Quoting Rafael 'Dido' Sevilla ([EMAIL PROTECTED]):

> On Fri, Mar 22, 2002 at 03:17:35PM +0800, Eliel Antero S. Roxas wrote:
>> Hello Everyone!
>>
>> I am trying to set up an FTP server in Red Hat 7.1.
>
> Forget about installing it. I'm serious.
>
> I would strongly suggest that you ditch the FTP server completely, or
> leave it at anonymous-only download if that's what you want.

The latter is what I do -- currently using vs-ftpd. I keep a list of
known ftpds, with comments on security and other matters, at
http://linuxmafia.com/pub/linux/security/ftp-daemons . Many problems
people attribute to ftpds are just a matter of people not thinking to use
something better than wu-ftpd. But there are also other pitfalls often
considered inherent to non-anonymous ftp. Let's consider them:

> Non-anonymous FTP is very dangerous in today's world, as it performs
> authentication without cryptography, which is a complete joke.

This isn't necessarily a problem. It's a problem if (1) ftp users have
wide access to the filesystem, and (2) ftp exposes passwords also usable
for shell access. But nobody says either of those things _needs_ to be
true.

o Chroot non-anonymous users to subdirectories of their home directories.
  ~/public_html might be good enough.

o And you _do_ already apply quota to the /home tree, right?

o Compile your ftpd to authenticate against a separate password file, not
  the main system authentication database.

An ftpd compiled and operated that way will not create the hazard you
describe.

Mind you, some years ago, I shut off non-anonymous ftpd (and POP3[1]) on
my systems for exactly the reason you described. It's only recently that
I realised there _are_ ways to offer the service that don't suffer the
obvious threat model.

> As I have said over and over, FTP is a relic of a time when the
> Internet was a research network where everyone could trust everyone
> else.

Please note that it has some unique advantages:
http://linuxmafia.com/~rick/linux-info/ftp-justification

[1] APOP isn't widely enough supported to be a reasonable option, and
requires having a plaintext password file sitting around. SSL-wrapped
POP3 works fine, but you have to really twist your users' arms to get
them to set up the client side.

-- 
Cheers,                     Emacs is a decent operating system,
Rick Moen                   but it still lacks a good text editor.
[EMAIL PROTECTED]
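The three mitigations in the post above, turned into a check over a vsftpd configuration. This is an added example, not code from the post or from the vsftpd project: the directive names (chroot_local_user, guest_enable, anon_upload_enable, local_root, pam_service_name) are real vsftpd options, the two sample configurations and the audit functions are constructed here, and local_root is assumed to be interpreted relative to the user's home directory.

```shell
# Added example, not code from the original post: audit a vsftpd.conf for the
# pitfalls listed above. Directive names are real vsftpd options; the sample
# configuration contents are constructed for this demo.

# Prints the last value set for a directive, or the vsftpd default passed as $3.
vsftpd_get() {  # $1=conf file  $2=directive  $3=default
    v=$(sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1)
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf '%s\n' "$3"; fi
}

# Prints one finding per line; prints nothing for a config that passes.
vsftpd_audit() {  # $1=conf file
    if [ "$(vsftpd_get "$1" local_enable NO)" = YES ]; then
        # (1) non-anonymous users must be confined to (a subdir of) their home
        [ "$(vsftpd_get "$1" chroot_local_user NO)" = YES ] ||
            echo "local users can roam the filesystem: set chroot_local_user=YES"
        # (2) logins must not expose passwords from the system account database
        [ "$(vsftpd_get "$1" guest_enable NO)" = YES ] ||
            echo "local users log in with system passwords: set guest_enable=YES"
    fi
    # anonymous-only *download* means no anonymous uploads
    if [ "$(vsftpd_get "$1" anonymous_enable YES)" = YES ] &&
       [ "$(vsftpd_get "$1" anon_upload_enable NO)" = YES ]; then
        echo "anonymous upload is enabled: set anon_upload_enable=NO"
    fi
}
vsftpd_finding_count() { vsftpd_audit "$1" | wc -l | tr -d '[:space:]'; }

# Constructed sample: the "everything on" setup the thread warns against.
WEAK_CONF=$(mktemp); HARDENED_CONF=$(mktemp)
cat >"$WEAK_CONF" <<'EOF'
anonymous_enable=YES
anon_upload_enable=YES
local_enable=YES
EOF
# Constructed sample applying the three recommendations: anonymous download
# only, local users chrooted under ~/public_html (local_root assumed relative
# to $HOME), virtual users (guest_enable) checked by a dedicated PAM service.
cat >"$HARDENED_CONF" <<'EOF'
anonymous_enable=YES
anon_upload_enable=NO
local_enable=YES
chroot_local_user=YES
local_root=public_html
guest_enable=YES
guest_username=ftpvirt
pam_service_name=vsftpd-virtual
EOF
echo "weak:"; vsftpd_audit "$WEAK_CONF"; echo "hardened:"; vsftpd_audit "$HARDENED_CONF"
```

The quota recommendation is filesystem-level rather than a vsftpd directive, so it is not covered by this check.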
_
Philippine Linux Users Group. Web site and archives at http://plug.linux.org.ph
To leave: send "unsubscribe" in the body to [EMAIL PROTECTED]
To subscribe to the Linux Newbies' List: send "subscribe" in the body to [EMAIL PROTECTED]
