Re: Easy for a newbie to manage an OpenBSD server?

From: Joachim Schipper (j.schippermath.uu.nl)
Date: Tue Aug 01 2006 - 11:40:43 CDT


On Tue, Aug 01, 2006 at 10:26:23AM -0500, Titan wrote:
> I have quite a predicament. I have been tasked with setting up an FTP
> server for the research group I'm involved with. The problem is once
> I'm gone someone with no *NIX experience will be maintaining the
> server. I've been considering using OpenBSD because it looks like it
> can go far longer without updates than Windows and Linux servers and
> looks to be very secure.
>
> In your experience, would it be possible for someone with no *NIX
> experience to maintain a simple FTP server?

No.

In fact, most persons with UNIX experience would counsel you against
using FTP other than anonymous FTP - as posted before, it's quite
insecure[1]. As mentioned before, sftp is preferable.

If you must do this, consider going with whatever the group knows. If
this is nothing, tell them to get some help.

> How long would you trust an unpatched OpenBSD server to go unhacked?

If it's only running ftpd (or sshd+sftp-server), system compromise is
likely to take years, given a proper setup (i.e., no root access via ftp
and such). However, user accounts may be compromised within minutes.

                Joachim

[1] Using S/Key exclusively does go some way towards mitigating the
problem, but adds a lot of complexity and raises the bar for a competent
attacker from 'trivial' to 'easy'. (Hint: take over a session; if you
have some time, write a program that does so as soon as QUIT is seen,
leaving the user none the wiser. This does, however, require a host that
can actually intercept the stream, instead of just seeing it. Or, for a
quicker solution, proxy the authentication request from the server to
the client and then deny authentication, and you have successfully stolen
a password. Less stealthy, though.)
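The "proper setup" the reply refers to for the sshd+sftp-server option (no root access, file transfer only) is worth spelling out, since that is the part a non-UNIX maintainer would otherwise have to guess at. The following sshd_config fragment is an added example, not part of the original reply; it assumes a recent OpenSSH (the ChrootDirectory, internal-sftp and PermitTTY directives post-date this 2006 message) and a local group named sftponly, which is an assumed name.

```text
# /etc/ssh/sshd_config fragment (added example; assumes OpenSSH new enough for
# ChrootDirectory/internal-sftp/PermitTTY, and an assumed local group "sftponly")

PermitRootLogin no              # root never logs in over ssh or sftp
PasswordAuthentication no       # keys only, so a sniffed session yields no reusable secret
Subsystem sftp internal-sftp    # in-process sftp server; nothing extra is needed inside the chroot

# Members of the (assumed) sftponly group get file transfer and nothing else
Match Group sftponly
    ChrootDirectory %h          # confine each user to their home directory
    ForceCommand internal-sftp  # no shell, no scp, no arbitrary commands
    AllowTcpForwarding no       # no port forwarding through the server
    X11Forwarding no
    PermitTTY no                # no interactive terminal even if a client asks for one
```

Two practical caveats: OpenSSH refuses a ChrootDirectory that is not owned by root or is group- or world-writable, so with `%h` each home directory must be root-owned and users write into a subdirectory they own (for example `%h/upload`); and after editing, `sshd -t` checks the file for syntax errors before the daemon is restarted, which is the one command the future maintainer should be shown.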