Tutorials - Setting up and maintaining a secure server - FTP Servers
This article written by
  OldSite

Member since
  October 11, 2006

Crackers:

FTP is an insecure protocol, and because the FTP server daemon runs as root, there have been many exploitable versions of FTP servers. On a side note, FTP also sends passwords in plain text, so it is insecure in that sense too.

Admins:

There are many competing FTP servers; be very careful which one you use.

My personal choice is PureFTPd. Every time I say I use PureFTP, some smart-ass hacker says “haha the one with the root exploit” (showing they have never actually run the root exploit, which was identified as completely fake – yes, it’s always the same exploit renamed). So far, Pure-FTPd has not had any real root exploits. PureFTPd is also feature-rich if you need weird features, and is very configurable.

I’m not going to list PureFTPd installation instructions, as it’s fairly simple. I will tell you the configure params that are good to use:

./configure --without-banner --with-paranoidmsg
  • --without-banner stops PureFTPd from telling every client that it is PureFTPd, which makes it a lot harder to identify the server software from its greeting.
  • --with-paranoidmsg is nice for hosting services, and is really more secure too. It gives less descriptive messages such as “Authentication failed” instead of “Invalid password”, so a failed login does not reveal whether the username or the password was wrong.

When running PureFTPd, use:

/usr/local/sbin/pure-ftpd -A -Z &

The -A option forces every user to stay inside their home directory (it chroots them, so / actually appears as their home directory). This is an added security precaution; it’s best to use it.
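After installing and starting the server, it is worth checking that the two hardening options above actually took effect. The following is an added example (not from the original tutorial or the Pure-FTPd project): it connects to a server you administer, records the 220 greeting and the 530 reply to a deliberately failing login, and reports whether the greeting names the software and whether the failure reply says more than a generic “Authentication failed”. The marker and phrase lists, the placeholder account name and the function names are assumptions made for this example.

```python
"""Post-install check for an FTP server hardened with --without-banner and --with-paranoidmsg."""
import ftplib

# Substrings that name FTP server software in a 220 greeting (constructed list, not exhaustive).
SOFTWARE_MARKERS = ("pure-ftpd", "pureftpd", "proftpd", "vsftpd", "wu-ftpd", "filezilla")

# Failure phrases that reveal WHICH credential was wrong (constructed list).
DESCRIPTIVE_PHRASES = ("invalid password", "wrong password", "no such user",
                       "unknown user", "user not found", "account disabled")


def banner_leaks_software(greeting: str) -> bool:
    """True if the 220 greeting names the server software (what --without-banner suppresses)."""
    return any(marker in greeting.lower() for marker in SOFTWARE_MARKERS)


def reply_is_descriptive(failure_reply: str) -> bool:
    """True if a 530 reply distinguishes a bad user from a bad password
    (what --with-paranoidmsg replaces with a generic 'Authentication failed')."""
    text = failure_reply.lower()
    if "authentication failed" in text:
        return False
    return any(phrase in text for phrase in DESCRIPTIVE_PHRASES)


def assess(greeting: str, failure_reply: str) -> dict:
    """Combine both checks into one verdict for the given server replies."""
    return {
        "banner_leaks_software": banner_leaks_software(greeting),
        "failure_reply_descriptive": reply_is_descriptive(failure_reply),
        "greeting": greeting.strip(),
        "failure_reply": failure_reply.strip(),
    }


def audit_ftp(host: str, port: int = 21, timeout: float = 5.0) -> dict:
    """Connect to your own FTP server and assess its greeting and login-failure reply.
    The probe uses a placeholder account that should not exist on the server."""
    ftp = ftplib.FTP(timeout=timeout)
    greeting = ftp.connect(host, port)          # ftplib returns the 220 welcome text
    failure_reply = ""
    try:
        ftp.login("audit-placeholder-user", "not-a-real-password")
    except ftplib.error_perm as exc:             # 530 reply arrives as the exception text
        failure_reply = str(exc)
    finally:
        try:
            ftp.quit()
        except (ftplib.Error, OSError, EOFError):
            ftp.close()
    return assess(greeting, failure_reply)


if __name__ == "__main__":
    import sys
    print(audit_ftp(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"))
```

Run it against the server's own address; a hardened server should report both flags as False.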
