vsftpd is a secure and fast FTP server for UNIX-like systems that is used on many large and critical Internet sites. Its rich feature set includes SSL encryption, IPv6, bandwidth throttling, PAM integration, virtual users, virtual IPs and per-user / per-IP configuration.
| Tags | Internet FTP |
|---|---|
| Licenses | GPL |
| Implementation | C |
Recent releases


Release Notes: This release corrects a DoS vulnerability where an attacker permitted to login to an FTP server would be able to cause the vsftpd child processes spawned for their sessions to consume excessive amounts of CPU time (CVE-2011-0762). If the attack is carried out on a sufficient number of FTP sessions (possibly from multiple source IP addresses to exceed a possible per-source limit), the FTP service would become unavailable and other services of the system would be greatly impacted. Some other bugs with no apparent security impact have been fixed at the same time.


Release Notes: The version number was fixed. Version 2.3.1 incorrectly reported itself as version 2.3.0.


Release Notes: A silly regression introduced in 2.3.0 was fixed - the log files are no longer overwritten from the start when vsftpd is restarted.


Release Notes: A couple of regressions were fixed: port_promiscuous now works again and SSL data transfers with ASCII transforms should work reliably again. It is now possible to overwrite files partially with REST + STOR. A minimal, experimental HTTP mode was added.


Release Notes: Most notably, a regression was fixed in the built-in listener. Under heavy load, new FTP sessions could sometimes get disconnected right away. This is now fixed. If you saw "OOPS: child died" just after connecting, it was likely this bug.
Recent comments
17 Nov 2009 20:55
@markhobley: The issue described is not a "security flaw", despite various misinformation on the internet about the issue.
The whole point of the feature is to kick out the FTP client _before_ it sends a password. This idea goes way, way back and was typically used to list accounts such as "root" where you didn't want a plain text password for that account to ever go over the wire!
If you don't like the feature, don't use it. If you want to deny a given user always, after the password check, use a PAM module.
15 Nov 2009 19:56
Re: vsftpd contains a security flaw, which causes the system to skip asking for a password if the username is invalid, when the system is configured to use an explicit userlist.
A user has suggested that vsftpd-not-whitelisted users never get passed to pam, so all the pam configuration in the world won't do anything until you disable the vsftpd userlist.
I would rather not disable the username whitelisting to work around this.
Does anyone know how to fix this so that we could incorporate a configuration option as to whether or not to abort after the username is entered, or to reverse the polarity of the userlist_deny switch in this context, so that userlist_deny=NO asks for a password, but userlist_deny=YES aborts without a password?
I would be happy to make this change on a local fork (but I need some guidance on this) if the fix will not get implemented upstream. I am interested in hearing from anyone who knows their way around this code sufficiently to make the fix.
22 Jul 2009 09:23
IPv6 passive issue?
Hi,
I have an issue when a client connected through IPv6 requests a PASV session. vsftpd replies with:
227 Entering Passive Mode (0,0,0,0,xx,yy)
and subsequent connections fail because of the 0,0,0,0 IP.
Is it possible to add a 'pasv_address6' just like for IPv4?
Ionel
21 Jul 2009 20:20
By default, vsftpd contains a security flaw, which causes the system to skip asking for a password if the username is invalid, when the system is configured to use an explicit userlist.
Apparently a workaround for this is to configure pam to prompt for a password, even though the username is invalid. I am interested in hearing from anyone who knows how to reconfigure pam, to cause the system to prompt for a password, without disabling the facility to use an explicit userlist, or from anyone that can send me a patched fork of this package with the vulnerability fixed.
markhobley at yahoo dot co dot uk
18 Jul 2009 15:27
I am looking to configure pam to work around the username mining vulnerability when vsftpd is used with an explicit userlist (i.e. userlist_enable=YES and userlist_deny=NO).
Apparently the vulnerability can also be addressed by making a change to the pam configuration, so that the system asks for both a username and password before failing with an invalid login, rather than immediately failing on an invalid username. Unfortunately, to date I have not found anyone that knows how to make such a change. I am interested in hearing from anyone who knows how to fix this: markhobley at yahoo dot co dot uk.
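The behaviour argued over in this thread is observable on the wire: with userlist_enable=YES and userlist_deny=NO, vsftpd answers the USER command for a name that is not in the list with a "530 Permission denied." reply before any PASS is sent, while a listed name gets "331 Please specify the password." and is only accepted or rejected after PASS. The script below is an added example, not code from the vsftpd project or from anyone in this thread. It probes a server's reply to USER for a set of names and reports whether the replies differ, which is exactly the distinguishing signal the posts above call username mining. The host, port and the list of names are caller-supplied assumptions; the reply strings in the tests are constructed to match vsftpd's wording, but only the three-digit code is used for classification.

```python
"""Check whether an FTP server decides on a user name before asking for a password.

Added example (not part of vsftpd). It uses only the standard library's ftplib.
"""
import sys
from ftplib import FTP, error_perm, error_temp


def classify_user_reply(reply):
    """Map the server's reply to a USER command onto an outcome.

    Only the numeric code is inspected, so wording differences between
    vsftpd versions do not matter.
    """
    code = reply[:3]
    if code == "331":
        # Name accepted for now; the accept/deny decision is deferred to PASS.
        return "password_requested"
    if code == "530":
        # Decided before any password was sent: the name itself is rejected.
        return "rejected_at_USER"
    if code == "230":
        # Logged in without a password (e.g. anonymous).
        return "logged_in_without_password"
    return "other:" + code


def enumerate_outcomes(host, usernames, port=21, timeout=10):
    """Return {username: outcome} against a live server.

    One connection per name keeps the probes independent of each other and of
    vsftpd's per-session failed-login counter.
    """
    results = {}
    for name in usernames:
        with FTP() as ftp:
            ftp.connect(host, port, timeout)
            try:
                reply = ftp.sendcmd("USER " + name)
            except (error_perm, error_temp) as exc:
                # ftplib raises on 4xx/5xx; the exception text is the reply line.
                reply = str(exc)
            results[name] = classify_user_reply(reply)
    return results


def leaks_usernames(outcomes):
    """True when some names were rejected at USER while others were asked for a
    password: the server reveals which names are on its list."""
    seen = set(outcomes.values())
    return "rejected_at_USER" in seen and "password_requested" in seen


if __name__ == "__main__":
    # Usage: python probe_userlist.py ftp.example.org alice bob nosuchuser
    host = sys.argv[1]
    outcomes = enumerate_outcomes(host, sys.argv[2:])
    for name, outcome in outcomes.items():
        print(f"{name}: {outcome}")
    print("distinguishable:", leaks_usernames(outcomes))
```

Run it with one name you know is on the list and one you know is not; if the two come back as `password_requested` and `rejected_at_USER`, the server is behaving as the posts above describe. The PAM route the reply suggests is to set userlist_enable=NO and move the list into the auth stack, for instance an entry such as `auth required pam_listfile.so item=user sense=allow file=/etc/vsftpd/user_list onerr=fail` ahead of the usual `pam_unix.so` line; with `required` rather than `requisite` the rest of the stack still runs, so every USER gets 331 and the rejection only arrives after PASS. That closes the probe above, but note the trade-off the reply makes explicit: the password for a non-listed name now travels over the wire, which is what the USER-stage rejection was designed to prevent.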