ProFTPD vs vsftpd, have your say.

the-joker
DD-WRT Developer/Maintainer


Joined: 31 Jul 2021
Posts: 2146
Location: All over YOUR webs

Posted: Tue Jul 12, 2022 18:09    Post subject: ProFTPD vs vsftpd, have your say.
So in a recent thread, one of our community members (who may make an entrance here) made some observations that ProFTPD should be removed and vsftpd added instead due to binary size of one vs the other.

So what are your thoughts?

Keep in mind this is an academic discussion and the only person who can make such a decision is @brainslayer and, in light of this, a case must be made, presented in facts, not opinions.

Open and respectful educated discussions to this end are welcome.

_________________
Saving your retinas from the burn!🔥
DD-WRT Inspired themes for routers
DD-WRT Inspired themes for the phpBB Forum
DD-WRT Inspired themes for the SVN Trac & FTP site
Join in for a chat @ #style_it_themes_public:matrix.org or #style_it_themes:discord

DD-WRT UI Themes Bug Reporting and Discussion thread

Router: ANus RT-AC68U E1 (recognized as C1)
mwchang
DD-WRT Guru


Joined: 26 Mar 2013
Posts: 1855
Location: Hung Hom, Hong Kong

Posted: Wed Jul 13, 2022 16:34    Post subject: Re: ProFTPD vs vsftpd, have your say.
the-joker wrote:
So in a recent thread, one of our community members (who may make an entrance here) made some observations that ProFTPD should be removed and vsftpd added instead due to binary size of one vs the other.

Experienced users could set up ProFTPd via Entware. vsFTPd's website criticizes ProFTPd for poor security. In fact "vs" does mean "Very Secure".

And Google Search mentioned PureFTPd:
https://www.google.com/search?q=vsftpd+vs+proftpd


_________________
Router: Asus RT-N18U (rev. A1)

Drink, Blink, Stretch! Live long and prosper! May the Force and farces be with you!

Facebook: https://www.facebook.com/changmanwai
Website: https://sites.google.com/site/changmw
SETI@Home profile: http://setiathome.berkeley.edu/view_profile.php?userid=211832
GitHub: https://github.com/changmw/changmw
the-joker
DD-WRT Developer/Maintainer


Joined: 31 Jul 2021
Posts: 2146
Location: All over YOUR webs

Posted: Wed Jul 13, 2022 17:02
Experienced users would compile ProFTPD rather than using some unknown maintainers and likely outdated Entware package version.

I do have vsftpd on one of my Linux boxes, but it's used for SFTP, which is the actual vs part; the FTP/FTPS implementation is just as secure as any. FXP, however, no matter vsftpd or ProFTPD, can open you up to FTP bounce attacks; it's an inherent flaw if not configured properly, locking the remote address of a control data connection to a known and private IP. Tag, you're it.

In any case, very secure depends on the user and their choice of wacky configs. Also, comparing years-old versions of the servers is moot, since then they have all had CVE fixes. The problem with ProFTPD is and always will be that it's popular and used by many, so it's obviously more of a target to hackers than others perhaps relatively and arguably more secure as it stands today. So this may be a reason to switch to lesser known, but there is no evidence either that DD-WRT's ProFTPD is a target, not that that is any reason not to switch. I am foremost for patched code against known CVEs and reducing the attack surface.

While not wanting to compare old reviews, it must be said that one more relevant review between PureFTPD (more secure then than ProFTPD and vsftpd, where vsftpd came second with the most known CVEs unpatched as shown in SHODAN, PureFTPD was the better (then at time of writing). All moot against then and now in any case, just mentioning as it was brought up since vs stands for very secure in vsftpd, no, there is no such thing, just variant degrees of what is more vs less secure.

Just because a name indicates something it doesn't make it so.

Also, if you just use it for LAN connections and not WAN then security is enhanced, especially if servers are blocked WAN access. You wouldn't wanna use just FTP on the WAN anyway, FTPS and and and... ;)

IDK what the binary size is like on regular Linux; on the DD-WRT side it is 577KB for ProFTPD, and we also have tftp at 509KB.

Just for a LoL factor (Last one Laughing) there is this unrelated article

Grab your unicorns folks.

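The FXP point in the post above comes down to whether the server lets a data connection use an address other than the control connection's peer. As an added example (not part of the thread or of DD-WRT), this script checks a vsftpd or ProFTPD config for the directives that relax that check; the sample configs are constructed, and the ProFTPD lookup is a simplification that takes the last occurrence of the directive and ignores per-VirtualHost contexts.

```shell
#!/bin/sh
# Added example: flag settings that let the data connection go to or come from
# an address other than the control connection's peer (FXP / FTP bounce).

# vsftpd.conf is strict "key=value"; the last assignment wins.
vsftpd_value() {   # FILE KEY
    awk -F= -v k="$2" '$1 == k { v = $2 } END { print toupper(v) }' "$1"
}

# proftpd.conf is "Directive value", separated by whitespace.
# Assumption: the last occurrence is used and <VirtualHost>/<Global> are ignored.
proftpd_value() {  # FILE DIRECTIVE
    awk -v k="$2" 'tolower($1) == tolower(k) { v = $2 } END { print tolower(v) }' "$1"
}

# Prints findings and returns their count (64 for an unknown server type).
audit_ftp_conf() { # vsftpd|proftpd FILE
    kind=$1 file=$2 findings=0
    case $kind in
    vsftpd)
        for key in port_promiscuous pasv_promiscuous; do
            case $(vsftpd_value "$file" "$key") in
            YES|TRUE|1)
                echo "FINDING: $key is enabled, data connections to/from foreign IPs allowed"
                findings=$((findings + 1)) ;;
            esac
        done ;;
    proftpd)
        case $(proftpd_value "$file" AllowForeignAddress) in
        ""|off|no|false|0) ;;   # unset means the default, off
        *)  echo "FINDING: AllowForeignAddress is not off, foreign data addresses allowed"
            findings=$((findings + 1)) ;;
        esac ;;
    *)  echo "unknown server type: $kind" >&2; return 64 ;;
    esac
    [ "$findings" -eq 0 ] && echo "OK: $file keeps data connections tied to the control peer"
    return "$findings"
}

# Constructed sample configs, not taken from DD-WRT or the thread.
write_samples() {  # DIR
    printf '%s\n' 'listen=YES' '# pasv_promiscuous=YES' 'port_promiscuous=YES' \
        'pasv_promiscuous=NO' > "$1/vsftpd.conf"
    printf '%s\n' 'ServerName "lab"' 'AllowForeignAddress on' > "$1/proftpd-fxp.conf"
    printf '%s\n' 'ServerName "lab"' '#AllowForeignAddress on' > "$1/proftpd-default.conf"
}

tmp=$(mktemp -d)
write_samples "$tmp"
for spec in vsftpd:vsftpd.conf proftpd:proftpd-fxp.conf proftpd:proftpd-default.conf; do
    audit_ftp_conf "${spec%%:*}" "$tmp/${spec#*:}" || :
done
rm -rf "$tmp"
```

Both servers default to the restrictive setting, so a finding means someone turned the check off on purpose, usually to make FXP work.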
Gameman Advanced Kid
DD-WRT Guru


Joined: 18 Nov 2012
Posts: 1158

Posted: Thu Jul 14, 2022 1:14
Do you have the source of where this discussion came from?

Is 128MB Flash ROM not enough? AFAIK, that is usually what the size is in most SOHO routers nowadays.

I think the question that should be asked is "what exactly is PROFTPD getting in the way of?"

_________________
For people who are new to the dd-wrt forums >> http://www.catb.org/~esr/faqs/smart-questions.html#rtfm

barryware wrote:
It takes a "community" to raise a router..


Internet Connection 1
Some Technicolor modem > Linksys WRT3200ACM

Internet connection 2
Ubiquiti Powerbeam Gen 2 > Netgear R9000

Official (but not really) dd-wrt General Discussion element/matrix chat

https://matrix.to/#/#dd-wrt-private-non-offical:matrix.org
mwchang
DD-WRT Guru


Joined: 26 Mar 2013
Posts: 1855
Location: Hung Hom, Hong Kong

Posted: Thu Jul 14, 2022 3:13
the-joker wrote:
Just for a LoL factor (Last one Laughing) there is this unrelated article

OpenWRT's Wiki quoted a different article. You could also find it via Google search.

ProFTPd should be the oldest FTP server, then PureFTPd and vsFTPD, if I remember correctly.
Quote:
Experienced users would compile ProFTPD rather than using some unknown maintainers and likely outdated Entware package version.

Compiling from source is more than just experienced users. And Entware does have a very recent ProFTPd.

Code:
/opt# opkg list | grep -i ftp | grep server
...
iputils-tftpd - 20190709-1b - Trivial File Transfer Protocol server
....
proftpd - 1.3.7c-1 - ProFTPD FTP server
pureftpd - 1.0.50-1 - Pure-FTPd is a fast, production-quality, standard-conformant FTP server, based upon Troll-FTPd.
tftpd-hpa - 5.2-1 - An enhanced version of the BSD TFTP server
vsftpd - 3.0.5-1 - Fast and secure FTP server (no TLS)
vsftpd-ext - 3.0.5-1 - A fast and secure FTP server
vsftpd-tls - 3.0.5-1 - Fast and secure FTP server (TLS)
....



mwchang
DD-WRT Guru


Joined: 26 Mar 2013
Posts: 1855
Location: Hung Hom, Hong Kong

Posted: Thu Jul 14, 2022 3:25
Gameman Advanced Kid wrote:
I think the question that should be asked is "what exactly is PROFTPD getting in the way of?"

It really depends on what DD-WRT wants to support. For very basic FTP service, both ProFTPd and vsFTPD are way too "complicated". But then, one could always lock down their settings. :)

I did spend some time with ProFTPd when I was playing with Caldera OpenLinux. That was nearly 20 years ago.


dale_gribble39
DD-WRT Guru


Joined: 11 Jun 2022
Posts: 1899

Posted: Thu Jul 14, 2022 4:13
The thread that sparked this one is "Combining/Splitting FTP speed".

First question: Do we even use the php or sql functionality in proftpd? If not, there is literally zero need for using it.

Second question: Was the choice made for ProFTPD because nothing else was available at the time? If the concern is firmware image size and we are not using 100% of ProFTPD's available features across the board, then it would make much more sense to switch based on the firmware image size savings, reliability, and security points alone.

If you look back far enough, there was never any vsftpd folder in DD-WRT code repo; ProFTPD 1.3.1 was introduced by Tornado. I guess there was never any "discussion" on what to add for FTPD services since most likely vsftpd wasn't available yet.

In regards to "who came first": wu-ftpd, then proftpd, pureftpd, then vsftpd in PC Linux distributions. Regardless of precedence, vsftpd was introduced into stock soho router firmware from the first offering of the functionality and it is written by a black hatter security specialist and DD-WRT is the only firmware not using it.

_________________
"The woods are lovely, dark and deep,
But I have promises to keep,
And miles to go before I sleep,
And miles to go before I sleep." - Robert Frost

"I am one of the noticeable ones - notice me" - Dale Frances McKenzie Bozzio

<fact>code knows no gender</fact>

This is me, knowing I've ruffled your feathers, and not giving a ****
Some people are still hard-headed.

--------------------------------------
Mac Pro (Mid 2012) - Two 2.4GHz 6-Core Intel Xeon E5645 processors 64GB 1333MHz DDR3 ECC SDRAM OpenSUSE Leap 15.5
mwchang
DD-WRT Guru


Joined: 26 Mar 2013
Posts: 1855
Location: Hung Hom, Hong Kong

Posted: Thu Jul 14, 2022 15:18
dale_gribble39 wrote:
...vsftpd was introduced into stock soho router firmware from the first offering of the functionality and it is written by a black hatter security specialist...

Hang on... better take back the last few words. Could end up as troubles for DD-WRT forum. The focus should remain on the program and its history.


the-joker
DD-WRT Developer/Maintainer


Joined: 31 Jul 2021
Posts: 2146
Location: All over YOUR webs

Posted: Thu Jul 14, 2022 16:17
As to why it was included you would have to ask Brainslayer.

My guess is the same reason why it's the most popular FTP server in use (for a long time by all sorts of companies and groups of people online) and because vsftpd came later?

vsftpd also has had plenty CVEs, like everything else no matter who writes it there is no sure shot to the moon not even when riding unicorns.

Now binary size reason, sure, compile vsftpd for dd-wrt and compare. I already posted current binary sizes and am slightly wondering why tftp is also in dd-wrt.

In the end the best thing is a patch to replace it.

mwchang
DD-WRT Guru


Joined: 26 Mar 2013
Posts: 1855
Location: Hung Hom, Hong Kong

Posted: Thu Jul 14, 2022 16:43
the-joker wrote:
vsftpd also has had plenty CVEs, like everything else no matter who writes it there is no sure shot to the moon not even when riding unicorns.

Now binary size reason, sure, compile vsftpd for dd-wrt and compare. I already posted current binary sizes and am slightly wondering why tftp is also in dd-wrt.

There is seemingly a trend to remove the old but simple FTP protocol. Recent versions of Firefox removed it in favor of HTTP, then HTTPS. You have to use an FTP client after that.

But what about uploads? Anonymous? Well... I dunno.

You could use those cloud stuffs, but you would then need a client to sync stuffs and the target server is not of your own. Well... :)

Related:

Built-in FTP implementation to be removed in Firefox 90 | Mozilla Add-ons Community Blog
https://blog.mozilla.org/addons/2021/04/15/built-in-ftp-implementation-to-be-removed-in-firefox-90/


dale_gribble39
DD-WRT Guru


Joined: 11 Jun 2022
Posts: 1899

Posted: Thu Jul 14, 2022 19:02
the-joker wrote:
As to why it was included you would have to ask Brainslayer.

A former developer/maintainer (Tornado) implemented it.
the-joker wrote:
My guess is the same reason why it's the most popular FTP server in use (for a long time by all sorts of companies and groups of people online) and because vsftpd came later?

Historically, wu-ftpd was in wide use across the board and was replaced with vsftpd on a large scale over proftpd and others to the best of my real-world knowledge. At the time, wu-ftpd could've been easily implemented and taken up less space.
the-joker wrote:
vsftpd also has had plenty CVEs, like everything else no matter who writes it there is no sure shot to the moon not even when riding unicorns.

One page total, compared to several pages for proftpd. Currently, to the best of my knowledge, all patched on both. You cannot rely on RHEL or other vendors' bugtrackers, because a lot of times, those issues are self-inflicted and not present in official vanilla releases of the package.
the-joker wrote:
Now binary size reason, sure, compile vsftpd for dd-wrt and compare. I already posted current binary sizes and am slightly wondering why tftp is also in dd-wrt.

Please do a "which tftpd" or "which tftp" via ssh or telnet. Its presence in the source tree may be a remnant from Sveasoft.
the-joker wrote:
In the end the best thing is a patch to replace it.

Agreed.

the-joker
DD-WRT Developer/Maintainer


Joined: 31 Jul 2021
Posts: 2146
Location: All over YOUR webs

Posted: Thu Jul 14, 2022 20:24
tftp is present and binary size is quite large at 509KB; if it's not used, then there should be no need to keep it.

@brainslayer is quite busy but I'll try to approach the subject of tftp.

Indeed, what CVEs were present are not now; this doesn't mean it's CVE free, no matter if it's known and disclosed or unknown. There is just no way to make any assertions about ultimate security without a definitive audit.

I agree in principle that DD-WRT should keep up and adapt to better technologies, though this is problematic due to the lack of active developers with interest and motivation to actually make meaningful contributions. Contributions require motivation and active engagement, otherwise it's all academic. It's extremely hard to engage with the community members who have the right skills, and asking for patches is easier said than done.

Nonetheless, the biggest challenge as I see it is still, to this day, that lower end devices dictate what is available to higher end devices; as far as I know this subject has largely remained unchanged, and it's not out of the realms of possibility to build and provide different binaries, less neutered, to higher end devices. It's not easy anyway given the amount of targets DD-WRT supports.

I mention this because it's unrealistic to rely on one main developer for all such changes (you can't dev and add support for new targets, bug hunt and fix and add new features, remove and cleanup all by yourself; you can, but things are missed and some parts will remain in an inconsistent state). While not the easiest thing to try and convince the man with the power to press the buttons to make things happen, I know for a fact it's not impossible, it just has to be done in a manner which is comprehensive.

I'm all for bettering the project I love and is loved by others in many ways more than one, and many hands make hard work light.

kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14125
Location: Texas, USA

Posted: Fri Jul 15, 2022 3:22
the-joker wrote:
tftp is present and binary size is quite large at 509KB; if it's not used, then there should be no need to keep it.

@brainslayer is quite busy but I'll try to approach the subject of tftp.

Let me save you the trouble with a screenshot. Had you done an ls -al /usr/bin/tftp, you would've realized it's compiled into busybox as an applet. WHY, I do not know, but the 5xx KB is the total size of the busybox binary, if I am not mistaken.



Attachment: Screenshot_2022-07-14_22-12-25.png



_________________
"Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT
Pogo - A minimal level of ability is expected and needed...
DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)

----------------------
Linux User #377467 counter.li.org / linuxcounter.net
blkt
DD-WRT Guru


Joined: 20 Jan 2019
Posts: 5660

Posted: Fri Jul 15, 2022 5:00
Whichever has the smallest minimal options install size, most likely will be vsftpd, there is also Pure-FTPd.
the-joker
DD-WRT Developer/Maintainer


Joined: 31 Jul 2021
Posts: 2146
Location: All over YOUR webs

Posted: Fri Jul 15, 2022 8:41
We need tftp but idk if we need such a big binary anyway.