[CentOS] should vsftpd be disabled in favour of sftp for security reasons?

Fri Sep 17 10:08:19 UTC 2010
Robert P. J. Day <rpjday at crashcourse.ca>

On Fri, 17 Sep 2010, Michel van Deventer wrote:

> >
> >   (another in an ongoing list of things i just want to clarify for the
> > sake of future courses taught on centos.)
> >
> >   from this RHEL doc page:
> >
> > http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/s1-openssh-server-config.html
> >
> > the reader is advised to, for the sake of security, remove/disable
> > vsftpd, ostensibly in favour of sftp/sftp-server.  really?
> >
> >   i can obviously see disallowing stuff like telnet and rsh and
> > rlogin, that's a no-brainer.  but advising against vsftpd for the sake
> > of security?  i'm not sure i see the logic in that.  thoughts?

> As FTP is a clear-text protocol, I would surely advise against
> leaving it on :) I only run a vsftpd server on one of my machines
> for the customers' comfort, but that will change in the near future !
>
> I can easily imagine scenarios where unencrypted traffic with
> usernames/passwords is disallowed.

  but you can configure vsftpd to have a secure connection:

http://wiki.vpslink.com/Configuring_vsftpd_for_secure_connections_(TLS/SSL/SFTP)

would that not address that issue?  i'm not arguing against secure
communications, only that that manual page so cavalierly dismisses
vsftpd when it seems clear that you *can* configure vsftpd to be
secure.

rday

-- 

========================================================================
Robert P. J. Day                               Waterloo, Ontario, CANADA

        Top-notch, inexpensive online Linux/OSS/kernel courses
                        http://crashcourse.ca

Twitter:                                       http://twitter.com/rpjday
LinkedIn:                               http://ca.linkedin.com/in/rpjday
========================================================================
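
Added example, not part of the original post: a small audit of a vsftpd.conf for the settings that decide whether logins and data can still travel in cleartext, which is the point the thread turns on. The option names are those documented in vsftpd.conf(5); the defaults table and both sample configs are assumptions constructed for illustration.

```python
# Added example: flag vsftpd.conf settings that still permit cleartext FTP.
# Option names and defaults follow vsftpd.conf(5); verify against your version.
DEFAULTS = {
    "ssl_enable": "NO",
    "force_local_logins_ssl": "YES",
    "force_local_data_ssl": "YES",
    "ssl_sslv2": "NO",
    "ssl_sslv3": "NO",
}

def parse_vsftpd_conf(text):
    """Return {option: value}; vsftpd.conf is option=value, '#' starts a comment line."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            opts[key.strip()] = value.strip()
    return opts

def enabled(opts, name):
    """True if the boolean option is on, falling back to the assumed default."""
    return opts.get(name, DEFAULTS[name]).upper() in ("YES", "TRUE", "1")

def audit(text):
    """Return a list of findings; empty means local logins and data must use TLS."""
    opts = parse_vsftpd_conf(text)
    if not enabled(opts, "ssl_enable"):
        return ["ssl_enable is off: passwords and data travel in cleartext"]
    findings = []
    if not enabled(opts, "force_local_logins_ssl"):
        findings.append("force_local_logins_ssl=NO: local users may log in without TLS")
    if not enabled(opts, "force_local_data_ssl"):
        findings.append("force_local_data_ssl=NO: data connections may skip TLS")
    for old in ("ssl_sslv2", "ssl_sslv3"):
        if enabled(opts, old):
            findings.append(old + "=YES: obsolete SSL protocol version enabled")
    return findings

# Constructed sample configs (not taken from the thread or the linked wiki).
WEAK = "local_enable=YES\nssl_enable=YES\nforce_local_logins_ssl=NO\nssl_sslv3=YES\n"
HARDENED = (
    "local_enable=YES\nssl_enable=YES\n"
    "force_local_logins_ssl=YES\nforce_local_data_ssl=YES\n"
    "ssl_sslv2=NO\nssl_sslv3=NO\nssl_tlsv1=YES\n"
    "rsa_cert_file=/etc/vsftpd/vsftpd.pem\n"  # constructed path
)

if __name__ == "__main__":
    for name, conf in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit(conf) or "no cleartext paths found")
```

With these settings vsftpd speaks FTP over TLS (FTPS); SFTP is a separate protocol served by sshd's sftp-server, so the two are not interchangeable on the client side.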