On Wed, Sep 10, 2003 at 11:45:34AM +0200, Andreas Metzler wrote:
> On Wed, Sep 10, 2003 at 06:44:08AM +0530, Suresh Ramasubramanian wrote:
> > Schalk Erasmus [9/10/2003 12:26 AM] :
> >> I need some advice on which FTP Server Daemon to use for a NEW EXIM FTP
> >> Mirror. I need a secure (but anonymous) FTP Server, for just such a purpose.
> >> Any advice on how to set up such an FTPD Server would be greatly appreciated.
> >> I don't want to allow Write Access (Only Read).
>
> > ftp.exim.org uses vsftpd, which is really very good. Especially when
> > you run it over Dan Bernstein's tcpserver instead of [x]inetd.
>
> IIRC ftp.redhat.com (and the updates-server) also uses vsftp. I'd
> strongly vote against choosing a feature-monster like wu-ftpd or
> pro-ftpd. As you do not need these features, they are just code that
> might contain an exploit.
We found vsftpd didn't quite cut it for us. We use the OpenBSD
ftpd, which is excellent. It's also minimalist and designed with
security in mind; however, it also features excellent virtual-host
support and fully working IPv6 support, unlike most out there.
Our ftp server ships a reasonable amount of traffic without
any trouble:
http://www.hea.net/mrtg/services/canyonero.html
heanet@canyonero:~$ ps -ef | grep -c ftpd
1287
heanet@canyonero:~$ uptime
20:22:07 up 1 day, 5:18, 1 user, load average: 2.44, 1.92, 1.40
(yesterday's downtime was a kernel upgrade, and there are a few
thousand more httpds and rsyncs running)
As for setting up ftp servers, unless you go for something
truly massive with too many features, most stick to the
paradigm of using the home directory of the ftp user as
/. If the ftp daemon supports high-uiding and chroot'ing,
use them. For example, we run our ftpd with the arguments:
-q -D -A -h -S -l -M -6 -u 022
which, broken down, are:
-q = don't reveal our server version to clients
-D = run in daemonised mode
-A = only allow anonymous ftp, and chroot them
-h = use high ports for passive connects (helps with most firewalls)
-S = log everything
-l = even log failed sessions
-6 = listen on IPv6
-u 022 = set the umask to 022 (has no real effect for us)
If your daemon supports similar options, they are very much worth
setting up. And rate-limiting can be worth looking at
if you have limited resources.
--
Colm MacCárthaigh / HEAnet, Teach Brooklawn, / Innealtóir Ghréasáin
+353 1 6609040 / Bóthar Shelbourne, BÁC, IE / http://www.hea.net/
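As an added example (not code from Colm's mail or from the OpenBSD ftpd distribution), here is a small POSIX sh audit that checks the ftpd command lines in `ps -ef` output for the hardening flags the breakdown above calls out, so a mirror operator can confirm the daemon really was started the way the runbook says. It assumes the flags are passed separately (`-q -D -A ...`) as in the mail rather than clustered, and the ps lines it runs over are constructed samples.

```shell
#!/bin/sh
# Added example, not from the mail or OpenBSD ftpd: audit running ftpd
# command lines for the hardening flags described in the breakdown.
# Assumes flags are given separately as in the mail, not clustered (-qDA).
# Flags the breakdown singles out for a read-only anonymous mirror:
#   -A anonymous only + chroot, -q hide version, -S log everything,
#   -l log failed sessions too, -h high ports for passive connects.
# -D, -M, -6 and -u are not audited here.
REQUIRED_FLAGS="-A -q -S -l -h"

# ftpd_missing_flags "<command line>": print the required flags that are
# absent, space separated; print an empty line if all are present.
ftpd_missing_flags() {
    missing=""
    for flag in $REQUIRED_FLAGS; do
        case " $1 " in
            *" $flag "*) ;;
            *) missing="$missing $flag" ;;
        esac
    done
    echo "${missing# }"
}

# audit_ftpd_ps: read "ps -ef" style lines on stdin, print one verdict
# per ftpd process, and return 1 if any daemon lacks a required flag.
audit_ftpd_ps() {
    rc=0
    while IFS= read -r line; do
        case "$line" in
            *" ftpd"|*" ftpd "*) ;;   # keep only ftpd processes
            *) continue ;;
        esac
        pid=$(echo "$line" | awk '{print $2}')
        args=${line#* ftpd}           # everything after the daemon name
        missing=$(ftpd_missing_flags "ftpd$args")
        if [ -z "$missing" ]; then
            echo "pid $pid: OK"
        else
            echo "pid $pid: MISSING $missing"
            rc=1
        fi
    done
    return $rc
}

# Constructed ps -ef output: one hardened daemon, one started with the
# bare minimum of options, and an unrelated process that must be skipped.
SAMPLE_PS='root 1287 1 0 Sep09 ? 00:00:03 ftpd -q -D -A -h -S -l -M -6 -u 022
root 1300 1 0 Sep09 ? 00:00:00 ftpd -D -6
root 1305 1 0 Sep09 ? 00:00:00 sshd'
printf '%s\n' "$SAMPLE_PS" | audit_ftpd_ps \
    || echo "at least one ftpd is missing a hardening flag"
```

On a live host, replace the constructed `SAMPLE_PS` with `ps -ef | audit_ftpd_ps`.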