Subject: Re: ISC will likely be shutting down FTP access to ftp.isc.org soon (https will remain)
From: rek2 (at) *nospam* hispagatos.org.invalid (rek2 hispagatos)
Newsgroups: news.admin.hierarchies news.software.nntp
Followup-To: news.admin.hierarchies
Date: 27. Sep 2024, 16:58:15
Organization: Hispagatos
Message-ID: <vd6kmn$h9b2$1@matrix.hispagatos.org>
References: 1 2
User-Agent: slrn/1.0.3 (Linux)
>> If any software, such as INN, ships with the "ftp"
>> protocol baked-in, this gives enough time for people to put out new
>> releases and docs that point at the change, or at least add the
>> change to their README's, and the like.
>
> Might be true, but be aware that most systems run on operating systems
> that don't always have the latest upstream packages. Systems like
> Debian have package versions that are sometimes older than 1 or 2 years
> with security backports.
>
>> If there are objections or considerations, please feel free to reply
>> here or contact me directly.
>
> I don't see a real reason to shut down the ftp server. If some of your
> customers don't like the FTP protocol, they don't need to use it.
I agree with Marcos. Also, I work, and before it was a job it was my way
of life: trying, testing and breaking into systems and finding vulnerabilities.
FTP with public information, anonymous access, and an up-to-date FTP server,
updated and well configured, does not imply any security risk whatsoever.
True is that we have a lot of non-hackers that come from academy, pass a
test and learn by the book, and they will indeed by default, without knowing
what it is used for, parrot their minimal knowledge got from a 101 cybersecurity
book they learn by heart in any of these academies, or an automatic security audit
tool they do not know how to filter false positives from, or understand how the results
should be interpreted in relation to the organization and use, mostly because
people are scared of what they do not understand, so "turn it off" is their weak solution.

The HTTP/S protocol does NOT replace FTP. The only thing that encrypts
your data in transfer between client and server is SFTP and other
solutions over the table that mimic FTP; HTTPS is a different protocol, and unless
used with WebDAV it is not meant to upload files. And again, if the
information on the FTP is **public** and there is no private authentication
system in place, there is no concern about anyone sniffing your data; let the script
kiddies sit down in a coffee shop sniffing your "open", "clear" FTP
public files if that entertains them, but it is no security risk in this
situation. The situation may change if there is auth involved, or outdated
software that may have security implications like breaking out of the
allowed FTP hierarchy and reading the rest of the system files, etc. Basically,
just like any other program, you have to configure it well, with no mistakes
that could get abused, and keep it updated.
PS: sorry about my English, first language is Spanish.
my 2 cents
Happy Hacking
ReK2
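The distinction rek2 draws (anonymous read-only access to public files is not a sniffing concern; credentials over cleartext FTP and users able to leave their allowed hierarchy are) can be turned into a configuration check rather than a blanket "turn it off". The following is an added example, not code from the poster or from ISC: it classifies a vsftpd-style config by those criteria. The option names are vsftpd's real ones; the fallback defaults for options missing from the file are assumed for this example (verify them against your distribution's shipped vsftpd.conf), and the two config samples are constructed.

```python
"""Classify a vsftpd-style config by the risk argument in the post above.

Added illustration (not the poster's code). Option names are vsftpd's;
the DEFAULTS table is an assumption for this example, not vsftpd's
authoritative defaults.
"""

# Assumed fallbacks for options absent from the file (verify locally).
DEFAULTS = {
    "anonymous_enable": "NO",
    "local_enable": "NO",
    "write_enable": "NO",
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
    "chroot_local_user": "NO",
    "ssl_enable": "NO",
    "force_local_logins_ssl": "YES",
}


def parse_vsftpd_conf(text):
    """Parse key=value lines; '#' starts a comment, blank/other lines are ignored."""
    conf = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip().upper()
    return conf


def assess(conf):
    """Return (severity, message) pairs. 'info' means no concern per the post's reasoning."""
    findings = []

    def on(key):
        return conf.get(key) == "YES"

    if on("anonymous_enable"):
        if on("write_enable") and (on("anon_upload_enable") or on("anon_mkdir_write_enable")):
            findings.append(("high", "anonymous users can write: this is not a public read-only mirror"))
        else:
            findings.append(("info", "anonymous read-only access to public files: sniffing reveals nothing secret"))

    if on("local_enable"):
        # Auth is involved: cleartext logins expose passwords on the wire.
        if not (on("ssl_enable") and on("force_local_logins_ssl")):
            findings.append(("high", "local logins accepted without TLS: passwords cross the network in clear"))
        # Users not confined to their directory can read the rest of the filesystem.
        if not on("chroot_local_user"):
            findings.append(("medium", "local users not confined to their directory tree"))

    if not on("anonymous_enable") and not on("local_enable"):
        findings.append(("info", "no login method enabled"))
    return findings


# Constructed sample: a public read-only mirror like the one the thread is about.
PUBLIC_MIRROR = """
# constructed example config
listen=YES
anonymous_enable=YES
local_enable=NO
write_enable=NO
anon_upload_enable=NO
"""

# Constructed sample: an authenticated server with cleartext logins and no chroot.
AUTH_SERVER = """
# constructed example config
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=NO
"""


def severities(text):
    """Convenience wrapper: severity labels for a config text, in report order."""
    return [sev for sev, _ in assess(parse_vsftpd_conf(text))]


if __name__ == "__main__":
    for name, sample in (("public mirror", PUBLIC_MIRROR), ("auth server", AUTH_SERVER)):
        print(name)
        for sev, msg in assess(parse_vsftpd_conf(sample)):
            print(f"  [{sev}] {msg}")
```

Run as a script it prints one "info" line for the public mirror and a "high" plus a "medium" finding for the authenticated server, which is the interpretation step rek2 says a raw audit tool skips: the same protocol is fine in one deployment and a real problem in the other.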