FTP Daemon Options for Linux

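When it comes to setting up an FTP server on a Linux/UNIX server, which software comes to mind? ftpd? wu-ftpd? proftpd?

I happened to find an article while looking for FTP daemons, and it turns out there are this many choices, :D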

FTP Daemon Options for Linux

http://www.linuxmafia.com/faq/Network_Other/ftp-daemons.html


by Rick Moen, <rick@linuxmafia.com>

revised 2002-11-21

Almost all current Linux distributions come equipped with
one of the two standard ftp daemons (servers):

  • wu-ftpd (or the wu-ftpd-academ variant)
  • Proftpd

Both of these are extremely full-featured, but have had a
long history of security exploits. wu-ftpd may be hopeless in
the long term, unless fundamentally rewritten, and ProFTPd
was in that same situation and is being drastically revamped
by new maintainers. I'm not sure I'd trust that work, yet.
(ProFTPd's state at what we might hope was its low point was
summarised at http://lwn.net/1999/0909/a/proftpdesign.html.)

Additionally, both ftp daemons share the design trait of
being (in my view) overfeatured: It is difficult to write
secure code with very large feature sets, especially when it
must run as a privileged process (as both those daemons
must).

At a fundamental level, the ftp protocol itself poses a
security problem: Like telnet and the normal variety of POP3
e-mail, it sends usernames and passwords unencrypted across the
open Internet. It is trivially easy for hostile parties to
capture ("sniff") those usernames and passwords, and then
remotely log in to your system as if they were your authorised
users. Thus, ftp access into your system, generically, tends to
threaten your system's security.

The exception is anonymous ftp access. By tradition, an
anonymous user authenticates his ftp sessions using username
"anonymous" (or "ftp") and gives his e-mail address at the
password prompt. Thus, any "sniffing" of that username/password
information is harmless: It's not secret.

Accordingly, what I'm personally looking for is a good
implementation of anonymous ftp daemon services. I will try
to build a complete list of all ftpd options on Linux, but
please bear in mind my prejudice that non-anonymous file
transfers should never be via ftp, but rather scp (Secure cp,
part of the ssh Secure Shell protocol family).


Name: 4.4BSD/NetBSD ftpd (bsd-ftpd)

Source: ftp://metalab.unc.edu/pub/Linux/system/Network/daemons/

Licence: BSD

Comments: Linux port of the NetBSD ftpd, which in turn was from
4.4BSD. Looks very old and unmaintained.

Name: aftpd (Anonymous FTP Daemon)

Source: http://pubweb.nfr.net/~mjr/pubs/index.shtml

Licence: Any use allowed except inclusion in commercial
products (TIS lic.)

Comments: Stripped-down version of traditional BSD ftpd,
supporting only anonymous access. Also has a read-only option
(recommended). Appears to be an extremely sound design -- but
very BSD-centric. If you've succeeded in making this compile
for Linux, please let me know. In the meanwhile, this is an
excellent choice for BSD (or Solaris?) systems.

Name: aftpd (Another FTP Daemon)

Source: http://vekoll.saturnus.vein.hu/~bazsi/aftpd/

Licence: Unstated.

Comments: Said to be in early alpha. Fine control of access
rights (ACLs) and user accounting. Supports virtual hosts and
"virtual users" (user with no UID).

Name: anonftpd

Source: ftp://koobera2.math.uic.edu/pub/software/

Licence: Free usage.

Comments: Great idea, disastrous implementation: Output (i.e.,
the ftp "LIST" command) is in a human-hostile format the author
calls Easily Parseable List Format. "ls" command fails to
support standard options such as "-l" or "-a". Inherently
secure design because it uses no system calls capable of
writing -- wasted on account of insane design decisions.
Tragic.

Name: BeroFTPD

Source: ftp://bero.x5.net/pub/

Licence: BSD

Comments: Said to be based on wu-ftpd, with a superset of its
features (extra support for virtual hosts).

Name: BetaFTPD

Source: http://members.xoom.com/sneeze/betaftpd.html

Licence: GPL v. 2

Comments: Single-threaded, small, fast. Said to be definitely
not yet ready for prime time.

Name: bftpd (Bruker ftpd)

Source: http://www.bftpd.f2s.com/

Licence: GPL v. 2

Comments: Inetd-based ftp daemon, partly inspired by ideas
drawn from BetaFTPD, designed for high configurability,
security and speed. Does on-the-fly tar/gz, chroot without
special configuration, PAM, passwd/shadow support.

Name: CrushFTP

Source: http://crushftp.terrashare.com/

Licence: Proprietary payware. No source code.

Comments: Written in Java. Requires a JVM. Remote
Java-applet-based administration. Multithreaded.

Name: DPFS (Dual-Protocol File Server, formerly
"Demi-FTPd")

Source: http://www.karico.fi/dftpd/

Licence: GPL v. 2

Comments: I'm not sure what to think of this one, yet.
Promising.

Name: fhttpd

Source: http://www.fhttpd.org/

Licence: GPL v. 2

Comments: Does both ftp and http -- still a beta version, at
this writing. Doesn't support passive connections.

Name: FTP4ALL

Source: http://www.ftp4all.de/

Licence: GPL v. 2

Comments: Rare design: Can be compiled/installed by non-root
users.

Name: ftpd-BSD

Source: http://www.owlriver.com/projects/ftpd-BSD/

Licence: BSD with GPL-licensed additions

Comments: OpenBSD's ftpd as ported to Linux by Owl River
Company, based on early work by Robert R. Wal. Added support
for current PAM, glibc, xinetd, logrotate.

Name: ftpd-BSD

Source: ftp://ftpd-bsd.psychasia.com/pub/ftpd-bsd/

Licence: BSD

Comments: OpenBSD's ftp as ported to Linux by David Madore
(see: http://www.eleves.ens.fr:8080/home/madore/programs/#prog_ftpd-BSD)
and subsequently maintained by Will Estes, based on early work
by Robert R. Wal. Added PAM support (broken a/o 11/2001). This
version reportedly has some build problems with PAM support and
potential problems with IP aliasing -- and has not been
modified since the initial 2001-02-28 version.
IPv6-capable.

Name: ginseng-ftpd

Source: http://mmondor.rubiks.net/software.html

Licence: BSD

Comments: Forked from NetBSD's bsd-ftpd v. 6.5. Single
configuration file, read-only accounts, umask, per-user
directory size limits, PAM and shadow password support,
on-the-fly gunzip, internal ls, IPv6 support, various security
fixes. By Matthew Mondor.

Name: glFtpD

Source: http://www.glftpd.org/

Licence: Free usage, no source code.

Comments: Why do I get the definite feeling this thing has
something to do with warez kiddies? I wouldn't touch it on a
bet.

Name: hftpd (Hoser FTPD)

Source: http://www.zabbo.net/hftpd/

Licence: GPL v. 2

Comments: Heavily threaded; use on Linux 2.2+ w/glibc 2.1+.
Currently Linux and x86-only. Looks promising; very spare
documentation.

Name: Libra FTP Server

Source: http://libraftp.narod.ru/libraindex.html

Licence: GPL v. 2

Comments: Anonymous-only. Read-only mode, extensive logging,
MD5 checksumming of transferred files, IPv6 support. Doesn't
need to run as root, uses no external calls. Can support ftp
proxy. By Andrey Savochkin and Maxim Shesterikov.

Name: Linux-ftpd

Source: ftp://metalab.unc.edu/pub/Linux/system/Network/daemons/

Licence: BSD

Comments: Berkeley ftp daemon, ported from OpenBSD. Obviously
has not been maintained for several years.

Name: lukemftpd

Source: ftp://ftp.netbsd.org/pub/NetBSD/misc/lukemftp/

Licence: BSD

Comments: A portable version (by Luke Mewburn) of
NetBSD-current's ftpd. Described as 90% of wu-ftpd's
functionality with 30% of its footprint.

Name: mmftpd

Source: http://mmondor.gobot.ca/software.html

http://mmondor.rubiks.net/software.html

Licence: BSD w/advertising clause

Comments: By Matthew Mondor, written from scratch as a
successor to his earlier ginseng-ftpd. Virtual users only, runs
non-privileged and optionally chrooted, supports some anti-DoS
measures and bandwidth shaping, supports per-user
permissions/limits. Users' access can be read-only, and is
confined to home directories via careful path-checking.

Name: Muddleftpd

Source: http://www.nongnu.org/muddleftpd

Licence: GPL v. 2

Comments: Can compile & install for non-root user. Designed
from scratch.

Name: NcFTPd

Source: http://www.ncftp.com/ncftpd/

Licence: Proprietary payware. No source code.

Comments: Uses directory caching and avoids forking code.

Name: Net::FTPServer

Source: http://www.cpan.org/modules/by-authors/id/R/RW/RWMJ/

Licence: GPL

Comments: Fully-fledged FTP server written in Perl. Feature
parity with wu-ftpd. Extensible. Virtual filesystem lets you
serve files/images/whatever from a SQL database. See also the
Freshmeat project page at http://freshmeat.net/projects/netftpserver/

Name: oftpd

Source: http://www.time-travellers.org/oftpd/

ftp://ftp.ferrara.linux.it/pub/project6/sources/
(IPv6 patches)

Licence: BSD

Comments: Anonymous-only, sheds root authority for most of its
operation, contains internal cd and ls functions. Said to be an
"early release". Runs stand-alone, i.e., not under inetd.

Name: pftpd (Peter's ftpd)

Source: ftp://ftp.lysator.liu.se/pub/unix/pftpd/

Licence: Free usage.

Comments: Multithreaded, anonymous-only ftp daemon. Also
supports additional anonymous-access directories within your
local users' home directories. Limitations: Doesn't yet support
globbing (*, ?, []) or names lookups on gids. Operates in
read-only mode by default. Does BINARY or ASCII mode (including
restartable transfers), and active or passive connections.
Still gives occasionally buggy output, as of 2000-12.

Name: ProFTPd

Source: http://www.proftpd.org/

ftp://sith.mimuw.edu.pl/pub/users/baggins/IPv6/
(IPv6 patches)

http://www.t17.ds.pwr.wroc.pl/~misiek/ipv6/
(IPv6 patches)

Licence: GPL v. 2

Comments: Extremely full-featured, but saddled with a crufty
design and a sad, ongoing history of security compromises. This
is tragic, since it was a noble ground-up effort to replace and
improve on wu-ftpd. Configuration design inspired by Apache's,
supports virtual domains. Does it all. Fortunately, in 1999, it
was taken over by new maintainers, so we may see drastic
improvements.

Name: Publicfile

Source: http://cr.yp.to/publicfile.html

Licence: Has author's copyright, only, and no licence, and thus
is distributable only directly by the copyright owner --
proprietary software. The author (who seems hostile to
open-source[1] software licencing - see http://cr.yp.to/qmail/dist.html)
seems to have deliberately intended this unfortunate situation.
My understanding is that you have implied licence to retrieve
the package directly from the author's site, to
write/apply/distribute patches, to compile it, and to use it --
but not to redistribute it or works derived from it. The
foregoing applies in the USA: Wholly different rights may
result elsewhere. The author addresses this matter (in the
abstract) at http://cr.yp.to/softwarelaw.html.

Comments: Still an alpha version, at this date. Provides ftp
and http file access, disallows writes to the public file area,
does its work without root authority. By Daniel J. Bernstein,
author of anonftpd (which, please see). Requires Bernstein's
ucspi-tcp and daemontools packages, which are available under
the same non-licence. Does NOT produce standard human-readable
output, only Bernstein's "Easily Parseable List Format" (EPLF),
as with the author's earlier anonftpd.

Name: Pure-FTPd

Source: http://sourceforge.net/projects/pureftpd/

Licence: Free usage.

Comments: Patched, improved version of Troll-ftpd, adding
ASCII-mode transfers, capabilities-model (ACLs) support, PAM
support, built-in "ls" command, IPv6 support, chrooted home
directories, bounded ports for passive mode, FXP protocol
support. Seems like a winner.

Name: Roxen Challenger

Source: http://www.roxen.com/download/source/

Licence: GPL v. 2

Comments: ftpd is part of a large, ambitious, multi-threaded
SSL3-Web/proxy/mirror server. (The strong-crypto version is
proprietary: The 40-bit version is under the GPL.)

Name: SSLftpd

Source: ftp://ftp.psy.uq.oz.au:/pub/Crypto/SSLapps/

Licence: BSD

Comments: Standard wu-ftpd, patched to support SSL
authentication, falling back to standard ftp for non-SSL
(regular) ftp clients.

Name: Todokru

Source: http://www.futuresouth.com/~tomw/todokeru/

Licence: Free usage.

Comments: Written entirely in Perl. (Also requires POE.) Author
says it was written mostly for fun, and could be improved to be
a solid option, but that he personally wouldn't use it.

Name: Troll-ftpd

Source: ftp://ftp.troll.no/freebies/ftpd/

http://www.t17.ds.pwr.wroc.pl/~misiek/ipv6/
(IPv6 patches)

Licence: Free usage.

Comments: Linux-only, cleanly written ftpd by a Troll Tech
employee. Fast, small, secure, and easy to configure for
anonymous-only operation. It even does virtual domains. About
the only thing wrong with it is that it doesn't support ASCII
mode transfers, only binary, and that kills it for me. But
please see also the entry for Pure-ftpd.

Name: TUX

Source: ftp://ftp.redhat.com/pub/redhat/tux/

Licence: GPL v. 2

Comments: Linux-only, kernel-based, threaded,
very-high-performance HTTP and ftp server. Does virtual
domains. Written by Ingo Molnar.

Name: Twoftpd

Source: http://untroubled.org/twoftpd/

Licence: GPL v. 2

Comments: Ftpd in two separate modules: A front-end for
authentication only, and a back-end that carries out all
file-handling and file-transfer. Performs chroot by default. No
external calls. Included twoftpd-anon variant is a
stripped-down version for anonymous ftp only. Written by Bruce
Guenter.

Name: Very Secure ftp Daemon (vs-ftpd)

Source: ftp://ferret.lmh.ox.ac.uk/pub/linux/

Licence: GPL v. 2

Comments: Supports local accounts as well as anonymous. Modular
design, with each module running with minimal privilege. Runs
as an unprivileged user in a chroot jail, with special care in
handling of buffers, and uses all internal functions (e.g., no
external call to ls). Tries to avoid using potentially
dangerous library calls, and encapsulates all library calls
through two of its routines, as auditable points of contact.
Still in beta stages. (vs-ftpd is the current favourite ftpd of
this document's maintainer.)

Name: Washington University FTPd (Wuarchive-ftpd, aka
wu-ftpd)

Source: http://www.wu-ftpd.org/

http://www.t17.ds.pwr.wroc.pl/~misiek/ipv6/
(IPv6 patches)

Licence: BSD

Comments: The most popular ftpd on the Net, and the standard
ftp server. Well documented and supported, and can do just
about anything. Unfortunately, it is considered insecure, and
has a long history of security compromises. From Washington
University in St. Louis, Missouri.

Name: wu-ftpd-academ

Source: ftp://ftp.academ.com/pub/wu-ftpd/private/

Licence: BSD

Comments: When such is available, this is where you get the
patched & enhanced version of wu-ftpd from Academ
Consulting Services in Houston, Texas (Stan Barber,
proprietor). Often, security fixes for wu-ftpd are performed by
Stan, first.

Notes: Dan Kegel is doing a "performance bake-off" of ftp
daemons for Linux: http://www.kegel.com/dkftpbench/bakeoff.html

The page for his ftp-daemon benchmarking tool is extremely
informative, too: http://www.kegel.com/dkftpbench/

[1] As defined by http://www.opensource.org/docs/definition_plain.html,
the standard and essentially sole meaningful yardstick for
that term. Bernstein apologists, who characteristically seem to
think "open source" should mean whatever they want it to, are
invited to eat my shorts. And also to read http://linuxmafia.com/~rick/faq/#djb.

---

Copyright (C) 2000-2002, Rick Moen,
<rick@linuxmafia.com>.

This information is free; you can redistribute it and/or
modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, version 2.

This work is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public
License along with this work; if not, write to the Free
Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139,
USA.

Alternatively and at the recipient's option, this work may be
used freely under the
Attribution-ShareAlike 1.0 licence.