[svlug] ftp access question

Rafael raffi at linwin.com
Wed Jun 28 00:40:55 PDT 2000
Previous message: [svlug] ftp access question
Next message: [svlug] ftp access question
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On Tue, 27 Jun 2000, Rick Moen wrote:

> begin  Rafael quotation:
> 
> > FTP is a long time security problem and it's not worth to have it on
> > any server these days IMO.
> 
> Well, it's more accurate to say that certain crufty and overfeatured
> ftpds, notably wu-ftpd and proftpd, have had a bad security history, and
> that more of the same might be expected based on analyses of their
> design.
> 
> So, one option is to run a better-designed ftpd.  See:  
> http://linuxmafia.com/pub/linux/security/ftp-daemons
> My personal pick (in light of my needs) would be aftpd.
> 
> > HTTPD server allows anybody to download any files
> > anonymously if that's what you want.
> 
> With advantages for server load (as the connections are transient), but
> the disadvantages of stripping information concerning the owning user

What good is it when the downloaded file is owned by bozo/lozo and I'm
raffi/raffi untaring the file and compiling it? If I want to preserve the
ownership across the platforms, moving a user from one server to another
for example, ssh with tar will do the job, thank you. The only time I use
ftp is to bring in ssh. After that it's gone.

> and group, special file attributes including symlink vs. normal, and

Links are mostly a nuisance and nobody will convince me otherwise. When
working on "computer ranch" with over 750 servers last year we had
problems when people created links against the guidelines, especialy over
NFS and across the partitions. You move the drive and start getting
calls "where is my file?" We had to cleanup the mess many times. 3 lashes
for each bad link should be the POSIX standard.

> accurate (non-rounded) filesizes.  http cannot obsolete ftp until I 

Who cares if the file is listed as 4MB or 4028kB? All I care is the fact
that it will take me a long time to download over modem line. It's more
important to have additional file to list MD5 sums to check the integrity
of the files.

> can see that http://debian.linuxmafia.com/debian/dists/unstable/ is 
> a symlink, and I can see how many bytes long
> http://debian.linuxmafia.com/debian/tips is without having to first
> retrieve it and run "ls".
> 

I can see file sizes with much better icons in netscape than standard ftp:
http://metalab.unc.edu/pub/linux/distributions/debian/
     ChangeLog               04-Mar-2000 11:24    85k  
     Contents-alpha.gz       05-Sep-1999 15:25   989k  

while lynx does a good job in text format:
 [   ]  ChangeLog               04-Mar-2000 11:24    85k
 [   ]  Contents-alpha.gz       05-Sep-1999 15:25   989k
 ..........................

So what's the problem? None. It's historic. How many Gophers are people
visiting lately? Not to mention setting them up?

I see no reason to use ftp to get to the files. Files is files.

> > For upload and secure (passwd protected) downloads use scp or ssh.
> 
> Which leaves the problem of anonymous upload.  This you can do with CGI:
> 
> http://html.about.com/compute/html/library/weekly/aa030899.htm
> http://www.muquit.com/muquit/software/upload_pl/upload_pl.html
> http://www.tsden.org/ryutaroh/fileupload-e.shtml
> http://www.altnews.com.au/tools/wwwcount/upload/upload.html

That's not a problem for a long time. Again, FTP is more dangerous than
other methods. I have no need for anonymous upload. If there is a need for
anybody to upload files I'll give them an account. That way I know what's
going on.

> 
> > That way you have only one service to administer and worry about.
> 
> A point.
> 
> Getting back to Gordon's question, assuming he's using wu-ftp, many 
> questions can be resolved via the information files on the project Web
> site, and particularly in http://www.wu-ftpd.org/wu-ftpd-faq.html .

Gordon:
"... I have anonymous ftp/guest disabled by adding anonymous and guest to
/etc/ftpusers.  This may not have been the correct way, but it causes
people to supply passwords, which don't exist."

Gordon doesn't want to run "open ftp" if I read his email correctly. Why
bother with FTP on the first place? As I demonstrated above, http provides
safer environment for downloads. ssh provides the rest for the uploads.
Those who don't care to use it don't need to have access to the server.

> I no longer use wu-ftp, but I believe he needs to set the configuration 
> options he's referring to in /etc/ftpaccess .  There's an HTML copy of 
> the manpage at http://www.wu-ftpd.org/man/ftpaccess.html .
> 
> > I've had a break in from a Korean bank through BIND earlier this year.
> 
> But the vulerability he probably exploited has been known about since 
> 1999-11-16.  Moral:  Make sure you find out about known remote root

Of course, but who has all systems up to date or time to do it?

> exploits in all network daemons you choose to run.  This can mean
> something as easy as (e.g.) subscribing to the debian-security-announce 
> mailing list.  And so on.

Life is uncertain, some times you lose. You also learn a lot if you care
to do so.

> 
> -- 
> Cheers,    "That scruffy beard... those suspenders... that smug expression....
> Rick Moen   You're one of those condescending Unix users!"   "Here's a nickel,
> rick (at) linuxmafia.com      kid.  Get yourself a real computer."  -- Dilbert
> 

(cd /var/mail;tar cfp - mail)|(ssh -l root someserver 'cd /var/spool/mail;tar xvfp -')

Any questions?

   O__  ---- Rafael Skodlar
  c/ /'_ --- Linux Imagineer since 1994
 (*) \(*) -- There is a tunnel at the end of light.
Previous message: [svlug] ftp access question
Next message: [svlug] ftp access question
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
More information about the svlug mailing list