Secure OS Software for Linux

Re: wu-ftpd installed, but it didn't reply response.

 
Drew Gulino
New Member

Re: wu-ftpd installed, but it didn't reply response.

I have the rule
'HOST * -> COMPARTMENT xinetd PORT 21 METHOD tcp NETDEV any'. This allows the initial connection. But unless I put the ftpd daemon in the syshi compartment, I get 'Socket connected waiting for login sequence.' when connecting from a client and then the client connection times out before login is possible.
Hal Rottenberg
Frequent Advisor

Re: wu-ftpd installed, but it didn't reply response.

Drew,

I think you should open a support case with the Response Center so that the lab can research this behavior.

Regards,

Hal Rottenberg
If at first you don't succeed, then skydiving isn't for you.
Steven E. Protter
Exalted Contributor

Re: wu-ftpd installed, but it didn't reply response.

I have heard that wu-ftpd has a security hole that lets users run EXEC commands, potentially getting root access.

I never let root use ftp on Linux or HP-UX machines.

I have heard that Proftpd does not allow EXEC commands and is in general more secure. I'm going to test it on a Linux test box, but am increasingly interested in running it on HP-UX.

Any suggestions or experience in this area?
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Hal Rottenberg
Frequent Advisor

Re: wu-ftpd installed, but it didn't reply response.

"I have heard that wu-ftpd has a security hole that lets users run EXEC commands, potentially getting root access."

Steven,

My research found this to be an old exploit from 1995. As far as I can tell it never applied to Red Hat, upon which Secure Linux is based. The issue was not that the SITE EXEC command was enabled, but that the EXEC bin path was set to /bin, thus allowing shell access. This is a compile-time variable, and I don't think you will find this to be the default on any Linux distribution now.

That aside, I don't know anything about ProFTPD. At this point in time, we are aligning with software that is included in Red Hat, so we are using wu-ftpd. In version 2 of our software wu-ftpd will be available as a pre-packaged integration complete with security rules in effect.

I encourage you to integrate ProFTPD if you want, and if you learn anything or encounter snags while doing so, please post to the group.

-hal
If at first you don't succeed, then skydiving isn't for you.
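The misconfiguration described in the post above (a SITE EXEC directory that is /bin or otherwise contains a shell) can be audited with a short script. This is an added example, not part of the original thread or of wu-ftpd; the function names and the list of interpreter names are constructed for illustration, and the directory to check is passed in by the administrator.

```shell
#!/bin/sh
# Added example: audit the directory an FTP daemon's SITE EXEC is confined to.
# Usage: audit_exec_dir DIR [SHELLS_FILE]
# Returns 0 if nothing risky was found, 1 if risky entries exist, 2 on bad input.

# Constructed, non-exhaustive list of programs that act as command interpreters.
RISKY_NAMES="sh bash ash dash ksh csh tcsh zsh perl python awk env find xargs"

# True if NAME is a known interpreter or is listed as a login shell in SHELLS_FILE.
is_interpreter() {
    for r in $RISKY_NAMES; do
        [ "$1" = "$r" ] && return 0
    done
    [ -r "$2" ] || return 1
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        [ "${line##*/}" = "$1" ] && return 0
    done < "$2"
    return 1
}

audit_exec_dir() {
    dir=$1
    shells_file=${2:-/etc/shells}
    found=0
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 2
    fi
    # A system binary directory is the case the post describes (exec path = /bin).
    case "$(cd "$dir" && pwd -P)" in
        /bin|/sbin|/usr/bin|/usr/sbin)
            echo "RISK: $dir is a system binary directory"
            found=1 ;;
    esac
    # Flag every executable in the directory that gives a general command shell.
    for f in "$dir"/*; do
        if [ -f "$f" ] && [ -x "$f" ]; then
            name=${f##*/}
            if is_interpreter "$name" "$shells_file"; then
                echo "RISK: $dir/$name is a command interpreter"
                found=1
            fi
        fi
    done
    return $found
}

if [ $# -gt 0 ]; then audit_exec_dir "$@"; fi
```
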
Steven E. Protter
Exalted Contributor

Re: wu-ftpd installed, but it didn't reply response.

Thanks Hal. I'm going to conduct the Proftpd experiment on a test Red Hat box I'm building in the next few weeks.

I will report results.

There was a reported Red Hat 6x hack of a system using wu-ftpd on one of the newsgroups.

The information was sketchy, but I find most hacks are due to administrator ignorance and a poor understanding of how to configure the product.

On the other hand, my old ISP switched from wu-ftpd to Proftpd and claimed it was for security reasons. It's worth doing the Proftpd project simply for knowing how to do it.

Early next year, I'm going to have a hand-me-down D320 box in my offices and it will be my first HP-UX box exposed to the public internet. I'm using it to learn and perhaps provide secondary services, such as taking over my web traffic when the Red Hat box is brought down for maintenance.

Hence the queries. I have found HP-UX 11.11 installs with far fewer security holes than 11.00. That's always nice. There is even a little firewall you can use like ipchains on Linux.

Have a good day.
Steven E Protter