[ale] FTP-only

Jonathan Rickman jonathan at xcorps.net
Wed Jan 1 18:48:24 EST 2003


On Wed, 1 Jan 2003, attriel wrote:

> OK, so, I remember waaaay back when I started with slack in 95 there were
> tricks where people would use someone's FTP to get into the server via
> shell-overloads and the like, so it was always advised to not give them
> real shells, but rather fake ones, like /bin/none or something ...
>
> Then it turned out that that really wasn't a good idea, b/c there was an
> all-new set of fakes they could do to turn /dev/null or such into a root
> bash ... But I don't remember what the real solution was to that, since
> most of my FTPs also had shell access (well, they had shells and so I
> gave them FTP for uploading) ...
>
> Now, I'm installing a new server for web serving, but at this point most
> of the people using it DON'T get shells anymore (executive decisions are
> so much fun :) SO!  I need to know those tricks again.  How do I make an
> FTP setup secure?  I'm thinking about doing SFTP, but I'm not 100% sure
> that all the people using the system could handle it (specifically, my
> parents :o)
>
> So, failing the SFTP option, what's the way of making like wu secure?  And
> which is easier to secure/less "exploit-y"?  wu? pro? something else?


It all depends on how diligent you are about patching. I'd rate WU pretty
poorly due to its amazing history. Personally, I like Pro but vsftp is
pretty good and is generally regarded as the most secure.
http://vsftpd.beasts.org

--
Jonathan Rickman
X Corps Security
http://www.xcorps.net

_______________________________________________
Ale mailing list
Ale at ale.org
http://www.ale.org/mailman/listinfo/ale





