On Fri, Sep 17, 2010 at 5:51 AM, Robert P. J. Day rpjday@crashcourse.ca wrote:
> (another in an ongoing list of things i just want to clarify for the sake of future courses taught on centos.)
> from this RHEL doc page:
> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment...
> the reader is advised to, for the sake of security, remove/disable vsftpd, ostensibly in favour of sftp/sftp-server. really?
> i can obviously see disallowing stuff like telnet and rsh and rlogin, that's a no-brainer. but advising against vsftpd for the sake of security? i'm not sure i see the logic in that. thoughts?

I agree with the point that the document is making. If you go to the trouble to lock down an account, it doesn't make sense to allow that same account to access the server via the ftp protocol. However, I do use vsftpd with specific IDs that do not have shell access. These accounts are also generally not system accounts so even if a password was sniffed, it would not allow shell access.
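
Added example, not part of the original messages: a small audit of the practice described in the reply, flagging any FTP-permitted ID that has a login shell or is a system account. The function names, the `uid_min=500` threshold, the non-login shell list, and the sample passwd data are assumptions constructed for illustration; how a site defines its list of FTP-permitted IDs is left to the caller.

```python
"""Audit FTP-permitted accounts: none should have a login shell or be a system account."""

# Shells treated as "no interactive access" (assumed list; adjust per site).
NON_LOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

# Constructed sample in passwd(5) format, not taken from any real host.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
upload1:x:501:501::/srv/ftp/upload1:/sbin/nologin
alice:x:502:502::/home/alice:/bin/bash
"""

def parse_passwd(text):
    """Return {name: (uid, shell)} from passwd(5)-format text."""
    accounts = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 7:
            continue  # blank or malformed entry
        name, _pw, uid, _gid, _gecos, _home, shell = fields
        accounts[name] = (int(uid), shell)
    return accounts

def audit_ftp_accounts(passwd_text, ftp_users, uid_min=500):
    """Return (account, problem) pairs for FTP-permitted IDs.

    uid_min is an assumed boundary between system and regular accounts.
    """
    accounts = parse_passwd(passwd_text)
    findings = []
    for name in sorted(ftp_users):
        if name not in accounts:
            findings.append((name, "no such account"))
            continue
        uid, shell = accounts[name]
        # An empty shell field means /bin/sh, so it counts as a login shell.
        if shell not in NON_LOGIN_SHELLS:
            findings.append((name, "has login shell %s" % (shell or "/bin/sh")))
        if uid < uid_min:
            findings.append((name, "system account (uid %d)" % uid))
    return findings

if __name__ == "__main__":
    for account, problem in audit_ftp_accounts(SAMPLE_PASSWD, {"upload1", "alice", "ftp"}):
        print("%s: %s" % (account, problem))
```

The check covers only what a sniffed FTP password could be reused for on the same host; it does not change the fact that FTP sends the password in clear text.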