IoFTP product inquiries


OngL
07-19-2005, 10:36 PM
I'm a huge fan of FlashFXP and wouldn't think of converting to anything else. As for FTP Server, I've been using Serv-U as my favorite. Now that there is an alternative of IoFTP, I'd like to find out how this can replace Serv-U.

In terms of functionality, are there any features that are present in Serv-U but not yet covered in IoFTP, and vice versa? And is there any comparison of both? There is a statement that it is better than other FTP servers, but I couldn't find any detailed comparison.

As for the upgrade policy, it is different than FlashFXP's, which is free only for minor versions. So if I purchase now, can I get v1.0 for free? Also, what are the charges to upgrade to the next major version?

Lastly, is there any special deal for personal users like me who already own and support FlashFXP?

Linkster
07-20-2005, 12:07 PM
I'll let a few of the ioftpd power users answer the functionality question. The upgrade policy is really meant to take effect with 1.0. ALL current and new ioftpd users will of course get 1.x for free. We are still working out the licensing details, but I can tell you that purchasing before 1.0 will be to your benefit :). We are also working on the shopping cart so that all registered users will get a discount on our other products. More on that to come.

OngL
07-25-2005, 12:35 AM
Will anyone share their experiences with IoFTP especially those converts from Serv-U? It's been a while but no one has shared their views as Linkster mentioned.

Harm
07-25-2005, 02:39 AM
I'm not using Serv-U so I don't really know what its features are nowadays. I've browsed their website and found a comparison table (http://www.serv-u.com/comparison.asp) with other ftp daemons. I'll then use this one as a basis to compare Serv-U and ioFTPD's features. Please note that this is only valid for ioFTPD 5.8.4u/5.8.5r. A lot of things are going to change (read: be improved) with the upcoming ioFTPD 1.0.


| Feature | Serv-U Standard | ioFTPD 5.8.5r |
|---|---|---|
| General | | |
| SSL/TLS Secure-FTP | Optional | Yes (1) |
| S/Key one-time passwords | Yes | No |
| System Service | Yes | No (2) |
| Log Rotation | Yes | No (3) |
| Client / Server Chat | Yes | No |
| Dynamic DNS Integration | Yes | No |
| File Control | | |
| Open Architecture | Yes | Yes (4) |
| Resuming Interrupted Transfers | Yes | Yes (5) |
| Data Compression | Yes | No (6) |
| File Integrity Checking | Yes | Yes (7) |
| Access Control | | |
| Temporary User Accounts | Yes | No |
| Block Site-To-Site Transfers (FXP) | Yes | Yes (8) |
| Virtual Directories | Yes | Yes (9) |
| User Ratios | Yes | Yes (10) |
| IP Access Rules | Yes | Yes (11) |
| Limiting Connections per IP | Yes | Yes (12) |
| Banned File Types | Yes | Yes (13) |
| User Bandwidth Control | Yes | Yes (14) |
| User Quotas | Yes | No (15) |
| Concurrent Users | 25 | Virtually Unlimited (16) |
| Max User Accounts | 100 | 1024 (17) |
| Support | | |
| Free E-mail Support | Yes | Yes (18) |
| Author moderated discussion list | Yes | No |
| IRC Channel | ? | Yes (19) |
| Pricing | | |
| Price | $49.95 | $15 (20) |
| Product Maturity | 10 Years | |

Notes:
(1) There are still a few limitations to SSL/TLS FXP. This will not be the case with ioFTPD 1.0.
(2) ioFTPD 1.0 will run as a native Windows service. At the moment, a few wrappers are able to run ioFTPD as a service.
(3) This is not hardcoded but can be scripted. A few scripts are already available for this.
(4) ioFTPD supports modules and version 1.0 will even support customisable user/group databases.
(5) Using REST or APPE
(6) This has to be MODE Z. I don't know if support for this is coming in the future.
(7) ioFTPD computes the crc32 value of the uploaded file. Scripts (known as zipscripts) can then use this value to check the file integrity. Those scripts could also check other kinds of checksums (like md5) easily.
(8) FXP blocking is a per account setting. You can choose if you want to block FXP upload, FXP download or both.
(9) http://www.inicom.net/pages/en.ioftpd-documentation.php?s=3
(10) 10 different stats/ratio sections are supported. Scripts can also enforce quotas.
(11) You can define the IP access rules globally and/or per account.
(12) You can define the maximum concurrent connections per IP and per account.
(13) This can be done using ioFTPD's internal "Upload" rules or a script.
(14) You can define these per FTP service and per client.
(15) Scripts can enforce quotas easily. A few are already available.
(16) That has always been my thought. darkone might correct me on this one.
(17) This limit might change with ioFTPD 1.0.
(18) support@inicom.net
(19) #ioFTPD @ EFNet
(20) https://secure.inicom.net/store/home.php?cat=28


As you can see, ioFTPD's scripting abilities allow nearly anything.
I don't know of any application that can convert the user database from Serv-U's format to ioFTPD's.

darkone or iniCom's staff might want to complete/correct this list.
Feel free to ask if you want more details.
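
Added example, not part of the original post and not ioFTPD's or any zipscript's own code: a sketch of the integrity check described in note (7), where the CRC32 computed for each upload is compared against a manifest. The SFV-style manifest format, the file names and the function names are assumptions made for the illustration.

```python
import zlib

# Constructed sample: an SFV-style manifest (assumed format: "<name> <crc32 hex>",
# ';' starts a comment) and the bytes received for each upload.
SAMPLE_SFV = """\
; constructed manifest for the example
part1.bin CBF43926
part2.bin 3610A686
part3.bin 0BADF00D
"""
SAMPLE_UPLOADS = {
    "part1.bin": b"123456789",  # intact
    "part2.bin": b"hellp",      # one byte differs from the original b"hello"
}                               # part3.bin never arrived


def parse_sfv(text):
    """Return {filename: expected_crc32} from SFV-style text."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.rsplit(None, 1)  # the CRC is the last token; names may contain spaces
        if len(parts) != 2:
            continue
        try:
            expected[parts[0]] = int(parts[1], 16)
        except ValueError:
            continue  # malformed CRC field, skip the line
    return expected


def crc32_of(data, chunk_size=65536):
    """CRC32 computed chunk by chunk, as a server would while receiving."""
    crc = 0
    for offset in range(0, len(data), chunk_size):
        crc = zlib.crc32(data[offset:offset + chunk_size], crc)
    return crc & 0xFFFFFFFF


def check_uploads(sfv_text, uploads):
    """Classify every file named in the manifest as ok, bad or missing."""
    report = {}
    for name, want in parse_sfv(sfv_text).items():
        if name not in uploads:
            report[name] = "missing"
        elif crc32_of(uploads[name]) == want:
            report[name] = "ok"
        else:
            report[name] = "bad"
    return report
```

CRC32 only catches transfer corruption; a script that needs tamper resistance would compare a cryptographic hash in the same structure.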

ADDiCT
07-25-2005, 02:48 AM
My personal view: Serv-U is a nice, easy to setup and feature-rich ftp daemon, with some drawbacks:
- I've seen quite a few remote exploits that will either crash the server or allow an attacker to run code, ioFTPD never had any known exploit
- extending Serv-U is only possible with a DLL, limiting programming languages to a strict set (although FtpServerTools has written some good DLLs that allow executing any kind of script)
- last time I checked, it is a single-threaded server, and if someone performed a recursive dirlisting, the server hangs for all connected clients (this may be fixed by now)
- no internal virtual file system to keep track which user uploaded what file (all users/groups show up in the directory listings as "user" and "group")

The only things that I miss in ioFTPD that Serv-U has: hiding files (with patterns like *\desktop.ini or ?:\Recycler\)

As a dedicated server machine, ioFTPD is the way to go. If you run a server in the background on a LAN party or so, Serv-U might be faster to set up and easier to keep track of what users are doing.

neoxed
07-25-2005, 03:54 AM
"I've seen quite a few remote exploits that will either crash the server or allow an attacker to run code, ioFTPD never had any known exploit"
Just to be picky, I wouldn't consider this a valid point. :)

Serv-U has a substantially larger user base and is quite well known (obviously ;), I hope I haven’t lost your attention already). Greater product exposure tends to yield a larger exploit turnover. ioFTPD has had plenty of possible exploits, but no one took the opportunity to write a proof-of-concept and publish it (to my knowledge anyway). More than likely because ioFTPD is still a beta product and people with the expertise have never heard of ioFTPD. (Count the number of times that buffer/stack overflow is mentioned in ioFTPD's change-log, though this does not mean all were exploitable.) Nevertheless, we are all beta testers, testing an unfinished product, so it is something we have come to accept. :)

One thing Serv-U does have is a steady release cycle and quick response to published exploits. Which I’m sure will change once ioFTPD reaches a final state. There are several possible exploitable situations in the current version of ioFTPD (Beta-5.8.5). However, there are reasonable workarounds.

- Ability to crash the daemon remotely by using the ‘SITE CHOWN user:group’ command without the directory argument. By default, this command is only available to administrators, so its threat is minimal. To work around this issue, the command can be completely restricted so users are unable to access it (chown = !*). http://www.inicom.net/forum/showthread.php?t=13133

- A specially crafted .ioFTPD file *could* be dropped in the site directory to achieve local privilege escalation (assuming ioFTPD is running as a privileged user). This could only occur locally, since ioFTPD forbids the uploading of .ioFTPD files. To work around this issue, run ioFTPD as an unprivileged user and restrict access to your "ioFTPD\site" directory (or similar). http://www.inicom.net/forum/showthread.php?t=13369

Just my two cents. ;)

Mr_X
07-25-2005, 10:29 AM
ioFTPD could help in finding out existing logins:
Try to log in with a nonexistent login and anything as the password, and you'll get disconnected at USER.
If you try an existing login but a bad password, you'll get disconnected after PASS.

But it's limited because of the anti-hammering protection
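
Added example, not part of the original post and not ioFTPD code: a model of the login flow described above beside a hardened one that makes an unknown name and a wrong password indistinguishable. The account store, function names and reply strings are assumptions for the illustration.

```python
import hashlib
import hmac
import os


def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


class Accounts:
    """Constructed in-memory user store (hypothetical, not ioFTPD's format)."""

    def __init__(self, users):
        self._db = {}
        for name, password in users.items():
            salt = os.urandom(16)
            self._db[name] = (salt, _digest(password, salt))
        # Decoy record: unknown names cost the same hashing work as real ones.
        self._decoy = (os.urandom(16), os.urandom(32))

    def exists(self, name):
        return name in self._db

    def verify(self, name, password):
        salt, want = self._db.get(name, self._decoy)
        match = hmac.compare_digest(_digest(password, salt), want)
        return match and name in self._db


# Reply codes are the standard FTP ones (331 need password, 230 logged in,
# 530 not logged in); the post does not say which reply ioFTPD sends.
def leaky_login(accounts, user, password):
    """Behaviour described in the post: unknown names are dropped at USER."""
    if not accounts.exists(user):
        return ["USER: 530 + close"]
    if not accounts.verify(user, password):
        return ["USER: 331", "PASS: 530 + close"]
    return ["USER: 331", "PASS: 230"]


def uniform_login(accounts, user, password):
    """Hardened: always ask for PASS, then fail identically in both cases."""
    if accounts.verify(user, password):
        return ["USER: 331", "PASS: 230"]
    return ["USER: 331", "PASS: 530 + close"]


ACCOUNTS = Accounts({"alice": "correct horse"})  # constructed sample account

if __name__ == "__main__":
    for login in (leaky_login, uniform_login):
        print(login.__name__,
              login(ACCOUNTS, "nobody", "x"),
              login(ACCOUNTS, "alice", "x"))
```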