[plug] re: FTP set-up

Beau Kuiper kuiperba at cs.curtin.edu.au
Fri Jun 30 15:19:01 WST 2000


Hi,

Sorry if I'm trumpeting my own horn a bit, but why don't you give muddleftpd a try?
It is a powerful server that has been designed and implemented securely, with
the following classes of bugs a non-issue:

1) Printf format bugs (where the user specifies %s in the format). I personally
checked all the code for this bug. These fortunately are really easy to fix.
2) Stack overflow bugs. Muddleftpd uses dynamic memory to automatically
allocate space for strings whenever the resultant length of a string is
unknown (most of the time). These bugs are common in programs that are not
designed from scratch to handle it. Muddleftpd has been implemented by me
with a philosophy that these bugs must NEVER occur.

In your case, you should use the latest development version, with the
standard.conf example configuration. Mail me if you want more help.

Have a look at:

http://www.muddleftpd.cx/

Have fun
Beau Kuiper
kuiperba at cs.curtin.edu.au
support at muddleftpd.cx

On Fri, 30 Jun 2000, Christian wrote:
> On Fri, Jun 30, 2000 at 09:35:18AM +0800, Matt Kemner wrote:
> > On Thu, 29 Jun 2000, Jon L. Miller wrote:
> >
> > Install proftpd, and add an entry to the config file like:
>
> Has proftpd undergone a comprehensive audit by an independent third
> party yet?  I know the developers themselves had more or less done so
> but the last I heard the code was still in a pretty shabby state so
> there is certainly an element of risk in installing it.  My advice would
> be, if you choose to install proftpd, to watch an appropriate security
> bulletin (not CERT, too slow) for any problems and be prepared to have
> possible downtime or regular upgrades on your FTP service.  The only
> FTP server with a worse security record would have to be wu-ftpd.  The
> FTP server that is distributed with Debian is based on the OpenBSD FTP
> server and is therefore much more trustworthy.  Of course it suffers
> from the standard problem of plaintext passwords and is nowhere near as
> configurable as proftpd so you lose the advantage of the configuration
> that Matt gave.  I guess it boils down to what you'd rather risk:
>
> 1. Install proftpd which allows you to limit FTP access to the user's
> home directory but be potentially open for a remote root compromise in
> the future.
>
> 2. Use a less configurable FTP server like the one I suggested which
> allows someone with the user's password to FTP around the entire machine
> (permissions permitting) but likely will not open you to a root compromise.
>
> Personally I would choose (2) but there may be good reasons for you to
> consider (1), depending on your situation.
>
> Regards,
>
> Christian.
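The two bug classes Beau lists above are easy to show side by side. The following is an added example written for this archive page; it is not muddleftpd code and not code from anyone on the thread, and every function name in it is invented for illustration. It contrasts a client string used as a printf format with the "%s" form, and a fixed-size stack buffer with the measure-then-allocate approach (vsnprintf with a NULL buffer, C99) that sizes strings at run time. The 300-byte path is a constructed input standing in for a long client argument.

```c
/* Added example, not muddleftpd code.  Contrasts the two bug classes named
 * in the mail: (1) passing client text as a printf format, and (2) copying
 * client text into a fixed-size stack buffer.  Helper names are invented. */
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* (1) Format-string bug.  The dangerous form is
 *        syslog(LOG_INFO, client_line);        // client text IS the format
 *    Every '%' the client sends (except "%%") becomes a conversion it
 *    controls: "%x" leaks stack words, "%n" writes memory.  This counts
 *    how many such directives a line would hand to printf. */
int count_conversions(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }  /* literal percent sign */
        n++;
    }
    return n;
}

/* The fix: the format is a string literal, client text is an argument.
 * Returns the length snprintf would produce, so (NULL, 0) just measures. */
int log_client_line(char *dst, size_t dstlen, const char *client_line)
{
    return snprintf(dst, dstlen, "client: %s", client_line);
}

/* (2a) Fixed-size buffer, the pattern the mail says muddleftpd avoids.
 *    With sprintf/strcpy a long path overwrites the stack; snprintf here
 *    keeps the demo safe but still loses data.  Returns 1 when the reply
 *    did not fit, i.e. when the unbounded version would have overflowed. */
#define FIXED_LEN 64
int reply_fixed_overflows(const char *path)
{
    char buf[FIXED_LEN];
    /* sprintf(buf, "550 %s: No such file\r\n", path);   <- the actual bug */
    int n = snprintf(buf, sizeof buf, "550 %s: No such file\r\n", path);
    return n < 0 || (size_t)n >= sizeof buf;
}

/* (2b) Dynamic sizing: measure with vsnprintf(NULL, 0, ...) (C99), then
 *    allocate exactly what is needed.  No fixed array, so no overflow
 *    however long the path is.  Caller frees the result. */
char *reply_dyn(const char *fmt, ...)
{
    va_list ap, ap2;
    va_start(ap, fmt);
    va_copy(ap2, ap);
    int n = vsnprintf(NULL, 0, fmt, ap);
    va_end(ap);
    char *out = NULL;
    if (n >= 0 && (out = malloc((size_t)n + 1)) != NULL)
        vsnprintf(out, (size_t)n + 1, fmt, ap2);
    va_end(ap2);
    return out;
}

/* Constructed input: a path of n 'A's, standing in for a long client argument. */
char *make_long_path(size_t n)
{
    char *p = malloc(n + 1);
    if (p) { memset(p, 'A', n); p[n] = '\0'; }
    return p;
}

int main(void)
{
    char *path = make_long_path(300);
    char *r = reply_dyn("550 %s: No such file\r\n", path);
    printf("dynamic reply is %zu bytes; fixed %d-byte buffer would overflow: %d\n",
           strlen(r), FIXED_LEN, reply_fixed_overflows(path));
    printf("directives a hostile line hands to printf: %d\n",
           count_conversions("%x%x%x%n"));
    free(r);
    free(path);
    return 0;
}
```

The check a reviewer applies is the one Beau describes doing by hand: every call in the printf family must have a string literal as its format argument, and every string built from client data must either be bounded by its buffer size or have its buffer sized from the measured length, as reply_dyn does.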
