[CentOS] should vsftpd be disabled in favour of sftp for security reasons?

James B. Byrne byrnejb at harte-lyne.ca
Fri Sep 17 17:31:06 EDT 2010

On Fri, September 17, 2010 05:51, Robert P. J. Day wrote:

>   from this RHEL doc page:
> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/s1-openssh-server-config.html
> the reader is advised to, for the sake of security, remove/disable
> vsftpd, ostensibly in favour of sftp/sftp-server.  really?
>   i can obviously see disallowing stuff like telnet and rsh and
> rlogin, that's a no-brainer.  but advising against vsftpd for the
> sake of security?  i'm not sure i see the logic in that.  thoughts?

It depends.  What this should say is that if you have no requirement
for anonymous ftp access on a particular host then disabling the
vsftpd service makes perfect sense and should be done.  It should
also say that plain text authenticated ftp access compromises any
user passwords employed thereon and for this reason ONLY ANONYMOUS
ftp access should ever be available if vsftpd is running.

That said, configuring vsftpd safely can sometimes be a challenge
even for anonymous access. This is particularity the case when
working with virtual hosts and ip-addrs.  Mainly because vsftpd logs
nothing if a session is not established for whatever reason, like an
expired certificate for example.

If you do not foresee any requirement for anonymous ftp access to a
host then removing the software is the sensible course of action.

For the most part sftp is a perfectly acceptable replacement for
ftp. From a user experience standpoint most will never notice the
change.  From the sysadmin pov the want of a working chroot jail for
sftp remains a bit problematic.

***          E-Mail is NOT a SECURE channel          ***
James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3

More information about the CentOS mailing list