Subject: Re: FTP Access
From: Mike Tibor (tibor@lib.uaa.alaska.edu)
Date: Tue Oct 29 2002 - 10:30:47 AKST
On 28 Oct 2002, Jon Reynolds wrote:
> I am now needing to setup ftp access to one of my servers. I have heard
> horror stories of how insecure it is and am thinking of using sftp. Is
> this the recommended way of of doing ftp nowadays and what are some of
> the security issues to watch out for while granting this kind of access?
Well, I'm going to dare to submit that it isn't nearly as horrible as the
hype would have people to believe. It was certainly a little riskier in
the old days before switches arrived on the scene, and everything was
plugged into hubs. But when was the last time you heard of some skiddie
compromising a server using a username/password sniffed off the wire?
It's been about five years for me, and since that time a significant share
of the compromises I've seen and read about (ignoring Windows servers)
have been due to holes in ftp daemons, specifically wu-ftpd and proftpd.
You mentioned in a later email that only two people will need ftp style
access--will they need to put files on the server, or just grab them off
the server?
If they don't need to put files up on the server, then apache is almost
certainly a better solution than an ftp daemon. Lots of the faculty at
the Library ask me how they can put a file up on our ftp server, and after
we talk about it we almost always end up putting it in their user web
directory. Apache can also easily handle it if the users need to put
files on the server as well, but you'll probably need some sort of cgi to
handle it.
Mike
-- Mike Tibor Univ. of Alaska Anchorage (907) 786-1001 voice Network Technician Consortium Library (907) 786-6050 fax tibor@lib.uaa.alaska.edu http://www.lib.uaa.alaska.edu/~tibor/ http://www.lib.uaa.alaska.edu/~tibor/pgpkey for PGP public key--------- To unsubscribe, send email to <aklug-request@aklug.org> with 'unsubscribe' in the message body.
This archive was generated by hypermail 2a23 : Tue Oct 29 2002 - 10:30:49 AKST