[CentOS] should vsftpd be disabled in favour of sftp for security reasons?
cpolish at surewest.net
Fri Sep 17 14:08:23 UTC 2010
Robert P. J. Day wrote:
> On Fri, 17 Sep 2010, Michel van Deventer wrote:
>
> > >
> > > (another in an ongoing list of things i just want to clarify for the
> > > sake of future courses taught on centos.)
> > >
> > > from this RHEL doc page:
> > >
> > > http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/s1-openssh-server-config.html
> > >
> > > the reader is advised to, for the sake of security, remove/disable
> > > vsftpd, ostensibly in favour of sftp/sftp-server. really?
> > >
> > > i can obviously see disallowing stuff like telnet and rsh and
> > > rlogin, that's a no-brainer. but advising against vsftpd for the sake
> > > of security? i'm not sure i see the logic in that. thoughts?
>
> > As FTP is a clear-text protocol, I would surely advise against
> > leaving it on :) I only run a vsftpd server on one of my machines
> > for the customers comfort, but that will change in the near future !
> >
> > I can easily image scenarios where unencrypted traffic with
> > usernames/passwords is disallowed.
>
> but you can configure vsftpd to have secure connection:
>
> http://wiki.vpslink.com/Configuring_vsftpd_for_secure_connections_(TLS/SSL/SFTP)
>
> would that not address that issue? i'm not arguing against secure
> communications, only that that manual page so cavalierly dismisses
> vsftpd when it seems clear that you *can* configure vsftpd to be
> secure.
Google for vsftpd + bugtraq. Be afraid.
--
Charles Polisher
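The TLS setup the thread refers to, as an added illustration that is not part of the original posts: the first fragment is a typical cleartext vsftpd.conf, the second enables TLS and refuses unencrypted logins and data transfers. The certificate paths are placeholders; directive names are the documented vsftpd.conf ones.

```ini
# --- cleartext vsftpd.conf (credentials and data cross the wire unencrypted) ---
listen=YES
anonymous_enable=YES
local_enable=YES
write_enable=YES
# no ssl_enable: every USER/PASS exchange is readable on the network

# --- TLS-hardened vsftpd.conf (FTPS: same protocol, wrapped in TLS) ---
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES           # confine each account to its home directory

ssl_enable=YES                  # turn on TLS support
allow_anon_ssl=NO
force_local_logins_ssl=YES      # reject USER/PASS unless the control channel is TLS
force_local_data_ssl=YES        # reject cleartext data connections too
ssl_tlsv1=YES
ssl_sslv2=NO                    # legacy SSL versions stay off
ssl_sslv3=NO
ssl_ciphers=HIGH                # restrict to strong cipher suites

# placeholder paths; point these at your real certificate and key
rsa_cert_file=/etc/vsftpd/PLACEHOLDER-cert.pem
rsa_private_key_file=/etc/vsftpd/PLACEHOLDER-key.pem

# FTP passive mode opens a second connection; fix the range so the firewall
# only needs to allow these ports in addition to 21
pasv_min_port=40000
pasv_max_port=40100
```

This closes the cleartext-credentials objection raised in the thread; it says nothing about implementation bugs in the daemon itself, which is the separate concern the reply points at, so a check of the bugtraq history for the installed version is still worth doing.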