[NCLUG] Securing ftpd

Michael Dwyer mdwyer at sixthdimension.com
Thu Mar 22 13:47:51 MST 2001


> ago.  With "help" it seems practically self-explanatory.  Does Windows
> teach people not to read documentation, or does it simply shut down
> their brains?)

I think that the filesystem tree is still a concept that people cannot
understand.  I think it is the loss of the folder metaphor that just
bends the mind.  It is too easy to get lost out there.  Switching
between the two is even more of a pain -- and Windows doesn't help.  Say
you have a file on the Desktop.  Now, you drop into FTP -- how do you
get to it?  Well, in the Explorer, it's at the root of the tree.  Not so
in "real life".  No, it actually lives in (depending on the OS version)
c:\windows\Desktop.  It's even worse to get to your Documents:

> CD MY DOCUMENTS
Too Many Parameters - DOCUMENTS

The user has to remember yet one more 'trick'

> CD "My Documents"

or they have to know a /real/ trick:

> CD mydocu~1

> > Using Obtuse SMTPd (part of the Juniper Firewall Toolkit) helps
> > the security of Sendmail quite a bit.
>
> This is a new one to me.  I'll have to check it out.

It's a proxy-like thing that you can use to add mail filtering and
chrooted mail services to a system.  It delivers to a folder, then a
second daemon delivers it to Sendmail (or other MTA).

> Strangely, the portsentry software rarely shows hits on port 25.  I
> might be missing something.  I need to keep up with all of the security
> advisories.  They seem overwhelming!

I haven't seen a Sendmail exploit for some time, now.  If people are
scanning port 25, they are probably not looking for exploits so much as
looking for open relays to exploit for spamming.  No, it looks like
Pop/IMAP, Wingate, LPRng, and RPC stuff are the favored scanning ports
right now.

> Just how dangerous is it to run IMAP/POP services?

It's a lot like the Crocodile Hunter guy on TV.  It's dangerous to do
everything that he does, but if you play it smart and stay away from the
pointy ends, you are reasonably safe.  You should never feel totally
safe and secure, of course -- if you do, you're doing something wrong.

Here is why I wouldn't run IMAP/POP:
 - My personal impression of the UW IMAP codebase is that it is a hazard
to sanity.  Exploits have existed, and I expect many still exist.  (I've
never tried Courier IMAP)
 - Both require plain-text authentication, allowing sniffing of your
passwords.
 - It's being actively exploited and scanned-for.
 - They must, by nature, be run as root, increasing the danger.

Here's why I /would/ run IMAP/POP:
 - Uhhh... I need to get to my mail.  Duh.

So, yeah.  A point.  Yeah, I was coming to that.  I think you can run
IMAP and POP if you /have/ to, but if you do, remember that it is a
source of exposure, and should be monitored.  Keep up to date on your
patches, and just be smart.
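
The plaintext-authentication point above is easy to demonstrate.  The following is an added example, not code from the original post or from any of the daemons it discusses: a small parser that takes a reassembled POP3 or IMAP TCP stream (each line prefixed "C: " or "S: " for direction, a convention assumed here) and pulls out whatever logins went over the wire in the clear.  The session transcripts are constructed for the example.  It also handles two details a practitioner would want: an IMAP LOGIN whose password is sent as a literal ({N}) on the following line, and STLS/STARTTLS, after which the stream is ciphertext and nothing more can be read, unless the server refuses it and the client falls back to plaintext.

```python
import re
from typing import List, Optional, Tuple

Cred = Tuple[str, str, str]   # (protocol, username, password)

# IMAP literal syntax: {N} means "the next N bytes, sent after the server's
# continuation ('+ ...') line, are this argument"; {N+} is the
# non-synchronizing form sent without waiting for the continuation.
_LITERAL = re.compile(r"^\{(\d+)\+?\}$")
_IMAP_LOGIN = re.compile(r"^(?P<tag>\S+)\s+LOGIN\s+(?P<user>\S+)\s+(?P<pw>.+)$", re.I)
_IMAP_STARTTLS = re.compile(r"^\S+\s+STARTTLS$", re.I)


def _unquote(s: str) -> str:
    """IMAP strings may be double-quoted; strip one layer of quotes."""
    if len(s) >= 2 and s[0] == s[-1] == '"':
        return s[1:-1]
    return s


def extract_credentials(capture: str) -> List[Cred]:
    """Return every (protocol, user, password) sent in the clear in a
    captured POP3 or IMAP session.  `capture` is the reassembled stream
    with each line prefixed 'C: ' (client->server) or 'S: ' (server->client).
    """
    creds: List[Cred] = []
    proto: Optional[str] = None           # 'POP3' or 'IMAP', from the greeting
    pop_user: Optional[str] = None        # POP3 sends USER one line before PASS
    pending: Optional[Tuple[str, int]] = None  # IMAP (user, N) awaiting a literal
    awaiting_tls = False                  # client asked for STLS/STARTTLS

    for raw in capture.splitlines():
        if len(raw) < 3 or raw[1:3] != ": ":
            continue
        who, line = raw[0], raw[3:]

        if who == "S":
            if proto is None:
                proto = "POP3" if line.startswith(("+OK", "-ERR")) else "IMAP"
            if awaiting_tls:
                if line.startswith("+OK") or " OK" in line:
                    # TLS handshake starts here; the rest is ciphertext and
                    # the sniffer sees no further credentials.
                    break
                awaiting_tls = False      # refused: session carries on in the clear
            continue  # other server lines (including the '+' continuation) carry no secrets

        # client side
        if pending is not None:
            user, n = pending
            creds.append(("IMAP", user, line[:n]))
            pending = None
            continue

        if line.upper() == "STLS" or _IMAP_STARTTLS.match(line):
            awaiting_tls = True
            continue

        if proto == "POP3":
            cmd, _, arg = line.partition(" ")
            cmd = cmd.upper()
            if cmd == "USER":
                pop_user = arg
            elif cmd == "PASS" and pop_user is not None:
                creds.append(("POP3", pop_user, arg))
                pop_user = None
        elif proto == "IMAP":
            m = _IMAP_LOGIN.match(line)
            if m:
                user = _unquote(m.group("user"))
                lit = _LITERAL.match(m.group("pw"))
                if lit:
                    pending = (user, int(lit.group(1)))   # password follows as a literal
                else:
                    creds.append(("IMAP", user, _unquote(m.group("pw"))))
    return creds


# Constructed sample sessions (not real captures).
POP3_SESSION = (
    "S: +OK POP3 server ready\r\n"
    "C: USER alice\r\n"
    "S: +OK\r\n"
    "C: PASS hunter2\r\n"
    "S: +OK Logged in.\r\n"
)
IMAP_SESSION = (
    "S: * OK IMAP4rev1 server ready\r\n"
    "C: a001 LOGIN bob {8}\r\n"
    "S: + go ahead\r\n"
    "C: s3cret!!\r\n"
    "S: a001 OK LOGIN completed\r\n"
)
STLS_SESSION = (
    "S: +OK POP3 server ready\r\n"
    "C: STLS\r\n"
    "S: +OK Begin TLS negotiation\r\n"
    "C: <TLS handshake and ciphertext from here on>\r\n"
)
STLS_REFUSED_SESSION = (
    "S: +OK POP3 server ready\r\n"
    "C: STLS\r\n"
    "S: -ERR Command not supported\r\n"
    "C: USER carol\r\n"
    "S: +OK\r\n"
    "C: PASS fallback\r\n"
)

if __name__ == "__main__":
    for name in ("POP3_SESSION", "IMAP_SESSION", "STLS_SESSION", "STLS_REFUSED_SESSION"):
        print(name, extract_credentials(globals()[name]))
```

Run stand-alone it prints the two cleartext logins, nothing for the session that negotiated TLS, and the fallback login from the session whose STLS request was refused; anyone with a tap on the same segment gets exactly the same result, which is the exposure the post is describing.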
