Subject: Re: IPFilter and Passive FTP Servers
To: Todd Gruhn <>
From: Steven M. Bellovin <>
List: netbsd-users
Date: 11/28/2002 08:51:53
In message <>, "Todd Gruhn" writes:
>I just did a ton of research on this, and went ahead
>and installed WU-FTPD on DEBIAN LINUX. Lets just 
>say it took a lot of time and thought.
>Mostly because the scanner (SAINT) kept saying that
>FTP could be hacked.
>What I did was to get the latest copy of WU-FTP from 
> and apply the latest patch kit. I then tracked
>down a security doc on how to secure FTP and test WUFTP
>by hacking the best known security holes. Once I got 
>kicked out, or the security holes failed to respond as
>expected (as a hole) was I satisfied. I am now satisfied
>with my WU-FTP install on LINUX.

Given WU-FTP's security history, it makes me rather nervous.  When will 
the next hole show up?

		--Steve Bellovin, (me) ("Firewalls" book)