(another in an ongoing list of things i just want to clarify for the sake of future courses taught on centos.)
from this RHEL doc page:
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment...
the reader is advised to, for the sake of security, remove/disable vsftpd, ostensibly in favour of sftp/sftp-server. really?
i can obviously see disallowing stuff like telnet and rsh and rlogin, that's a no-brainer. but advising against vsftpd for the sake of security? i'm not sure i see the logic in that. thoughts?
rday
On Fri, 2010-09-17 at 05:51 -0400, Robert P. J. Day wrote:
> (another in an ongoing list of things i just want to clarify for the sake of future courses taught on centos.)
> from this RHEL doc page:
> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment...
> the reader is advised to, for the sake of security, remove/disable vsftpd, ostensibly in favour of sftp/sftp-server. really?
There is nothing wrong with locking it down in Read Only file structures.
John
On Fri, Sep 17, 2010 at 5:51 AM, Robert P. J. Day rpjday@crashcourse.ca wrote:
> (another in an ongoing list of things i just want to clarify for the sake of future courses taught on centos.)
> from this RHEL doc page:
> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment...
> the reader is advised to, for the sake of security, remove/disable vsftpd, ostensibly in favour of sftp/sftp-server. really?
> i can obviously see disallowing stuff like telnet and rsh and rlogin, that's a no-brainer. but advising against vsftpd for the sake of security? i'm not sure i see the logic in that. thoughts?
I agree with the point that the document is making. If you go to the trouble to lock down an account, it doesn't make sense to allow that same account to access the server via the ftp protocol. However, I do use vsftpd with specific IDs that do not have shell access. These accounts are also generally not system accounts so even if a password was sniffed, it would not allow shell access.
On Fri, September 17, 2010 05:51, Robert P. J. Day wrote:
> from this RHEL doc page:
> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment...
> the reader is advised to, for the sake of security, remove/disable vsftpd, ostensibly in favour of sftp/sftp-server. really?
> i can obviously see disallowing stuff like telnet and rsh and rlogin, that's a no-brainer. but advising against vsftpd for the sake of security? i'm not sure i see the logic in that. thoughts?
It depends. What this should say is that if you have no requirement for anonymous ftp access on a particular host then disabling the vsftpd service makes perfect sense and should be done. It should also say that plain text authenticated ftp access compromises any user passwords employed thereon and for this reason ONLY ANONYMOUS ftp access should ever be available if vsftpd is running.
That said, configuring vsftpd safely can sometimes be a challenge even for anonymous access. This is particularly the case when working with virtual hosts and ip-addrs. Mainly because vsftpd logs nothing if a session is not established for whatever reason, like an expired certificate for example.
If you do not foresee any requirement for anonymous ftp access to a host then removing the software is the sensible course of action.
For the most part sftp is a perfectly acceptable replacement for ftp. From a user experience standpoint most will never notice the change. From the sysadmin pov the want of a working chroot jail for sftp remains a bit problematic.
On 09/17/2010 02:51 AM, Robert P. J. Day wrote:
> (another in an ongoing list of things i just want to clarify for the sake of future courses taught on centos.)
> from this RHEL doc page:
> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment...
> the reader is advised to, for the sake of security, remove/disable vsftpd, ostensibly in favour of sftp/sftp-server. really?
> i can obviously see disallowing stuff like telnet and rsh and rlogin, that's a no-brainer. but advising against vsftpd for the sake of security? i'm not sure i see the logic in that. thoughts?
> rday
We use vsftpd as an FTPS-only server in CHROOT mode. The only reason we don't use sftp instead is because it cannot (easily?) CHROOT users.
Emmett
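The two safe shapes discussed in this thread (anonymous-only read-only access, and Emmett's FTPS-only setup with chrooted users) as an added example, not code from the thread: a small audit script that reads a vsftpd.conf and reports settings that let a local password travel in clear text, leave local users unconfined, or let anonymous users write. Directive names and their defaults are taken from vsftpd.conf(5); the sample configs are constructed for the example.

```python
# vsftpd.conf(5) defaults for the directives checked below, used when a key is absent.
DEFAULTS = {
    "anonymous_enable": "YES",
    "local_enable": "NO",
    "write_enable": "NO",
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
    "ssl_enable": "NO",
    "force_local_logins_ssl": "YES",
    "force_local_data_ssl": "YES",
    "chroot_local_user": "NO",
}

def parse_vsftpd_conf(text):
    """Parse key=value lines; comments and blanks are skipped, values upper-cased."""
    conf = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip().upper()
    return conf

def audit_vsftpd(text):
    """Return a list of findings; an empty list means the config follows the thread's advice."""
    c = parse_vsftpd_conf(text)
    findings = []
    if c["local_enable"] == "YES":
        # Local (system) accounts log in with their real password, so it must never go in the clear.
        if c["ssl_enable"] != "YES":
            findings.append("local logins enabled without ssl_enable=YES: passwords sent in clear text")
        elif c["force_local_logins_ssl"] != "YES" or c["force_local_data_ssl"] != "YES":
            findings.append("SSL available but not forced for local logins/data: plain FTP fallback possible")
        if c["chroot_local_user"] != "YES":
            findings.append("local users not confined with chroot_local_user=YES")
    if c["anonymous_enable"] == "YES" and c["write_enable"] == "YES" and (
        c["anon_upload_enable"] == "YES" or c["anon_mkdir_write_enable"] == "YES"
    ):
        findings.append("anonymous users may write: anonymous access should be read-only")
    return findings

# Constructed sample configs (not from the thread): a weak plain-FTP setup, the
# anonymous-only read-only setup, and an FTPS-only chrooted setup like Emmett's.
WEAK_CONF = "anonymous_enable=YES\nlocal_enable=YES\nwrite_enable=YES\n"
ANON_ONLY_CONF = "anonymous_enable=YES\nlocal_enable=NO\nwrite_enable=NO\n"
FTPS_CHROOT_CONF = ("anonymous_enable=NO\nlocal_enable=YES\nssl_enable=YES\n"
                    "force_local_logins_ssl=YES\nforce_local_data_ssl=YES\nchroot_local_user=YES\n")
```

Running `audit_vsftpd(open("/etc/vsftpd/vsftpd.conf").read())` on a host prints the findings for that host; an empty list for the two hardened samples and two findings for the weak one.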
On 19/09/2010, at 4:48 AM, Emmett Culley wrote:
> On 09/17/2010 02:51 AM, Robert P. J. Day wrote:
> > (another in an ongoing list of things i just want to clarify for the sake of future courses taught on centos.)
> > from this RHEL doc page:
> > http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/s1-openssh-server-config.html
> > the reader is advised to, for the sake of security, remove/disable vsftpd, ostensibly in favour of sftp/sftp-server. really?
> > i can obviously see disallowing stuff like telnet and rsh and rlogin, that's a no-brainer. but advising against vsftpd for the sake of security? i'm not sure i see the logic in that. thoughts?
> > rday
> We use vsftpd as an FTPS-only server in CHROOT mode. The only reason we don't use sftp instead is because it cannot (easily?) CHROOT users.
> Emmett
Possibly because FTP sends clear text passwords...