Subject: Re: IPFilter and Passive FTP Servers
To: Todd Gruhn <firstname.lastname@example.org>
From: Steven M. Bellovin <email@example.com>
Date: 11/28/2002 08:51:53
In message <firstname.lastname@example.org>, "Todd Gruhn" writes:
>I just did a ton of research on this, and went ahead
>and installed WU-FTPD on DEBIAN LINUX. Lets just
>say it took a lot of time and thought.
>Mostly because the scanner (SAINT) kept saying that
>FTP could be hacked.
>What I did was to get the latest copy of WU-FTP from
>debian.org and apply the latest patch kit. I then tracked
>down a security doc on how to secure FTP and test WUFTP
>by hacking the best known security holes. Once I got
>kicked out, or the security holes failed to respond as
>expected (as a hole) was I satisfied. I am now satisfied
>with my WU-FTP install on LINUX.
Given WU-FTP's security history, it makes me rather nervous. When will
the next hole show up?
--Steve Bellovin, http://www.research.att.com/~smb (me)
http://www.wilyhacker.com ("Firewalls" book)