Re: Linux, best distro

From: Juhan Leemet (juhan_at_logicognosis.com)
Date: 10/26/04


Date: Tue, 26 Oct 2004 18:29:22 -0200

On Mon, 25 Oct 2004 18:11:00 -0700, Jeffrey Froman wrote:
> Dances With Crows wrote:
>> People still use FTP?
>
> Indeed. In the real world, FTP is pervasive and still heavily in demand.
> What's more, it is quite convenient in many situations where security is
> not an issue.

I think the form of FTP that is pervasive and in common use is the
"anonymous FTP" where you supply your email address as password to the
account "anonymous". It would be irresponsible to still keep using ftp
(plain text user ID and password transmission) for anything secure.

> More importantly, scp requires shell access, which is hugely more difficult
> to secure than FTP-only access. It is wrong to lump FTP in with telnet,
> because FTP access does not provide a shell.

If you really mean "anonymous FTP" then I would agree, otherwise ftp is as
bad as telnet in that it transmits user ID and user password in plain text.

Anything secure should be using ssl or tunneling as a transport, and
something like ssh for secure login. There are choices. I use ssh (et al).

> If a user wants to risk the security of their own FTP-space by using an
> unencrypted login, that's their risk. If a user can break into your system
> with an FTP account, then I'd say you have much bigger problems than lack
> of encryption.

The usual attack would be (IMO, pure guesstimation) to harvest user IDs
and passwords by monitoring ftp traffic, and then using those IDs and
passwords to attack specific hosts via telnet or some other access method.
I don't think anyone would expect to execute a shell using ftp, but they
might try planting some trojans, just in case they happen to work?

-- 
Juhan Leemet
Logicognosis, Inc.
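
The distinction drawn in the post above, anonymous FTP versus a real user ID and password sent in plain text, can be checked from FTP control-channel logs. This is an added example, not part of the original post. The "C: "/"S: " transcript format, the function names and the sample sessions are constructed assumptions; AUTH TLS and the 234 reply come from RFC 4217.

```python
# Added example. Transcripts are constructed, not captured traffic.
# Assumed format: "C: <command>" from the client, "S: <reply>" from the server.
ANONYMOUS_USERS = {"anonymous", "ftp"}

def audit_session(transcript):
    """Classify one FTP control-channel transcript; returns (user, verdict)."""
    tls_pending = False  # client sent AUTH TLS and awaits the reply
    tls_active = False   # server accepted it with 234 (RFC 4217)
    user = None
    for line in transcript:
        side, _, text = line.partition(": ")
        parts = text.split(None, 1)
        if not parts:
            continue
        word = parts[0].upper()
        arg = parts[1].strip() if len(parts) > 1 else ""
        if side == "S":
            if tls_pending:
                tls_active = word.startswith("234")
                tls_pending = False
        elif word == "AUTH" and arg.upper() in ("TLS", "SSL"):
            tls_pending = True
        elif word == "USER":
            user = arg
        elif word == "PASS" and user is not None:
            # The password itself is never stored or returned.
            if tls_active:
                return user, "protected"
            if user.lower() in ANONYMOUS_USERS:
                return user, "anonymous"
            return user, "cleartext-credentials"
    return user, "no-login"

def exposed_sessions(sessions):
    """Names of sessions in which a real account logged in without TLS."""
    return sorted(name for name, t in sessions.items()
                  if audit_session(t)[1] == "cleartext-credentials")

SESSIONS = {  # constructed samples
    "mirror": ["S: 220 ready", "C: USER anonymous", "S: 331 send email",
               "C: PASS guest@example.org", "S: 230 ok"],
    "staff": ["S: 220 ready", "C: USER jdoe", "S: 331 need password",
              "C: PASS placeholder", "S: 230 ok"],
    "ftps": ["S: 220 ready", "C: AUTH TLS", "S: 234 proceed",
             "C: USER jdoe", "S: 331 need password", "C: PASS placeholder"],
    "fallback": ["S: 220 ready", "C: AUTH TLS", "S: 502 not implemented",
                 "C: USER jdoe", "S: 331 need password", "C: PASS placeholder"],
}

if __name__ == "__main__":
    print(exposed_sessions(SESSIONS))
```

The "fallback" session shows a client that asked for TLS, was refused, and logged in anyway, which exposes the account just as the plain "staff" login does.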

