View Single Post
Old 02-03-2013, 12:48 PM  
Too much time...
Join Date: May 2005
Posts: 1,194

Hey! Somebody using the knock feature! I wrote that a long time ago and nobody ever used it, but here are a few things you should know...

1) The knock feature ONLY allows you a way to connect to the server, it DOES NOT allow you to bypass the hostmask requirements of the user you are trying to login as. This probably isn't obvious and should definitely be spelled out better somewhere. You'll see that this is necessary because if you knock on the server then you could try to login as another user just by knowing their password and that wouldn't be good!

2) This command was really designed to be used in conjunction with the Dynamic_DNS_Lookup feature (default is ALWAYS in the config file and that's fine). Basically this allows you to use the ":" prefix to a hostmask (see 'site help addip') and a dynamic dns hostname that you keep updated to your current IP such as "" and the server will look that up when you try to login and let you in if it matches.

3) Back then I didn't think it a good idea have the server keep updating all of it's dynamic hostmasks to find everyone's current IP so it could allow them to connect to the server when using the Reject_Unknown_IPs option, so the knocking feature was the workaround. I have toyed with the idea of forcing updates every 10 minutes (configurable) to get around having to knock and just waiting a while, but I guess most people don't use the reject feature or something as nobody has complained or ask for it...

4) I didn't add the 'site knock' command until v7.2. However I forgot to register the site command internally so it's currently unusable until the next release. All it does is show you the ports and the order you should connect to them to trigger a knock. Since that is unlikely to change you can as a temporary workaround just put the ports and some text explaining whatever you think your users need to know in a simple .txt file like system/knock.txt and register that under the knock command in the FTP_Custom_Commands setcion with something like
knock = !knock.txt
There should already be a knock permission entry like
knock = !A *
under FTP_SITE_Permissions because the command should have been working...

5) Oh, and you can use 1-5 (example was 3 non-sequential so a sequential port scan wouldn't trip it) knock ports. You might find just having 1 is good enough. There is no reason to use the simple ioKnock.exe to trigger the connections either, but it's handy if using more than 1 port.

Let me know if that helps.
Yil is offline   Reply With Quote