Date: Sat, 20 Nov 1999 11:08:52 -0700 From: Nate Williams <nate@mt.sri.com> To: Eivind Eklund <eivind@FreeBSD.ORG> Cc: Nate Williams <nate@mt.sri.com>, Matthew Dillon <dillon@apollo.backplane.com>, security@FreeBSD.ORG Subject: Re: Disabling FTP (was Re: Why not sandbox BIND?) Message-ID: <199911201808.LAA10767@mt.sri.com> In-Reply-To: <19991120190417.I602@bitbox.follo.net> References: <4.2.0.58.19991111220759.044f46d0@localhost> <Pine.BSF.4.10.9911120922190.85007-100000@jade.chc-chimes.c <4.2.0.58.19991112102309.045abf00@localhost> <19991112173306.D76708@florence.pavilion.net> <19991112212912.Z57266@rucus.ru.ac.za> <199911121946.LAA24616@apollo.backplane.com> <199911122114.OAA20606@mt.sri.com> <19991113012855.A62879@fasterix.frmug.org> <199911130031.RAA21117@mt.sri.com> <19991120190417.I602@bitbox.follo.net>
next in thread | previous in thread | raw e-mail | index | archive | help
> > > > > Speaking of default system configurations - what do people think about > > > > > turning off the 'ftp' service in the default configuration? > > > > > > > > Personally, I don't like it. At least, not until SSH becomes a default > > > > protocol in the system, since otherwise there is no way to transfer > > > > files to/from FreeBSD boxes easily. > > > > > > You could still easily reenable ftpd if you need it. > > > > Or, you could still easily disable ftpd since you almost *always* need > > it right away. > > I've never, ever needed it. It transfers *cleartext* passwords. My > view is that it is not usable for anything but anonymous FTP. So? *Most* of the FreeBSD boxes I setup are behind firewalls, or are un-connected to the 'real' internet at first. I need something so I can transfer files to/from them to get them up and running initially. > > > Given recent vulnerability history on many ftp daemons, I think it > > > might be safer to disable FTP by default. > > > > FreeBSD's ftpd is not succeptible. Given the argument, why don't we > > disable *ALL* network access, since all are suspect to breakins. :( (I'm > > kidding of course...) > > I am in favour of disabling all network access to boxes as they come > from install. NOT! Then we'd be worse than a windoze box. I think most of you 'ISP' types are forgetting that *MOST* of the FreeBSD boxes out there are installed by users, not big businesses. Making the box unusable for most people, but 'secure' for a very small portio of people is not a winning strategy. Nate To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199911201808.LAA10767>