vsFTPD vs. ProFTPD

Bennett Todd bet at rahul.net
Sun Aug 15 19:45:46 PDT 2004


2004-08-15T21:41:15 Dominic Hilsbos:
> Hey all, what's the difference between vsFTPD and
> ProFTPD?  And under which circumstances would you
> choose one over the other?

Whew. They're _so_ different....

vsftpd is intended to be very secure. Its features are focused on
security, and it tries to avoid being the route by which your system
is burgled. As far as I know, there's only one ftpd I'd trust more
these days, that's publicfile, but that's strictly and solely for
anonymous ftp (and http), not ftp with passwords.

Proftpd certainly mentions security as one of their goals, and I
don't have any reason to believe it's one of the worst, but from a
very quick peek at their website it does look like the sort of
software you need to keep an ear open for, and be ready to upgrade
quick. It's designed to be the most full-featured ftpd around, I
think.

Both have reasonable applications.

In fact, I think the two of them, and publicfile, are probably local
maxima at three different points on a functionality / security
tradeoff scale.

But I'm happy to say I've so completely deprecated ftp in my life,
that I've not kept up particularly closely with the choices
available.

If you possibly can, don't ftp at all. The protocol is a wicked
hangover from the predecessor of TCP, whose name I now forget, that
was if I recall correctly half-duplex, so interleaving commands and
file transfers wasn't performant, hence ftp's creepy, nasty,
revolting command channel that negotiates temporary, transient TCP
connections, a separate one for each data transfer, a pattern
shared only with seriously revolting multimedia protocols that are
worth avoiding if at all possible.

Two big consequences of this blecherous design are big reasons for
abandoning FTP altogether and for all applications:

1. FTP doesn't NAT (requires a protocol-aware fixup module, or a
   proxy); and

2. One end or the other, server or client, has to leave vast numbers
   of ports open, and so can't be particularly tightly firewalled

If you want to publish files, use http, or if your security needs
merit it https. These NAT fine, and interact as graciously as is
practical with firewalls.

-Bennett
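
The NAT point above, as an added example that is not part of the original post: FTP carries the data-connection address and port as text inside the control channel (the PORT command and the 227 reply to PASV, per RFC 959), so a NAT device has to parse and rewrite the payload itself. The function names, sample lines and addresses below are constructed for illustration.

```python
import re

# RFC 959 writes a data-connection endpoint as six decimal bytes: h1,h2,h3,h4,p1,p2
HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def parse_endpoint(line):
    """Return (ip, port) from a PORT command or a 227 (PASV) reply, else None."""
    if not (line.upper().startswith("PORT ") or line.startswith("227 ")):
        return None
    m = HOSTPORT.search(line)
    if m is None:
        return None
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]

def format_endpoint(ip, port):
    """Encode ip/port back into the h1,h2,h3,h4,p1,p2 form."""
    return ",".join(ip.split(".") + [str(port >> 8), str(port & 0xFF)])

def nat_fixup(line, public_ip, public_port):
    """Rewrite the endpoint inside the control-channel text, as a fixup module must.

    Translating the IP/TCP headers alone leaves the inside address in the
    payload, so the peer would try to connect to an unroutable host.
    """
    if parse_endpoint(line) is None:
        return line  # not a data-channel negotiation line; pass through
    return HOSTPORT.sub(format_endpoint(public_ip, public_port), line, count=1)

if __name__ == "__main__":
    # Constructed control-channel lines; 203.0.113.7 is a documentation address.
    for line in ("PORT 192,168,1,23,195,80",
                 "227 Entering Passive Mode (10,0,0,5,156,64)",
                 "RETR file.txt"):
        print(f"{line!r}: endpoint={parse_endpoint(line)}")
        print("  after fixup:", nat_fixup(line, "203.0.113.7", 61000))
```

The rewritten line can differ in length from the original, so a real fixup module also has to adjust TCP sequence numbers on the control connection.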