wu-ftpd security problem

jack Hu_1
Advisor

wu-ftpd security problem

Dear Sir:
My company did a security scan, so my Linux has two wu-ftpd warnings:
wu-ftpd site exec format string.
wu-ftpd site newer denial of service.

The wu-ftpd is 2.4.2rv17-3.
The Linux is Red Hat 6.0.
Can someone help me to fix this problem?
Or give me some suggestion?
Upgrade wu-ftpd or other solution?
thanks
Jack
12 REPLIES
John Poff
Honored Contributor

Re: wu-ftpd security problem

Hi Jack,

The latest version of wu-ftpd is 2.6.2. Here is the web site for wu-ftpd:

http://www.wu-ftpd.org/

I'd suggest upgrading to the latest version and re-running the security scan.

Also, if you can, you might want to upgrade to a newer version of RedHat Linux. The 6.0 version is pretty old and isn't supported any more.

JP
Steven E. Protter
Exalted Contributor

Re: wu-ftpd security problem

Your best bet is of course the upgrade of the OS. There are a ton of security holes in 6.0 that are addressed in subsequent releases.

You can, however, run the Red Hat Update function built into the current OS and just install the latest rpm for the wu-ftp server.

That will take you to 2.6.2.

There is nothing inherently insecure about that server.

Red Hat is using the optional vsftp server on their high volume ftp sites.

If you are picking a new version of Red Hat I would suggest 7.3 because it's the last stable release in the 7 series.

9.0 is pretty good but it's a .0 release and that always slows me down on using it. I'm currently upgrading my test environment and have run into some issues.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
jack Hu_1
Advisor

Re: wu-ftpd security problem

Dear Sir:
I think it's a good idea for me to upgrade to the new version of Linux.
But now they will scan for the security issue again.
So how can I disable the ftp function first?
Then I can do the upgrade of Linux and the ftp function later.
Or just upgrade the ftp function first?
thanks
Jack
Steven E. Protter
Exalted Contributor

Re: wu-ftpd security problem

To disable ftp do as follows:

vi /etc/xinetd.d/wu-ftpd

It should look like this:

# default: on
# description: The wu-ftpd FTP server serves FTP connections. It uses
# normal, unencrypted usernames and passwords for authentication.
service ftp
{
    disable         = no
    socket_type     = stream
    wait            = no
    user            = root
    server          = /usr/sbin/in.ftpd
    server_args     = -l -a
    log_on_success  += DURATION USERID
    log_on_failure  += USERID
    nice            = 10
}

Change disable to yes, then:

service xinetd restart

Now ftp is disabled.

The actual filename may be different on older versions of Red Hat; maybe xinetd.d is inetd.d, things like that.

But you need to change the config file and restart the xinetd or inetd daemon.

SEP
Caesar_3
Esteemed Contributor

Re: wu-ftpd security problem

Hello!

To improve your security it is better to
remove the wu-ftp and start to use the vsftp;
it works also with SSL (secure ftp).
RH also removed the wu-ftp and started distributing the vsftp because it's more secure and easy to use.


Caesar
Steven E. Protter
Exalted Contributor

Re: wu-ftpd security problem

I have used wu-ftpd for years and vsftp for a few months.

Bill Hassell will tell you that wu-ftpd is just as secure as any ftp release out there. You can stay with it if you are comfortable with it.

vsftp does have some advantages. Security is not one of them. It was written from scratch, so there is no support for certain legacy functionality that you may have come to expect in wu-ftpd. The primary advantage, and the reason that Red Hat uses it for its external ftp servers, is that it handles heavy loads very well.

The vulnerability in wu-ftpd you originated your post on was discovered and corrected years ago. I am not seeing frequent security bulletins on this product. It is old, safe and secure.

A good idea to track these issues is to subscribe to HP's security bulletins, which cover this product and other common products like sendmail. You can also subscribe to the CERT security newsletter which will get you updates on common utilities.

The bottom line is nothing is totally secure and you need to be aware of things.

I would recommend one extra thing for any Linux or HP-UX server you admin: Bastille. This tool will let you harden the security of either OS with confidence and a simple question-and-answer interface.

SEP
Andrew Cowan
Honored Contributor

Re: wu-ftpd security problem

The most secure solution you can use is OpenSSH's sftp as all the data is encrypted whilst in transit. You can also take advantage of scp, remote commands etc. OpenSSH is rapidly becoming the standard for secure administration across most platforms.

It also has the advantage that it is free and there is tons of support available for it. If you also want to use secure login (ssh) instead of telnet, I recommend that you download PuTTY from (www.chiark.greenend.org.uk/~sgtatham/putty/).

PuTTY is an excellent terminal emulator and it's also free.
U.SivaKumar_2
Honored Contributor

Re: wu-ftpd security problem

Hi,

I concur with John.

Every application has security bugs which the authors missed but which were found by other people.

And the authors correct the security bugs of their previous release code in the latest release code.

So I recommend you download the latest wu-ftpd and install it on your machine.

regards,

U.SivaKumar

Innovations are made when conventions are broken
Caesar_3
Esteemed Contributor

Re: wu-ftpd security problem

Hello!

About the vsftp, of course it's not secure ftp
in the way of encrypting the channel and all the
connection; I mean for the security of allowed
users it is better made and easy to use.

For a secure channel ftp should use sftp.

Caesar
Jerome Henry
Honored Contributor

Re: wu-ftpd security problem

Adding to friends' advice, and paraphrasing a bit, it depends mainly on who'll connect to your ftp server.
If it's an inner company ftp server, then wu-ftpd will do the job, as said before, as long as you upgrade to a new version in which no bug is found yet.

Your scan, looking like nmap or nessus, may warn again about the risk linked to the ftp server, but you just have to put a quota on the upload directory to be safe.

wu-ftpd has many good configuration examples:
http://www.wu-ftpd.org/HOWTO/

vsftpd is known as safe; use it if your ftp server is connected outside. I also like pro-ftpd very much, as its configuration file looks a lot like Apache's, which is friendly, and it is also considered pretty safe:

http://proftpd.linux.co.uk/

hth

J
You can lean only on what resists you...
Bill Douglass
Esteemed Contributor

Re: wu-ftpd security problem

I don't believe RH 6.0 has xinetd.

To disable ftpd, you can either remove the entry from /etc/inetd.conf, or add the following line to /etc/hosts.deny:

in.ftpd: ALL

This will prevent anyone from logging in via ftp.
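The two ways of switching ftp off described in this thread (the xinetd stanza with disable = yes, and the older inetd.conf entry plus an in.ftpd: ALL line in hosts.deny) can be verified rather than assumed. The script below is an added example, not code from any poster; it takes the file paths as arguments and runs against constructed sample files so it can be tried before pointing it at the real /etc files.

```shell
#!/bin/sh
# Added example: audit whether FTP is switched off on a legacy Red Hat box,
# for both the xinetd layout and the inetd.conf + hosts.deny layout.

# "disabled" if the xinetd stanza has disable = yes, "enabled" if the file
# exists without it, "absent" if there is no such file at all.
ftp_xinetd_state() {
    f="$1"
    [ -f "$f" ] || { echo absent; return; }
    if grep -Eiq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes' "$f"; then
        echo disabled
    else
        echo enabled
    fi
}

# "enabled" if inetd.conf still has an active (uncommented) ftp line.
ftp_inetd_state() {
    f="$1"
    if [ -f "$f" ] && grep -Eq '^[[:space:]]*ftp[[:space:]]' "$f"; then
        echo enabled
    else
        echo disabled
    fi
}

# "blocked" if hosts.deny refuses in.ftpd (or every wrapped service) for ALL.
tcpwrap_ftp_state() {
    f="$1"
    if [ -f "$f" ] && grep -Eq '^[[:space:]]*(in\.ftpd|ALL)[[:space:]]*:[[:space:]]*ALL' "$f"; then
        echo blocked
    else
        echo open
    fi
}

# Constructed sample files standing in for /etc/xinetd.d/wu-ftpd,
# /etc/inetd.conf and /etc/hosts.deny (hypothetical contents).
demo_dir=$(mktemp -d)
printf 'service ftp\n{\n\tdisable = yes\n\tserver = /usr/sbin/in.ftpd\n}\n' > "$demo_dir/wu-ftpd"
printf '#ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a\n' > "$demo_dir/inetd.conf"
printf 'in.ftpd: ALL\n' > "$demo_dir/hosts.deny"

echo "xinetd stanza: $(ftp_xinetd_state "$demo_dir/wu-ftpd")"
echo "inetd.conf:    $(ftp_inetd_state "$demo_dir/inetd.conf")"
echo "hosts.deny:    $(tcpwrap_ftp_state "$demo_dir/hosts.deny")"
```

On a real box, pass /etc/xinetd.d/wu-ftpd, /etc/inetd.conf and /etc/hosts.deny and confirm with a connection attempt to port 21 from another host after the daemon restart.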
jack Hu_1
Advisor

Re: wu-ftpd security problem

Dear Sir:
I first updated wu-ftpd to the 2.6 version.
I can do the scan now.
And I will try to upgrade my OS too.
Also the SSH.....
Many thanks for all your help.
Jack