Joined: 31 Jul 2021 Posts: 2146 Location: All over YOUR webs
Posted: Tue Jul 12, 2022 18:09 Post subject: ProFTPD vs vsftpd, have your say.
So in a recent thread, one of our community members (who may make an entrance here) made some observations that ProFTPD should be removed and vsftpd added instead due to binary size of one vs the other.
So what are your thoughts?
Keep in mind this is an academic discussion and the only person who can make such a decision is @brainslayer, and in light of this, a case must be made and presented in facts, not opinions.
Joined: 26 Mar 2013 Posts: 1856 Location: Hung Hom, Hong Kong
Posted: Wed Jul 13, 2022 16:34 Post subject: Re: ProFTPD vs vsftpd, have your say.
the-joker wrote:
So in a recent thread, one of our community members (who may make an entrance here) made some observations that ProFTPD should be removed and vsftpd added instead due to binary size of one vs the other.
Experienced users could set up ProFTPd via Entware. vsFTPd's website criticizes ProFTPd for poor security. In fact "vs" does mean "Very Secure".
Joined: 31 Jul 2021 Posts: 2146 Location: All over YOUR webs
Posted: Wed Jul 13, 2022 17:02 Post subject:
Experienced users would compile ProFTPD rather than using some unknown maintainer's, and likely outdated, Entware package version.
I do have vsftpd on one of my Linux boxes, but it's used for SFTP, which is the actual "vs" part; the FTP/FTPS implementation is just as secure as any. FXP, however, no matter whether vsftpd or ProFTPD, can open you up to FTP bounce attacks. It's an inherent flaw if not configured properly, locking the remote address of a control/data connection to a known and private IP; tag, you're it.
In any case, "very secure" depends on the user and their choice of wacky configs. Also, comparing years-old versions of the servers is moot, since then they have all had CVE fixes. The problem with ProFTPD is, and always will be, that it's popular and used by many, so it's obviously more of a target for hackers than others that are perhaps relatively and arguably more secure as it stands today. So this may be a reason to switch to a lesser-known one, but there is no evidence either that DD-WRT's ProFTPD is a target, not that that is any reason not to switch. I am foremost for patched code against known CVEs and reducing the attack surface.
While not wanting to compare old reviews, it must be said that in one more relevant review between PureFTPD (more secure then than ProFTPD and vsftpd), ProFTPD and vsftpd, where vsftpd came second with the most known CVEs unpatched as shown in SHODAN, PureFTPD was the better one (then, at time of writing). All moot against then and now in any case; just mentioning it as it was brought up since "vs" stands for "very secure" in vsftpd. No, there is no such thing, just varying degrees of what is more vs less secure.
Just because a name indicates something, it doesn't make it so.
Also, if you just use it for LAN connections and not WAN, then security is enhanced, especially if servers are blocked WAN access. You wouldn't wanna use just FTP on the WAN anyway; FTPS and and and...
IDK what the binary size is like on regular Linux; the DD-WRT side is 577KB for ProFTPD, and we also have tftp at 509KB.
Just for a LoL factor (Last one Laughing) there is this unrelated article
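The post above says FXP is only safe when the server refuses data connections to an address other than the control connection's peer. As an added example (not the poster's or DD-WRT's code), the script below audits that one setting in a vsftpd and a ProFTPD config. The directive names are the real ones (vsftpd `port_promiscuous`/`pasv_promiscuous`, ProFTPD `AllowForeignAddress`, all off by default); the config files it reads are constructed inline for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread: flag settings that relax the
# data-connection address check (the FTP bounce mitigation discussed above).
# Directive names are the real vsftpd/ProFTPD options; configs are constructed.

# Effective value of a vsftpd key: comments skipped, last assignment wins,
# caller-supplied default when the key is absent.
vsftpd_value() {   # $1=file $2=key $3=default
    v=$(grep -v '^[[:space:]]*#' "$1" | grep -i "^[[:space:]]*$2=" \
        | tail -n 1 | cut -d= -f2- | tr -d '[:space:]')
    printf '%s\n' "${v:-$3}"
}

# Print findings to stderr, echo the number of weak settings on stdout.
# Both keys default to NO, so only an explicit YES is a finding.
audit_vsftpd() {   # $1=vsftpd.conf
    n=0
    for key in port_promiscuous pasv_promiscuous; do
        val=$(vsftpd_value "$1" "$key" NO)
        case $val in
            [Yy][Ee][Ss])
                echo "WEAK: $key=YES in $1 (data connection may go to a third host)" >&2
                n=$((n+1)) ;;
        esac
    done
    echo "$n"
}

# Same idea for ProFTPD: "AllowForeignAddress on" disables the check.
audit_proftpd() {   # $1=proftpd.conf
    n=0
    val=$(grep -v '^[[:space:]]*#' "$1" \
        | grep -i '^[[:space:]]*AllowForeignAddress[[:space:]]' \
        | tail -n 1 | awk '{print $2}')
    case ${val:-off} in
        [Oo][Nn])
            echo "WEAK: AllowForeignAddress on in $1" >&2
            n=1 ;;
    esac
    echo "$n"
}

# Constructed sample configs (not real DD-WRT files).
CONF_DIR=$(mktemp -d)
trap 'rm -rf "$CONF_DIR"' EXIT
cat > "$CONF_DIR/vsftpd-weak.conf" <<'EOF'
# constructed: FXP-friendly but bounce-prone
listen=YES
pasv_enable=YES
port_promiscuous=YES
pasv_promiscuous=YES
EOF
cat > "$CONF_DIR/vsftpd-ok.conf" <<'EOF'
# constructed: address checks left at their defaults
listen=YES
pasv_enable=YES
port_promiscuous=NO
EOF
cat > "$CONF_DIR/proftpd-weak.conf" <<'EOF'
# constructed
ServerName "demo"
AllowForeignAddress on
EOF

for f in "$CONF_DIR/vsftpd-weak.conf" "$CONF_DIR/vsftpd-ok.conf"; do
    echo "$f: $(audit_vsftpd "$f") weak setting(s)"
done
echo "$CONF_DIR/proftpd-weak.conf: $(audit_proftpd "$CONF_DIR/proftpd-weak.conf") weak setting(s)"
```

Run it against a live `/etc/vsftpd.conf` or `proftpd.conf` by passing the path to `audit_vsftpd` or `audit_proftpd`; a count of 0 means the server only hands out data connections to the client it is already talking to.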
Joined: 26 Mar 2013 Posts: 1856 Location: Hung Hom, Hong Kong
Posted: Thu Jul 14, 2022 3:13 Post subject:
the-joker wrote:
Just for a LoL factor (Last one Laughing) there is this unrelated article
OpenWRT's Wiki quoted a different article. You could also find it via Google search.
ProFTPd should be the oldest FTP server, then PureFTPd and vsFTPD, if I remember correctly.
Quote:
Experienced users would compile ProFTPD rather than using some unknown maintainers and likely outdated Entware package version.
Compiling from source is more than just experienced users. And Entware does have a very recent ProFTPd.
Code:
/opt# opkg list | grep -i ftp | grep server
...
iputils-tftpd - 20190709-1b - Trivial File Transfer Protocol server
....
proftpd - 1.3.7c-1 - ProFTPD FTP server
pureftpd - 1.0.50-1 - Pure-FTPd is a fast, production-quality, standard-conformant FTP server, based upon Troll-FTPd.
tftpd-hpa - 5.2-1 - An enhanced version of the BSD TFTP server
vsftpd - 3.0.5-1 - Fast and secure FTP server (no TLS)
vsftpd-ext - 3.0.5-1 - A fast and secure FTP server
vsftpd-tls - 3.0.5-1 - Fast and secure FTP server (TLS)
....
_________________ Router: Asus RT-N18U (rev. A1)
Drink, Blink, Stretch! Live long and prosper! May the Force and farces be with you!
Joined: 26 Mar 2013 Posts: 1856 Location: Hung Hom, Hong Kong
Posted: Thu Jul 14, 2022 3:25 Post subject:
Gameman Advanced Kid wrote:
I think the question that should be asked is "what exactly is PROFTPD getting in the way of?"
It really depends on what DD-WRT want to support. For very basic FTP service, both ProFTPd and vsFTPD are way too "complicated". But then, one could always lock down their settings.
I did spend some time with ProFTPd when I was playing with Caldera OpenLinux. That was nearly 20 years ago.
_________________ Router: Asus RT-N18U (rev. A1)
Drink, Blink, Stretch! Live long and prosper! May the Force and farces be with you!
First question: Do we even use the php or sql functionality in proftpd? If not, there is literally zero need for using it.
Second question: Was the choice made for ProFTPD because nothing else was available at the time? If the concern is firmware image size and we are not using 100% of ProFTPD's available features across the board, then it would make much more sense to switch based on the firmware image size savings, reliability, and security points alone.
If you look back far enough, there was never any vsftpd folder in DD-WRT code repo; ProFTPD 1.3.1 was introduced by Tornado. I guess there was never any "discussion" on what to add for FTPD services since most likely vsftpd wasn't available yet.
In regards to "who came first": wu-ftpd, then proftpd, pureftpd, then vsftpd in PC Linux distributions. Regardless of precedence, vsftpd was introduced into stock soho router firmware from the first offering of the functionality and it is written by a black hatter security specialist and DD-WRT is the only firmware not using it.
_________________ "The woods are lovely, dark and deep,
But I have promises to keep,
And miles to go before I sleep,
And miles to go before I sleep." - Robert Frost
"I am one of the noticeable ones - notice me" - Dale Frances McKenzie Bozzio
Joined: 26 Mar 2013 Posts: 1856 Location: Hung Hom, Hong Kong
Posted: Thu Jul 14, 2022 15:18 Post subject:
dale_gribble39 wrote:
...vsftpd was introduced into stock soho router firmware from the first offering of the functionality and it is written by a black hatter security specialist...
Hang on... better take back the last few words. Could end up as troubles for DD-WRT forum. The focus should remain on the program and its history.
_________________ Router: Asus RT-N18U (rev. A1)
Drink, Blink, Stretch! Live long and prosper! May the Force and farces be with you!
Joined: 31 Jul 2021 Posts: 2146 Location: All over YOUR webs
Posted: Thu Jul 14, 2022 16:17 Post subject:
As to why it was included you would have to ask Brainslayer.
My guess is the same reason why it's the most popular FTP server in use (for a long time, by all sorts of companies and groups of people online), and because vsftpd came later?
vsftpd also has had plenty of CVEs; like everything else, no matter who writes it, there is no sure shot to the moon, not even when riding unicorns.
Now, the binary size reason: sure, compile vsftpd for dd-wrt and compare. I already posted current binary sizes and am slightly wondering why tftp is also in dd-wrt.
Joined: 26 Mar 2013 Posts: 1856 Location: Hung Hom, Hong Kong
Posted: Thu Jul 14, 2022 16:43 Post subject:
the-joker wrote:
vsftpd also has had plenty of CVEs; like everything else, no matter who writes it, there is no sure shot to the moon, not even when riding unicorns.
Now, the binary size reason: sure, compile vsftpd for dd-wrt and compare. I already posted current binary sizes and am slightly wondering why tftp is also in dd-wrt.
There is seemingly a trend to remove the old but simple FTP protocol. Recent versions of Firefox removed it in favor of HTTP, then HTTPS. You have to use an FTP client after that.
But what about uploads? Anonymous? Well... I dunno.
You could use that cloud stuff, but you would then need a client to sync stuff, and the target server is not your own. Well...
the-joker wrote:
As to why it was included you would have to ask Brainslayer.
A former developer/maintainer (Tornado) implemented it.
the-joker wrote:
My guess is the same reason why it's the most popular FTP server in use (for a long time, by all sorts of companies and groups of people online), and because vsftpd came later?
Historically, wu-ftpd was in wide use across the board and was replaced with vsftpd on a large scale over proftpd and others to the best of my real-world knowledge. At the time, wu-ftpd could've been easily implemented and taken up less space.
the-joker wrote:
vsftpd also has had plenty of CVEs; like everything else, no matter who writes it, there is no sure shot to the moon, not even when riding unicorns.
One page total, compared to several pages for proftpd. Currently, to the best of my knowledge, all patched on both. You cannot rely on RHEL or other vendors' bugtrackers, because a lot of times, those issues are self-inflicted and not present in official vanilla releases of the package.
the-joker wrote:
Now, the binary size reason: sure, compile vsftpd for dd-wrt and compare. I already posted current binary sizes and am slightly wondering why tftp is also in dd-wrt.
Please do a "which tftpd" or "which tftp" via ssh or telnet. Its presence in the source tree may be a remnant from Sveasoft.
the-joker wrote:
In the end the best thing is a patch to replace it.
Agreed.
_________________ "The woods are lovely, dark and deep,
But I have promises to keep,
And miles to go before I sleep,
And miles to go before I sleep." - Robert Frost
"I am one of the noticeable ones - notice me" - Dale Frances McKenzie Bozzio
Joined: 31 Jul 2021 Posts: 2146 Location: All over YOUR webs
Posted: Thu Jul 14, 2022 20:24 Post subject:
tftp is present and the binary size is quite large at 509KB; if it's not used, then there should be no need to keep it.
@brainslayer is quite busy but I'll try to approach the subject of tftp.
Indeed, what CVEs were present are not now; this doesn't mean it's CVE free, no matter if they are known and disclosed or unknown. There is just no way to make any assertions about ultimate security without a definitive audit.
I agree in principle that DD-WRT should keep up and adapt to better technologies, though this is problematic due to the lack of active developers with the interest and motivation to actually make meaningful contributions. Contributions require motivation and active engagement, otherwise it's all academic. It's extremely hard to engage with the community members who have the right skills, and asking for patches is easier said than done.
Nonetheless, the biggest challenge as I see it is still, to this day, that lower-end devices dictate what is available to higher-end devices. As far as I know this subject has largely remained unchanged, and it's not out of the realms of possibility to build and provide different, less neutered binaries to higher-end devices. It's not easy anyway, given the amount of targets DD-WRT supports.
I mention this because it's unrealistic to rely on one main developer for all such changes (you can't dev and add support for new targets, bug hunt and fix, and add new features, remove and clean up all by yourself; you can, but things are missed and some parts will remain in an inconsistent state). While it's not the easiest thing to try and convince the man with the power to press the buttons to make things happen, I know for a fact it's not impossible; it just has to be done in a manner which is comprehensive.
Joined: 08 May 2018 Posts: 14216 Location: Texas, USA
Posted: Fri Jul 15, 2022 3:22 Post subject:
the-joker wrote:
tftp is present and binary size is quite large at 509KB, if its not used, then should be no need to keep it.
@brainslayer is quite busy but I'll try to approach the subject of tftp.
Let me save you the trouble with a screenshot. Had you done an ls -al /usr/bin/tftp, you would've realized it's compiled into busybox as an applet. WHY, I do not know, but the 5xx KB is the total size of the busybox binary, if I am not mistaken.
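The two posts above settle the "509KB tftp" question by looking at where the path actually points. As an added example (not code from the thread or from DD-WRT), this script does that check in a reusable way: it resolves a command path, says whether it is a standalone binary or a symlink into BusyBox, and reports the size of the file the firmware really carries. The demo directory, fake `busybox` and fake `proftpd` are constructed; on a router you would pass real paths such as `/usr/bin/tftp` or `$(which tftpd)`.

```shell
#!/bin/sh
# Added example, not from the thread: is a command its own binary or a
# BusyBox applet, and how big is the file that counts toward the image?
# Demo files below are constructed; pass real paths on a live box.

# Follow every symlink and print the final target (readlink -f exists in
# both GNU coreutils and BusyBox).
resolve_target() {
    readlink -f "$1"
}

# Exit 0 when the path ultimately resolves to a file named "busybox".
is_busybox_applet() {
    target=$(resolve_target "$1") || return 1
    [ "$(basename "$target")" = "busybox" ]
}

# Size in bytes of the resolved file. For an applet this is the whole
# BusyBox binary, not a per-command cost.
resolved_size() {
    wc -c < "$(resolve_target "$1")" | tr -d ' '
}

# One-line summary for a command path.
describe() {
    if is_busybox_applet "$1"; then
        printf '%s -> BusyBox applet (%s bytes is the entire busybox binary)\n' \
            "$1" "$(resolved_size "$1")"
    else
        printf '%s -> standalone binary, %s bytes\n' "$1" "$(resolved_size "$1")"
    fi
}

# Constructed demo layout: a fake 4096-byte busybox with a tftp applet
# symlink, plus a fake 1024-byte standalone daemon.
BIN_DIR=$(mktemp -d)
trap 'rm -rf "$BIN_DIR"' EXIT
head -c 4096 /dev/zero > "$BIN_DIR/busybox"
ln -s busybox "$BIN_DIR/tftp"
head -c 1024 /dev/zero > "$BIN_DIR/proftpd"

for cmd in "$BIN_DIR/tftp" "$BIN_DIR/proftpd"; do
    describe "$cmd"
done
```

On a DD-WRT shell the same loop over `/usr/bin/tftp`, `/usr/sbin/proftpd` (and whatever `which tftpd` returns) tells you which entries in an `ls -l` size listing are double-counting BusyBox and which ones are real candidates for trimming the image.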