Robert P. J. Day
2010-Sep-17 09:51 UTC
[CentOS] should vsftpd be disabled in favour of sftp for security reasons?
(another in an ongoing list of things i just want to clarify for the sake of future courses taught on centos.)

from this RHEL doc page:

http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/s1-openssh-server-config.html

the reader is advised to, for the sake of security, remove/disable vsftpd, ostensibly in favour of sftp/sftp-server. really?

i can obviously see disallowing stuff like telnet and rsh and rlogin, that's a no-brainer. but advising against vsftpd for the sake of security? i'm not sure i see the logic in that. thoughts?

rday

--
Robert P. J. Day
Waterloo, Ontario, CANADA
Top-notch, inexpensive online Linux/OSS/kernel courses
http://crashcourse.ca
Twitter: http://twitter.com/rpjday
LinkedIn: http://ca.linkedin.com/in/rpjday
Michel van Deventer
2010-Sep-17 09:55 UTC
[CentOS] should vsftpd be disabled in favour of sftp for security reasons?
> (another in an ongoing list of things i just want to clarify for the sake of future courses taught on centos.)
>
> from this RHEL doc page:
>
> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/s1-openssh-server-config.html
>
> the reader is advised to, for the sake of security, remove/disable vsftpd, ostensibly in favour of sftp/sftp-server. really?
>
> i can obviously see disallowing stuff like telnet and rsh and rlogin, that's a no-brainer. but advising against vsftpd for the sake of security? i'm not sure i see the logic in that. thoughts?

As FTP is a clear-text protocol, I would surely advise against leaving it on :)

I only run a vsftpd server on one of my machines for the customers' comfort, but that will change in the near future! I can easily imagine scenarios where unencrypted traffic with usernames/passwords is disallowed.

Regards,

Michel
JohnS
2010-Sep-17 10:02 UTC
[CentOS] should vsftpd be disabled in favour of sftp for security reasons?
On Fri, 2010-09-17 at 05:51 -0400, Robert P. J. Day wrote:

> (another in an ongoing list of things i just want to clarify for the sake of future courses taught on centos.)
>
> from this RHEL doc page:
>
> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/s1-openssh-server-config.html
>
> the reader is advised to, for the sake of security, remove/disable vsftpd, ostensibly in favour of sftp/sftp-server. really?

There is nothing wrong with locking it down in Read Only file structures.

John
Kwan Lowe
2010-Sep-17 15:03 UTC
[CentOS] should vsftpd be disabled in favour of sftp for security reasons?
On Fri, Sep 17, 2010 at 5:51 AM, Robert P. J. Day <rpjday at crashcourse.ca> wrote:

> (another in an ongoing list of things i just want to clarify for the sake of future courses taught on centos.)
>
> from this RHEL doc page:
>
> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/s1-openssh-server-config.html
>
> the reader is advised to, for the sake of security, remove/disable vsftpd, ostensibly in favour of sftp/sftp-server. really?
>
> i can obviously see disallowing stuff like telnet and rsh and rlogin, that's a no-brainer. but advising against vsftpd for the sake of security? i'm not sure i see the logic in that. thoughts?

I agree with the point that the document is making. If you go to the trouble to lock down an account, it doesn't make sense to allow that same account to access the server via the ftp protocol.

However, I do use vsftpd with specific IDs that do not have shell access. These accounts are also generally not system accounts so even if a password was sniffed, it would not allow shell access.
James B. Byrne
2010-Sep-17 21:31 UTC
[CentOS] should vsftpd be disabled in favour of sftp for security reasons?
On Fri, September 17, 2010 05:51, Robert P. J. Day wrote:

> from this RHEL doc page:
>
> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/s1-openssh-server-config.html
>
> the reader is advised to, for the sake of security, remove/disable vsftpd, ostensibly in favour of sftp/sftp-server. really?
>
> i can obviously see disallowing stuff like telnet and rsh and rlogin, that's a no-brainer. but advising against vsftpd for the sake of security? i'm not sure i see the logic in that. thoughts?

It depends. What this should say is that if you have no requirement for anonymous ftp access on a particular host then disabling the vsftpd service makes perfect sense and should be done. It should also say that plain text authenticated ftp access compromises any user passwords employed thereon and for this reason ONLY ANONYMOUS ftp access should ever be available if vsftpd is running.

That said, configuring vsftpd safely can sometimes be a challenge even for anonymous access. This is particularly the case when working with virtual hosts and ip-addrs. Mainly because vsftpd logs nothing if a session is not established for whatever reason, like an expired certificate for example.

If you do not foresee any requirement for anonymous ftp access to a host then removing the software is the sensible course of action. For the most part sftp is a perfectly acceptable replacement for ftp. From a user experience standpoint most will never notice the change. From the sysadmin pov the want of a working chroot jail for sftp remains a bit problematic.

--
*** E-Mail is NOT a SECURE channel ***
James B. Byrne mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited http://www.harte-lyne.ca
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3
Emmett Culley
2010-Sep-18 18:48 UTC
[CentOS] should vsftpd be disabled in favour of sftp for security reasons?
On 09/17/2010 02:51 AM, Robert P. J. Day wrote:

> (another in an ongoing list of things i just want to clarify for the sake of future courses taught on centos.)
>
> from this RHEL doc page:
>
> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/s1-openssh-server-config.html
>
> the reader is advised to, for the sake of security, remove/disable vsftpd, ostensibly in favour of sftp/sftp-server. really?
>
> i can obviously see disallowing stuff like telnet and rsh and rlogin, that's a no-brainer. but advising against vsftpd for the sake of security? i'm not sure i see the logic in that. thoughts?
>
> rday

We use vsftpd as an FTPS only server in CHROOT mode. The only reason we don't use sftp instead is because it cannot (easily?) CHROOT users.

Emmett
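The thread's two positions (James: only anonymous access if vsftpd runs at all, never plaintext passwords; Emmett: local users only over forced FTPS in a chroot) can be turned into a check of an existing vsftpd.conf. The script below is an added example, not from the thread or the RHEL document; the two configs are constructed samples, and the directive names and defaults are those of vsftpd's own vsftpd.conf man page.

```python
"""Audit a vsftpd.conf for the concerns raised in the thread: system
passwords sent in clear text, local users outside a chroot, and
anonymous write access."""

# Constructed sample: a near-default config that also allows local logins.
PLAINTEXT_CONF = """\
anonymous_enable=YES
local_enable=YES
write_enable=YES
ssl_enable=NO
"""

# Constructed sample: Emmett's setup, FTPS-only local users in a chroot.
FTPS_CHROOT_CONF = """\
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
"""

def parse_vsftpd_conf(text):
    """Return {key: value} for key=value lines; comments and blanks are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf

def is_yes(conf, key, default="NO"):
    # vsftpd boolean values are case-insensitive; the default is applied when unset.
    return conf.get(key, default).upper() == "YES"

def audit_vsftpd(text):
    """Return a list of findings; an empty list means none of the thread's concerns apply."""
    conf = parse_vsftpd_conf(text)
    findings = []
    local = is_yes(conf, "local_enable", "NO")
    # force_local_*_ssl default to YES but only take effect when ssl_enable=YES.
    forced_ftps = (is_yes(conf, "ssl_enable", "NO")
                   and is_yes(conf, "force_local_logins_ssl", "YES")
                   and is_yes(conf, "force_local_data_ssl", "YES"))
    if local and not forced_ftps:
        findings.append("local_enable=YES without forced FTPS: system passwords cross the wire in clear text")
    if local and not is_yes(conf, "chroot_local_user", "NO"):
        findings.append("local users are not confined to a chroot (chroot_local_user=NO)")
    if (is_yes(conf, "anonymous_enable", "YES") and is_yes(conf, "write_enable", "NO")
            and (is_yes(conf, "anon_upload_enable") or is_yes(conf, "anon_mkdir_write_enable"))):
        findings.append("anonymous users may upload or create directories")
    return findings
```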