LinuxQuestions.org
Old 03-23-2009, 05:32 PM   #1
Gum
LQ Newbie
 
Registered: Mar 2009
Posts: 4

Rep: Reputation: 0
How secure is vsftpd? What alternative is there for more secure access?


I heard a rumor that passwords are sent across the Internet without any sort of encryption when using vsftpd as the server. How big of a security issue is this? I wouldn't so much mind people reading the data as it streams by, but the passwords need to remain secure.

I want to allow users to ftp website data, HTMLs and JPEGs mostly, to the server without risking a security breach. Some of those websites they are updating will be businesses and process credit cards, so security is a big deal. I want them to be able to use the same name and password as they would for SSH, and I want them to be able to use the built-in "publish" commands in Dreamweaver, MS Publisher, or whatever software they want.

Thanks for your help
 
Old 03-23-2009, 05:48 PM   #2
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 654
The problem is with the ftp protocol and not vsftp. As far as I know the vs in vsftp is from the server point of view. The ftp protocol itself doesn't transmit passwords or data securely.

Since you said that your clients have ssh access, do the programs they use support sftp?

If you want to support sftp & scp but not ssh, I believe there is a sftp-shell or something similar to use instead of /bin/sh in /etc/passwd.

If you want to support sftp, scp and ssh, then google for "openssh chroot". For example, there is a sourceforge project for this.
http://sourceforge.net/projects/chrootssh/

There is also an entry in the LQ Wiki.
http://wiki.linuxquestions.org/wiki/OpenSSH_chrooting

I'm not a web designer or web master. Don't some of the programs you mentioned only produce code that assumes they run on IIS servers? (E.g. use ActiveX, etc.)

Last edited by jschiwal; 03-23-2009 at 05:50 PM.
 
Old 03-23-2009, 07:15 PM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,999
Blog Entries: 54

Rep: Reputation: 2756
...besides, Vsftpd has ssl_enable, meaning you can wrap both control and data channel comms in SSL.
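
Added example, not part of the thread: a small Python check of vsftpd.conf text for the ssl_enable setting mentioned above and the related options that decide whether a login can still happen in cleartext. The option names and defaults are those documented in vsftpd.conf(5); the sample configurations and the certificate path are constructed.

```python
# Added example: audit vsftpd.conf text for settings that leave logins in cleartext.
# Defaults are those documented in vsftpd.conf(5); sample configs are constructed.
DEFAULTS = {"ssl_enable": "NO", "force_local_logins_ssl": "YES",
            "force_local_data_ssl": "YES", "ssl_sslv2": "NO", "ssl_sslv3": "NO"}
TRUE_VALUES = {"YES", "TRUE", "1"}

def parse_conf(text):
    """Parse option=value lines, skipping blanks and # comments, over the defaults."""
    settings = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key] = value
    return settings

def audit(text):
    """Return the names of options whose effective value weakens transport security."""
    conf = parse_conf(text)
    on = lambda name: conf[name].upper() in TRUE_VALUES
    if not on("ssl_enable"):
        # Plain FTP: USER/PASS and file contents are readable on the wire.
        return ["ssl_enable"]
    findings = []
    # With SSL available, these two decide whether a client may still skip it.
    for name in ("force_local_logins_ssl", "force_local_data_ssl"):
        if not on(name):
            findings.append(name)
    # Obsolete protocol versions should stay disabled.
    for name in ("ssl_sslv2", "ssl_sslv3"):
        if on(name):
            findings.append(name)
    return findings

WEAK = "listen=YES\nlocal_enable=YES\nwrite_enable=YES\n"
MIXED = "local_enable=YES\nssl_enable=YES\nforce_local_logins_ssl=NO\n"
HARDENED = ("local_enable=YES\nssl_enable=YES\n"
            "force_local_logins_ssl=YES\nforce_local_data_ssl=YES\n"
            "ssl_sslv2=NO\nssl_sslv3=NO\n"
            "rsa_cert_file=/etc/ssl/private/vsftpd.pem\n")  # constructed path

if __name__ == "__main__":
    for label, conf in (("weak", WEAK), ("mixed", MIXED), ("hardened", HARDENED)):
        print(label, audit(conf) or "ok")
```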
 
Old 03-23-2009, 10:45 PM   #4
Gum
LQ Newbie
 
Registered: Mar 2009
Posts: 4

Original Poster
Rep: Reputation: 0
Thanks. The new question would be which to choose...

Which do more clients support, vsftpd with SSL or sFTP? I might as well go with the more widely accepted choice.
 
Old 03-24-2009, 01:02 PM   #5
Gum
LQ Newbie
 
Registered: Mar 2009
Posts: 4

Original Poster
Rep: Reputation: 0
Question answered...

The following address has a list of many FTP clients and whether or not they support sFTP and FTP-SSL.
http://geekswithblogs.net/bvamsi/arc.../23/73147.aspx

Turns out that sFTP is more widely accepted by FTP-client programs like FileZilla, although FTP-SSL is also widely accepted. Newer versions of Dreamweaver also support sFTP. According to that webpage sFTP is the better choice for security and popularity.

Last edited by Gum; 03-24-2009 at 01:13 PM.
 
Old 03-24-2009, 05:00 PM   #6
rweaver
Senior Member
 
Registered: Dec 2008
Location: Louisville, OH
Distribution: Debian, CentOS, Slackware, RHEL, Gentoo
Posts: 1,833

Rep: Reputation: 163
Quote:
Originally Posted by Gum
The following address has a list of many FTP clients and whether or not they support sFTP and FTP-SSL.
http://geekswithblogs.net/bvamsi/arc.../23/73147.aspx

Turns out that sFTP is more widely accepted by FTP-client programs like FileZilla, although FTP-SSL is also widely accepted. Newer versions of Dreamweaver also support sFTP. According to that webpage sFTP is the better choice for security and popularity.

Most of the extremely popular choices for clients support both. I've had better luck running sftp generally and it lets you remove a daemon from the system (if you're running openssh for instance).
 
  


All times are GMT -5.