proftpd is secure?

Lem0nHead (Verified User, joined Nov 28, 2004, 265 messages)

hello

another control panel is saying that it's better to update to pureftpd, since proftpd isn't secure (maybe a vuln not fixed yet)...
anyone know if it's true with the version supported by DA (I believe it's 1.2.10)?
also, why don't you change to pureftpd? it really seems to be better (less memory footprint, fewer vulns in the past..)
 
If you're not going to mention the other control panel or any other source for your information, we only have your word.

Personally I believe ProFTPd is quite secure. The most recent stable (read: production) version is 1.2.10. There have been two release candidates for 1.3.0, but as long as they're only candidates you might not want to try them.

The website at www.proftpd.org has answered clearly the so-called "timing attack", and what they plan to do about it and why. I see no such information on the PureFTPd site; I don't know if that means they're not vulnerable, or if it means they haven't discovered any vulnerabilities. I like software that shows histories of vulnerabilities and fixes better than I like software that just says there aren't any vulnerabilities. Of course your mileage may vary.

Who has said ProFTPd is less secure, and what examples have they given?

How do you configure PureFTPd so that different users have different rights/login directories, etc.?

Does PureFTPd have a configuration file similar to that used by ProFTPd?

There isn't anything anywhere in the documentation for such a file, and it's a critical requirement of hosting companies.

PureFTPd has been brought up several times on our forums (look here), but no one has given any real reasons to do the work of switching.

If you're a user of PureFTPd then you can probably answer the question I ask above and give us some good reasons. But if you're just reading about it somewhere, that's hardly enough of a reason for the DA folk to consider it.

Jeff
 
Security: At this time, it is recommended that all customers using proftpd switch to pure-ftpd as soon as possible to eliminate a potential security hole. Please note that all released versions of proftpd are believed to be affected and the exact problem is not yet known. Customers who experience the problems switching are welcomed to bypass the normal support procedure and submit a ticket directly at http://support.cpanel.net

From cPanel too (advantages of PureFTPd):
* Faster Login Time
* Smaller Memory Footprint
* Allows Virtual Access on any IP address
* Better Security Model
* Virtual User Quotas
* Deals better with Software RAID systems

also, http://www.tweakgeek.com/node/61

a search for proftpd vs pureftpd will give many results, the majority favorable to pureftpd :)
 