[ProgSoc] Re: FTP/POP replacement (Was : Admin, pls fix up POP)
On Sun, 11 Nov 2001 10:54, email@example.com wrote:

] Yup, vital to traffic sniffers everywhere, who would otherwise have to
] sniff telnet traffic to get fresh usernames and passwords.

I agree, it's a wee bit of a security concern, particularly since pop connections
tend to occur regularly and frequently (compare and contrast ftp or telnet
sessions) which just makes the casual sniffing task so much more satisfying.

Like David, I'm using kmail, but unlike him, I'm grabbing mail with fetchmail
periodically (using POP3), and this hasn't stopped working for me. What
*has* stopped working, however, is FTP .. which used to function just fine,
but now reports errors (ipchains or tcp_wrappers are preventing me connecting
at the host end).

Either this is an (unannounced) result of the decision from the last AGM
to restrict/dump FTP, or the joy of DHCP at this end, which means I don't
match ftoomsh's firewall rules no more. (?)

A quick search thru apt-cache suggests the following alternatives to FTP:
vsftpd (requires server side changes), hsftp (requires client-side changes
and ssh connectivity), ftp(d)-ssl (requires server-side and client-side
changes). ftp(d)-ssl seems the best of that bunch, since it can be made
to look transparent, and falls back to non-secure FTP in the event that
either side doesn't know about encryption. I don't know if it'd be possible
to limit the insecure fall-back option to only certain IP addresses, which
may or may not be an issue. I don't know about availability of the client
for lesser operating systems, either, which may be of interest to some.

A quick search suggests the following alternatives to POP:
courier-pop-ssl, fetchmail-ssl (normal fetchmail with SSL, kerberos etc
compiled in), ipopd-ssl (UoW's old POP server with SSL). I've no idea
on fallback with these things (I'm guessing they all would?), or what
client options exist for the platform-challenged out there.

Another option is to ssh tunnel both protocols on a pair of arbitrary
ports up in the 512-1024 range - but I don't know how tricky that is
for other people to work with.

Are there any other protocols that need securing, or are IMAP/POP
and FTP the only two? Does anyone believe telnetd should remain
in any guise, for example?

jedd == jedd at progsoc dot org

"The mark of your ignorance is the depth of your belief in
injustice and tragedy. What the caterpillar calls the end
of the world, the master calls a butterfly."
-- Messiah's Handbook : Reminders for the Advanced Soul
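
The fall-back question raised in the message above, from the client side: this is an added example, not part of the original post. It shows a POP3 client that fails closed, refusing to send USER/PASS unless the session is already under TLS. The names `choose_transport`, `fetch_count` and `PlaintextRefused` are hypothetical, and the capability sets in the demo are constructed.

```python
import poplib
import ssl


class PlaintextRefused(Exception):
    """Raised when the only way to log in would expose the password."""


def choose_transport(port, capabilities):
    """Pick the protection for a POP3 session from the port and the
    capability names in the server's CAPA reply. Returns "implicit-tls"
    or "stls"; raises rather than falling back to cleartext."""
    if port == 995:                      # POP3S: TLS before any POP3 byte
        return "implicit-tls"
    if "STLS" in {c.upper() for c in capabilities}:
        return "stls"                    # in-band upgrade (RFC 2595)
    raise PlaintextRefused("server offers no STLS; not sending USER/PASS")


def fetch_count(host, user, password, port=110):
    """Log in and return the message count, never over cleartext."""
    ctx = ssl.create_default_context()   # verifies certificate and hostname
    if port == 995:
        conn = poplib.POP3_SSL(host, port, context=ctx)
    else:
        conn = poplib.POP3(host, port)
        try:
            # A missing or stripped STLS capability aborts here, before
            # any credential has been written to the socket.
            if choose_transport(port, conn.capa()) == "stls":
                conn.stls(context=ctx)
        except Exception:
            conn.close()
            raise
    try:
        conn.user(user)
        conn.pass_(password)
        return conn.stat()[0]
    finally:
        conn.quit()


if __name__ == "__main__":
    # Constructed CAPA key sets, not captured from a real server.
    for caps in ({"TOP": [], "STLS": []}, {"TOP": [], "USER": []}):
        try:
            print(sorted(caps), "->", choose_transport(110, caps))
        except PlaintextRefused as exc:
            print(sorted(caps), "->", exc)
```

Because the CAPA reply on port 110 arrives before TLS, anyone on the path can remove STLS from it; refusing to continue in that case is what prevents a silent downgrade to cleartext.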