[ale] FTP-only
Jonathan Rickman
jonathan at xcorps.net
Wed Jan 1 18:48:24 EST 2003
On Wed, 1 Jan 2003, attriel wrote:
> OK, so, I remember waaaay back when I started with slack in 95 there were
> tricks where people would use someone's FTP to get into the server via
> shell-overloads and the like, so it was always advised to not give them
> real shells, but rather fake ones, like /bin/none or something ...
>
> Then it turned out that that really wasn't a good idea, b/c there was an
> all-new set of fakes they could do to turn /dev/null or such into a root
> bash ... But I don't remember what the real solution was to that, since
> most of my FTPs also had shell access (well, they had shells and so I
> gave them FTP for uploading) ...
>
> Now, I'm installing a new server for web serving, but at this point most
> of the people using it DON'T get shells anymore (executive decisions are
> so much fun :) SO! I need to know those tricks again. How do I make an
> FTP setup secure? I'm thinking about doing SFTP, but I'm not 100% sure
> that all the people using the system could handle it (specifically, my
> parents :o)
>
> So, failing the SFTP option, what's the way of making like wu secure? And
> which is easier to secure/less "exploit-y"? wu? pro? something else?
It all depends on how diligent you are about patching. I'd rate WU pretty
poorly due to its amazing history. Personally, I like Pro but vsftp is
pretty good and is generally regarded as the most secure.
http://vsftpd.beasts.org
--
Jonathan Rickman
X Corps Security
http://www.xcorps.net