[CentOS] should vsftpd be disabled in favour of sftp for security reasons?

Fri Sep 17 15:03:14 UTC 2010
Kwan Lowe <kwan.lowe at gmail.com>

On Fri, Sep 17, 2010 at 5:51 AM, Robert P. J. Day <rpjday at crashcourse.ca> wrote:
>
>  (another in an ongoing list of things i just want to clarify for the
> sake of future courses taught on centos.)
>
>  from this RHEL doc page:
>
> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/s1-openssh-server-config.html
>
> the reader is advised to, for the sake of security, remove/disable
> vsftpd, ostensibly in favour of sftp/sftp-server.  really?
>
>  i can obviously see disallowing stuff like telnet and rsh and
> rlogin, that's a no-brainer.  but advising against vsftpd for the sake
> of security?  i'm not sure i see the logic in that.  thoughts?

I agree with the point that the document is making. If you go to the
trouble to lock down an account, it doesn't make sense to allow that
same account to access the server via the ftp protocol.  However, I do
use vsftpd with specific IDs that do not have shell access. These
accounts are also generally not system accounts so even if a password
was sniffed, it would not allow shell access.
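
The practice described in the reply above (FTP logins limited to specific IDs that have no shell access and are not system accounts) can be checked mechanically. The following is an added example, not part of the original post: it cross-checks a vsftpd user list against passwd entries, and the sample data, the function names and the UID cutoff of 500 are assumptions.

```python
# Added example: audit FTP-permitted accounts for shell access.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

# Constructed sample data, not from a real host.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:500:500:Alice:/home/alice:/bin/bash
uploads:x:501:501:FTP drop box:/srv/ftp/uploads:/sbin/nologin
partner1:x:502:502:Partner feed:/srv/ftp/partner1:/bin/false
"""
# Constructed vsftpd user list, treated as an allow list
# (userlist_enable=YES with userlist_deny=NO in vsftpd.conf).
SAMPLE_USERLIST = """\
# accounts allowed to log in over FTP
uploads
partner1
alice
ghost
"""

def parse_passwd(text):
    """Map account name -> (uid, shell); skip malformed lines."""
    accounts = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) == 7 and fields[2].isdigit():
            accounts[fields[0]] = (int(fields[2]), fields[6])
    return accounts

def audit(passwd_text, userlist_text, min_uid=500):
    """Return (user, problem) pairs for FTP-permitted accounts."""
    accounts = parse_passwd(passwd_text)
    findings = []
    for raw in userlist_text.splitlines():
        user = raw.split("#", 1)[0].strip()
        if not user:
            continue
        if user not in accounts:
            findings.append((user, "listed for FTP but no such account"))
            continue
        uid, shell = accounts[user]
        if shell not in NOLOGIN_SHELLS:
            # An empty shell field means the system default, /bin/sh.
            findings.append((user, "has login shell " + (shell or "/bin/sh")))
        if uid < min_uid:
            findings.append((user, "system account (uid %d)" % uid))
    return findings

if __name__ == "__main__":
    for user, problem in audit(SAMPLE_PASSWD, SAMPLE_USERLIST):
        print("%-10s %s" % (user, problem))
```

On a host that resolves accounts through LDAP or NIS, pass the output of `getent passwd` as the first argument rather than the contents of `/etc/passwd`, otherwise directory accounts are reported as missing.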