Thanks a lot to Allan West, Mike Salehi, Buddy Lumpkin, Casey Jones, Blaine Owens, Kevin Riechhart, Doug Palmer, Andrew Caines, Paul Yoshimune, Mark Luntze, Julian Simpson, and Bill "Elvis" Gibs for the responses... Andrew sent me the most thorough response that I have included at the end.

As far as I found out it's more of a matter of taste and personal preference on what to use as a "secure" ftp server. I did not get and did not find any comparison reports or technical reviews. Basically, four choices were discussed: wu-ftpd, proftpd, ncftpd, and the bundled in.ftpd that ships with Solaris.

Wu-ftpd has the worst history of vulnerabilities, but on the flip side is the most widely used because of its flexibility and features. So there's an argument that it's not necessarily a matter of poor security - more vulnerabilities found just because more people used it.

Proftpd - http://www.proftpd.net - seems to have a good reputation, good security, and easy configuration, especially if you're familiar with Apache.

Ncftpd - http://www.ncftp.com - is designed with high performance and security in mind, but it's not free, although the license fee is minimal. In fact, about half of the people who replied recommended this.

In.ftpd (I had only one recommendation on this) is good enough in security, but featurewise is limited.

So all in all, personally I still do not have a clear answer. I'm still open to any comments - especially technical reviews.

Thanks. You'll find the original post quoted in Andrew's response.

--Nasser

============ Andrew's response ===========

Nasser,

> Any links/reviews/recommendations about which ftp server software to use on
> Solaris when security is priority number one?

Security is not independent of functionality. If you want advanced features like virtual hosting, configurable logging and so on, then you will need a more fully featured server.

By past history, Sun's default FTP server has a good track record. It is minimal in terms of functionality, which of course reduces its complexity. However, there is currently an unresolved issue with Solaris' in.ftpd relating to its globbing handling. AFAIK, it is not yet exploitable. You will want to run it with TCP Wrapper of course.

ProFTPD <http://www.ProFTPD.org/> has a good reputation as a very featureful and configurable server. It has some useful functions such as the ability to chroot itself.

The well-known wu-ftpd has a disastrous security history.

> I'm looking for an ftp server with the least possible vulnerability

My crystal ball is in for repair at the moment. You may like to look at past advisories on different FTP servers on either the SecurityFocus site <http://search.securityfocus.com/search.html> or the ISS X-Force site <http://www.iss.net/cgi-bin/xforce/xforce_index.pl>.

As a side note, if you offer downloads as well as uploads, you may want to consider using HTTP instead of FTP.

-Andrew-

Received on Thu May 17 14:19:38 2001