From owner-freebsd-security Sat Nov 20 10: 9: 8 1999 Delivered-To: freebsd-security@freebsd.org Received: from ns.mt.sri.com (ns.mt.sri.com [206.127.79.91]) by hub.freebsd.org (Postfix) with ESMTP id BFBB0150CA; Sat, 20 Nov 1999 10:09:00 -0800 (PST) (envelope-from nate@mt.sri.com) Received: from mt.sri.com (rocky.mt.sri.com [206.127.76.100]) by ns.mt.sri.com (8.9.3/8.9.3) with SMTP id LAA26068; Sat, 20 Nov 1999 11:08:53 -0700 (MST) (envelope-from nate@rocky.mt.sri.com) Received: by mt.sri.com (SMI-8.6/SMI-SVR4) id LAA10767; Sat, 20 Nov 1999 11:08:52 -0700 Date: Sat, 20 Nov 1999 11:08:52 -0700 Message-Id: <199911201808.LAA10767@mt.sri.com> From: Nate Williams MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit To: Eivind Eklund Cc: Nate Williams , Matthew Dillon , security@FreeBSD.ORG Subject: Re: Disabling FTP (was Re: Why not sandbox BIND?) In-Reply-To: <19991120190417.I602@bitbox.follo.net> References: <4.2.0.58.19991111220759.044f46d0@localhost> <19991112173306.D76708@florence.pavilion.net> <19991112212912.Z57266@rucus.ru.ac.za> <199911121946.LAA24616@apollo.backplane.com> <199911122114.OAA20606@mt.sri.com> <19991113012855.A62879@fasterix.frmug.org> <199911130031.RAA21117@mt.sri.com> <19991120190417.I602@bitbox.follo.net> X-Mailer: VM 6.34 under 19.16 "Lille" XEmacs Lucid Reply-To: nate@mt.sri.com (Nate Williams) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > > > > > Speaking of default system configurations - what do people think about > > > > > turning off the 'ftp' service in the default configuration? > > > > > > > > Personally, I don't like it. At least, not until SSH becomes a default > > > > protocol in the system, since otherwise there is no way to transfer > > > > files to/from FreeBSD boxes easily. > > > > > > You could still easily reenable ftpd if you need it. > > > > Or, you could still easily disable ftpd since you almost *always* need > > it right away. > > I've never, ever needed it. It transfers *cleartext* passwords. My > view is that it is not usable for anything but anonymous FTP. So? *Most* of the FreeBSD boxes I setup are behind firewalls, or are un-connected to the 'real' internet at first. I need something so I can transfer files to/from them to get them up and running initially. > > > Given recent vulnerability history on many ftp daemons, I think it > > > might be safer to disable FTP by default. > > > > FreeBSD's ftpd is not succeptible. Given the argument, why don't we > > disable *ALL* network access, since all are suspect to breakins. :( (I'm > > kidding of course...) > > I am in favour of disabling all network access to boxes as they come > from install. NOT! Then we'd be worse than a windoze box. I think most of you 'ISP' types are forgetting that *MOST* of the FreeBSD boxes out there are installed by users, not big businesses. Making the box unusable for most people, but 'secure' for a very small portio of people is not a winning strategy. Nate To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message