[CentOS] should vsftpd be disabled in favour of sftp for security reasons?

Fri Sep 17 17:06:30 UTC 2010
samuel machua <samnjugu at gmail.com>

On Fri, 17 Sep 2010 07:08:23 -0700
cpolish at surewest.net wrote:

> Robert P. J. Day wrote:
> > On Fri, 17 Sep 2010, Michel van Deventer wrote:
> > 
> > > >
> > > >   (another in an ongoing list of things i just want to clarify
> > > > for the sake of future courses taught on centos.)
> > > >
> > > >   from this RHEL doc page:
> > > >
> > > > http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/s1-openssh-server-config.html
> > > >
> > > > the reader is advised to, for the sake of security, remove/disable
> > > > vsftpd, ostensibly in favour of sftp/sftp-server.  really?
> > > >
> > > >   i can obviously see disallowing stuff like telnet and rsh and
> > > > rlogin, that's a no-brainer.  but advising against vsftpd for
> > > > the sake of security?  i'm not sure i see the logic in that.  thoughts?
> > 
> > > As FTP is a clear-text protocol, I would surely advise against
> > > leaving it on :) I only run a vsftpd server on one of my machines
> > > for the customers' comfort, but that will change in the near
> > > future !
> > >
> > > I can easily imagine scenarios where unencrypted traffic with
> > > usernames/passwords is disallowed.
> > 
> >   but you can configure vsftpd to have a secure connection:
> > 
> > http://wiki.vpslink.com/Configuring_vsftpd_for_secure_connections_(TLS/SSL/SFTP)
> > 
> > would that not address that issue?  i'm not arguing against secure
> > communications, only that that manual page so cavalierly dismisses
> > vsftpd when it seems clear that you *can* configure vsftpd to be
> > secure.
> 
> Google for vsftpd + bugtraq. Be afraid.
> 

I used to have vsftpd lying around unused after I started using sftp,
but I just went ahead and removed it. The fewer services I have running,
the fewer points of entry there are, so if you can already do what ftp
does with ssh/sftp, why open up ftp? Unless you are supporting some
legacy apps that do not support sftp.
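The two positions in the thread, enforcing TLS in vsftpd as the vpslink wiki describes versus removing the service altogether, as an added audit script that is not part of the thread or of the vsftpd project; the sample configs, file names and the `vsftpd_cleartext_allowed` helper are constructed here, and the option defaults it assumes are those documented in vsftpd.conf(5):

```sh
# Added example, not from the thread: audit a vsftpd.conf for settings that
# still accept cleartext FTP sessions. Sample configs below are constructed.
# get_opt <conf> <key> <default>: vsftpd takes strict key=value lines (no spaces
# around '=', '#' starts a comment); the last occurrence of a key wins.
get_opt() {
  val=$(sed -n "s/^$2=//p" "$1" | tail -n 1 | tr '[:lower:]' '[:upper:]')
  [ -n "$val" ] && printf '%s\n' "$val" || printf '%s\n' "$3"
}

# vsftpd_cleartext_allowed <conf>: prints each finding; returns 0 (true) if some
# session can log in or move data without TLS, 1 if TLS is enforced throughout.
# Defaults per vsftpd.conf(5): ssl_enable=NO, force_local_{logins,data}_ssl=YES,
# anonymous_enable=YES (anonymous sessions are never forced onto TLS).
vsftpd_cleartext_allowed() {
  conf=$1; found=1
  if [ "$(get_opt "$conf" ssl_enable NO)" != YES ]; then
    echo "$conf: ssl_enable is not YES, every login and transfer is cleartext"
    return 0
  fi
  [ "$(get_opt "$conf" force_local_logins_ssl YES)" = YES ] ||
    { echo "$conf: force_local_logins_ssl=NO, passwords may go in the clear"; found=0; }
  [ "$(get_opt "$conf" force_local_data_ssl YES)" = YES ] ||
    { echo "$conf: force_local_data_ssl=NO, file data may go in the clear"; found=0; }
  [ "$(get_opt "$conf" anonymous_enable YES)" = NO ] ||
    { echo "$conf: anonymous_enable=YES, anonymous sessions are cleartext"; found=0; }
  return $found
}

# write_samples <dir>: a CentOS-5-style default config (what the thread argues
# against) beside one with TLS enforced as the vpslink wiki page describes.
write_samples() {
  printf '%s\n' 'anonymous_enable=YES' 'local_enable=YES' > "$1/weak.conf"
  cat > "$1/hard.conf" <<'EOF'
anonymous_enable=NO
local_enable=YES
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_tlsv1=YES
rsa_cert_file=/etc/vsftpd/vsftpd.pem
EOF
}
tmp=$(mktemp -d); write_samples "$tmp"
for c in "$tmp/weak.conf" "$tmp/hard.conf"; do
  vsftpd_cleartext_allowed "$c" && echo "$c: cleartext accepted" || echo "$c: TLS enforced"
done
rm -rf "$tmp"
```

Point the function at a live /etc/vsftpd/vsftpd.conf to get the same report for a real host; a config that passes still carries the certificate and cipher settings the wiki page covers, which this check does not inspect.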