
Re: Is debian OpenBSD ftpd secure?



Berend De Schouwer wrote:
> 
> On Tue, 30 Jan 2001 15:45:50 Mike Moran wrote:
[ ... ]
> 
> | However, SAINT still seems to pick this up as a vulnerability. Is this
> | just because the SAINT detection routines get fooled by the
> | almost-successful login, or is there actually a real vulnerability?
> 
> It shouldn't.  It's "best practice" to ALWAYS ask for a password,
> even if the account is disabled.  Does SAINT give any more info?

Not that I remember (I don't have SAINT available here right now). It
just highlighted the OpenBSD server in its vulnerability list, and gave
a link to a list of known problems with a whole load of ftp servers.
OpenBSD was mentioned in the section about anonymous access
vulnerability. However, from my reading, it is only vulnerable if the
"anonymous" account is available for login. Still, I'd like to be sure
that it isn't vulnerable; the previous (RH) machine I was on got hit by
the Ramen Worm last week, so I'd like to be doubly sure I am safe from
similar attacks on Debian.

Are there any other SAINT-like vulnerability testers that I could double
check it with?

-- 
Mike.Moran@ee.ed.ac.uk 
                   Web: http://houseofmoran.com/
               AvantGo: http://houseofmoran.com/Lite/
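
Added example, not part of the original message: one way to check by hand whether anonymous FTP is really open on a server you administer, by telling apart the "password prompt, then refusal" behaviour described above from an actual login. The reply texts and the `audit@example.invalid` password are constructed placeholders, and nothing here reflects how SAINT itself decides.

```python
import ftplib

def classify(user_reply, pass_reply=None):
    """Decide from the server's replies whether anonymous login is really open."""
    if user_reply.startswith("230"):
        return "anonymous-open"        # logged in with no password at all
    if user_reply.startswith("331"):
        if pass_reply is None:
            return "inconclusive"      # a password prompt alone proves nothing
        # Only a 230 after PASS means the session was actually granted.
        return "anonymous-open" if pass_reply.startswith("230") else "rejected"
    return "rejected"                  # e.g. 530 straight after USER

def _reply(ftp, line):
    """Send one command; return the reply line even when it is a 4xx/5xx."""
    try:
        return ftp.sendcmd(line)
    except (ftplib.error_temp, ftplib.error_perm) as exc:
        return str(exc)

def probe(host, timeout=10):
    """Attempt an anonymous login against your own server and classify it."""
    with ftplib.FTP(host, timeout=timeout) as ftp:
        user_reply = _reply(ftp, "USER anonymous")
        pass_reply = None
        if user_reply.startswith("331"):
            pass_reply = _reply(ftp, "PASS audit@example.invalid")
        return classify(user_reply, pass_reply), user_reply, pass_reply

# Constructed reply lines for illustration (not captured from a real server).
SAMPLES = {
    "disabled, still prompts": ("331 Password required for anonymous.",
                                "530 Login incorrect."),
    "anonymous enabled": ("331 Guest login ok, send your email address.",
                          "230 Guest login ok, access restrictions apply."),
    "refused at USER": ("530 User anonymous unknown.", None),
    "banner-style check": ("331 Password required for anonymous.", None),
}

if __name__ == "__main__":
    for name, (user_reply, pass_reply) in SAMPLES.items():
        print(f"{name}: {classify(user_reply, pass_reply)}")
```

A check that stops after the 331 reply lands in the "inconclusive" case, which is why a server that always asks for a password can look open without being so.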


