Hi Yil, thank you for your quick support
i`ve tested your instructions, but i get always the same error at login: 530 Login failed: Your IP/hostname is not authorized.
I want, if a user receives a new ip by his provider, ioftpd the ip updated independently.
Since then i`ve used the entry f.e. *@234.12.*.* but after a indefinite time he get a complete new ip-adress.
Can you look on my ioftpd.ini file, maybe i set wrong settings?
Quote:
[Network]
# list of services (you just defined them above!) to start
Active_Services = FTP_Service
# If Ident_Timeout set to 0 the server won't send any IDENT requests,
# in which case you'll need "*@..." for all user hostmasks or you need
# to enable the Ignore_Hostmasks_Idents option.
Ident_Timeout = 5 # Set ident timeout (10)
Hostname_Cache_Duration = 1800 # Seconds cached hostname is valid
Ident_Cache_Duration = 600 # Seconds cached ident is valid (1800)
# Ignore ident portion of hostmasks. If you set this to true then the system
# will ignore any ident difference and just examine the host/IP portion of
# the hostmask.
Ignore_Hostmask_Idents = False
# To be removed from the ban list a user MUST NOT attempt to connect during
# the temp ban time else he'll just keep pushing the ban farther out...
Connections_To_Ban = 50 # 6 connections without a reset and
# IP is temp banned (5)
Ban_Counter_Reset_Interval = 60
Temporary_Ban_Duration = 300 # 300 Seconds host remains banned
# Maximum time to suppress log entries for the same reason from the same IP.
# Default is 10.
;Max_Log_Suppression = 10
# Number of minutes to increase the delay between each suppressed message
# until Max_Log_Suppression is reached. Default is 1 additional minute per.
# You can now array to get 1,2,etc messages per Max_Log_Suppression window
# which with large values means you can reduce logfile spam if needed.
;Log_Suppression_Increment = 9
# this controls how often the socket bandwidth scheduling thread is run. If
# you are not limiting bandwidth then this can be disabled.
# Valid values: HIGH/NORMAL/LOW/DISABLED
Scheduler_Update_Speed = HIGH
# List of space separated wildcard IP/hosts that are immune from banning.
# NOTE: There is a difference between IP addresses and hostname masks. The
# decision about whether to reject an address for too many connection
# attempts (i.e. auto-ban) is made immediately after the connection is
# established. This means that the reverse DNS lookup to get the
# fully qualified hostname hasn't even started yet (unless a cached
# answer is still around and valid). This is usually fine since you
# obviously can't be banned on the first attempt, but if you tried 10
# connection attempts all at the same time this might result in a ban
# and rejection for some of them until the name finally resolves.
# Once the name has been resolved the next connection attempt will
# ignore and clear the temp ban.
# NOTE: 127.0.0.1 is always immune.
;Immune_Hosts = 192.168.0.*
# Permission list for user's whose IP/host masks should be immune from auto-
# banning. Essentially this is the same as collecting up all the IP/host
# parts of the matching user's hostmasks and automaticaly specifying them as
# Immune_Hosts. The user list and associated IP/hosts are only updated at
# startup and rehashes.
# WARNING: just one user with *@* or something similiar (or changed to that
# later on!) will effectively turn off auto-banning and thus use of
# this option is discouraged!
;Immune_Users = I
# Requirements/rules for adding IP masks by the specified users. You can
# have up to 20 consecutive entries starting at 1 which will be processed in
# numerical order with the first satisfied rule allowing the change. If
# no rule is matched then the change is prohibited and the user shown a list
# of valid rules for them. If Secure_Ip_1 is not defined everything is
# acceptable for backwardward compatibility.
#
# Format: <ident> <type> <min-fields> <users>
# <ident> = 0 -> User ident not required (*@...)
# 1 -> User ident must be supplied (ident@...)
# <type> = 0 -> Only sets of numeric IPs allowed
# 1 -> Allow fully qualified hostnames (...@hostname)
# 2 -> Allow fully qualified hostnames that will be resolved
# at login time allowed (:ident@hostname).
# 3 -> any hostname/IP (may include wildcards OR be dynamic)
# <min-fields> = Minimum number of non-wildcard fields separated by periods.
# NOTE: A fully qualified hostname doesn't need to pass the minimum field
# test so <type>'s 1 and 2 ignore the <min-fields> argument.
#
# Master accounts can do whatever they want, but if they don't match a rule
# the log entry and status message will indicate that a "master override"
# was used.
#
# If you want to support *@* and other such things without that message
# set this rule to match M (or whoever else) accounts instead of nobody (!*).
;Secure_Ip_1 = 0 3 0 !*
# Allow *@1.2.*.* or ident@1.2.*.* or more specific style masks
;Secure_Ip_2 = 0 0 2 G1M
# Allow ident@foo.bar.com style masks
;Secure_Ip_3 = 1 1 0 G1M
# Allow dynamic :ident@foo.bar.com style masks
Secure_Ip_4 = 1 2 0 G1M
# Allow ident@*.bar.com style masks
;Secure_Ip_5 = 1 3 2 G1M
# NOTE: Only M accounts can set *@* with these defaults
# Maximum number of worker threads to use to resolve hosts. If you raise
# this make sure to raise the number of Worker_Threads at the top of the
# file to a larger value to keep from creating/destroying threads.
Max_Resolver_Threads = 2
# If a user hostmask begins with a colon ":" and is a hostname without any
# wildcards then during the login event you can control what happens.
# undefined -> do nothing
# "NEVER" -> do nothing
# "KNOCKED" -> only do lookups if the user has successfully KNOCKED.
# "ALWAYS" -> always lookup the specified hostname
Dynamic_DNS_Lookup = ALWAYS
# If Dynamic_DNS_Lookup is set to KNOCKED/ALWAYS or you are using an external
# user module then in theory someone could watch for delayed responses to
# the login command and try to statistically determine usernames. To prevent
# this you can set this to the maximum number of seconds to randomly delay
# all responses to the login command.
;Random_Login_Delay = 5
# Set this to true to automatically disconnect connections from hosts who
# do not match any user's IP/host mask.
Reject_Unknown_Ips = True
# When using Reject_Unknown_Ips there is no way to even get to a login prompt
# if your IP has changed. This can now be a common problem for people using
# dynamic hostmasks. The solution is a very simple knock-knock system which
# will add the knocking IP to a temporary list so you can connect.
# Knocking essentially means connecting via TCP to between 1 and 5 ports in a
# short amount of time (60 seconds per). This can easily be done in most FTP
# programs by just setting up fake ftp servers on the knock ports and trying
# to connecting in order, or by using the ioKnock GUI on windows machines.
#
# NOTE: You must connect in order! Thus using at least 3 non-sequential ports
# means a sequential port scan won't trigger the knock and produce a
# prompt on the real FTP port.
;Knock_1 = 15121
;Knock_2 = 11123
;Knock_3 = 12123
# How many elements of the dotted IP address should be obscured with * in
# the logfiles. IP=1.2.3.4 with 1 -> 1.2.3.*, 2 -> 1.2.*.*, 3 -> 1.*.*.*
# and 4 -> -hidden-.
;Obscure_IP = 2
# How many elements of the dotted hostname should be obscured with * in
# the logfiles. NAME=baz.foo.bar.com with 1 -> *.foo.bar.com, 3 -> *.*.*.com
# and if the name is totally obscured -hidden- will be shown instead.
;Obscure_Host = 2
# Log OpenSSL library errors during transfer to Debug.log. Default is false.
Log_OpenSSL_Transfer_Errors = True
|
I`ve tested the knocking-feature too, but the error are the same...