[CentOS] should vsftpd be disabled in favour of sftp for security reasons?

Sat Sep 18 23:58:32 UTC 2010
Jeff Allison <jeff.allison at allygray.2y.net>

On 19/09/2010, at 4:48 AM, Emmett Culley wrote:

> On 09/17/2010 02:51 AM, Robert P. J. Day wrote:
>>
>>    (another in an ongoing list of things i just want to clarify  
>> for the
>> sake of future courses taught on centos.)
>>
>>    from this RHEL doc page:
>>
>> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5/html/ 
>> Deployment_Guide/s1-openssh-server-config.html
>>
>> the reader is advised to, for the sake of security, remove/disable
>> vsftpd, ostensibly in favour of sftp/sftp-server.  really?
>>
>>    i can obviously see disallowing stuff like telnet and rsh and
>> rlogin, that's a no-brainer.  but advising against vsftpd for the  
>> sake
>> of security?  i'm not sure i see the logic in that.  thoughts?
>>
>> rday
>>
> We use vsftpd as an FTPS only server in CHROOT mode.  The only  
> reason we don't user sftp instead is because it cannot (easily?)  
> CHROOT users.
>
> Emmett

Possibly because FTP sends clear text passwords...