How secure is Linux FTP vs IIS FTP ? - Security


Thread: How secure is Linux FTP vs IIS FTP ?

  1. How secure is Linux FTP vs IIS FTP ?

    How secure is Linux FTP vs IIS FTP ?



  2. Re: How secure is Linux FTP vs IIS FTP ?

    NNTP wrote:

    > How secure is Linux FTP vs IIS FTP ?


    They can't really be compared. One is a specific FTP server, the other is a
    platform upon which many different FTP servers can run.

    FTP, however, isn't very secure to start with - everything is sent in clear
    text (including passwords).

    --
    David Dorward
    Home is where the ~/.bashrc is

  3. Re: How secure is Linux FTP vs IIS FTP ?

    On 01.04.2006, David Dorward wrote:
    > NNTP wrote:
    >
    >> How secure is Linux FTP vs IIS FTP ?

    >
    > They can't really be compared. One is a specific FTP server, the other is a
    > platform upon which many different FTP servers can run.
    >
    > FTP, however, isn't very secure to start with - everything is sent in clear
    > text (including passwords).


    ...unless SSL/TLS is forced.

    --
    Feel free to correct my English
    Stanislaw Klekot

  4. Re: How secure is Linux FTP vs IIS FTP ?

    On Sat, 01 Apr 2006 12:01:17 -0600, NNTP wrote:

    > How secure is Linux FTP vs IIS FTP ?


    Supposedly 'Very Secure' http://vsftpd.beasts.org/

    --
    -Menno.


  5. Re: How secure is Linux FTP vs IIS FTP ?

    Menno Duursma writes:

    >On Sat, 01 Apr 2006 12:01:17 -0600, NNTP wrote:


    >> How secure is Linux FTP vs IIS FTP ?


    >Supposedly 'Very Secure' http://vsftpd.beasts.org/


    The question makes little sense. ftp is a protocol which is inherently
    insecure. It sends passwords in the clear. It encrypts nothing.
    Now, the implementation on specific machines can introduce additional
    insecurities (eg allowing anyone to read any file on your system), but
    those are implementation issues. Linux ftp servers try hard not to let such
    things happen. vsftpd is one such but there are a number of others as well.


  6. Re: How secure is Linux FTP vs IIS FTP ?

    On Sat, 01 Apr 2006 21:01:14 +0000, Unruh wrote:

    > Menno Duursma writes:
    >
    >>On Sat, 01 Apr 2006 12:01:17 -0600, NNTP wrote:

    >
    >>> How secure is Linux FTP vs IIS FTP ?

    >
    >>Supposedly 'Very Secure' http://vsftpd.beasts.org/

    >
    > The question makes little sense. ftp is a protocol which is inherently
    > insecure.


    Well, it was meant as somewhat of an attempt at a pun.

    > It sends passwords in the clear. It encrypts nothing.


    As Stachu pointed out, it can be configured to force SSL/TLS:
    http://groups.google.com/group/comp....b2cca3d3814d58

    (Proftpd can do Kerberos via GSSAPI as well.)

    > Now, the implementation on specific machines can introduce additional
    > insecurities (eg allowing anyone to read any file on your system), but
    > those are implementation issues. Linux ftp servers try hard not to let
    > such things happen.


    Sure: remember WU-FTPd?

    > vsftpd is one such but there are a number of others as well.


    Pureftpd?

    --
    -Menno.
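
The distinction argued in the posts above (a password crossing the wire in the clear versus a session where SSL/TLS is negotiated first), as an added example that is not part of the original thread: a small detector run over a constructed control-channel capture. The `session C:/S:` line format, the user names and the captured lines are assumptions made up for the illustration.

```python
# Added example: flags secret passwords visible on a captured FTP control channel.
import re

ANON_USERS = {"anonymous", "ftp"}   # accounts whose "password" is not a secret

# Constructed capture of client ("C:") and server ("S:") control-channel lines,
# prefixed with a session number. After a 234 reply to AUTH TLS the rest of the
# session is TLS records, so a sniffer sees no further commands for it.
CAPTURE = """\
1 C: USER anonymous
1 S: 331 Please specify the password.
1 C: PASS guest@example.org
1 S: 230 Login successful.
2 C: USER alice
2 S: 331 Please specify the password.
2 C: PASS constructed-secret
2 S: 230 Login successful.
3 C: AUTH TLS
3 S: 234 Proceed with negotiation.
4 C: USER bob
4 S: 530 Non-anonymous sessions must use encryption.
"""

LINE = re.compile(r"^(\S+) ([CS]): (\S+) ?(.*)$")

def classify(capture):
    """Map session id -> 'cleartext-password', 'anonymous', 'tls' or 'refused'."""
    state, user = {}, {}
    for raw in capture.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        sid, side, word, rest = m.groups()
        if side == "C" and word.upper() == "USER":
            user[sid] = rest.strip().lower()
        elif side == "C" and word.upper() == "PASS":
            # Record only the verdict, never the password itself.
            anon = user.get(sid) in ANON_USERS
            state[sid] = "anonymous" if anon else "cleartext-password"
        elif side == "S" and word == "234":
            state[sid] = "tls"          # server accepted AUTH TLS
        elif side == "S" and word == "530" and sid not in state:
            state[sid] = "refused"      # server rejected the cleartext login
    return state

if __name__ == "__main__":
    for sid, verdict in sorted(classify(CAPTURE).items()):
        print(sid, verdict)
```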


  7. Re: How secure is Linux FTP vs IIS FTP ?

    On 2006-04-01, Menno Duursma wrote:
    > On Sat, 01 Apr 2006 21:01:14 +0000, Unruh wrote:



    >
    >> It sends passwords in the clear. It encrypts nothing.

    >
    > As Stachu pointed out, it can be configured to force SSL/TLS:


    At which point, it isn't ftp any more.


    --
    "Other people are not your property."
    [email me at huge [at] huge [dot] org [dot] uk]

  8. Re: How secure is Linux FTP vs IIS FTP ?

    On Sun, 02 Apr 2006 11:19:36 +0000, Huge wrote:
    > On 2006-04-01, Menno Duursma wrote:
    >> On Sat, 01 Apr 2006 21:01:14 +0000, Unruh wrote:


    >>> It sends passwords in the clear. It encrypts nothing.

    >>
    >> As Stachu pointed out, it can be configured to force SSL/TLS:

    >
    > At which point, it isn't ftp any more.


    But of course it's not the 1st of April anymore either.
    (How about Kerberized FTP though: is that still "ftp" then?)

    --
    -Menno.


  9. Re: How secure is Linux FTP vs IIS FTP ?

    David Dorward wrote:

    > NNTP wrote:
    >
    >> How secure is Linux FTP vs IIS FTP ?

    >
    > They can't really be compared. One is a specific FTP server, the other is
    > a platform upon which many different FTP servers can run.
    >
    > FTP, however, isn't very secure to start with - everything is sent in
    > clear text (including passwords). (Except in binary mode)
    >



    It never was secure.
    What about FTP while on a HTTP web browser? XML web browser?
    Does it switch to unsecure mode to do file transfers?

  10. Re: How secure is Linux FTP vs IIS FTP ?

    Nog wrote:

    > What about FTP while on a HTTP web browser?


    A what? A piece of software might be a web browser (and access HTML
    documents over HTTP) and also an FTP client. It doesn't make any difference
    as to how data is transferred for each protocol.

    > XML web browser?


    A what?

    > Does it switch to unsecure mode to do file transfers?


    What is "unsecure mode"? Presumably there is a "secure mode" too? How do
    they differ?

    --
    David Dorward
    Home is where the ~/.bashrc is

  11. Re: How secure is Linux FTP vs IIS FTP ?

    In comp.os.linux.security Unruh :
    > Menno Duursma writes:


    >>On Sat, 01 Apr 2006 12:01:17 -0600, NNTP wrote:


    >>> How secure is Linux FTP vs IIS FTP ?


    >>Supposedly 'Very Secure' http://vsftpd.beasts.org/


    > The question makes little sense. ftp is a protocol which is inherently
    > insecure. It sends passwords in the clear. It encrypts nothing.


    Indeed, unless TLS/SSL or the like are used. AFAIK "Very secure"
    just means it has been programmed with security in mind against
    exploiting vsftpd. Unlike other well known ftpd, there hasn't
    been anything (iirc) completely compromising the security of
    vsftpd.

    [..]

    --
    Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
    mail: echo zvpunry@urvzvat.qr | perl -pe 'y/a-z/n-za-m/'
    #bofh excuse 138: BNC (brain not connected)

  12. Re: How secure is Linux FTP vs IIS FTP ?

    Nog (06-04-03 18:05:29):

    > It never was secure.


    It was never intended to be secure. As the name states, it's just a
    "file transfer protocol". For 'secure' file transfers, you have SFTP,
    SSH (i.e. via SCP) or other protocols.


    > What about FTP while on a HTTP web browser? XML web browser?


    (ignoring nonsense)


    > Does it switch to unsecure mode to do file transfers?


    Well, there is no 'secure mode'. Thus, there also is no 'unsecure
    mode'. The only two transfer modes FTP differentiates between are
    binary mode vs. ASCII mode. As said, FTP has never been intended to be
    secure.


    Regards.

  13. Re: How secure is Linux FTP vs IIS FTP ?

    Huge (06-04-02 11:19:36):

    > > As Stachu pointed out, it can be configured to force SSL/TLS:

    >
    > At which point, it isn't ftp any more.


    Sure it's still FTP, but then it's encapsulated in another protocol; at
    least in the case of SSL/TLS.


    Regards.

  14. Re: How secure is Linux FTP vs IIS FTP ?

    Unruh wrote:
    > Menno Duursma writes:
    >
    >>On Sat, 01 Apr 2006 12:01:17 -0600, NNTP wrote:

    >
    >>> How secure is Linux FTP vs IIS FTP ?

    >
    >>Supposedly 'Very Secure' http://vsftpd.beasts.org/

    >
    > The question makes little sense. ftp is a protocol which is inherently
    > insecure. It sends passwords in the clear. It encrypts nothing.


    Oh, my dear sir. You are _so_ out of your field of knowledge.

    A little learning is a dangerous thing;
    Drink deep, or taste not the Pierian spring;
    There shallow draughts intoxicate the brain,
    And drinking largely sobers us again.
    -- Alexander Pope

    Consider a site that runs a well-selected ftp daemon (such as vsftpd or
    pure-ftpd) in anonymous-only mode, e.g. linuxmafia.com:

    corleone:~ rick$ ftp linuxmafia.com
    Connected to linuxmafia.com.
    220 (vsFTPd 2.0.3)
    Name (linuxmafia.com:rick): anonymous
    331 Please specify the password.
    Password:
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> ls
    229 Entering Extended Passive Mode (|||51344|)
    150 Here comes the directory listing.

    drwxrwxr-x 4 1000 107 8192 Apr 07 06:32 bale
    drwxrwxr-x 2 1000 1000 1024 Oct 16 2004 bas
    drwxrwxr-x 2 0 110 1024 Sep 02 1999 bas-save
    -rw-rw-r-- 1 0 110 383 Jun 29 1997 bas.html
    [...]

    ftp> bye
    221 Goodbye.
    corleone:~ rick$


    Now, in a trivial sense, you're correct: I was obliged to provide a
    "password". However, since this was for the anonymous account (username
    "anonymous" or "ftp"), the password is permitted to be anything at all,
    or nothing (though courtesy and convention suggest using one's e-mail
    address, to help site statistics).


    Now, consider a theoretical different site, running an ftp daemon
    offering standard ftp, but only wrapped in SSL. (Prepackaged ftp
    daemons designed to operate that way exist.) In that case, you would be
    not merely misguided but outright mistaken: Passwords are _not_ sent
    in the clear, and it encrypts _everything_.


    > vsftpd is one such but there are a number of others as well.


    Here are almost all of them:
    "FTP Daemons" on http://linuxmafia.com/kb/Network_Other/

    See also:
    "FTP Justification" on http://linuxmafia.com/kb/Network_Other/
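
The two cases in the post above (an anonymous-only daemon, and one where SSL/TLS is forced for real accounts), as an added example that is not part of the original thread: a check over vsftpd.conf text that reports when account passwords or data can cross the wire in the clear. The option names and defaults are the ones documented in vsftpd.conf(5) and should be confirmed against the installed version; the sample configurations are constructed.

```python
# Added example: audits vsftpd.conf text for cleartext credential exposure.
# Defaults are those documented in vsftpd.conf(5); confirm for your version.
DEFAULTS = {
    "anonymous_enable": "YES",
    "local_enable": "NO",
    "ssl_enable": "NO",
    "force_local_logins_ssl": "YES",
    "force_local_data_ssl": "YES",
}

def parse_conf(text):
    """Parse option=value lines; vsftpd allows no spaces around '='."""
    conf = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key] = value.upper() if value.upper() in ("YES", "NO") else value
    return conf

def audit(text):
    """Return a list of findings; an empty list means no cleartext secrets."""
    c = parse_conf(text)
    on = lambda k: c[k] == "YES"
    findings = []
    if not on("local_enable"):
        return findings  # anonymous-only: the "password" is not a secret
    if not on("ssl_enable"):
        findings.append("local logins without ssl_enable: passwords sent in clear")
        return findings
    if not on("force_local_logins_ssl"):
        findings.append("TLS optional for local logins: PASS may be sent in clear")
    if not on("force_local_data_ssl"):
        findings.append("TLS optional on data connections: files may cross in clear")
    return findings

# Constructed sample configurations (not from any real site).
ANON_ONLY = "anonymous_enable=YES\nlocal_enable=NO\n"
PLAIN_LOCAL = "# classic setup\nlocal_enable=YES\nwrite_enable=YES\n"
FORCED_TLS = "local_enable=YES\nssl_enable=YES\nanonymous_enable=NO\n"
OPTIONAL_TLS = FORCED_TLS + "force_local_logins_ssl=NO\n"

if __name__ == "__main__":
    for name in ("ANON_ONLY", "PLAIN_LOCAL", "FORCED_TLS", "OPTIONAL_TLS"):
        print(name, audit(globals()[name]) or "ok")
```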



  15. Re: How secure is Linux FTP vs IIS FTP ?

    Huge wrote:
    > On 2006-04-01, Menno Duursma wrote:
    >> On Sat, 01 Apr 2006 21:01:14 +0000, Unruh wrote:

    >
    >>> It sends passwords in the clear. It encrypts nothing.

    >>
    >> As Stachu pointed out, it can be configured to force SSL/TLS:

    >
    > At which point, it isn't ftp any more.


    That is simply mistaken.

    --
    Cheers,
    Rick Moen "vi is my shepherd; I shall not font."
    rick@linuxmafia.com -- Psalm 0.1 beta

  16. Re: How secure is Linux FTP vs IIS FTP ?

    On 2006-04-07, Rick Moen wrote:
    > Huge wrote:
    >> On 2006-04-01, Menno Duursma wrote:
    >>> On Sat, 01 Apr 2006 21:01:14 +0000, Unruh wrote:

    >>
    >>>> It sends passwords in the clear. It encrypts nothing.
    >>>
    >>> As Stachu pointed out, it can be configured to force SSL/TLS:

    >>
    >> At which point, it isn't ftp any more.

    >
    > That is simply mistaken.


    Wallow in your ignorance all you wish. I do not have the energy
    to give a ****.

    --
    "Other people are not your property."
    [email me at huge [at] huge [dot] org [dot] uk]

  17. Re: How secure is Linux FTP vs IIS FTP ?

    Huge wrote:

    > Wallow in your ignorance all you wish. I do not have the energy
    > to give a ****.


    Or, at your leisure, look up the protocol definition, and consider that
    it performs exactly the _same_ operations with or without wrapping in
    SSL. Which, frankly, you probably knew full well, but just wanted to
    mouth off.


  18. Re: How secure is Linux FTP vs IIS FTP ?

    Rick Moen (06-04-08 09:07:41):

    > > Wallow in your ignorance all you wish. I do not have the energy to
    > > give a ****.

    >
    > Or, at your leisure, look up the protocol definition, and consider
    > that it performs exactly the _same_ operations with or without
    > wrapping in SSL. Which, frankly, you probably knew full well, but
    > just wanted to mouth off.


    Well, the OSI layer model is not totally useless. Maybe he should read
    about it.


    Regards.

  19. Re: How secure is Linux FTP vs IIS FTP ?

    In article ,
    Huge wrote:

    >On 2006-04-01, Menno Duursma wrote:
    >> On Sat, 01 Apr 2006 21:01:14 +0000, Unruh wrote:

    >
    >>> It sends passwords in the clear. It encrypts nothing.

    >>
    >> As Stachu pointed out, it can be configured to force SSL/TLS:

    >
    >At which point, it isn't ftp any more.


    Which is like saying that X11 tunnelled over SSH isn't X11 any more.

  20. Re: How secure is Linux FTP vs IIS FTP ?

    In article ,
    David Dorward wrote:

    >What is "unsecure mode"? Presumably there is a "secure mode" too? How do
    >they differ?


    In whether the FTP service is enabled or not.

    Enabled => insecure mode
    Disabled => secure mode
