ioSecureAdduser - don't allow too big ip-range


Pharaoh
09-17-2003, 01:55 AM
Hi,
is it possible to make ioFTPD not accept IP change to *@* or *@220.* because it is not specific enough? only allow at least 2 numbers after the @?
eg: *@210.115.* will be allowed because it has a more specific range (210.115)

TIA.

P.S. I am using ver. 4.9.4

MaistroX
09-17-2003, 02:34 AM
This is a VERY interesting issue, coz this is also needed for Beta 5+ for security reasons, not only to be able to force at least *@xxx.xxx.*.*, but also to be able to force Ident, so ident is needed in "addip" to be able to add an ip at all.

anything u could add to ioFTPD, D1 ?


Would be a very appreciated security option :)

Stardog
09-17-2003, 09:15 AM
perhaps adding this to the hosts.rules file?

Mouton
09-17-2003, 09:58 AM
Originally posted by MaistroX
anything u could add to ioFTPD, D1 ?

dark specified many times that everything that isn't ftpd related would have to be scripted.

Your request requires a script. A couple of lines in tcl/php/whatever would do.

GOD-EMPEROR
09-21-2003, 01:13 AM
actually I would suggest that ip/ident filtering on adduser be set like glftpd with something secure_ip capabilities, but as long as addip is a staple of ftpd usage, the same settings should apply to that as well....

Pharaoh
09-21-2003, 01:17 AM
Originally posted by GOD-EMPEROR
actually I would suggest that ip/ident filtering on adduser be set like glftpd with something secure_ip capabilities, but as long as addip is a staple of ftpd usage, the same settings should apply to that as well....

I agree with u, mate.
This feature should be quite easy to implement, and very useful.

ADDiCT
09-21-2003, 09:03 AM
Ok, made this in 10 mins.
It will check ident@ip for addip/adduser/gadduser events

edit ioftpd.ini :
[Pre]
site = ..\scripts\ioSecureAdduser.exe

(tell me if it's any good)

Pharaoh
09-21-2003, 09:12 AM
Originally posted by ADDiCT
Ok, made this in 10 mins.
It will check ident@ip for addip/adduser/gadduser events

edit ioftpd.ini :
[Pre]
site = ..\scripts\ioSecureAdduser.exe

(tell me if it's any good)

Is there any chance you could make it not allow adding IPs like:
*@* or even 1 number like *@128.* (an option that will be set in ioftpd.cfg by the admin), for example, something like:
minimumIPnumbers = 0 will allow adding *@*
minimumIPnumbers = 1 will not allow *@*, BUT will allow adding IPs like *@128
minimumIPnumbers = 2 will only allow IPs like *@128.217.*
3 will be 3 numbers and 4 will be only exact IP.

AND the ftp output when somebody tries to add *@* (or any other, according to the option in the cfg file) when it is blocked would be something like "Can't add IP, not specific enough"

TIA. :)

P.S. Damn, I wish I was a programmer :(

ADDiCT
09-21-2003, 09:19 AM
minimumIPnumbers = 0 will allow adding *@*
----> don't use the tool, or set ident_ip_mask = *

minimumIPnumbers = 1 will not allow *@*, BUT will allow adding IPs like *@128
----> ident_ip_mask = *@*#.*

minimumIPnumbers = 2 will only allow IPs like *@128.217.*
----> ident_ip_mask = *@*#.*#.*

(but now i come to think of it, i will have to change something else important in my tool first)

Pharaoh
09-21-2003, 09:37 AM
Thanks mate, works as advertised! :D
SITE ADDUSER tester tester *@*
200-+-----------------------------
200-| BAD: *@*
200-+-----------------------------
200 Command FAILED.

Any chance you can change the BAD: to a custom message that the admin chooses, or simply something like "IP NOT SPECIFIC ENOUGH" (like in glFTPD), so that the ops will get the message:

SITE ADDUSER tester tester *@*
200-+-----------------------------
200-| IP NOT SPECIFIC ENOUGH: *@*
200-+-----------------------------
200 Command FAILED.

THX again, bro, best 10min spent!! ;)

Pichento
09-21-2003, 10:14 AM
Hiya Addict.

Can you add the following option in the cfg. I need to be able to force:

ident@xxx.xxx.xxx.*

OR

*@xxx.xxx.xxx.xxx

For adding valid IP's

Thanks in advance!

Pharaoh
09-21-2003, 10:23 AM
Originally posted by Pichento
Hiya Addict.

Can you add the following option in the cfg. I need to be able to force:

ident@xxx.xxx.xxx.*

OR

*@xxx.xxx.xxx.xxx

For adding valid IP's

Thanks in advance!

I *think* that you should just change the included ioSecureAdduser.ini file like this:
for ident@xxx.xxx.xxx.* change it to:
ident_ip_mask = *??@*#.*#.*#.*
and for *@xxx.xxx.xxx.xxx change it to:
ident_ip_mask = *@*#.*#.*#.*#

ADDiCT
09-21-2003, 10:26 AM
problem is he needs both possibilities :)
i'm working on that, specify as many masks as u need

ADDiCT
09-21-2003, 11:38 AM
- u can specify as many ident_ip_mask entries as needed
- use ### for a numeric ip part (no more *#)

Pichento
09-21-2003, 11:57 AM
Thanks man!

Really - Really neat work.

bounty
09-21-2003, 03:36 PM
ehehe ADDiCT ;) i'll try this one too ;)

thx for your contribution ;)

have fun
bounty

MaistroX
09-21-2003, 04:55 PM
This is the standard .ini file ->

"

; user@12.13.14.15 will work
; *@12.13.14.15 will work
; user@12.13.14.* won't work
; *@12.13.14.* won't work

ident_ip_mask = *@###.###.###.###



; user@12.13.14.15 will work
; user@12.13.14.* will work
; x@12.13.14.15 won't work
; x@12.13.14.* won't work
; *@12.13.14.15 won't work
; *@12.13.14.* won't work

ident_ip_mask = *??@###.###.###.*
"

Could u please explain how I should do and what to change and where to, to force the "adder" to include ex: "indent@111.111.*.*"
or "*@111.111.111.*".

I'm a lamer at understanding stuff ;), maybe others are too!

THX in advance

ADDiCT
09-21-2003, 05:01 PM
indent@111.111.*.*

---> *?@###.###.*

the number of question marks determines the minimum length of the ident name.
*? means at least one character is required.
*???? means u can only add idents of 4 characters and more.


*@111.111.111.*

---> *@###.###.###.*

MaistroX
09-21-2003, 05:04 PM
oki, but where in the .ini file, there are two places, up, down or both to change info ?

ex. please :)

ADDiCT
09-21-2003, 05:10 PM
it doesn't matter, all "ident_ip_mask = ..." entries are put in an array, and every ident@ip u try to add is matched against every item in that array.

i think u want this in your ini file :
ident_ip_mask = *?@###.###.*
ident_ip_mask = *@###.###.###.*


u will then be able to add:

ident@111.111.*.*
*@111.111.111.*

but not :
*@111.111.*.*
ident@111.*.*.*
etc...

MaistroX
09-21-2003, 05:14 PM
thx a lot :)

Pharaoh
09-21-2003, 07:19 PM
Originally posted by ADDiCT
- u can specify as many ident_ip_mask entries as needed
- use ### for a numeric ip part (no more *#)

Thank you very much, mate, EXCELLENT WORK! :D

SomeoneWhoCares_2
09-24-2003, 02:07 PM
nice work.. got some suggestions for other versions

password strength check like in gl..

Password not secure enough. It has to have at least:
1 capital letters, 1 lowercase letters, 1 digits, 0 others, 6 length.


some sorta ban user.. so if u deluser someone and another siteop tries to readd them it fails.. checks for username and ip.

ADDiCT
09-24-2003, 03:13 PM
added password strength checking.
"banned users" is beyond the scope of this tool imho.

Pharaoh
09-25-2003, 06:18 AM
excellent. thanks mate! :)

MaistroX
09-26-2003, 08:14 AM
"added password strength checking.
"banned users" is beyond the scope of this tool imho.

Attachment: iosecureadduser.1.0.6.zip
This has been downloaded 20 time(s)."

Please, please, please, add so u always see the reason not to add, as a response in ex: FFXP.
would be a lot easier for a user trying to add a user, to see ex. what's wrong with the IP he's trying to add, and so on, anything u could add ? :)

THX in advance, anyway, it's working solid, GREAT work :)

ADDiCT
09-26-2003, 08:17 AM
add this line in your ini config:

debug = 1

should show some info what is wrong with your addline

MaistroX
09-26-2003, 08:36 AM
oki, tried, got ->

"
SITE ADDIP MaistroX *@19.*.*.*
200-| DEBUG: ident: *
200-| DEBUG: ip: 019.*.*.*
200-| DEBUG: (-) @019... Not Like *?@###.###.*
200-| DEBUG: (-) @019... Not Like *@###.###.###.*
200-| IDENT@IP NOT SPECIFIC ENOUGH: *@19.*.*.*
200-+-----------------------------
200 Command FAILED.
"

would look a lot better if "DEBUG" was not present + some kind of "hint" what's needed for the user trying to add the IP, I mean, not many of my users have access to the "ioSecureAdduser.ini" so they can see the conf, better to have an explanation "hint" what they need to use, ex. of an IP that will work, all according to the "ioSecureAdduser.ini" present !

Please ? :)

THX again.
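
The mask rules ADDiCT gives earlier in the thread (all ident_ip_mask entries go into an array, every ident@ip is tried against each one), written out as an added example; this is not part of any post and not ioSecureAdduser's own code. It assumes, going by the DEBUG output just above, that '*' is dropped from the entry and numeric parts are zero-padded before matching, and that '*', '?' and '#' in a mask mean any run, one character and one digit; the function names and sample ini are constructed.

```python
import re

# Constructed sample config, using the two masks suggested in the thread.
SAMPLE_INI = """\
; comments start with a semicolon
debug = 1
ident_ip_mask = *?@###.###.*
ident_ip_mask = *@###.###.###.*
"""

def load_masks(ini_text):
    """Collect every 'ident_ip_mask = ...' line into a list, in file order."""
    masks = []
    for line in ini_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "ident_ip_mask":
            masks.append(value.strip())
    return masks

def normalise(entry):
    """Drop '*' wildcards and zero-pad numeric parts: *@19.*.*.* -> @019..."""
    ident, _, host = entry.partition("@")
    parts = [p.zfill(3) if p.isdigit() else p.replace("*", "")
             for p in host.split(".")]
    return ident.replace("*", "") + "@" + ".".join(parts)

def mask_to_regex(mask):
    """Assumed mask syntax: '*' any run, '?' one char, '#' one digit."""
    table = {"*": ".*", "?": ".", "#": r"\d"}
    return re.compile("".join(table.get(c, re.escape(c)) for c in mask))

def is_specific_enough(entry, masks):
    """True if the normalised entry fully matches at least one mask."""
    subject = normalise(entry)
    # Octet range (0-255) is not checked here, only the shape of the entry.
    return any(mask_to_regex(m).fullmatch(subject) for m in masks)

if __name__ == "__main__":
    masks = load_masks(SAMPLE_INI)
    for entry in ["ident@111.111.*.*", "*@111.111.111.*",
                  "*@111.111.*.*", "ident@111.*.*.*", "*@19.*.*.*"]:
        ok = is_specific_enough(entry, masks)
        print(f"{entry:20} {'ok' if ok else 'NOT SPECIFIC ENOUGH'}")
```
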

surtin
10-07-2003, 10:03 PM
Is it possible for this to work for hostnames too?

ADDiCT
10-07-2003, 11:43 PM
i have not limited the program in any way, so i think u can work with hostnames as well

try this for example:

ident_ip_mask = *@*.kabel.telenet.be

ioUSER
05-15-2006, 10:30 AM
for all who are interested there's a new version checking site passwd too ;) check it out on the scripts page. :D