In order to offer anonymous ftp services we are using WU FTPD. The box
happens to be a LINUX box, but I can see using it on an HP-UX host
too... I've heard it should be more secure than most vendor supplied
Anyway, I was wondering if it's a good idea that the default behavior
of 'wuftpd' tells EXACTLY what version the ftpd server is (down to the
beta) when anyone connects to the server. This seems to me like giving
someone more information than they need (unless it's required by an
RFC or something.) Suppose you've neglected the server for a while and
it turns out there is a well known bug in your particular version....
the information is offered to everyone right upon connection.
So I discovered a simple fix to remove ALL the version information by
replacing it with an empty string -- now when I compile the program, the
file vers.c contains only the line:
char version[] = "";
Are there any drawbacks to doing this, does it open up other
problems?? Maybe it's trivial because there is some other way for an
outsider to get the server version??
Thanks for any thoughts,
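
An added example, not part of the original post and not wu-ftpd code: a small offline check an administrator could run over a captured 220 greeting from their own server to confirm that a rebuild like the one described above no longer discloses a version string. The sample greetings, the name "exampled", and the version-matching heuristic are constructed assumptions; the multi-line reply handling follows RFC 959.

```python
import re

# Heuristic (assumption): an optional "name-" prefix, then dotted digits
# such as 1.2 or 1.2.3, then an optional suffix such as -beta4.
VERSION_RE = re.compile(r"(?<![\w.])(?:[A-Za-z][A-Za-z-]*-)?\d+(?:\.\d+)+[\w-]*")


def parse_greeting(raw: bytes):
    """Return (code, text) for the first FTP reply in raw (RFC 959 framing)."""
    lines = raw.decode("latin-1").splitlines()
    if not lines or not re.match(r"\d{3}[ -]", lines[0]):
        raise ValueError("not an FTP reply")
    code = lines[0][:3]
    if lines[0][3] == " ":                  # single-line reply
        return code, lines[0][4:]
    text = [lines[0][4:]]                   # "220-" opens a multi-line reply
    for line in lines[1:]:
        if line.startswith(code + " "):     # "220 " closes it
            text.append(line[4:])
            return code, "\n".join(text)
        # Intermediate lines may or may not repeat the "220-" prefix.
        text.append(line[4:] if line.startswith(code + "-") else line)
    raise ValueError("unterminated multi-line reply")


def audit(raw: bytes):
    """Report the reply code and any version-like tokens in the greeting."""
    code, text = parse_greeting(raw)
    return {"code": code, "leaks": VERSION_RE.findall(text)}


# Constructed sample greetings (not captured from any real server).
BEFORE = b"220 ftp.example.org FTP server (Version exampled-1.2.3-beta4) ready.\r\n"
AFTER = b"220 ftp.example.org FTP server () ready.\r\n"
MULTI = (b"220-Welcome to ftp2.example.org\r\n"
         b"220-Mirror of public files\r\n"
         b"220 exampled 4.5 ready.\r\n")

if __name__ == "__main__":
    for name, raw in (("before", BEFORE), ("after", AFTER), ("multi", MULTI)):
        print(name, audit(raw))
```

The check only covers the connection greeting; it says nothing about other replies the server may send later in a session.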