On Fri, September 17, 2010 05:51, Robert P. J. Day wrote:
>
> from this RHEL doc page:
>
> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/s1-openssh-server-config.html
>
> the reader is advised to, for the sake of security, remove/disable
> vsftpd, ostensibly in favour of sftp/sftp-server. really?
>
> i can obviously see disallowing stuff like telnet and rsh and
> rlogin, that's a no-brainer. but advising against vsftpd for the
> sake of security? i'm not sure i see the logic in that. thoughts?

It depends.

What this should say is that if you have no requirement for anonymous ftp access on a particular host, then disabling the vsftpd service makes perfect sense and should be done. It should also say that plain-text authenticated ftp access compromises any user passwords employed thereon, and for this reason ONLY ANONYMOUS ftp access should ever be available if vsftpd is running.

That said, configuring vsftpd safely can sometimes be a challenge even for anonymous access. This is particularly the case when working with virtual hosts and IP addresses, mainly because vsftpd logs nothing if a session is not established for whatever reason, like an expired certificate for example.

If you do not foresee any requirement for anonymous ftp access to a host, then removing the software is the sensible course of action. For the most part sftp is a perfectly acceptable replacement for ftp. From a user experience standpoint most will never notice the change. From the sysadmin's point of view, the want of a working chroot jail for sftp remains a bit problematic.

--
*** E-Mail is NOT a SECURE channel ***
James B. Byrne                           mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited                     http://www.harte-lyne.ca
9 Brockley Drive                         vox: +1 905 561 1241
Hamilton, Ontario                        fax: +1 905 561 0757
Canada  L8E 3C3
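The reply's two rules (authenticated plain-text ftp exposes passwords, so a running vsftpd should be anonymous-only, and a host with no anonymous requirement should not run it at all) can be checked mechanically against a vsftpd.conf. The script below is an added example written for this thread; it is not code from the original post, from Red Hat, or from the vsftpd project. It assumes vsftpd's documented defaults (anonymous_enable=YES, local_enable=NO, ssl_enable=NO, force_local_logins_ssl=YES) and uses constructed sample configs in a temporary directory rather than any real host.

```shell
#!/bin/sh
# Added example for this thread (not code from the original post or from
# vsftpd): audit a vsftpd.conf for the settings the reply discusses.
# Defaults below are vsftpd's documented compiled-in defaults; file names
# and the sample configs at the bottom are constructed for this example.

# vsftpd_setting FILE KEY DEFAULT
# Print the effective value of KEY: the last uncommented "KEY=value" line
# wins, otherwise DEFAULT. Values are upper-cased so YES/yes/Yes compare equal.
vsftpd_setting() {
    _val=$(sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$1" | tail -n 1)
    [ -n "$_val" ] || _val=$3
    printf '%s\n' "$_val" | tr '[:lower:]' '[:upper:]'
}

# vsftpd_audit FILE
# Return codes:
#   0  anonymous-only service (the shape the reply recommends)
#   1  local (password) logins are enabled over plain-text FTP
#   2  local logins are enabled but TLS is forced for them (passwords are
#      not sent in clear, but this is still not anonymous-only)
#   3  neither anonymous nor local access is enabled: nothing to serve,
#      so the service can simply be stopped and removed
# A one-line finding is printed for each case.
vsftpd_audit() {
    f=$1
    anon=$(vsftpd_setting "$f" anonymous_enable YES)
    local_on=$(vsftpd_setting "$f" local_enable NO)
    ssl=$(vsftpd_setting "$f" ssl_enable NO)
    force_ssl=$(vsftpd_setting "$f" force_local_logins_ssl YES)

    if [ "$local_on" = YES ]; then
        if [ "$ssl" = YES ] && [ "$force_ssl" = YES ]; then
            echo "$f: local logins enabled with TLS forced; prefer anonymous-only or sftp"
            return 2
        fi
        echo "$f: local_enable=YES without forced TLS: user passwords cross the wire in clear"
        return 1
    fi
    if [ "$anon" = YES ]; then
        echo "$f: anonymous-only FTP; acceptable only if anonymous access is actually required"
        return 0
    fi
    echo "$f: no anonymous and no local access configured; remove/disable vsftpd"
    return 3
}

# write_sample FILE KIND -- constructed sample configs used for the demo run.
write_sample() {
    case $2 in
        plaintext) printf 'anonymous_enable=YES\nlocal_enable=YES\nwrite_enable=NO\n' ;;
        anon)      printf '# anonymous mirror\nanonymous_enable=YES\nlocal_enable=NO\n' ;;
        tls)       printf 'local_enable=YES\nssl_enable=YES\nforce_local_logins_ssl=YES\n' ;;
        none)      printf 'anonymous_enable=NO\nlocal_enable=NO\n' ;;
    esac > "$1"
}

# Demo: audit each constructed config and show the verdict and exit code.
demo_dir=$(mktemp -d)
for kind in plaintext anon tls none; do
    write_sample "$demo_dir/vsftpd-$kind.conf" "$kind"
    vsftpd_audit "$demo_dir/vsftpd-$kind.conf"
    echo "  -> exit $?"
done
rm -rf "$demo_dir"
```

Run it against the real file with `vsftpd_audit /etc/vsftpd/vsftpd.conf` after sourcing the functions; an exit code of 1 is the case the reply warns about, and 3 means the host has no reason to run the daemon at all.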