
[ProgSoc] Re: FTP/POP replacement (Was : Admin, pls fix up POP)



On Sun, 11 Nov 2001 10:54, marauder@nospam.marauder.tm wrote:
 ] Yup, vital to traffic sniffers everywhere, who would otherwise have to
 ] sniff telnet traffic to get fresh usernames and passwords.

 I agree, it's a wee bit of a security concern, particularly since pop connections
 tend to occur regularly and frequently (compare and contrast ftp or telnet
 sessions) which just makes the casual sniffing task so much more satisfying.

 Like David, I'm using kmail, but unlike him, I'm grabbing mail with fetchmail
 periodically (using POP3), and this hasn't stopped working for me.  What
 *has* stopped working, however, is FTP .. which used to function just fine,
 but now reports errors (ipchains or tcp_wrappers are preventing me connecting
 at the host end).

 Either this is an (unannounced) result of the decision from the last AGM
 to restrict/dump FTP, or the joy of DHCP at this end, which means I don't
 match ftoomsh's firewall rules no more.  (?)

 A quick search thru apt-cache suggests the following alternatives to FTP :
 vsftpd (requires server side changes), hsftp (requires client-side changes
 and ssh connectivity), ftp(d)-ssl (requires server-side and client-side
 changes).  ftp(d)-ssl seems the best of that bunch, since it can be made
 to look transparent, and falls back to non-secure FTP in the event that
 either side doesn't know about encryption.  I don't know if it'd be possible
 to limit the insecure fall-back option to only certain IP addresses, which
 may or may not be an issue.  I don't know about availability of the client
 for lesser operating systems, either, which may be of interest to some.

 A quick search suggests the following alternatives to POP :
 courier-pop-ssl, fetchmail-ssl (normal fetchmail with SSL, kerberos etc
 compiled in), ipopd-ssl (UoW's old POP server with SSL).  I've no idea
 on fallback with these things (I'm guessing they all would?), or what
 client options exist for the platform-challenged out there.

 Another option is to ssh tunnel both protocols on a pair of arbitrary
 ports up in the 512-1024 range - but I don't know how tricky that is
 for other people to work with.

 Are there any other protocols that need securing, or are IMAP/POP
 and FTP the only two?  Does anyone believe telnetd should remain
 in any guise, for example?

 Jedd.

-- 
 jedd == jedd at progsoc dot org
 "The mark of your ignorance is the depth of your belief in 
  injustice and tragedy. What the caterpillar calls the end 
  of the world, the master calls a butterfly."
              -- Messiah's Handbook : Reminders for the Advanced Soul
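
Added example, not part of the message above or of any ProgSoc configuration: a client-side check for the fallback question the message raises, applied to POP3. It assumes the server offers TLS through the in-band STLS upgrade (RFC 2595) rather than a dedicated SSL port; the function names are hypothetical, the transcripts are constructed, and in real use rfile/wfile would come from sock.makefile().

```python
import io

class CleartextRefused(Exception):
    """No TLS upgrade available, so no username or password was sent."""

def _line(rfile):
    raw = rfile.readline()
    if not raw:
        raise ConnectionError("server closed the connection")
    return raw.rstrip(b"\r\n").decode("ascii", "replace")

def pop3_capabilities(rfile, wfile):
    """Consume the greeting, send CAPA, return the advertised capability names."""
    if not _line(rfile).startswith("+OK"):
        raise ConnectionError("unexpected POP3 greeting")
    wfile.write(b"CAPA\r\n")
    wfile.flush()
    if not _line(rfile).startswith("+OK"):
        return set()  # -ERR: server predates CAPA, so it cannot offer STLS
    caps = set()
    while (line := _line(rfile)) != ".":  # multi-line reply ends with a lone "."
        words = line.split()
        if words:
            caps.add(words[0].upper())
    return caps

def upgrade_or_refuse(rfile, wfile):
    """Request STLS if offered; otherwise QUIT before any USER/PASS is written."""
    if "STLS" not in pop3_capabilities(rfile, wfile):
        wfile.write(b"QUIT\r\n")
        wfile.flush()
        raise CleartextRefused("server offers no STLS; refusing cleartext login")
    wfile.write(b"STLS\r\n")
    wfile.flush()
    if not _line(rfile).startswith("+OK"):
        raise CleartextRefused("server rejected STLS")
    return True  # caller wraps the socket in TLS here, then sends USER/PASS

if __name__ == "__main__":
    # Constructed server transcripts, not captured traffic.
    good = b"+OK POP3 ready\r\n+OK capability list follows\r\nUSER\r\nSTLS\r\n.\r\n+OK begin TLS\r\n"
    bad = b"+OK POP3 ready\r\n+OK capability list follows\r\nUSER\r\nTOP\r\n.\r\n"
    for name, transcript in (("with STLS", good), ("without STLS", bad)):
        sent = io.BytesIO()
        try:
            upgrade_or_refuse(io.BytesIO(transcript), sent)
            print(name, "-> upgraded; client sent", sent.getvalue())
        except CleartextRefused as exc:
            print(name, "->", exc, "; client sent", sent.getvalue())
```

Failing closed matters here because a capability list sent in cleartext can be altered in transit, so a client that quietly falls back gives up the password exactly when someone is interfering.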