-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Ok, well here's how I run *my* ftp daemon on my bsd box. First I tell the
daemon that it can only allow users that exist in the /etc/ftpchroot file,
anonymous isn't allowed and nothing else is permitted. This is a nice
start. Oh yeah, all users are chrooted to their home directory.

Next, I can make a choice. Do I want to allow passive connections or not?
If I do then I have to accommodate this with my firewall by opening a port
range for incoming connections. This works by (a) telling FTP to only pick
from the "high" ports (b) telling my kernel that high ports start and end
at xxxxx and xxxxx (this means I don't have to pass 1025-65535 which is
just insane) (c) telling my firewall to open those ports that I've
specifically defined as "high".

I chose differently. My daemon doesn't do passive connections so I just
edited its yacc command description file and removed PASV, EPSV and LPSV.
Now it's not an issue at all.

Obviously it would be nice to just use SCP and SFTP but that isn't
practical when it comes to joe user who wants to have j.random publishing
software upload to the server.

Joshua b. Jore
Minneapolis Ward 3, precinct 10
http://www.greentechnologist.org

On Fri, 2 Nov 2001, duncan wrote:

> Hello-
>
> I'm going to be setting up an FTP server, and am aware that ftp has a
> history of bad security.
>
> I have looked around at ftp servers, and pure-ftpd seems to be pretty
> good... however, I'm not sure.
>
> Anyone have any best practices or good advice to help ensure decent
> security on the box?
>
> SFTP?
>
> It's a Linux box, and folks will be connecting (maybe doesn't matter) with
> Windows.
>
> thanks
>
> duncan
>
> _______________________________________________
> Twin Cities Linux Users Group Mailing List - Minneapolis/St. Paul, Minnesota
> http://www.mn-linux.org
> tclug-list at mn-linux.org
> https://mailman.mn-linux.org/mailman/listinfo/tclug-list
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (OpenBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE74ts3fexLsowstzcRAq8yAKDrywf9QCf0fOt4PlS1+vC98sGoCgCggOnM
Q44gEsUTFYL/M5BPnJiKu3s=
=orfZ
-----END PGP SIGNATURE-----
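
Added example (not part of the original message): a Python audit helper for the two setups described above. It classifies a server's reply to PASV/EPSV as refused, or checks that the advertised data port falls inside the range the firewall opens. The range 49152-49407 is an assumed placeholder for the elided "xxxxx" values, and the sample replies are constructed.

```python
import re

# Assumed placeholder range; the message elides the real values ("xxxxx").
HIGH_FIRST, HIGH_LAST = 49152, 49407

PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
EPSV_RE = re.compile(r"\((.)\1\1(\d{1,5})\1\)")  # RFC 2428: (|||port|)


def passive_port(reply):
    """Data port from a 227 (PASV) or 229 (EPSV) reply, else None."""
    if reply.startswith("227"):
        m = PASV_RE.search(reply)
        if m:
            nums = [int(g) for g in m.groups()]
            if all(n <= 255 for n in nums):
                return nums[4] * 256 + nums[5]  # port = p1*256 + p2
    elif reply.startswith("229"):
        m = EPSV_RE.search(reply)
        if m and int(m.group(2)) <= 65535:
            return int(m.group(2))
    return None


def audit(reply, first=HIGH_FIRST, last=HIGH_LAST):
    """Classify one server reply to PASV, EPSV or LPSV."""
    if reply.startswith("5"):
        return "refused"  # command removed or disabled in the daemon
    port = passive_port(reply)
    if port is None:
        return "unparsed"  # includes 228 (LPSV) replies, not decoded here
    return "in-range" if first <= port <= last else "out-of-range"


# Constructed sample replies (not captured from a real server).
SAMPLES = [
    "500 'PASV': command not understood.",
    "227 Entering Passive Mode (192,0,2,10,192,5)",
    "227 Entering Passive Mode (192,0,2,10,4,1)",
    "229 Entering Extended Passive Mode (|||49200|)",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{audit(line):12}  {line}")
```

An "out-of-range" result means the daemon is handing out data ports the firewall rule does not cover, so passive transfers will stall or the rule is wider than intended.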