topic wu-ftpd security problem in Operating System - Linux

wu-ftpd security problem

jack Hu_1 — Tue, 24 Jun 2003 11:44:44 GMT

Dear Sir:
My company do a security scan.So my Linux has two wu-ftpd warning:
wu-ftpd site exec format string.
wu-ftpd site newer denial of service.

the wu-ftpd is 2.4.2rv17-3
the Linux is redhat 6.0
Can someone help me to fix this problem.
Or give me some suggestin ?
Upgrade wu-ftpd or other solution ?
thanks
Jack

Re: wu-ftpd security problem

John Poff — Tue, 24 Jun 2003 12:29:53 GMT

Hi Jack,

The latest version of wu-ftpd is 2.6.2. Here is the web site for wu-ftpd:

http://www.wu-ftpd.org/

I'd suggest upgrading to the latest version and re-running the security scan.

Also, if you can, you might want to upgrade to a newer version of RedHat Linux. The 6.0 version is pretty old and isn't supported any more.

JP

Re: wu-ftpd security problem

Steven E. Protter — Tue, 24 Jun 2003 13:55:07 GMT

Your best bet is of course the upgrade of the OS. There are a ton of security holes in 6.0 that are addressed in subsequent releases.

You can however run the Red Hat Update function built into the current OS and just install the latest rpm for the wu-ftp server.

That will take you to 2.6.2

There is nothing inherently insecure about that server.

Red Hat is using the optional vsftp server on their high volume ftp sites.

If you are picking a new version of Red Hat I would suggest 7.3 because its the last stable release in the 7 series.

9.0 is pretty good but its a .0 release and that always slows me down on using it. I'm currently upgrading my test environment and have run into some issues.

SEP

Re: wu-ftpd security problem

jack Hu_1 — Tue, 24 Jun 2003 15:09:49 GMT

Dear Sir:
I think it's a good idea for me to upgrade the new version of Linux.
But now they will do again to scan the security issue.
So how can I disable the ftp function first ?
Then I can do the upgrade of Linux and the ftp function later.
Or just upgrade the ftp function first ?
thanks
Jack

Re: wu-ftpd security problem

Steven E. Protter — Tue, 24 Jun 2003 16:34:22 GMT

To disable ftp do as follows:

vi /etc/xinetd.d/wu-ftpd

If should look like this....

# default: on
# description: The wu-ftpd FTP server serves FTP connections. It uses # normal, unencrypted usernames and passwords for authentication.
service ftp
{
disable = no
socket_type = stream
wait = no
user = root
server = /usr/sbin/in.ftpd
server_args = -l -a
log_on_success += DURATION USERID
log_on_failure += USERID
nice = 10
}

change dispable to yes

service xinetd restart

Now ftp is disabled.

The actual filename may be different on older versions of redhat maybe xinetd.d is inetd.d things like that.

But you need to change the config file and restart the xinetd or inetd daemon.

SEP

Re: wu-ftpd security problem

Caesar_3 — Tue, 24 Jun 2003 18:28:21 GMT

Hello!

To improve your security better is to
remove the wu-ftp and start to use the vsftp
works also with SSL (secure ftp)
RH also remove the wu-ftp and start distribute the vsftp because it's more secure and easy to use.

Caesar

Re: wu-ftpd security problem

Steven E. Protter — Wed, 25 Jun 2003 00:32:15 GMT

I have used wu-ftpd for years and vsftp for a few months.

Bill Hassell will tell you that wu-ftpd is just as secure as any ftp release out there. You can stay with it if you are comfortable with it.

vsftp does have some advantages. Security is not one of them. It was a write from scratch so there is no support for certain legacy functionality that you may have come to expect in wu-ftpd. The primary advantage and reason that Red Hat uses it for its external ftp servers is that it handles heavy loads very well.

The vulnerbility in wu-ftpd you originated your post on was discovered and corrected years ago. I am not seeing frequent security bullitens on this product. It is old, safe and secure.

A good idea to track these issues is to subscribe to HP's security bulletins, which cover this product and other common products like sendmail. You can also subscribe to the CERT security newsletter which will get you updates on common utilities.

The bottom line is nothing is totally secure and you need to be aware of things.

I would recommend one extra thing for any Linux or HP-UX server you admin. Bastille. This tool will let you harden the security of either OS with confidence and a simple question and answer interface.

SEP

Re: wu-ftpd security problem

Andrew Cowan — Wed, 25 Jun 2003 05:20:51 GMT

The most secure solution you can use is OpenSSH's sftp as all the data is encrypted whilst in transit. You can also take advantage of scp, remote commands etc. OpenSSH is rapidly becoming the standard for secure administration across most platforms.

It also has the advantage that it is free and there is tons of support available for it. If you also want to use secure login (ssh) instead of telnet, I recommend that you download Putty from(www.chiark.greenend.org.uk/~sgtatham/putty/)

Putty is an excellent terminal emulator and its also free.

Re: wu-ftpd security problem

U.SivaKumar_2 — Wed, 25 Jun 2003 06:00:44 GMT

Hi,

I concur with John.

Every application has security bugs which the authors missed but found out by other people.

And the authors correct the security bugs in their previous release code with a latest release code.

So I recommend you to download the latest wu-ftpd and install in your machine.

regards,

U.SivaKumar

Re: wu-ftpd security problem

Caesar_3 — Wed, 25 Jun 2003 18:13:40 GMT

Hello!

About the vsftp, ofcourse it's nor secure ftp
in the way of encript the chanel and all the
connection, i mean for the security of allow
users is better made and easy to use.

For the secure chanel ftp should use sftp.

Caesar

Re: wu-ftpd security problem

Jerome Henry — Wed, 25 Jun 2003 18:45:25 GMT

Adding to friends advice, and paraphrasing a bit, it depends mainly on who'll conect to your ftp server.
If it's an inner company ftp server, then wu-ftpd will do the job, as said before, as long as you upgrade to a new version, in which no bug is found yet.

Your sca, looking like nmap or nessus, may warn again, on the risk linked to ftp server, but you just have to quota upload directory to be safe.

wu-ftpd have many good configurations examples :
http://www.wu-ftpd.org/HOWTO/

vsftpd is knwon as sure, use it if your ftp server is connected outside. I also like very muc pro-ftpd, as its configuration file looks like apache a lot, which is friendly, and is also considered as pretty sure :

http://proftpd.linux.co.uk/

hth

J

Re: wu-ftpd security problem

Bill Douglass — Thu, 26 Jun 2003 02:13:40 GMT

I don't believe RH 6.0 has xinetd.

To disable ftpd, you can either remove the entry from /etc/inetd.conf, or add the following line to /etc/hosts.deny:

in.ftpd: ALL

This will prevent anyone from logging in via ftp.

Re: wu-ftpd security problem

jack Hu_1 — Thu, 26 Jun 2003 11:11:14 GMT

Dear Sir:
I first update wu-ftpd to 2.6 version.
I could the scan now.
And I will try to upgrade my OS too.
Also the SSH,.....
Very thanks for all your help.
Jack