Path: ...!eternal-september.org!feeder3.eternal-september.org!news.hispagatos.org!.POSTED!not-for-mail
From: rek2 hispagatos <rek2@hispagatos.org.invalid>
Newsgroups: news.admin.hierarchies,news.software.nntp
Subject: Re: ISC will likely be shutting down FTP access to ftp.isc.org soon (https will remain)
Followup-To: news.admin.hierarchies
Date: Fri, 27 Sep 2024 15:58:15 -0000 (UTC)
Organization: Hispagatos
Message-ID: <vd6kmn$h9b2$1@matrix.hispagatos.org>
References: <1f19a554-8a81-ce8c-8ac6-7ab1e053a632@isc.org> <vd6ips$ou6o$1@dont-email.me>
Reply-To: ReK2 <rek2@hispagatos.org>
Injection-Date: Fri, 27 Sep 2024 15:58:15 -0000 (UTC)
Injection-Info: matrix.hispagatos.org; logging-data="566626"; mail-complaints-to="abuse@hispagatos.org"
User-Agent: slrn/1.0.3 (Linux)
Bytes: 3492
Lines: 46

>> If any software, such as INN, ships with the "ftp"
>> protocol baked-in, this gives enough time for people to put out new
>> releases and docs that point at the change, or at least add the
>> change to their README's, and the like.
>
> Might be true, but be aware that most systems run on operating systems
> that don't always have the latest upstream packages. Systems like
> Debian have package versions that are sometimes older than 1 or 2 years
> with security backports.
>
>> If there are objections or considerations, please feel free to reply
>> here or contact me directly.
>
> I don't see a real reason to shut down the ftp server. If some of your
> customers don't like the FTP protocol, they don't need to use it.
I agree with Marcos. I also work in this field, and before it was a job it was my way of life: trying, testing and breaking into systems and finding vulnerabilities. FTP with public information, anonymous access, and an up-to-date, well-configured FTP server does not imply any security risk whatsoever. It is true that we have a lot of non-hackers coming out of academies who pass a test and learn by the book, and by default, without knowing what it is used for, they will parrot the minimal knowledge they got from a 101 cybersecurity book they learned by heart at one of these academies, or from an automatic security audit tool whose false positives they do not know how to filter, or whose results they do not know how to interpret in relation to the organization and its use. Mostly this is because people are scared of what they do not understand, so "turn it off" is their weak solution.

The HTTP/S protocol does NOT replace FTP. The only things that encrypt your data in transfer between client and server are SFTP and the other solutions on the table that mimic FTP; HTTPS is a different protocol, and unless it is used with WebDAV it is not meant for uploading files. And again, if the information on the FTP server is **public** and there is no private authentication system in place, there is no concern about anyone sniffing your data. Let the script kiddies sit in a coffee shop sniffing your "open", "clear" public FTP files if that entertains them; it is no security risk in this situation.

The situation may change if there is auth involved, or outdated software that may have security implications, like breaking out of the allowed FTP hierarchy and reading the rest of the system's files, etc. Basically, just like any other program, you have to configure it well, with no mistakes that could get abused, and keep it updated.

PS: sorry about my English, my first language is Spanish.

my 2 cents

Happy Hacking
ReK2
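As an added illustration of what "configure it well" means for a public, anonymous, read-only FTP server (this is not from ReK2's post, from Marcos, or from ISC; the thread never says what daemon ftp.isc.org runs, so vsftpd and the paths below are assumptions), here is a vsftpd.conf where each risky setting is named in a comment next to the value that keeps the box a download-only mirror and keeps sessions inside the published tree:

```ini
# vsftpd.conf for a read-only anonymous mirror (added example; vsftpd and
# the paths are assumptions, not anything the thread describes).
# Where a comment says "risky", that is the setting that turns a public
# download server into a drop site or a way out of the FTP tree; the value
# on the following line is the safe one.

listen=YES
listen_ipv6=NO

# Anonymous read-only is the whole point of a public mirror. Keep system
# accounts out of the daemon entirely so a password guess gets nothing.
anonymous_enable=YES
local_enable=NO
no_anon_password=YES

# risky: write_enable=YES together with anon_upload_enable=YES makes the
# mirror a public drop site (warez, phishing kits, malware staging).
write_enable=NO
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO

# Only serve files that are world-readable; a stray 0600 file left in the
# tree stays invisible instead of leaking.
anon_world_readable_only=YES

# Confine the session to the published tree. anon_root is the directory the
# anonymous user is chrooted into; vsftpd refuses to run if the chroot root
# is writable by the FTP user, so keep it root-owned and mode 0755.
anon_root=/srv/ftp
secure_chroot_dir=/var/run/vsftpd/empty
nopriv_user=ftp

# risky: real uid/gid in LIST output tell a visitor which local accounts
# own the files.
hide_ids=YES

# Resource limits: a public service is a DoS target.
max_clients=200
max_per_ip=10
anon_max_rate=2000000
idle_session_timeout=300
data_connection_timeout=120

# Passive data ports in a fixed range so the firewall can stay tight.
pasv_enable=YES
pasv_min_port=50000
pasv_max_port=50100
connect_from_port_20=NO

# Full protocol logging, so repeated STOR attempts or "CWD .." probing
# shows up instead of disappearing.
xferlog_enable=YES
xferlog_std_format=NO
log_ftp_protocol=YES
vsftpd_log_file=/var/log/vsftpd.log

# Kernel sandbox for the per-session processes (vsftpd 3.x on Linux);
# drop this line if the build lacks seccomp support.
seccomp_sandbox=YES

ftpd_banner=Public mirror. Read-only. Anonymous access only.
```

Once it is running, check it the way an attacker would rather than trusting the file: log in anonymously, try `put`, `mkdir` and `cd ..` from the top of the tree, and confirm the log records each refused attempt. The chroot and the write settings protect against a misconfiguration, not against a bug in the daemon itself, which is the "keep it updated" half of the post.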