Secure Ftp server

Discussion in 'Computer Security' started by michele, Jul 26, 2004.

  1. michele

    michele Guest

    Hi, I'm searching for a secure (i.e. without exploits or security holes) for
    use in my windows server. I've taken a look at serv-u or cerberus ftp, but
    they are full of exploits!
    Can anyone suggest me a secure (or the more secure) ftp server to use?
    Thanks
    Michele
     
    michele, Jul 26, 2004
    #1

  2. >Hi, i'm searching for a secure (i.e. without exploits or security holes) for
    >use in my windows server. I've take a look to serv-u or cerberus ftp, but
    >they are full of exploits!
    >Can anyone suggest me a secure (or the more secure) ftp server to use?


    Any server is only as secure as the administrator is knowledgeable about
    securing it. Any FTP server can be secured, even Microsoft's. So pick the one
    that is most familiar to you and learn how to use it.
    --
    Dave "Crash" Dummy - A weapon of mass destruction
    ?subject=Techtalk (Do not alter!)
    http://lists.gpick.com
     
    \Crash\ Dummy, Jul 26, 2004
    #2

  3. michele

    ObiWan Guest

    >> Hi, i'm searching for a secure (i.e. without exploits or security
    >> holes) for use in my windows server. I've take a look to serv-u or
    >> cerberus ftp, but they are full of exploits!
    >> Can anyone suggest me a secure (or the more secure) ftp server to
    >> use?

    >
    > Any server is only as secure as the administrator is knowledgeable
    > about securing it. Any FTP server can be secured, even Microsoft's.
    > So pick the one that is most familiar to you and learn how to use it.


    Hi Dave :) I agree with this, although I've tried the filezilla ftp server
    (filezilla.sourceforge.net) which afaict seems robust enough; btw as
    you know there's no "surefire" solution, but the filezilla seems ok
     
    ObiWan, Jul 26, 2004
    #3
  4. >Hi Dave :) I agree with this, although I've tried the filezilla ftp server
    >(filezilla.sourceforge.net) which afaict seems robust enough; btw as
    >you know there's no "surefire" solution, but the filezilla seems ok


    Hi, ObiWan. Slumming? :)

    I am not familiar with Filezilla, while I have of course heard of it. I have
    always used Microsoft, but hesitate to mention it lest the MS bashers pile on.
    As I said, any well known server will do the job, if set up correctly. It just
    comes down to a matter of personal choice. The idiot behind the keyboard is
    still the controlling factor when it comes to security.
    --
    Dave "Crash" Dummy - A weapon of mass destruction
    ?subject=Techtalk (Do not alter!)
    http://lists.gpick.com
     
    \Crash\ Dummy, Jul 26, 2004
    #4
  5. michele

    Leythos Guest

    In article <>, "\"Crash\" Dummy"
    <> says...
    > >Hi Dave :) I agree with this, although I've tried the filezilla ftp server
    > >(filezilla.sourceforge.net) which afaict seems robust enough; btw as
    > >you know there's no "surefire" solution, but the filezilla seems ok

    >
    > Hi, ObiWan. Slumming? :)
    >
    > I am not familiar with Filezilla, while I have of course heard of it. I have
    > always used Microsoft, but hesitate to mention it lest the MS bashers pile on.
    > As I said, any well known server will do the job, if set up correctly. It just
    > comes down to a matter of personal choice. The idiot behind the keyboard is
    > still the controlling factor when it comes to security.


    I use ServerZilla (FTP Server) on my Windows 2000 and 2003 servers - It
    provides a much better interface and more control over the FTP users
    than MS FTP does. You can set passwords, directories, performance,
    etc... I've been running SZ for almost a year with 2 public facing FTP
    servers and not had any problems.

    --
    --

    (Remove 999 to reply to me)
     
    Leythos, Jul 26, 2004
    #5
  6. michele

    Guest

    michele <> wrote:
    > Hi, i'm searching for a secure (i.e. without exploits or security holes) for
    > use in my windows server. I've take a look to serv-u or cerberus ftp, but
    > they are full of exploits!
    > Can anyone suggest me a secure (or the more secure) ftp server to use?
    > Thanks
    > Michele


    Install any BSD distribution. All of them come pretty secure and have
    an included ftp server (with alternatives easily installable if
    you have special demands)

    --
    Peter Håkanson
    IPSec Sverige ( At Gothenburg Riverside )
    Sorry about my e-mail address, but i'm trying to keep spam out,
    remove "icke-reklam" if you feel for mailing me. Thanx.
     
    , Jul 26, 2004
    #6
  7. michele

    ObiWan Guest


    >> Hi, ObiWan. Slumming? :)


    Hi Dave ..... well, sometimes one
    has to go down to the roots to see
    what's going on :)

    >> I am not familiar with Filezilla, while I have of course heard of
    >> it. I have always used Microsoft, but hesitate to mention it lest
    >> the MS bashers pile on.


    Well the MS FTP service isn't bad, as long as you use it as an
    anonymous server, on the other hand, using msftp with a bunch
    of user accounts may become a nightmare since you'll need to
    create each user account as a system user .. not something I
    really like to do :)

    >> As I said, any well known server will do the job


    Agreed, but again, my preference for FZ Server is just due to
    the fact that the users/groups/folders management interface
    is easier to use when it comes to many users (and folders)
    also, the FZ has some interesting features like kerberos
    authentication and "z-mode" (compressed transfer mode)
    not that I use them so much, but they're there if needed ;-)

    > I use ServerZilla (FTP Server) on my Windows 2000 and 2003


    Uhm ... Leythos, I suppose you're referring to FileZilla Server ?!?
     
    ObiWan, Jul 26, 2004
    #7
  8. michele

    ObiWan Guest

    >> Hi, i'm searching for a secure (i.e. without exploits or security
    >> holes) for use in my windows server.


    > Install any BSD distribution. All of them comes pretty secure and has
    > an included ftp server ( with alternatives easily installable if
    > you have special demands)


    I may agree here, but the OP asked for _windows_ software, so ...
     
    ObiWan, Jul 26, 2004
    #8
  9. "ObiWan" <> wrote in message
    news:...
    >


    <snip>

    > Agreed, but again, my preference for FZ Server is just due to
    > the fact that the users/groups/folders management interface
    > is easier to use when it comes to many users (and folders)
    > also, the FZ has some interesting features like kerberos
    > authentication and "z-mode" (compressed transfer mode)
    > not that I use them so much, but they're there if needed ;-)
    >
    > > I use ServerZilla (FTP Server) on my Windows 2000 and 2003

    >
    > Uhm ... Leythos, I suppose you're referring to FileZilla Server ?!?


    One and the same, AFAIK. Certainly seems secure enough (until the next
    exploit ;o)

    One oft-forgotten thing is to only permit the server to do what you need
    (e.g. no uploads required? Inhibit them).

    Ditto keeping the data on a non-system partition (and preferably drive). For
    a dedicated NT-class server, it's useful to place the boot on drive C, the
    data on (e.g.) D:, and the actual OS on E:/whatever

    --

    Hairy One Kenobi (no relation ;o)

    Disclaimer: the opinions expressed in this opinion do not necessarily
    reflect the opinions of the highly-opinionated person expressing the opinion
    in the first place. So there!
     
    Hairy One Kenobi, Jul 26, 2004
    #9
  10. michele

    Leythos Guest

    In article <QhbNc.1504$>, abuse@[127.0.0.1]
    says...
    > "ObiWan" <> wrote in message
    > news:...
    > >

    >
    > <snip>
    >
    > > Agreed, but again, my preference for FZ Server is just due to
    > > the fact that the users/groups/folders management interface
    > > is easier to use when it comes to many users (and folders)
    > > also, the FZ has some interesting features like kerberos
    > > authentication and "z-mode" (compressed transfer mode)
    > > not that I use them so much, but they're there if needed ;-)
    > >
    > > > I use ServerZilla (FTP Server) on my Windows 2000 and 2003

    > >
    > > Uhm ... Leythos, I suppose you're referring to FileZilla Server ?!?


    Well, there are two parts to Zilla, one is the FTP Client and has no
    hosting ability, the other is called Server Zilla and has the hosting
    services. You can download both from most open-source sites.

    > One and the same, AFAIK. Certainly seems secure enough (until the next
    > exploit ;o)
    >
    > One oft-forgotten thing is to only permit the server to do what you need
    > (e.g. no uploads required? Inhibit them).
    >
    > Ditto keeping the data on a non-system partition (and preferably drive). For
    > a dedicated NT-class server, it's useful to place the boot on drive C, the
    > data on (e.g.) D:, and the actual OS on E:/whatever


    We actually configure the OS on the C drive, provide no access to
    exposed accounts to it (unless specifically needed) and then create
    partitions for customers data - we have a ton of 4GB partitions for FTP
    space, and have found that SZ works great. I love the fact that I can
    speed limit users.


    --
    --

    (Remove 999 to reply to me)
     
    Leythos, Jul 26, 2004
    #10
  11. michele

    Guest

    ObiWan <> wrote:
    >>> Hi, i'm searching for a secure (i.e. without exploits or security
    >>> holes) for use in my windows server.


    >> Install any BSD distribution. All of them comes pretty secure and has
    >> an included ftp server ( with alternatives easily installable if
    >> you have special demands)


    > I may agree here, but the OP asked for _windows_ software, so ...


    The user asked for contradicting items, "secure" and "windows". Assuming
    that the important task is "ftp-server" (and not "running windows") I suggested
    the best solution I know of (running an ftp-server and dropping the "windows" part).
    In addition to getting a safer system he will also obtain savings on licenses and
    support costs. So my suggestion really is a win-win suggestion.




    --
    Peter Håkanson
    IPSec Sverige ( At Gothenburg Riverside )
    Sorry about my e-mail address, but i'm trying to keep spam out,
    remove "icke-reklam" if you feel for mailing me. Thanx.
     
    , Jul 26, 2004
    #11
  12. On Mon, 26 Jul 2004 20:15:59 +0000 (UTC),
    spoketh

    >ObiWan <> wrote:
    >>>> Hi, i'm searching for a secure (i.e. without exploits or security
    >>>> holes) for use in my windows server.

    >
    >>> Install any BSD distribution. All of them comes pretty secure and has
    >>> an included ftp server ( with alternatives easily installable if
    >>> you have special demands)

    >
    >> I may agree here, but the OP asked for _windows_ software, so ...

    >
    >The user asked for contradicting items, "secure" and "windows". Assuming


    There's nothing contradictory in "security" and "windows". Any competent
    Windows administrator knows how to secure their servers...

    Lars M. Hansen
    www.hansenonline.net
    Remove "bad" from my e-mail address to contact me.
    "If you try to fail, and succeed, which have you done?"
     
    Lars M. Hansen, Jul 26, 2004
    #12
  13. michele

    Leythos Guest

    In article <ce3opv$1ujo$>,
    says...
    > ObiWan <> wrote:
    > >>> Hi, i'm searching for a secure (i.e. without exploits or security
    > >>> holes) for use in my windows server.

    >
    > >> Install any BSD distribution. All of them comes pretty secure and has
    > >> an included ftp server ( with alternatives easily installable if
    > >> you have special demands)

    >
    > > I may agree here, but the OP asked for _windows_ software, so ...

    >
    > The user asked for contradicting items, "secure" and "windows". Assuming
    > that the important task is "ftp-server" (and not "running windows") I suggested
    > the best solution I know of (running an ftp-server and dropping the "windows" part).
    > In addition to getting a safer system he will also obtain savings on licenses and
    > support costs. So my suggestion really is a win-win suggestion.


    Your response does not provide a "safer" solution, cost savings, or
    anything except the idea that Linux is more secure for everyone - which
    is not the case.

    It doesn't cost anything to provide open-source FTP solutions, doesn't
    take a learning curve, changing of the OS, or being open to attacks.

    It's very easy to secure a Windows system, provide only FTP access from
    the public connection, etc...

    Your response shows a complete lack of understanding of security on the
    Windows platform.

    Now, I do agree that MS platforms, without third-party software, make
    for bad FTP servers, but only because of the administrative costs, not
    due to any other reason.

    As for FTP / Cost, you don't have to create Windows Accounts to provide
    Windows user/password accounts (licenses) for FTP access to it, the Open
    Source solutions have their own user/password database and don't care
    how many licensed users you have on the box (in fact you don't have to
    use NT accounts for authentication).

    --
    --

    (Remove 999 to reply to me)
     
    Leythos, Jul 26, 2004
    #13
  14. michele

    Mike Guest

    wrote:

    > ObiWan <> wrote:
    >
    >>>>Hi, i'm searching for a secure (i.e. without exploits or security
    >>>>holes) for use in my windows server.

    >
    >
    >>>Install any BSD distribution. All of them comes pretty secure and has
    >>>an included ftp server ( with alternatives easily installable if
    >>>you have special demands)

    >
    >
    >>I may agree here, but the OP asked for _windows_ software, so ...

    >
    >
    > The user asked for contradicting items, "secure" and "windows". Assuming

    Oh purleeese! It is also possible without too much effort to make a Linux
    system that from the point of view of security is about as much use as a
    chocolate teapot.

    > that the important task is "ftp-server" (and not "running windows") I suggested
    > the best solution I know of (running an ftp-server and dropping the "windows" part).
    > In addition to getting a safer system he will also obtain savings on licenses and

    You only need Windows licenses for file and print services on the local
    network. IIRC there are no licensing limits for FTP access. It is also
    perfectly possible with a little effort and planning to run a secure FTP
    server on a MS Windows machine.

    > support costs. So my suggestion really is a win-win suggestion.

    Apart from the steep learning curve for the Windows admin.
     
    Mike, Jul 26, 2004
    #14
  15. michele

    Leythos Guest

    In article <ce3vcn$824$>,
    says...
    > You only need Windows licenses for file and print services on the local
    > network. IIRC there are no licensing limits for FTP access. It is also
    > perfectly possible with a little effort and planning to run a secure FTP
    > server on a MS Windows machine.


    Actually, if you provide authenticated FTP access, using NT accounts,
    then you need one per user that authenticates with the server. If you
    use Anonymous access then none are needed. With third party services,
    that use authentication, not NT auth, you don't need additional licenses
    for the NT based server (NT means any Windows Server OS).

    --
    --

    (Remove 999 to reply to me)
     
    Leythos, Jul 26, 2004
    #15
  16. michele

    Guest

    Leythos <> wrote:
    > In article <ce3opv$1ujo$>,
    > says...
    >> ObiWan <> wrote:
    >> >>> Hi, i'm searching for a secure (i.e. without exploits or security
    >> >>> holes) for use in my windows server.

    >>
    >> >> Install any BSD distribution. All of them comes pretty secure and has
    >> >> an included ftp server ( with alternatives easily installable if
    >> >> you have special demands)

    >>
    >> > I may agree here, but the OP asked for _windows_ software, so ...

    >>
    >> The user asked for contradicting items, "secure" and "windows". Assuming
    >> that the important task is "ftp-server" (and not "running windows") I suggested
    >> the best solution I know of (running an ftp-server and dropping the "windows" part).
    >> In addition to getting a safer system he will also obtain savings on licenses and
    >> support costs. So my suggestion really is a win-win suggestion.


    > Your response does not provide a "safer" solution, cost savings, or
    > anything except the idea that Linux is more secure for everyone - which
    > is not the case.


    And your response only shows that You Don't Read What I Wrote! BSD != Linux


    > It doesn't cost anything to provide open-source FTP solutions, doesn't
    > take a learning curve, changing of the OS, or being open to attacks.


    This I did not claim. What I did claim was lower total cost of ownership.

    > It's very easy to secure a Windows system, provide only FTP access from
    > the public connection, etc...


    > Your response shows a complete lack of understanding of security on the
    > Windows platform.


    True. But I can read, cert is one place to read about windows broken
    security, securityfocus another.

    > Now, I do agree that MS platforms, without third-party software, make
    > for bad FTP servers, but only because of the administrative costs, not
    > due to any other reason.


    > As for FTP / Cost, you don't have to create Windows Accounts to provide
    > Windows user/password accounts (licenses) for FTP access to it, the Open
    > Source solutions have their own user/password database and don't care
    > how many licensed users you have on the box (in fact you don't have to
    > use NT accounts for authentication).


    True.

    > --
    > --
    >
    > (Remove 999 to reply to me)


    --
    Peter Håkanson
    IPSec Sverige ( At Gothenburg Riverside )
    Sorry about my e-mail address, but i'm trying to keep spam out,
    remove "icke-reklam" if you feel for mailing me. Thanx.
     
    , Jul 27, 2004
    #16
  17. "Leythos" <> wrote in message
    news:...
    > In article <QhbNc.1504$>, abuse@[127.0.0.1]
    > says...
    > > "ObiWan" <> wrote in message
    > > news:...


    <snip>

    > > Ditto keeping the data on a non-system partition (and preferably drive). For
    > > a dedicated NT-class server, it's useful to place the boot on drive C, the
    > > data on (e.g.) D:, and the actual OS on E:/whatever

    >
    > We actually configure the OS on the C drive, provide no access to
    > exposed accounts to it (unless specifically needed) and then create
    > partitions for customers data - we have a ton of 4GB partitions for FTP
    > space, and have found that SZ works great. I love the fact that I can
    > speed limit users.


    Got to admit that I'm not so keen on that - things like Nimda often make the
    assumption that you're using c:\winnt. Moving this directory elsewhere is,
    IMHO, a useful precaution.

    Ditto using something other than inetpub if you /must/ deploy IIS.

    H1K
     
    Hairy One Kenobi, Jul 27, 2004
    #17
  18. michele

    Mike Guest

    Leythos wrote:

    > In article <ce3vcn$824$>,
    > says...
    >
    >>You only need Windows licenses for file and print services on the local
    >>network. IIRC there are no licensing limits for FTP access. It is also
    >>perfectly possible with a little effort and planning to run a secure FTP
    >>server on a MS Windows machine.

    >
    >
    > Actually, if you provide authenticated FTP access, using NT accounts,
    > then you need one per user that authenticates with the server. If you
    > use Anonymous access then none are needed. With third party services,
    > that use authentication, not NT auth, you don't need additional licenses
    > for the NT based server (NT means any Windows Server OS).
    >

    Hmmm my understanding was that SMB connections require a CAL whereas
    other types of connections do not and that licenses were for data access
    not authentication.
    http://support.microsoft.com/default.aspx?scid=kb;en-us;151307
    seems to bear this out.




    --

    ------------------------------------

    Real email to mike. The header email is a spam trap and you will be
    blacklisted,
    submitted to anti-spam sites and probably burn in hell.
     
    Mike, Jul 27, 2004
    #18
  19. michele

    Mike Guest

    wrote:

    > Leythos <> wrote:
    >
    >>In article <ce3opv$1ujo$>,
    >>says...
    >>
    >>>ObiWan <> wrote:
    >>>
    >>>>>>Hi, i'm searching for a secure (i.e. without exploits or security
    >>>>>>holes) for use in my windows server.
    >>>
    >>>>>Install any BSD distribution. All of them comes pretty secure and has
    >>>>>an included ftp server ( with alternatives easily installable if
    >>>>>you have special demands)
    >>>
    >>>>I may agree here, but the OP asked for _windows_ software, so ...
    >>>
    >>>The user asked for contradicting items, "secure" and "windows". Assuming
    >>>that the important task is "ftp-server" (and not "running windows") I suggested
    >>>the best solution I know of (running an ftp-server and dropping the "windows" part).
    >>>In addition to getting a safer system he will also obtain savings on licenses and
    >>>support costs. So my suggestion really is a win-win suggestion.

    >
    >
    >>Your response does not provide a "safer" solution, cost savings, or
    >>anything except the idea that Linux is more secure for everyone - which
    >>is not the case.

    >
    >
    > And your response only shows that You Don't Read What I Wrote! BSD != Linux


    True but slightly hair splitting

    >
    >
    >>It doesn't cost anything to provide open-source FTP solutions, doesn't
    >>take a learning curve, changing of the OS, or being open to attacks.

    >
    >
    > This I did not claim. What I did claim was lower total cost of ownership.


    If you have to employ another person or train your current person to
    support your *nix boxes as well as your current Windows boxes then that
    theory flies out the window.

    >>It's very easy to secure a Windows system, provide only FTP access from
    >>the public connection, etc...

    >
    >
    >>Your response shows a complete lack of understanding of security on the
    >>Windows platform.

    >
    >
    > True. But I can read, cert is one place to read about windows broken
    > security, securityfocus another.


    http://www.openbsd.org/security.html is fun to read as well. Let's face
    it, all operating systems have vulnerabilities and the biggest one is
    the guy on the keyboard and his knowledge of security and the O/S he is
    using. Then we are back on the TCO argument again.


    --

    ------------------------------------

    Real email to mike. The header email is a spam trap and you will be
    blacklisted,
    submitted to anti-spam sites and probably burn in hell.
     
    Mike, Jul 27, 2004
    #19
  20. michele

    michele Guest

    Thanks for the replies, but I've not understood if I can safely use serv-u,
    or to use the open source solution ServerZilla?
    I suppose that the security of the server is related with the intrinsic
    security of the ftp-server that i use?
    Thanks


    "michele" <> wrote in message
    news:aR5Nc.15532$...
    > Hi, i'm searching for a secure (i.e. without exploits or security holes) for
    > use in my windows server. I've take a look to serv-u or cerberus ftp, but
    > Can anyone suggest me a secure (or the more secure) ftp server to use?
    > Thanks
    > Michele
    >
    >
     
    michele, Jul 27, 2004
    #20