NcFTPd : Frequently Asked Questions : Security

 

My Nessus security scanner is reporting vulnerabilities.

Nessus tends to report false alarms and jump to incorrect conclusions when testing an NcFTPd server.  To see this yourself, run NcFTPd in verbose mode and look at the logs to see how NcFTPd reacts to each test the scanner runs.

We have prepared a page with an example Nessus report and the corresponding NcFTPd verbose log entries, with notes about how NcFTPd handles each test.  Compare our report with yours and let us know if yours has any additional messages, which could indicate either a new false alarm that should be documented in our report or an actual vulnerability.

Is NcFTPd compiled using the StackGuard compiler, and if not, will it be in the future?

No, it is not.  This has been strongly considered for the Linux/x86 version of NcFTPd, but right now the Linux/x86 package already includes three different versions, which can be a little intimidating for a novice user trying to choose which NcFTPd to run.  If we reach a point where we have only one Linux version in the package, then we may be able to include a StackGuard version with it.

Does NcFTPd support any kind of encryption to prevent packet sniffers from stealing passwords or data?

No.  NcFTPd does not contain any encryption support, because there aren’t any non-proprietary FTP clients that support it.

The FTP protocol itself is flawed in a few ways, one of which is that the username and password are sent in plaintext that could be intercepted by a packet sniffer.  If you’re in a high-security environment you may want to avoid non-anonymous FTP altogether.

You can also experiment with encrypting the underlying link, so that all TCP/IP traffic is encrypted at that level.  For example, that’s how Virtual Private Networks and IPsec work.  Still another option is to use the ssh package to provide secure tunnels.

NcFTPd allows data connections to a different IP address from the control connection!

The problem is that proxy connections are a feature of the FTP protocol, and technically it is legitimate for one host to initiate a transfer so that another host actually receives or sends the data.  So by allowing proxy connections, there is a possibility that an attacker could steal a data connection that was intended for another client if that client was downloading, or replace the data if the client was uploading.  We'd love to have proxy connections disabled by default, but the last time we tried it we got too many "bug" reports that turned out to be related to FTP proxy programs or clients behind proxy servers.

By default, NcFTPd disallows certain types of proxy connections when it can tell that the address is not really legitimate.  For example, it is possible to abuse the FTP protocol to connect to system services, either to determine service availability or to abuse the service.  Therefore, NcFTPd disallows proxy connections when the port number is less than 1024.

You can disable all proxy connections using the allow-proxy-connections option, if you’re willing to put up with cranky users who want to use a proxy.
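The checks described above can be expressed as a validator for the argument of the FTP PORT command. This is an added example, not NcFTPd's code: the function names, the allow_proxy parameter (standing in for the allow-proxy-connections option) and the sample addresses are assumptions. It also refuses low ports on every request, proxy or not, which is this example's choice.

```python
import ipaddress

def parse_port_argument(arg):
    """Parse the RFC 959 PORT argument 'h1,h2,h3,h4,p1,p2' into (ip, port)."""
    fields = arg.strip().split(",")
    if len(fields) != 6:
        raise ValueError("PORT needs six comma-separated fields")
    octets = []
    for f in fields:
        # Each field is one byte written in decimal; reject anything else.
        if not (f.isascii() and f.isdigit()) or len(f) > 3 or int(f) > 255:
            raise ValueError("field out of range: %r" % f)
        octets.append(int(f))
    ip = ipaddress.IPv4Address(bytes(octets[:4]))
    port = octets[4] * 256 + octets[5]
    return ip, port

def check_port_command(arg, control_peer, allow_proxy=True):
    """Return (accepted, reason) for a PORT request.

    control_peer is the client address seen on the control connection.
    allow_proxy is a hypothetical switch for this example only.
    """
    try:
        ip, port = parse_port_argument(arg)
    except ValueError as exc:
        return False, "malformed: %s" % exc
    # Ports below 1024 belong to system services; never connect to them.
    if port < 1024:
        return False, "reserved port %d refused" % port
    # A data address that differs from the control peer is a proxy connection.
    if ip != ipaddress.IPv4Address(control_peer):
        if not allow_proxy:
            return False, "proxy target %s refused" % ip
        return True, "proxy connection to %s:%d" % (ip, port)
    return True, "direct connection to %s:%d" % (ip, port)

# Constructed sample requests; addresses come from documentation ranges.
SAMPLES = [
    ("192,0,2,10,19,137", "192.0.2.10"),    # same host, port 5001
    ("198,51,100,7,19,137", "192.0.2.10"),  # different host (proxy)
    ("192,0,2,10,0,25", "192.0.2.10"),      # port 25, a system service
    ("192,0,2,10,300,1", "192.0.2.10"),     # malformed octet
]

if __name__ == "__main__":
    for arg, peer in SAMPLES:
        for allow in (True, False):
            print(arg, "peer", peer, "allow_proxy", allow,
                  "->", check_port_command(arg, peer, allow))
```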

 
