On Fri, 17 Sep 2010 07:08:23 -0700 cpolish@surewest.net wrote:
Robert P. J. Day wrote:
On Fri, 17 Sep 2010, Michel van Deventer wrote:
(another in an ongoing list of things i just want to clarify for the sake of future courses taught on centos.)
from this RHEL doc page:
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment...
the reader is advised to, for the sake of security, remove/disable
vsftpd, ostensibly in favour of sftp/sftp-server. really?
i can obviously see disallowing stuff like telnet and rsh and rlogin, that's a no-brainer. but advising against vsftpd for the sake
of security? i'm not sure i see the logic in that. thoughts?
As FTP is a clear-text protocol, I would surely advise against leaving it on :) I only run a vsftpd server on one of my machines for the customers' comfort, but that will change in the near future!
I can easily imagine scenarios where unencrypted traffic with usernames/passwords is disallowed.
but you can configure vsftpd to have secure connection:
http://wiki.vpslink.com/Configuring_vsftpd_for_secure_connections_(TLS/SSL/S...)
would that not address that issue? i'm not arguing against secure communications, only that that manual page so cavalierly dismisses vsftpd when it seems clear that you *can* configure vsftpd to be secure.
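As an added illustration (not from the thread or from any of its posters), here are two vsftpd.conf fragments that show what "configuring vsftpd to be secure" amounts to: the default clear-text settings next to a variant that refuses any login or data transfer that is not protected by TLS. Use one fragment or the other, never both in the same file. The certificate and key paths are assumed placeholders:

```ini
# --- Fragment A: clear-text FTP (the default). Usernames, passwords and
# file contents cross the network unencrypted. ---
ssl_enable=NO

# --- Fragment B: FTP over TLS. Plain-text logins and data connections
# are rejected; clients must negotiate AUTH TLS on the control channel. ---
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
allow_anon_ssl=NO
# Accept only TLS 1.x; disable the obsolete SSL 2 and SSL 3 protocols.
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_ciphers=HIGH
# Placeholder paths: point these at a real server certificate and key.
rsa_cert_file=/etc/pki/tls/certs/vsftpd.pem
rsa_private_key_file=/etc/pki/tls/private/vsftpd.key
```

With fragment B the daemon still listens on TCP 21, but a client that tries to send USER/PASS before upgrading to TLS is refused, which is what removes the clear-text credential exposure the thread is discussing; the keys shown are standard vsftpd options, and the cipher, certificate and key values are the settings most deployments would want to review for themselves.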
Google for vsftpd + bugtraq. Be afraid.
I used to have vsftpd lying around unused after I started using sftp, but I just went ahead and removed it. The fewer services I have running, the fewer points of entry there are, so if you can already do what FTP does with ssh/sftp, why open up FTP? Unless you are supporting some legacy apps that do not support sftp.