On Tue, Aug 01, 2006 at 10:26:23AM -0500, Titan wrote:
> I have quite a predicament. I have been tasked with setting up an FTP
> server for the research group I'm involved with. The problem is once
> I'm gone someone with no *NIX experience will be maintaining the
> server. I've been considering using OpenBSD because it looks like it
> can go far longer without updates than Windows and Linux servers and
> looks to be very secure.
>
> In your experience, would it be possible for someone with no *NIX
> experience to maintain a simple FTP server?
No.
In fact, most persons with UNIX experience would counsel you against
using FTP other than anonymous FTP - as posted before, it's quite
insecure[1]. As mentioned before, sftp is preferable.
If you must do this, consider going with whatever the group knows. If
this is nothing, tell them to get some help.
> How long would you trust an unpatched OpenBSD server to go unhacked?
If it's only running ftpd (or sshd+sftp-server), system compromise is
likely to take years, given a proper setup (i.e., no root access via ftp
and such). However, user accounts may be compromised within minutes.
Joachim
[1] Using S/Key exclusively does go some way towards mitigating the
problem, but adds a lot of complexity and raises the bar for a competent
attacker from 'trivial' to 'easy'. (Hint: take over a session; if you
have some time, write a program that does so as soon as QUIT is seen,
leaving the user none the wiser. This does, however, require a host that
can actually intercept the stream, instead of just seeing it. Or, for a
quicker solution, proxy the authentication request from the server to
the client and then deny authentication, and you have successfully stolen
a password. Less stealthy, though.)
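To make the footnote concrete, here is an added example that is not part of the thread and not code from any of the posters. It implements the one-time-password hash chain of RFC 2289 (otp-md5, the standardized successor of S/Key; original S/Key used MD4, which many current hashlib builds no longer ship, so MD5 folding is used here as a substitute) on both the client and the server side, and runs it through three scenarios: a normal login, a replay of a consumed OTP, and the "relay the challenge, keep the user's response, tell the user the login failed, then log in yourself" attack from the footnote. It also shows, by parsing a constructed control-channel capture, what a passive observer gets from plain FTP. The seed, passphrase, host name and capture are all made up for the example.

```python
"""Added example: why S/Key-style OTP stops password sniffing but not the
relay attack described in the footnote. Uses RFC 2289 otp-md5 in place of
the original MD4-based S/Key; all seeds, passphrases and captures are
constructed for this illustration."""
import hashlib
from typing import Optional, Tuple


def _fold(digest: bytes) -> bytes:
    """RFC 2289 MD5 folding: XOR the two 8-byte halves of a 16-byte digest."""
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:16]))


def otp_md5(passphrase: str, seed: str, sequence: int) -> bytes:
    """Client side: the 64-bit one-time password for a given sequence number.
    Sequence N is the initial hash iterated N more times, so the password for
    N-1 cannot be derived from the password for N (the hash is one-way)."""
    s = _fold(hashlib.md5((seed.lower() + passphrase).encode()).digest())
    for _ in range(sequence):
        s = _fold(hashlib.md5(s).digest())
    return s


class OtpServer:
    """Server side: stores only the last accepted OTP and its sequence number,
    never the passphrase, so a stolen server database yields no password."""

    def __init__(self, passphrase: str, seed: str, count: int = 100):
        self.seed = seed
        self.sequence = count                      # sequence of the stored OTP
        self.stored = otp_md5(passphrase, seed, count)

    def challenge(self) -> Tuple[int, str]:
        # The client must answer with the OTP one step below the stored one.
        return self.sequence - 1, self.seed

    def verify(self, response: bytes) -> bool:
        # Hashing the response once must reproduce the stored value.
        if _fold(hashlib.md5(response).digest()) != self.stored:
            return False
        self.stored = response                     # chain moves one step down
        self.sequence -= 1
        return True


def relay_attack(passphrase: str, seed: str) -> dict:
    """The footnote's quicker attack: the attacker forwards the server's
    challenge to the user unchanged, keeps the user's answer, reports
    'login failed' to the user, and uses the answer before the user can."""
    server = OtpServer(passphrase, seed, count=20)
    seq, chal_seed = server.challenge()            # relayed verbatim to the user
    user_response = otp_md5(passphrase, chal_seed, seq)
    attacker_logged_in = server.verify(user_response)   # stolen OTP, used once
    replay_of_stolen = server.verify(user_response)     # the OTP is now consumed
    seq2, _ = server.challenge()                        # user simply retries
    user_retry = server.verify(otp_md5(passphrase, chal_seed, seq2))
    return {"attacker_logged_in": attacker_logged_in,
            "replay_rejected": not replay_of_stolen,
            "user_retry_succeeds": user_retry,   # nothing tells the user
            "sequence_after": server.sequence}


# Constructed plain-FTP control-channel transcript, as a sniffer would see it.
FTP_CAPTURE = """220 ftp.example.org FTP server ready.
USER alice
331 Password required for alice.
PASS hunter2
230 User alice logged in.
QUIT
221 Goodbye."""


def credentials_from_capture(capture: str) -> Optional[Tuple[str, str]]:
    """Without OTP, a passive observer gets the reusable password verbatim."""
    user = password = None
    for line in capture.splitlines():
        verb, _, arg = line.partition(" ")
        if verb.upper() == "USER":
            user = arg
        elif verb.upper() == "PASS":
            password = arg
    return (user, password) if user and password else None


if __name__ == "__main__":
    print("sniffed from plain FTP:", credentials_from_capture(FTP_CAPTURE))
    print("relay attack against OTP:", relay_attack("correct horse battery", "ob3412"))
```

The result matches the footnote's assessment: the one-time password defeats sniffing and replay (the second verify of the stolen response fails), but it does nothing against an attacker who is in the path, and the user's successful retry hides the theft. Only an encrypted, authenticated channel such as SSH/sftp removes the in-path attacker.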