Old 04-29-2007, 03:53 AM  
Yil
Too much time...
 
Join Date: May 2005
Posts: 1,194
No Stealth, just rejection!

Bad news on #10: Stealth ftp server for non-recognized IPs.

I redid a whole bunch of stuff to try to stealth the port, but I guess my documentation was out of date. Seems MS changed the behavior of WSAAccept with XP SP2 to always do the preliminary TCP handshake to avoid denial of service attacks, and therefore FTP clients will still see the connected message. My docs suggested this was a potential issue and to be careful with using the option, but not that they had forced the option to be utterly meaningless... GRRR

So ioFTPD will do what everybody else is being forced to do and accept the connection and then immediately close it without sending anything...

The good news, of course, is the server now has an option to reject connections unless the IP/hostname is listed for at least one user. It just can't completely stealth the port for unknown IPs.

I've also added a command "site findip" that will return users who match a specific IP address or hostname and what hostmask of theirs matched.

Thus "site findip 127.0.0.1" will return things like:
ioFTPD: 127.0.0.1
test1: *

This is especially useful to find poorly configured users. In the above case test1 is going to make the new reject IP option useless since it's got * for allowed hosts. At least now you can find them without searching each user...
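An added example illustrating the two points of the post above (it is not ioFTPD code and does not come from the post's author): a "findip"-style lookup over a constructed user database that reports which user and which hostmask matched, flags users whose only mask is a bare wildcard, and a tiny accept handler showing the fallback the post describes, where the TCP handshake has already completed by the time the server sees the peer address, so an unknown peer can only be closed without a banner. Assumptions not taken from the post: users are a dict of name to list of hostmasks, a hostmask is a shell-style wildcard pattern tested against the peer IP and, if given, its hostname; ioFTPD's real ident@host mask syntax is not modelled.

```python
"""Added example, not ioFTPD code. Assumed data model: users map to a list of
hostmasks; a hostmask is an fnmatch-style wildcard pattern ("*" matches all).
"""
import fnmatch
import socket
import threading

# Constructed sample user database, modelled on the "site findip" output in the post.
USERS = {
    "ioFTPD": ["127.0.0.1", "10.0.0.*"],
    "test1": ["*"],              # wildcard-only: makes a reject-unknown-IP option useless
    "alice": ["*.example.org"],
}

WILDCARD_ONLY = {"*", "*@*"}   # masks that admit every peer (assumed notation)
BANNER = b"220 FTP server ready\r\n"


def mask_matches(mask, ip, hostname=None):
    """True if the mask matches the peer IP or (when resolved) its hostname."""
    if fnmatch.fnmatchcase(ip, mask):
        return True
    return hostname is not None and fnmatch.fnmatchcase(hostname, mask)


def find_ip(users, ip, hostname=None):
    """'site findip' equivalent: (user, first matching mask) for every user that matches."""
    hits = []
    for user, masks in users.items():
        for mask in masks:
            if mask_matches(mask, ip, hostname):
                hits.append((user, mask))
                break
    return hits


def wildcard_users(users):
    """Users whose hostmask list contains a bare wildcard: the poorly configured ones."""
    return sorted(u for u, masks in users.items() if any(m in WILDCARD_ONLY for m in masks))


def is_known(users, ip, hostname=None):
    return bool(find_ip(users, ip, hostname))


def handle_connection(conn, peer_ip, users):
    """Runs after accept(): the kernel has already completed the handshake, so the
    port cannot be stealthed here. For an unknown peer the best available option
    is to close without sending a byte; the client sees 'connected' then EOF.
    Returns True if the banner was sent."""
    try:
        if not is_known(users, peer_ip):
            return False
        conn.sendall(BANNER)
        return True
    finally:
        conn.close()


def demo(users):
    """One-shot loopback listener; returns the bytes a connecting client reads
    (b"" means the server accepted and closed immediately without a banner)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, addr = srv.accept()
        handle_connection(conn, addr[0], users)
        srv.close()

    t = threading.Thread(target=serve)
    t.start()
    cli = socket.create_connection(("127.0.0.1", port))  # succeeds either way
    data = cli.recv(1024)
    cli.close()
    t.join()
    return data


if __name__ == "__main__":
    print(find_ip(USERS, "127.0.0.1"))           # ioFTPD via 127.0.0.1, test1 via *
    print("wildcard-only users:", wildcard_users(USERS))
    print("known peer reads:", demo(USERS))
    print("unknown peer reads:", demo({"alice": ["*.example.org"]}))
```

The loopback demo is the behaviour the post complains about: `create_connection` returns successfully for the unknown peer because the handshake is done before the application ever sees the address; only the missing banner tells the client apart from a real server. The `wildcard_users` check is the quick way to find the `test1`-style accounts that would let anyone through a reject-unknown-IP option.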