[linux-sec-uk] Secure FTP

Alex Hudson linux-sec-uk at mailman.lug.org.uk
Mon Aug 18 18:46:00 2003


(Hi list ;)

On Mon, 2003-08-18 at 11:39, Simon Morris wrote:
> They now need FTP services, which is where I start to sweat :-)

I wouldn't worry too much. If you're talking about a local intranet
service, it doesn't sound _that_ bad. If you're talking about something
which would sit on the internet, then some kind of host-specific access
control via packet filtering or other means would be worth thinking
about. I think ftp daemons got themselves a bad rap (a bit like bind, I
guess) but have improved a fair amount. Most people will consider them
weak spots still though, I think.

> Is my plan of creating a separate home directory under the chroot
> (/ftproot/home/) for the users' FTP space feasible, and does anyone have
> a favourite secure FTP daemon with LDAP authentication?

I personally use(d) PureFTPD. It's fairly small and simple, and has a
swappable auth system (I have it set up to query a file for acceptable
users, rather than /etc/passwd, and it runs fairly low-privilege). I'm
pretty sure there is already an LDAP auth backend for it, although
whether or not it works might depend on your schema. I'm told ProFTPD
has its fair share of exploits on bugtraq, but I've never really
followed the ftp scene all that much; I don't use ftp any more.

In terms of crack attacks, I do get a few attempts on the ftpd server.
Not as many as Apache receives (tho' most attempts are directed at
Windows-based systems), but enough to notice.

Cheers,

Alex.
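The login attempts Alex mentions noticing are the kind of thing worth counting per source host. The script below is an added example (not from the list post or from the PureFTPD project): it parses constructed syslog-style lines in the assumed pure-ftpd "Authentication failed for user" format and reports sources that exceed a failure threshold, ignoring unrelated lines such as sshd noise.

```python
import re
from collections import Counter

# Assumed pure-ftpd syslog line shape (the sample below is constructed):
#   "<date> host pure-ftpd: (?@<ip>) [WARNING] Authentication failed for user [<name>]"
FAILED_AUTH = re.compile(
    r"pure-ftpd: \([^@)]*@(?P<src>[0-9a-fA-F.:]+)\) \[WARNING\] "
    r"Authentication failed for user \[(?P<user>[^\]]*)\]"
)

# Constructed sample log: one noisy source, one user with a single typo, one sshd line.
SAMPLE_LOG = """\
Aug 18 18:40:01 ftphost pure-ftpd: (?@203.0.113.7) [WARNING] Authentication failed for user [administrator]
Aug 18 18:40:02 ftphost pure-ftpd: (?@203.0.113.7) [WARNING] Authentication failed for user [admin]
Aug 18 18:40:03 ftphost pure-ftpd: (?@203.0.113.7) [WARNING] Authentication failed for user [root]
Aug 18 18:40:09 ftphost pure-ftpd: (?@203.0.113.7) [WARNING] Authentication failed for user [test]
Aug 18 18:41:00 ftphost pure-ftpd: (?@192.0.2.10) [INFO] simon is now logged in
Aug 18 18:42:30 ftphost pure-ftpd: (?@192.0.2.10) [WARNING] Authentication failed for user [simon]
Aug 18 18:43:00 ftphost sshd[123]: Failed password for invalid user foo from 198.51.100.5 port 4444 ssh2
"""


def failed_logins_by_source(log_text):
    """Count pure-ftpd authentication failures per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_AUTH.search(line)
        if m:
            counts[m.group("src")] += 1
    return counts


def suspicious_sources(log_text, threshold=3):
    """Return (source, failures) pairs at or above threshold, most failures first."""
    counts = failed_logins_by_source(log_text)
    flagged = [(src, n) for src, n in counts.items() if n >= threshold]
    return sorted(flagged, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for src, n in suspicious_sources(SAMPLE_LOG):
        print(f"{src}: {n} failed FTP logins")
```

A source flagged this way is a natural candidate for the host-specific packet-filter rules mentioned above, rather than something to act on from a single failure.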
