On Tue, Dec 30, 2014 at 04:37:14PM +0000, Alain Williams wrote:
> On Tue, Dec 30, 2014 at 10:30:59AM -0600, Kevin Kinsey wrote:
>
> > Having FTP/TCP:21 open to the WWW is the equivalent of (and forgive me, but...)
> > removing your pants, handcuffing your wrists to your ankles, standing on the street
> > in a large city and painting "rape me" on your bum. It's the 21st century, for crying
> > out loud; there are many more secure mechanisms. If anyone is reading this and has
> > FTPD open to any and all comers on the WWW, please consider this an earnest plea to
> > find someone who understands security and hire them right away.
>
> Not entirely true. If it is an authenticated login (username/password) yes, but
> anonymous FTP is quite OK for serving files that you are content for anyone to read.

I'll give you that, given no uploads. Allowing anonymous uploads is possibly a good way
to get compromised as well --- I've seen that more than once.

> There are levels of security needed: HTTP authentication is not very secure if
> not done over HTTPS, but for some it is sufficient.

Obviously, depending on your intent in making resources available. But if you're
allowing unknown users to connect to resources that have any sort of input capability,
you had better be quite certain your outward-facing app is robustly protected (e.g.,
pay for those patches / updates).

Which might bring up WordPress security. The standard approach (in their control panel)
is via letting WordPress.com have access to FTP PUT, right? Maybe I should be preaching
to them ;-) ;-)

Kevin Kinsey

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
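The distinction the thread draws (anonymous read-only FTP is tolerable, anonymous uploads and clear-text password logins are not) is something an administrator can check mechanically. The following is an added example, not code from anyone in the thread; it assumes a vsftpd-style key=value configuration file (the thread names no particular FTP daemon), uses real vsftpd option names and their upstream defaults, and runs over sample configurations constructed for the example.

```python
"""Audit a vsftpd-style FTP configuration for the risks discussed in the thread.

Added example; assumes vsftpd key=value syntax and upstream defaults
(anonymous_enable=YES, write_enable=NO, anon_*_enable=NO, local_enable=NO,
ssl_enable=NO). The sample configs below are constructed for this example.
"""


def parse_config(text: str) -> dict:
    """Parse key=value lines, ignoring blank lines and '#' comments (vsftpd syntax)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def _yes(conf: dict, key: str, default: str = "NO") -> bool:
    """True when the option is YES, falling back to the daemon default."""
    return conf.get(key, default).upper() == "YES"


def audit(text: str) -> list:
    """Return a list of findings; an empty list means none of the checked risks apply."""
    conf = parse_config(text)
    findings = []
    anon = _yes(conf, "anonymous_enable", "YES")
    write = _yes(conf, "write_enable")  # vsftpd requires this for any write at all
    # Anonymous read-only access is the case the thread calls acceptable; any of the
    # anon_*_write/upload options turning it into a drop box is the case it warns about.
    if anon and write and _yes(conf, "anon_upload_enable"):
        findings.append("anonymous users may upload files (anon_upload_enable=YES)")
    if anon and write and _yes(conf, "anon_mkdir_write_enable"):
        findings.append("anonymous users may create directories (anon_mkdir_write_enable=YES)")
    if anon and write and _yes(conf, "anon_other_write_enable"):
        findings.append("anonymous users may delete or rename files (anon_other_write_enable=YES)")
    # Username/password logins over plain FTP expose the password, the same weakness the
    # thread notes for HTTP authentication without HTTPS.
    if _yes(conf, "local_enable") and not _yes(conf, "ssl_enable"):
        findings.append("local account logins without ssl_enable=YES send passwords in clear text")
    return findings


# Constructed sample: anonymous read-only mirror (no findings expected).
READ_ONLY_ANON = """\
anonymous_enable=YES
local_enable=NO
write_enable=NO
"""

# Constructed sample: anonymous upload drop box (two findings expected).
ANON_UPLOAD = """\
anonymous_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
"""

# Constructed sample: authenticated logins with no TLS (one finding expected).
CLEARTEXT_LOGIN = """\
# local accounts only, no ssl_enable
anonymous_enable=NO
local_enable=YES
write_enable=YES
"""

if __name__ == "__main__":
    for name, sample in [("read-only anon", READ_ONLY_ANON),
                         ("anon upload", ANON_UPLOAD),
                         ("cleartext login", CLEARTEXT_LOGIN)]:
        print(name, "->", audit(sample) or ["ok"])
```

Point the script at a real file with `audit(open("/etc/vsftpd.conf").read())`; the checks are deliberately conservative and only flag combinations that vsftpd itself requires for anonymous writes, so a finding is worth acting on rather than a false alarm.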