/* HINT: Search archives @ http://www.indyramp.com/masq/ before posting! */
/* ALSO: Don't quote this header. It makes you look lame :-) */
On Tue, Oct 17, 2000 at 05:50:41PM +1100, raf wrote:
> it's very dangerous to run an internal ftp server.
> if it's used for non-anonymous use, the usernames
> and passwords can be sniffed. whether it's used
> anonymously or not, it's a vector for breakins.
> it's better to run the ftp server on a separate,
> perimeter network, outside your internal network
> if at all possible.
The main danger of having the usernames and passwords sniffed depends on
whether the users coming in from outside to the ftp server also have valid
shells, and telnet (or ssh if it's set to accept password rather than
certificate login) access to reach them. It's quite possible to set up an
ftp server (e.g. proftpd) so that the users don't have shell access, in
which case the remaining dangers are of the sniffer getting the same ftp
access as the valid user (which is why you want to be sure outside users are
jailed to the proper directories), and vulnerabilities in the ftp daemon
itself (which show up from time to time, particularly in wu-ftpd - it's the
same thing as running named or sendmail: keep up with the latest release).
If you will have outside telnet or ssh access, you can at least set the
firewall to only allow it from specific IPs - although of course IPs can be
spoofed. Ssh is not just more secure but also a solider connection, so using
telnet from outside is a bit silly unless you need to come in from somewhere
you can't install ssh.
\/\/ I-I I T
Blauvelt
[EMAIL PROTECTED]
_______________________________________________
Masq maillist - [EMAIL PROTECTED]
Admin requests can be handled at http://www.indyramp.com/masq-list/ --
THIS INCLUDES UNSUBSCRIBING!
or email to [EMAIL PROTECTED]
PLEASE read the HOWTO and search the archives before posting.
You can start your search at http://www.indyramp.com/masq/
Please keep general linux/unix/pc/internet questions off the list.
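Added worked example (not part of Whit's message or of the Masq list's own material): a small POSIX shell script that turns the three controls discussed above into something checkable. It audits a passwd file for accounts whose login shell is interactive (the accounts for which a sniffed FTP password is also a telnet/ssh password), emits the proftpd directives that let FTP-only accounts log in without a valid shell while jailing them to their home directories (RequireValidShell off and DefaultRoot ~), and prints firewall rules that accept ssh only from named source addresses. The passwd lines and IP addresses are constructed; iptables syntax is assumed (a 2.2 kernel of the period would use ipchains with the same logic), and the rules are printed rather than applied so they can be reviewed before piping them to sh.

```shell
#!/bin/sh
# Constructed sample /etc/passwd content (not taken from any real system).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:FTP only:/home/alice:/sbin/nologin
bob:x:1002:1002:shell user:/home/bob:/bin/bash
carol:x:1003:1003:FTP only:/home/carol:/bin/false'

# Shells that give interactive access. On a real box read /etc/shells;
# this list is an assumption for the stand-alone example.
LOGIN_SHELLS='/bin/sh /bin/bash /bin/csh /bin/tcsh /bin/zsh /bin/ksh'

# Print the accounts whose shell is an interactive login shell. These are the
# users for whom a password sniffed off a plaintext FTP session also buys
# telnet, or ssh with password authentication enabled.
# Usage: users_with_login_shell "$(cat /etc/passwd)"
users_with_login_shell() {
    printf '%s\n' "$1" | while IFS=: read -r user pw uid gid gecos home shell; do
        [ -n "$user" ] || continue
        for s in $LOGIN_SHELLS; do
            if [ "$shell" = "$s" ]; then
                printf '%s\n' "$user"
                break
            fi
        done
    done
}

# proftpd.conf fragment for FTP-only, jailed users:
#   RequireValidShell off - accept logins whose shell (/sbin/nologin,
#                           /bin/false) is not listed in /etc/shells
#   DefaultRoot ~         - chroot each authenticated user to their home
proftpd_jail_conf() {
    cat <<'EOF'
# FTP-only accounts get /sbin/nologin or /bin/false as their shell, so do
# not insist on a shell from /etc/shells.
RequireValidShell off
# Jail every non-anonymous user to their own home directory.
DefaultRoot ~
EOF
}

# Emit firewall rules accepting ssh (tcp/22) on the outside interface only
# from the listed source addresses, then dropping it from everyone else.
# iptables syntax is assumed; on a 2.2 kernel substitute the equivalent
# ipchains rules. Source filtering is one layer only: it raises the bar, it
# does not replace key-based authentication on the ssh daemon itself.
# Usage: ssh_allow_rules eth0 "192.0.2.10 198.51.100.7"
ssh_allow_rules() {
    ext_if=$1   # outside interface
    allowed=$2  # space-separated trusted source IPs
    for ip in $allowed; do
        printf 'iptables -A INPUT -i %s -p tcp -s %s --dport 22 -j ACCEPT\n' \
            "$ext_if" "$ip"
    done
    printf 'iptables -A INPUT -i %s -p tcp --dport 22 -j DROP\n' "$ext_if"
}

# Run with "demo" as the first argument to see all three outputs.
if [ "${1:-}" = "demo" ]; then
    echo '== accounts exposed to password sniffing (have a login shell) =='
    users_with_login_shell "$SAMPLE_PASSWD"
    echo '== proftpd.conf fragment =='
    proftpd_jail_conf
    echo '== firewall rules (review, then pipe to sh) =='
    ssh_allow_rules eth0 '192.0.2.10 198.51.100.7'
fi
```

Against the constructed passwd lines the audit reports root and bob; alice and carol, with /sbin/nologin and /bin/false, are the FTP-only accounts the message describes, and with DefaultRoot ~ in force a stolen password for them yields at most the same jailed FTP view the legitimate user has.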