Go Back   FlashFXP Forums > > > >

ioFTPD General New releases, comments, questions regarding the latest version of ioFTPD.

Reply
 
Thread Tools Rate Thread Display Modes
Old 07-19-2005, 10:36 PM   #1
OngL
Member
FlashFXP Beta Tester
 
Join Date: Aug 2004
Posts: 51
Default IoFTP product inquiries

I'm a huge fans of FlashFXP and wouldn't think of converting to anything else. As for FTP Server, I've been suing Serv-U as my favorite. Now that there is an alternative of IoFTP, I'd like to find out how this can replace Serv-U.

In term of functionality is there any features that present in Serv-U but not covered yet in IoFTP and vice versa? and Is there any comparison of both? There is statement that it is better than other FTP server, but I couldn't find any detailed comparison.

As for upgrade policy, it is different han flashfxp that free only for minor version. So if I purchase now, can I get v1.0 for free? Also what is the charges to upgrade to next level of major version?

Lastly any special deal for personal user like me that already own and support FlashFXP ?
OngL is offline   Reply With Quote
Old 07-20-2005, 12:07 PM   #2
Linkster
Moderator
Administrator
 
Join Date: Oct 2001
Location: New Mexico, USA
Posts: 1,070
Default

I'll let a few of the ioftpd power users answer the functionality question. The upgrade policy is really meant to take affect with 1.0. ALL current and new ioftpd users will of course get 1.x for free. We are still working out the licensing details, but I can tell you that purchasing before 1.0 will be to your benefit . We are also working on the shopping cart so that all registered users will get a discount on our other products. More on that to come.
Linkster is offline   Reply With Quote
Old 07-25-2005, 12:35 AM   #3
OngL
Member
FlashFXP Beta Tester
 
Join Date: Aug 2004
Posts: 51
Default

Will anyone share their experiences with IoFTP especially those converts from Serv-U? It's been a while but no one has shared their views as Linkster mentioned.
OngL is offline   Reply With Quote
Old 07-25-2005, 02:39 AM   #4
Harm
Too much time...
Ultimate Scripter
 
Join Date: Jul 2003
Posts: 1,430
Default

I'm not using Serv-U so I don't really know what its features are nowadays. I've browsed their website and found a comparison table with other ftp daemons. I'll then use this one as a basis to compare Serv-U and ioFTPD's features. Please note that this is only valid for ioFTPD 5.8.4u/5.8.5r. Alot of things are going to change (read: be improved) with the upcoming ioFTPD 1.0.

Code:
					Serv-U Standard			ioFTPD 5.8.5r
Général
SSL/TLS Secure-FTP			Optional			Yes (1)
S/Key one-time passwords		Yes				No
System Service				Yes				No (2)
Log Rotation				Yes				No (3)
Client / Server Chat			Yes				No
Dynamic DNS Integration			Yes				No
File Control
Open Architecture			Yes				Yes (4)
Resuming Interupted Transfers		Yes				Yes (5)
Data Compression			Yes				No (6)
File Integrity Checking			Yes				Yes (7)
Access Control
Temporay User Accounts			Yes				No
Block Site-To-Site Transfers (FXP)	Yes				Yes (8)
Virtual Directories			Yes				Yes (9)
User Ratios				Yes				Yes (10)
IP Access Rules				Yes				Yes (11)
Limiting Connections per IP		Yes				Yes (12)
Banned File Types			Yes				Yes (13)
User Bandwidth Control			Yes				Yes (14)
User Quotas				Yes				No (15)
Concurrent Users			25				Virtually Unlimited (16)
Max User Accounts			100				1024 (17)
Support
Free E-mail Support			Yes				Yes (18)
Author moderated discussion list	Yes				No
IRC Channel				?				Yes (19)
Pricing
Price					$49.95				$15 (20)
Product Maturity			10 Years
Notes:
(1) There are a still a few limitations to SSL/TLS FXP. This will not be the case with ioFTPD 1.0.
(2) ioFTPD 1.0 will run as a native windows service. At the moment, a few wrappers are able to run ioFTPD as a service.
(3) This is not hardcoded but can be scripted. A few scripts are already available for this.
(4) ioFTPD supports modules and version 1.0 will even support customisable user/group databases.
(5) Using REST or APPE
(6) This has to be MODE Z. I don't know if support for this is coming in the future.
(7) ioFTPD computes the crc32 value of the uploaded file. Scripts (known as zipscripts) can then use this value to check the file integrity. Those scripts could also check other kinds of checksums (like md5) easily.
(8) FXP blocking is a per account setting. You can choose if you want to block FXP upload, FXP download or both.
(9) http://www.inicom.net/pages/en.ioftp...tation.php?s=3
(10) 10 differents stats/ratio sections are supported. Scripts can also enforce quotas.
(11) You can define the IP access rules globally and/or per account.
(12) You can define the maximum concurrent connections per IP and per account.
(13) This can be done using ioFTPD's internal "Upload" rules or a script.
(14) You can define these per FTP service and per client.
(15) Scripts can enforce quotas easily. A few are already available.
(16) That has always been my thought. darkone might correct me on this one.
(17) This limit might change with ioFTPD 1.0.
(18) support@inicom.net
(19) #ioFTPD @ EFNet
(20) https://secure.inicom.net/store/home.php?cat=28


As you can see, ioFTPD's scripting abilities allow nearly anything.
I don't know any application that can convert the user database from Serv-U's format to ioFTPD's.

darkone or iniCom's staff might want to complete/correct this list.
Feel free to ask if you want more details.
Harm is offline   Reply With Quote
Old 07-25-2005, 02:48 AM   #5
ADDiCT
Senior Member
FlashFXP Beta Tester
ioFTPD Scripter
 
Join Date: Aug 2003
Posts: 517
Default

My personal view: Serv-U is a nice, easy to setup and feature-rich ftp daemon, with some drawbacks:
- i've seen quite a few remote exploits that will either crash the server or allow an attacker to run code, ioFTPD never had any known exploit
- extending servu is only possible with a DLL, limiting programming languages to a strict set (although FtpServerTools has written some good DLL's that allow executing any kind of script)
- last time i checked, it is a singlethreaded server, and if someone performed a recursive dirlisting, the server hangs for all connected clients (this may be fixed by now)
- no internal virtual file system to keep track which user uploaded what file (all users/groups show up in the directory listings as "user" and "group")

The only things that I miss in ioFTPD that Serv-U has: hiding files (with patterns like *\desktop.ini or ?:\Recycler\)

As a dedicated server machine, ioFTPD is the way to go. If u run a server in the background on a lanparty or so, Serv-U might be faster to set up and easier to keep track of what users are doing.
ADDiCT is offline   Reply With Quote
Old 07-25-2005, 03:54 AM   #6
neoxed
Too much time...
FlashFXP Beta Tester
ioFTPD Scripter
 
Join Date: May 2003
Posts: 1,326
Default

Quote:
Originally Posted by ADDiCT
- i've seen quite a few remote exploits that will either crash the server or allow an attacker to run code, ioFTPD never had any known exploit
Just to be picky, I wouldn't consider this a valid point.

Serv-U has a substantially larger user base and is quite well known (obviously , I hope I haven’t lost your attention already). Greater product exposure tends to yield a larger exploit turn over. ioFTPD has had plenty of possible exploits, but no one took the opportunity to write a proof-of-concept and publish it (to my knowledge anyway). More than likely because ioFTPD is still a beta product and people with the expertise have never heard of ioFTPD. (Count the number of times that buffer/stack overflow is mentioned in ioFTPD's change-log, though this does not mean all were exploitable.) Nevertheless, we are all beta testers, testing an unfinished product, so it is something we have come to accept.

One thing Serv-U does have is a steady release cycle and quick response to published exploits. Which I’m sure will change once ioFTPD reaches a final state. There are several possible exploitable situations in the current version of ioFTPD (Beta-5.8.5). However, there are reasonable workarounds.

- Ability to crash the daemon remotely by using the ‘SITE CHOWN user:group’ command without the directory argument. By default, this command is only available to administrators, so its threat is minimal. To workaround this issue, the command can be completely restricted so users are unable to access it (chown = !*). http://www.inicom.net/forum/showthread.php?t=13133

- A specially crafted .ioFTPD file *could* be and dropped in the site directory to achieve local privilege escalation (assuming ioFTPD is running as a privileged user). This could only occur locally, since ioFTPD forbids the uploading of .ioFTPD files. To workaround this issue, run ioFTPD as a unprivileged user and restrict access to your "ioFTPD\site" directory (or similar). http://www.inicom.net/forum/showthread.php?t=13369

Just my two cents.
neoxed is offline   Reply With Quote
Old 07-25-2005, 10:29 AM   #7
Mr_X
Senior Member
FlashFXP Registered User
ioFTPD Foundation User
 
Join Date: Sep 2003
Posts: 142
Default

ioFTPD could help knowing existing logins:
Try to login with a inexistant login and whatever for password, you'll get disconnected at USER.
If you try an existing login but bad password, you'll get disconnected closed after PASS.

But it's limited because of anti-hammering protection
Mr_X is offline   Reply With Quote
Reply

Tags
flashfxp, free, ftp, ioftp, serv-u

Thread Tools
Display Modes Rate This Thread
Rate This Thread:

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT -5. The time now is 03:08 PM.

Parts of this site powered by vBulletin Mods & Addons from DragonByte Technologies Ltd. (Details)