Hi,
is it possible to make ioFTPD not accept IP change to *@* or *@220.* because it is not specific enough? only allow at least 2 numbers after the @?
eg: *@210.115.* will be allowed because it has a more specific range (210.115)

TIA.

P.S. I am using ver. 4.9.4

This is a VERY intressting issue, coz this is allso needed for Beta 5+ of security reason, not only to be able to force atlest *@xxx.xxx.*.* , but allso be able to force Ident, so indent is needed in "addip" to be able to add ip at all.

anything u could add to ioFTPD, D1 ?


Would be a very appreciated security option :)

perhaps adding this to the hosts.rules file?

Originally posted by MaistroX
anything u could add to ioFTPD, D1 ?

dark specified many times that everything that isn't ftpd related would have to be scripted.

Your request require a script. A couple of lines in tcl/php/whatever would do.

actually I would suggest that ip/ident filtering on adduser be set like glftpd with something secure_ip capabilities, but as long as addip is a staple of ftpd usage, the same settings should apply to that as well....

Originally posted by GOD-EMPEROR
actually I would suggest that ip/ident filtering on adduser be set like glftpd with something secure_ip capabilities, but as long as addip is a staple of ftpd usage, the same settings should apply to that as well....

I agree with u, mate.
This feature should be quite easy to implement, and very useful.

Ok, made this in 10 mins.
It will check ident@ip for addip/adduser/gadduser events

edit ioftpd.ini :
[Pre]
site = ..\scripts\ioSecureAdduser.exe

(tell me if it's any good)

Originally posted by ADDiCT
Ok, made this in 10 mins.
It will check ident@ip for addip/adduser/gadduser events

edit ioftpd.ini :
[Pre]
site = ..\scripts\ioSecureAdduser.exe

(tell me if it's any good)

Is there any chance you could make it not allow adding IPs like:
*@* or even 1 number like *@128.* (an option that will be set in ioftpd.cfg by the admin), for example, something like:
minimumIPnumbers = 0 will allow adding *@*
minimumIPnumbers = 1 will not allow *@*, BUT will allow adding IPs like *@128
minimumIPnumbers = 2 will only allow IPs like *@128.217.*
3 will be 3 numbers and 4 will be only exact IP.

AND the ftp output when somebody try to add *@* (or any other, according to the option in the cfg file) when it is blocked would be something like "Can't add IP, not specific enough"

TIA. :)

P.S. Damn, I wish I was a programmer :(

minimumIPnumbers = 0 will allow adding *@*
----> don't use the tool, or set ident_ip_mask = *

minimumIPnumbers = 1 will not allow *@*, BUT will allow adding IPs like *@128
----> ident_ip_mask = *@*#.*

minimumIPnumbers = 2 will only allow IPs like *@128.217.*
----> ident_ip_mask = *@*#.*#.*

(but now i come to think of it, i will have to change something else important in my tool first)

Thanks mate, work as advertized! :D
SITE ADDUSER tester tester *@*
200-+-----------------------------
200-| BAD: *@*
200-+-----------------------------
200 Command FAILED.

Any chance you can change the BAD: to a custom message that the admin choose, or simply something like "IP NOT SPECIFIC ENOUGH" (like in glFTPD), so that the ops will get the message:

SITE ADDUSER tester tester *@*
200-+-----------------------------
200-| IP NOT SPECIFIC ENOUGH: *@*
200-+-----------------------------
200 Command FAILED.

THX again, bro, best 10min spent!! ;)

Hiya Addict.

Can you add the following option in the cfg. I need to be able to force:

ident@xxx.xxx.xxx.*

OR

*@xxx.xxx.xxx.xxx

For adding valid IP's

Thanks in advance!

Originally posted by Pichento
Hiya Addict.

Can you add the following option in the cfg. I need to be able to force:

ident@xxx.xxx.xxx.*

OR

*@xxx.xxx.xxx.xxx

For adding valid IP's

Thanks in advance!

I *think* that you should just change the included ioSecureAdduser.ini file like this:
for ident@xxx.xxx.xxx.* change it to:
ident_ip_mask = *??@*#.*#.*#.*
and for *@xxx.xxx.xxx.xxx change it to:
ident_ip_mask = *@*#.*#.*#.*#

problem is he needs both possibilities :)
i'm working on that, specify as many masks as u need

- u can specify as many ident_ip_mask entries as needed
- use ### for a numeric ip part (no more *#)

Thanks man!

Really - Really neat work.

ehehe ADDiCT ;) i'll try this one too ;)

thx for your contribution ;)

have fun
bounty

This is the standard .ini file ->

"

; user@12.13.14.15 will work
; *@12.13.14.15 will work
; user@12.13.14.* won't work
; *@12.13.14.* won't work

ident_ip_mask = *@###.###.###.###



; user@12.13.14.15 will work
; user@12.13.14.* will work
; x@12.13.14.15 won't work
; x@12.13.14.* won't work
; *@12.13.14.15 won't work
; *@12.13.14.* won't work

ident_ip_mask = *??@###.###.###.*
"

Could u please explain how I should do and what to change and were to, to force the "adder" to include ex: "indent@111.111.*.*"
or "*@111.111.111.*" .

I´m a lamer at understanding stuff ;), maby others are to!

THX in advance

indent@111.111.*.*

---> *?@###.###.*

the number of questionmarks determine the minimum lenght of the ident name.
*? means at least one character is required.
*???? means u can only add idents of 4 characters and more.


*@111.111.111.*

---> *@###.###.###.*

oki, but were in the .ini file, there are two places, up, down or both to change info ?

ex. please :)

it doesn't matter, all "ident_ip_mask = ..." entries are put in an array, and every ident@ip u try to add is matched against every item in that array.

i think u want this in your ini file :
ident_ip_mask = *?@###.###.*
ident_ip_mask = *@###.###.###.*


u will then be able to add:

ident@111.111.*.*
*@111.111.111.*

but not :
*@111.111.*.*
ident@111.*.*.*
etc...

thx alot :)

Originally posted by ADDiCT
- u can specify as many ident_ip_mask entries as needed
- use ### for a numeric ip part (no more *#)

Thank you very much, mate, EXCELLENT WORK! :D

nice work.. got some suggestions for other versions

password strength check like in gl..

Password not secure enough. It has to have at least:
1 capital letters, 1 lowercase letters, 1 digits, 0 others, 6 length.


some sorta ban user.. so if u deluser someone and another siteop tries to readd them it fails.. checks for username and ip.

added password strength checking.
"banned users" is beyond the scope of this tool imho.

excellent. thanks mate! :)

"added password strength checking.
"banned users" is beyond the scope of this tool imho.

Attachment: iosecureadduser.1.0.6.zip
This has been downloaded 20 time(s)."

Please, please, please, add so u allways see the reason not to add, as a respond i ex: FFXP.
qould be alot easyer for user trying to add a user, to see ex. whats wrong with the IP he´s trying to add, adn so on , anything u could add ? :)

THX in advance, anyway, its working solid, GREAT work :)

add this line in your ini config:

debug = 1

should show some info what is wrong with your addline

oki, tryed, got ->

"
SITE ADDIP MaistroX *@19.*.*.*
200-| DEBUG: ident: *
200-| DEBUG: ip: 019.*.*.*
200-| DEBUG: (-) @019... Not Like *?@###.###.*
200-| DEBUG: (-) @019... Not Like *@###.###.###.*
200-| IDENT@IP NOT SPECIFIC ENOUGH: *@19.*.*.*
200-+-----------------------------
200 Command FAILED.
"

would look alot better if "DEBUG" was not present + some kind of "hint" whats needed for the user trying to add the IP, I mean, not many of my users have access to the "ioSecureAdduser.ini" so they can see the conf, better to have a explaination "hint" what the need to use, ex. of a IP that will work, all according to the "ioSecureAdduser.ini" present !

Please ? :)

THX again.

Is it possible for this to work for hostnames too?

i have not limited the program in any way, so i think u can work with hostnames as well

try this for exemple:

ident_ip_mask = *@*.kabel.telenet.be

for all who are interested theres a new version checking site passwd too ;) check it out on the scripts page. :D