g. set the shell to /bin/false).
That way if someone does sniff the password, and eventually someone probably 
will, they cannot log in to the box.

But you really should recommend sftp (or maybe rsync) to the project manager 
and clearly outline what could happen to your users' valuable data when 
(not if) their password is captured. You might also mention the Data 
Protection Act a bit (probably not relevant, but might put the fear of 
lawyers into them), and the use of your machine as an illegal warez site.


-- 
#------------------------------------------------------------#
|      John Edwards    Email: John.Edwards at uk.com            |
|                                                            |
|     "Security vulnerabilities are here to stay."           |
|   Scott Culp, Manager, Microsoft Security Response Center  |
#------------------------------------------------------------#
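Not part of the original post: an added shell example that audits the arrangement John describes, listing ftp-only accounts whose login shell would still allow an interactive login, and checking that /bin/false is listed in /etc/shells (wu-ftpd, and proftpd by default, refuse accounts whose shell is not listed there). The passwd and shells contents and the account names are constructed sample data, not from a real system.

```shell
#!/bin/sh
# Audit ftp-only accounts: a sniffed ftp password should not also give a shell.

# Constructed sample /etc/passwd content (not a real system).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/false
bob:x:1002:1002:Bob:/home/bob:/bin/bash
carol:x:1003:1003:Carol:/home/carol:/sbin/nologin'

# Constructed sample /etc/shells content (note: /bin/false is missing).
SAMPLE_SHELLS='/bin/sh
/bin/bash'

# Shells that deny interactive login; /bin/false is what the post recommends.
NOLOGIN_SHELLS='/bin/false /sbin/nologin /usr/sbin/nologin'

# Print "user shell" for each named ftp-only account whose login shell is
# not one of NOLOGIN_SHELLS.  $1 = passwd-format text, remaining args = users.
find_login_capable() {
    passwd="$1"; shift
    for u in "$@"; do
        shell=$(printf '%s\n' "$passwd" | awk -F: -v u="$u" '$1 == u { print $7 }')
        [ -z "$shell" ] && continue            # account not present, skip
        case " $NOLOGIN_SHELLS " in
            *" $shell "*) ;;                   # login already denied
            *) printf '%s %s\n' "$u" "$shell" ;;
        esac
    done
    return 0
}

# Return 0 if /bin/false is listed in the shells-file text ($1), 1 otherwise.
# Without it, ftp daemons that honour /etc/shells reject the ftp-only accounts.
false_in_shells() {
    printf '%s\n' "$1" | grep -qx '/bin/false'
}

# Usage on the constructed data
find_login_capable "$SAMPLE_PASSWD" alice bob carol dave
false_in_shells "$SAMPLE_SHELLS" || echo "WARNING: /bin/false missing from /etc/shells"
```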

-- 
Gllug mailing list  -  Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug