[CentOS] should vsftpd be disabled in favour of sftp for security reasons?

Fri Sep 17 09:55:24 UTC 2010
Michel van Deventer <michel at van.deventer.cx>

>
>   (another in an ongoing list of things i just want to clarify for the
> sake of future courses taught on centos.)
>
>   from this RHEL doc page:
>
> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/s1-openssh-server-config.html
>
> the reader is advised to, for the sake of security, remove/disable
vsftpd, ostensibly in favour of sftp/sftp-server.  really?
>
>   i can obviously see disallowing stuff like telnet and rsh and
> rlogin, that's a no-brainer.  but advising against vsftpd for the sake
of security?  i'm not sure i see the logic in that.  thoughts?
As FTP is a clear-text protocol, I would surely advise against leaving it
on :)
I only run a vsftpd server on one of my machines for the customers
comfort, but that will change in the near future !

I can easily image scenarios where unencrypted traffic with
usernames/passwords is disallowed.

    Regards,

     Michel