
Evaluating FTP Servers: ProFTPd vs PureFTPd vs vsftpd

Usually, I will try to push clients towards using SCP (via a client such as WinSCP), however inevitably there are clients who do not understand this new method of accessing their files securely online, and who for one reason or another insist on using FTP for their online file access. As they say – the customer is always right?

Anyway, there are currently three mainstream FTP servers available via yum on CentOS 6.x: PureFTPd, ProFTPd and vsftpd. So which FTP server is the best? I will summarize each server below, or you can skip straight to the summary.

ProFTPd

ProFTPd is a modular FTP server which has been around for a long time. The large control panels (cPanel, DirectAdmin) all support ProFTPd and have for years.

The most feature-rich of the bunch is certainly ProFTPd. There are a ton of plugins available for it, and its creator modeled its configuration architecture much like Apache’s; it is also GPL-licensed.

Configuration of ProFTPd is fairly straightforward, and example configuration files abound at a quick search of Google.

ProFTPd is available on a wide variety of system architectures and operating systems.

ProFTPd Security

Of the bunch, ProFTPd has the most CVE vulnerabilities listed. The high number is most likely an indicator of ProFTPd’s widespread use, which makes it a target for attackers.

ProFTPd CVE Entries: 40
Shodan ProFTPd entries: 127

PureFTPd

PureFTPd’s mantra is ‘Security First.’ This is evident in its low number of CVE entries (see below).

Licensed under the BSD license, PureFTPd is also available on a wide-range of operating systems (but not Windows).

Configuration of PureFTPd is simple, with a no-configuration file option. Although not as widely used as ProFTPd, PureFTPd has many configuration examples listed online.

PureFTPd Security

PureFTPd’s “Security First” mantra puts it at the lead in the security department with the fewest security vulnerabilities.

PureFTPd CVE Entries: 4
Shodan Pure-FTPd Entries: 12

vsftpd

vsftpd is another GPL-licensed FTP server; the name stands for “Very Secure FTP Daemon.” It is a lightweight FTP server built with security in mind.

Its lightweight nature allows it to scale very efficiently, and many large sites (ftp.redhat.com, ftp.debian.org, ftp.freebsd.org) currently utilize vsftpd as their FTP server of choice.

vsftpd Security

vsftpd has fewer vulnerabilities listed in CVE than ProFTPd but more than PureFTPd. This could be because its name implies it is a secure FTP service, or because it is so widely used on large sites, so that it is under more scrutiny than the others.

vsftpd CVE Entries: 12
Shodan vsftpd entries: 41

Summary & FTP Server Recommendations


Considering the evaluations above, any of these servers would work in most situations; however, generally speaking:

  • If you want a server with the most flexible configuration options and external modules: ProFTPd
  • If you have just a few users and want a simple, secure FTP server: PureFTPd
  • If you want to run an FTP server at scale with many users: vsftpd

Of course, everyone’s requirements are different so make sure you evaluate the options according to your own needs.

Disagree with my assessment? Let me know why!

Memory Allocation Problems on Xen Server & Fix

Recently I started seeing this error while provisioning Xen VPSes on a server with 8GB of RAM:

[2009-03-23 15:51:40 xend.XendDomainInfo 3310] DEBUG (XendDomainInfo:1603) XendDomainInfo.destroy: domid=None
[2009-03-23 15:51:40 xend 3310] ERROR (xmlrpclib2:184) (12, 'Cannot allocate memory')

I checked the memory and, sure enough, the VPSes were using all of it. More specifically, dom0 (the main server) had ‘ballooned’ and begun to take up 3GB of RAM, which is more than the system should need:

[2009-03-22 18:03:08 xend.XendDomainInfo 3310] DEBUG (XendDomainInfo:1113) Setting memory target of domain Domain-0 (0) to 2903 MiB.
[2009-03-22 18:03:09 xend 3310] DEBUG (balloon:127) Balloon: 537840 KiB free; need 537600; done.

Basically, when memory ballooning is enabled, the memory available to dom0 (the main hypervisor domain) has a configured minimum and balloons up or down according to current requirements. This setting lives in the xend config file, which for me is /etc/xen/xend-config.sxp:

# Dom0 will balloon out when needed to free memory for domU.
# dom0-min-mem is the lowest memory level (in MB) dom0 will get down to.
# If dom0-min-mem=0, dom0 will never balloon out.
(dom0-min-mem 256)

I changed this line to:

(dom0-min-mem 0)

I also modified grub to set an absolute amount of memory to dom0:

title CentOS (2.6.18-92.1.22.el5xen)
root (hd0,0)
kernel /xen.gz-2.6.18-92.1.22.el5 dom0_mem=1536M
module /vmlinuz-2.6.18-92.1.22.el5xen ro root=/dev/vg_root/lv_root
module /initrd-2.6.18-92.1.22.el5xen.img

The dom0_mem value fixes dom0’s memory at boot time; it goes on the kernel (hypervisor) line. Make sure it is large enough to handle system tasks; 1.5G seems to be good for me right now.

Reboot the server to set the memory for dom0.
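To confirm that a host has actually been moved from ballooning to a pinned dom0, here is an added example (my own shell script, not part of the original post) that reads the two settings changed above from an xend-config.sxp and a grub.conf. The file paths are parameters, and the sample files it runs against are constructed inline to mirror the before/after states in this post, so it runs offline; on a live Xen host you would point it at /etc/xen/xend-config.sxp and at your grub.conf (assumed here to be /boot/grub/grub.conf).

```shell
#!/bin/sh
# Added example, not from the original post: audit the two dom0 memory
# settings the post changes, so a host that still balloons can be told
# apart from one where dom0 is pinned.
#   1. (dom0-min-mem N) in xend-config.sxp; 0 means dom0 never balloons out.
#   2. dom0_mem=... on the "kernel /xen..." line of grub.conf, which fixes
#      dom0's size at boot.
# Both functions take file paths, so they run here against constructed
# sample files rather than the live /etc/xen and /boot/grub (assumed paths).

# Print the dom0-min-mem value from an xend-config.sxp ('#' comments ignored).
xend_dom0_min_mem() {
    sed -n 's/^[[:space:]]*(dom0-min-mem[[:space:]][[:space:]]*\([0-9][0-9]*\)).*/\1/p' "$1" \
        | head -n 1
}

# Print the dom0_mem= value from the first hypervisor kernel line of a
# grub.conf, or nothing if dom0 memory is not pinned there.
grub_dom0_mem() {
    grep '^[[:space:]]*kernel[[:space:]]' "$1" | grep '/xen' | head -n 1 \
        | sed -n 's/.*dom0_mem=\([0-9][0-9]*[MmGg]*\).*/\1/p'
}

# Succeed (exit 0) only when ballooning is disabled AND a boot-time size is
# set; either setting alone still lets dom0 grow or shrink unexpectedly.
dom0_memory_pinned() {
    _min=$(xend_dom0_min_mem "$1")
    _mem=$(grub_dom0_mem "$2")
    [ "$_min" = "0" ] && [ -n "$_mem" ]
}

# One-line verdict for an xend-config.sxp / grub.conf pair.
report() {
    _m=$(xend_dom0_min_mem "$1")
    _g=$(grub_dom0_mem "$2")
    if dom0_memory_pinned "$1" "$2"; then _v=PINNED; else _v=BALLOONING; fi
    echo "$_v: dom0-min-mem=${_m:-unset} dom0_mem=${_g:-unset}"
}

# Constructed sample files reproducing the post's "before" and "after" states.
make_samples() {
    _d=$(mktemp -d)
    cat > "$_d/xend-before.sxp" <<'EOF'
# dom0-min-mem is the lowest memory level (in MB) dom0 will get down to.
(dom0-min-mem 256)
EOF
    cat > "$_d/xend-after.sxp" <<'EOF'
# If dom0-min-mem=0, dom0 will never balloon out.
(dom0-min-mem 0)
EOF
    cat > "$_d/grub-before.conf" <<'EOF'
title CentOS (2.6.18-92.1.22.el5xen)
root (hd0,0)
kernel /xen.gz-2.6.18-92.1.22.el5
module /vmlinuz-2.6.18-92.1.22.el5xen ro root=/dev/vg_root/lv_root
EOF
    cat > "$_d/grub-after.conf" <<'EOF'
title CentOS (2.6.18-92.1.22.el5xen)
root (hd0,0)
kernel /xen.gz-2.6.18-92.1.22.el5 dom0_mem=1536M
module /vmlinuz-2.6.18-92.1.22.el5xen ro root=/dev/vg_root/lv_root
EOF
    echo "$_d"
}

SAMPLES=$(make_samples)
report "$SAMPLES/xend-before.sxp" "$SAMPLES/grub-before.conf"  # BALLOONING: dom0-min-mem=256 dom0_mem=unset
report "$SAMPLES/xend-after.sxp"  "$SAMPLES/grub-after.conf"   # PINNED: dom0-min-mem=0 dom0_mem=1536M
rm -rf "$SAMPLES"
```

The check insists on both settings because they act at different times: dom0-min-mem only tells xend how far it may shrink dom0, while dom0_mem on the hypervisor line is what stops dom0 from claiming the whole 8GB at boot in the first place.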

You could also set the memory usage for dom0 temporarily with the ‘xm mem-set’ command, which takes the domain name and the new size in MB:

Usage: xm mem-set <Domain> <Mem>

This change does not survive a reboot. Good luck!