
Re: FTP and telnet



On 23/10/99 Art Lemasters wrote:

    Look at /etc/hosts.allow and /etc/hosts.deny.  Read the documentation
(man pages, /usr/doc, everything) very thoroughly, because there are
serious security risks involved with mistakes made at configuring FTP and
telnet.  BTW, proftpd and ssl telnet are the best way to go with those
if you must run them, IMHO.  Any input (or corrections) from others on
this list would be welcome.

Definitely right about the security issues involved with activating those services. Don't enable them lightly...

I would suggest ssh over ssl telnet though. ssh 1.2.27 is very secure and has clients available for most platforms, but I think it's simply less hassle to deal with than ssl, as you don't have to deal with all that certificate crud. YMMV.

As for ftp, I think it's a toss-up between wu-ftpd 2.6.0 and proftpd. proftpd is supposed to be built from scratch with security in mind, but it has proven to have just about as many problems as any other; the last couple of wu-ftpd exploits existed in proftpd too. wu-ftpd also has some nice abilities (on-the-fly tarring and gzipping) which proftpd claims introduce more security risks. Maybe they are right, but I have yet to see a recent exploit that involved those abilities, and I find them very useful.

Debian appears to still not have packaged the final version 2.6.0 of wu-ftpd, which fixes the latest exploits (Red Hat has a final 2.6.0 available on their errata, fixing all 3 of the issues reported on BugTraq).

What other ftpds are available for GNU/Linux? (And/or Debian packaged?)

I am going to look at the OpenBSD ftpd and see what it can do. If it has not been done already, I may try to get it to run on GNU/Linux; that would probably be the most secure one there is :-)



Best Regards,
Ethan Benson
To obtain my PGP key: http://www.alaska.net/~erbenson/pgp/

