Nessus tends to report false alarms and jump to incorrect conclusions when testing a NcFTPd server. To see this yourself, you could run NcFTPd in verbose mode, and look at the logs and see how NcFTPd is reacting to the tests being run by the scanner.
We have prepared a page with an example Nessus report and the corresponding NcFTPd verbose log entries, with notes about how NcFTPd is handling each test. It is advisable to compare our report with yours and let us know if your report has any additional messages which could indicate a new false alarm which should be documented in our report, or an actual vulnerability.
No, it is not. This has been
strongly considered for the Linux/x86 version of NcFTPd, but right now
the Linux/x86 package already includes three different versions which can be a
little intimidating as it is for a novice user trying to choose which NcFTPd
they need to run. If we reach a
point where we have only one Linux version in the package, then we may be able
to include a StackGuard version with it.
No. NcFTPd does not contain any encryption support for the fact that there aren’t any non-proprietary FTP clients that support it.
The FTP protocol itself is flawed in a few ways, one of which is that the username and password are sent in plaintext that could be intercepted by a packet sniffer. If you’re in a high-security environment you may want to avoid non-anonymous FTP altogether.
You can also experiment having the underlying link encrypted, so any TCP/IP traffic is encrypted at that level. For example, that’s how Virtual Private Networks and IPsec work. Still another option is to try and use the ssh package to provide secure tunnels.
The problem is that proxy
connections are a feature of the FTP protocol, and technically it is legitimate
to have one host initiate a transfer for the purpose of another host to actually
receive/send the data. So by
allowing proxy connections, there is a possibility that an attacker could steal
a data connection that was intended for another client if that client was
downloading, or replace the data if the client was uploading.
We'd love to have proxy connections disabled by default, but the last
time we tried it we got too many "bug" reports that turned out be
related to FTP proxy programs or clients behind proxy servers.
By default, NcFTPd disallows
certain types of proxy connections which NcFTPd can tell are not really
legitimate addresses. For example,
it is possible to abuse the FTP protocol to use it to connect to system services
in order to determine service availability or to abuse the service.
Therefore, NcFTPd disallows proxy connections when the port number
is less than 1024.
You can disable all proxy
connections using the allow-proxy-connections
option, if you’re willing to put up cranky users who want to use a proxy.
