06-24-2003 04:44 AM
wu-ftpd security problem
My company did a security scan. So my Linux has two wu-ftpd warnings:
wu-ftpd site exec format string.
wu-ftpd site newer denial of service.
the wu-ftpd is 2.4.2rv17-3
the Linux is redhat 6.0
Can someone help me to fix this problem?
Or give me some suggestions?
Upgrade wu-ftpd or other solution ?
thanks
Jack
06-24-2003 05:29 AM
Re: wu-ftpd security problem
The latest version of wu-ftpd is 2.6.2. Here is the web site for wu-ftpd:
http://www.wu-ftpd.org/
I'd suggest upgrading to the latest version and re-running the security scan.
Also, if you can, you might want to upgrade to a newer version of RedHat Linux. The 6.0 version is pretty old and isn't supported any more.
JP
06-24-2003 06:55 AM
Re: wu-ftpd security problem
You can however run the Red Hat Update function built into the current OS and just install the latest rpm for the wu-ftp server.
That will take you to 2.6.2
There is nothing inherently insecure about that server.
Red Hat is using the optional vsftp server on their high volume ftp sites.
If you are picking a new version of Red Hat I would suggest 7.3 because it's the last stable release in the 7 series.
9.0 is pretty good but it's a .0 release and that always slows me down on using it. I'm currently upgrading my test environment and have run into some issues.
SEP
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
06-24-2003 08:09 AM
Re: wu-ftpd security problem
I think it's a good idea for me to upgrade to the new version of Linux.
But now they will scan again for the security issue.
So how can I disable the ftp function first ?
Then I can do the upgrade of Linux and the ftp function later.
Or just upgrade the ftp function first ?
thanks
Jack
06-24-2003 09:34 AM
Re: wu-ftpd security problem
vi /etc/xinetd.d/wu-ftpd
It should look like this....
# default: on
# description: The wu-ftpd FTP server serves FTP connections. It uses
# normal, unencrypted usernames and passwords for authentication.
service ftp
{
        disable = no
        socket_type = stream
        wait = no
        user = root
        server = /usr/sbin/in.ftpd
        server_args = -l -a
        log_on_success += DURATION USERID
        log_on_failure += USERID
        nice = 10
}
Change disable to yes
service xinetd restart
Now ftp is disabled.
The actual filename may be different on older versions of redhat; maybe xinetd.d is inetd.d, things like that.
But you need to change the config file and restart the xinetd or inetd daemon.
SEP
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
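The steps in the post above (set disable to yes in the xinetd service file, or edit the inetd configuration on older releases), as an added example that is not part of the original thread. The function names are hypothetical. It assumes classic inetd reads an inetd.conf in which a service is off when its line is commented out or missing, and it treats only the exact value "yes" as disabled.

```shell
# Added example, not from the thread: audit and switch off an (x)inetd service.

# xinetd_state FILE SERVICE -> "enabled", "disabled" or "absent".
# A block with no "disable" attribute is enabled. Conservative assumption:
# only the exact value "yes" counts as disabled.
xinetd_state() {
    awk -v svc="$2" '
        { sub(/#.*/, "") }                      # ignore comments
        $1 == "service" && $2 == svc { found = 1; state = "enabled" }
        found && !inblk && /[{]/ { inblk = 1; next }
        inblk && /[}]/ { exit }
        inblk {
            split($0, kv, "=")
            gsub(/[ \t]/, "", kv[1]); gsub(/[ \t]/, "", kv[2])
            if (kv[1] == "disable" && kv[2] == "yes") state = "disabled"
        }
        END { print (found ? state : "absent") }
    ' "$1"
}

# xinetd_disable FILE SERVICE: force "disable = yes" in the service block,
# replacing an existing disable line or adding one when the block had none.
xinetd_disable() {
    tmp="$1.tmp.$$"
    awk -v svc="$2" '
        $1 == "service" && $2 == svc { want = 1 }
        want && /[{]/ { print; print "\tdisable = yes"; want = 0; inblk = 1; next }
        inblk && /^[ \t]*disable[ \t]*=/ { next }
        inblk && /^[ \t]*[}]/ { inblk = 0 }
        { print }
    ' "$1" > "$tmp" && cat "$tmp" > "$1"    # cat keeps the owner and mode
    rc=$?; rm -f "$tmp"; return $rc
}

# inetd_state FILE SERVICE: in inetd.conf a commented-out or missing line is off.
inetd_state() {
    awk -v svc="$2" '$1 == svc { on = 1 } END { print (on ? "enabled" : "disabled") }' "$1"
}

# Constructed sample input: a cut-down copy of the service block in the post.
demo() {
    f=$(mktemp)
    printf 'service ftp\n{\n\tdisable = no\n\tuser = root\n}\n' > "$f"
    before=$(xinetd_state "$f" ftp)
    xinetd_disable "$f" ftp
    echo "$before -> $(xinetd_state "$f" ftp)"
    rm -f "$f"
}
demo
```

After the edit, xinetd still has to be restarted (service xinetd restart, as in the post) before the change takes effect.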
06-24-2003 11:28 AM
Re: wu-ftpd security problem
To improve your security, it is better to
remove wu-ftp and start using vsftp, which
also works with SSL (secure ftp).
RH also removed wu-ftp and started distributing vsftp because it's more secure and easy to use.
Caesar
06-24-2003 05:32 PM
Re: wu-ftpd security problem
Bill Hassell will tell you that wu-ftpd is just as secure as any ftp release out there. You can stay with it if you are comfortable with it.
vsftp does have some advantages. Security is not one of them. It was a write from scratch so there is no support for certain legacy functionality that you may have come to expect in wu-ftpd. The primary advantage and reason that Red Hat uses it for its external ftp servers is that it handles heavy loads very well.
The vulnerability in wu-ftpd you originated your post on was discovered and corrected years ago. I am not seeing frequent security bulletins on this product. It is old, safe and secure.
A good idea to track these issues is to subscribe to HP's security bulletins, which cover this product and other common products like sendmail. You can also subscribe to the CERT security newsletter which will get you updates on common utilities.
The bottom line is nothing is totally secure and you need to be aware of things.
I would recommend one extra thing for any Linux or HP-UX server you admin. Bastille. This tool will let you harden the security of either OS with confidence and a simple question and answer interface.
SEP
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
06-24-2003 10:20 PM
Re: wu-ftpd security problem
It also has the advantage that it is free and there is tons of support available for it. If you also want to use secure login (ssh) instead of telnet, I recommend that you download Putty from (www.chiark.greenend.org.uk/~sgtatham/putty/).
Putty is an excellent terminal emulator and it's also free.
06-24-2003 11:00 PM
Re: wu-ftpd security problem
I concur with John.
Every application has security bugs which the authors missed but which were found by other people.
And the authors correct the security bugs in their previous release code with the latest release code.
So I recommend that you download the latest wu-ftpd and install it on your machine.
regards,
U.SivaKumar
06-25-2003 11:13 AM
Re: wu-ftpd security problem
About vsftp, of course it's not secure ftp
in the sense of encrypting the channel and all of the
connection; I mean that for the security of allowed
users it is better made and easy to use.
For a secure channel ftp you should use sftp.
Caesar