what to do when you've been rooted

E Frank Ball frankb at efball.com
Sun Jan 21 19:07:47 PST 2001


} >Absolutely.  Do you *NEED* to run a ftp daemon?  Most are nothing but
} >security holes waiting to be found.  Using ftp to go out is ok, but if
} >at all possible rely on an http server to let others grab files from
} >you, and turn off cgi-bin functionality if you don't *NEED* it.
} 
} That'd be OK for a desktop computer. But this is a remote machine that
} services a few users and needs to have normal services.
} 
} I don't care about anonymous ftp, but how else am I (and a couple of users)
} supposed to get files from the machine (conveniently)?
} 
} I've always considered an ftp daemon to be a necessary part of a base
} install. If wu-ftpd has been fixed I don't see why I shouldn't use it,
} unless there's something else I should know about it. If there is, please
} tell me!

wu-ftpd has a history of security disasters.  Somebody else posted with
a web address for a comparison of ftp servers.  If you have to have it,
pick a better one.  Why does redhat still ship with wu-ftpd?  Why do they
still ship with sendmail?  (I use postfix, some prefer qmail, some even
use exim, all are way better than sendmail.)  Why does 7.0 have security
holes that were patched in 6.2 before 7.0 came out?  Why do they ...

ssh has a function called scp which can be used to securely move files
from one machine to another.  Passwords and all traffic are encrypted.
ssh2 has sftp, which is very much like ftp, but secure.  Neither
allows anonymous login.  http can be used for anonymous gets.  No good
solution for anonymous puts.  openssh.com or www.ssh.fi (ssh1 and ssh2)

openssh is supposed to replace ssh1 and ssh2 with a better license
setup, but sftp doesn't work for me with openssh, and when I connect to
an openssh server with ssh1 it won't export X like it should.  I run
openssh on my firewall and ssh1 and ssh2 on the machines inside, so I
have all the bases covered.

I administer my webpages on 3 remote machines using only ssh (including
scp and sftp).  No ftp or telnet required.

   E Frank Ball                efball at efball.com
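The ftp/telnet shutdown the thread argues for, as an added example that is not part of Frank's message or of any distribution's tooling. It assumes the classic inetd.conf format (service name in the first field, "#" comments); the inetd.conf excerpt is constructed for the example, and the host and path names in the comments are placeholders.

```sh
#!/bin/sh
# Added example: find the cleartext-login services still enabled in an
# inetd.conf, comment them out, and note the ssh-based replacements.
# Assumes inetd(8) syntax; not taken from any real system's configuration.

# Constructed sample inetd.conf (not a real file). Written to the path in $1.
make_sample_inetd_conf() {
  cat > "$1" <<'EOF'
# inetd.conf (constructed sample)
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp  nowait  root    /usr/sbin/tcpd  in.rshd
finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
EOF
}

# Print the names of enabled services that carry passwords or sessions in
# the clear (ftp, telnet and the r-services). Comment lines are skipped and
# only the service field is matched, so "#ftp ..." is not reported.
enabled_cleartext_services() {
  awk '!/^[ \t]*#/ && ($1 == "ftp" || $1 == "telnet" || $1 == "shell" ||
                       $1 == "login" || $1 == "exec") { print $1 }' "$1"
}

# Write a copy of $1 to "$1.new" with those services commented out.
# The original is left untouched so it can be diffed before installing.
disable_cleartext_services() {
  awk '!/^[ \t]*#/ && ($1 == "ftp" || $1 == "telnet" || $1 == "shell" ||
                       $1 == "login" || $1 == "exec") { print "#" $0; next }
       { print }' "$1" > "$1.new"
}

# After installing the new file: kill -HUP the inetd pid so it re-reads
# inetd.conf, then confirm nothing is listening on 21 or 23 any more:
#   netstat -an | grep -E ':(21|23) .*LISTEN'
#
# The ssh replacements for what ftp/telnet did (host and paths are
# placeholders, not from the original post):
#   scp  public_html/index.html user@www.example.net:public_html/
#   sftp user@www.example.net
#   ssh  user@www.example.net
```

Run `make_sample_inetd_conf /tmp/inetd.conf`, then `enabled_cleartext_services /tmp/inetd.conf` lists ftp and telnet (the commented-out rsh entry is not reported), and after `disable_cleartext_services /tmp/inetd.conf` the same check on `/tmp/inetd.conf.new` prints nothing while finger is left as it was. On a system that uses xinetd instead, the equivalent is `disable = yes` in the service's file under /etc/xinetd.d.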