ioSecureAdduser - don't allow too big ip-range
Pharaoh
09-17-2003, 01:55 AM
Hi,
is it possible to make ioFTPD not accept IP change to *@* or *@220.* because it is not specific enough? only allow at least 2 numbers after the @?
eg: *@210.115.* will be allowed because it has a more specific range (210.115)
TIA.
P.S. I am using ver. 4.9.4
MaistroX
09-17-2003, 02:34 AM
This is a VERY interesting issue, coz this is also needed for Beta 5+ for security reasons, not only to be able to force at least *@xxx.xxx.*.* , but also to be able to force ident, so ident is needed in "addip" to be able to add an ip at all.
anything u could add to ioFTPD, D1 ?
Would be a very appreciated security option :)
Stardog
09-17-2003, 09:15 AM
perhaps adding this to the hosts.rules file?
Mouton
09-17-2003, 09:58 AM
Originally posted by MaistroX
anything u could add to ioFTPD, D1 ?
dark specified many times that everything that isn't ftpd related would have to be scripted.
Your request requires a script. A couple of lines in tcl/php/whatever would do.
GOD-EMPEROR
09-21-2003, 01:13 AM
actually I would suggest that ip/ident filtering on adduser be set like glftpd with something secure_ip capabilities, but as long as addip is a staple of ftpd usage, the same settings should apply to that as well....
Pharaoh
09-21-2003, 01:17 AM
Originally posted by GOD-EMPEROR
actually I would suggest that ip/ident filtering on adduser be set like glftpd with something secure_ip capabilities, but as long as addip is a staple of ftpd usage, the same settings should apply to that as well....
I agree with u, mate.
This feature should be quite easy to implement, and very useful.
ADDiCT
09-21-2003, 09:03 AM
Ok, made this in 10 mins.
It will check ident@ip for addip/adduser/gadduser events
edit ioftpd.ini :
[Pre]
site = ..\scripts\ioSecureAdduser.exe
(tell me if it's any good)
Pharaoh
09-21-2003, 09:12 AM
Originally posted by ADDiCT
Ok, made this in 10 mins.
It will check ident@ip for addip/adduser/gadduser events
edit ioftpd.ini :
[Pre]
site = ..\scripts\ioSecureAdduser.exe
(tell me if it's any good)
Is there any chance you could make it not allow adding IPs like:
*@* or even 1 number like *@128.* (an option that will be set in ioftpd.cfg by the admin), for example, something like:
minimumIPnumbers = 0 will allow adding *@*
minimumIPnumbers = 1 will not allow *@*, BUT will allow adding IPs like *@128
minimumIPnumbers = 2 will only allow IPs like *@128.217.*
3 will be 3 numbers and 4 will be only exact IP.
AND the ftp output when somebody tries to add *@* (or any other, according to the option in the cfg file) when it is blocked would be something like "Can't add IP, not specific enough"
TIA. :)
P.S. Damn, I wish I was a programmer :(
ADDiCT
09-21-2003, 09:19 AM
minimumIPnumbers = 0 will allow adding *@*
----> don't use the tool, or set ident_ip_mask = *
minimumIPnumbers = 1 will not allow *@*, BUT will allow adding IPs like *@128
----> ident_ip_mask = *@*#.*
minimumIPnumbers = 2 will only allow IPs like *@128.217.*
----> ident_ip_mask = *@*#.*#.*
(but now i come to think of it, i will have to change something else important in my tool first)
Pharaoh
09-21-2003, 09:37 AM
Thanks mate, works as advertised! :D
SITE ADDUSER tester tester *@*
200-+-----------------------------
200-| BAD: *@*
200-+-----------------------------
200 Command FAILED.
Any chance you can change the BAD: to a custom message that the admin chooses, or simply something like "IP NOT SPECIFIC ENOUGH" (like in glFTPD), so that the ops will get the message:
SITE ADDUSER tester tester *@*
200-+-----------------------------
200-| IP NOT SPECIFIC ENOUGH: *@*
200-+-----------------------------
200 Command FAILED.
THX again, bro, best 10min spent!! ;)
Pichento
09-21-2003, 10:14 AM
Hiya Addict.
Can you add the following option in the cfg. I need to be able to force:
ident@xxx.xxx.xxx.*
OR
*@xxx.xxx.xxx.xxx
For adding valid IP's
Thanks in advance!
Pharaoh
09-21-2003, 10:23 AM
Originally posted by Pichento
Hiya Addict.
Can you add the following option in the cfg. I need to be able to force:
ident@xxx.xxx.xxx.*
OR
*@xxx.xxx.xxx.xxx
For adding valid IP's
Thanks in advance!
I *think* that you should just change the included ioSecureAdduser.ini file like this:
for ident@xxx.xxx.xxx.* change it to:
ident_ip_mask = *??@*#.*#.*#.*
and for *@xxx.xxx.xxx.xxx change it to:
ident_ip_mask = *@*#.*#.*#.*#
ADDiCT
09-21-2003, 10:26 AM
problem is he needs both possibilities :)
i'm working on that, specify as many masks as u need
ADDiCT
09-21-2003, 11:38 AM
- u can specify as many ident_ip_mask entries as needed
- use ### for a numeric ip part (no more *#)
Pichento
09-21-2003, 11:57 AM
Thanks man!
Really - Really neat work.
bounty
09-21-2003, 03:36 PM
ehehe ADDiCT ;) i'll try this one too ;)
thx for your contribution ;)
have fun
bounty
MaistroX
09-21-2003, 04:55 PM
This is the standard .ini file ->
"
; user@12.13.14.15 will work
; *@12.13.14.15 will work
; user@12.13.14.* won't work
; *@12.13.14.* won't work
ident_ip_mask = *@###.###.###.###
; user@12.13.14.15 will work
; user@12.13.14.* will work
; x@12.13.14.15 won't work
; x@12.13.14.* won't work
; *@12.13.14.15 won't work
; *@12.13.14.* won't work
ident_ip_mask = *??@###.###.###.*
"
Could u please explain how I should do it and what to change and where, to force the "adder" to include ex: "indent@111.111.*.*"
or "*@111.111.111.*" .
I'm a lamer at understanding stuff ;), maybe others are too!
THX in advance
ADDiCT
09-21-2003, 05:01 PM
indent@111.111.*.*
---> *?@###.###.*
the number of question marks determines the minimum length of the ident name.
*? means at least one character is required.
*???? means u can only add idents of 4 characters and more.
*@111.111.111.*
---> *@###.###.###.*
MaistroX
09-21-2003, 05:04 PM
oki, but where in the .ini file, there are two places, up, down or both to change info ?
ex. please :)
ADDiCT
09-21-2003, 05:10 PM
it doesn't matter, all "ident_ip_mask = ..." entries are put in an array, and every ident@ip u try to add is matched against every item in that array.
i think u want this in your ini file :
ident_ip_mask = *?@###.###.*
ident_ip_mask = *@###.###.###.*
u will then be able to add:
ident@111.111.*.*
*@111.111.111.*
but not :
*@111.111.*.*
ident@111.*.*.*
etc...
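The matching described in the post above, as an added sketch (not ADDiCT's code, which the thread does not show). It assumes the masks behave like a `Like`-style pattern (`*` any run, `?` one character, `#` one digit) and that entries are normalized the way the `debug = 1` output later in the thread shows (`*@19.*.*.*` becomes `@019...`); the function names are hypothetical.

```python
import re

def normalize(entry):
    """Reduce ident@host to the form the thread's debug output shows:
    ident '*' becomes empty, numeric octets are zero-padded to three
    digits, wildcard octets become empty (assumed from that output)."""
    ident, sep, host = entry.partition("@")
    if not sep:
        raise ValueError("expected ident@host")
    if ident == "*":
        ident = ""
    parts = []
    for part in host.split("."):
        if part == "*":
            parts.append("")
        elif part.isascii() and part.isdigit():
            parts.append(part.zfill(3))
        else:
            parts.append(part)  # hostname label, kept as typed
    return ident + "@" + ".".join(parts)

def mask_to_regex(mask):
    """Translate a mask: '*' any run, '?' one character, '#' one digit."""
    table = {"*": ".*", "?": ".", "#": r"\d"}
    pattern = "".join(table.get(c, re.escape(c)) for c in mask)
    return re.compile(pattern, re.ASCII)

def is_allowed(entry, masks):
    """True when the normalized entry fully matches at least one mask."""
    candidate = normalize(entry)
    return any(mask_to_regex(m).fullmatch(candidate) for m in masks)

# The two masks from the post above; the entries are the ones it lists,
# plus *@* from the start of the thread.
MASKS = ["*?@###.###.*", "*@###.###.###.*"]

if __name__ == "__main__":
    for entry in ["ident@111.111.*.*", "*@111.111.111.*",
                  "*@111.111.*.*", "ident@111.*.*.*", "*@*"]:
        verdict = "allowed" if is_allowed(entry, MASKS) else "rejected"
        print(f"{entry:20} {verdict}")
```

Because an entry passes if any one mask matches, each mask added to the list widens what siteops can add, so the list is only as strict as its loosest entry.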
MaistroX
09-21-2003, 05:14 PM
thx a lot :)
Pharaoh
09-21-2003, 07:19 PM
Originally posted by ADDiCT
- u can specify as many ident_ip_mask entries as needed
- use ### for a numeric ip part (no more *#)
Thank you very much, mate, EXCELLENT WORK! :D
SomeoneWhoCares_2
09-24-2003, 02:07 PM
nice work.. got some suggestions for other versions
password strength check like in gl..
Password not secure enough. It has to have at least:
1 capital letters, 1 lowercase letters, 1 digits, 0 others, 6 length.
some sorta ban user.. so if u deluser someone and another siteop tries to readd them it fails.. checks for username and ip.
ADDiCT
09-24-2003, 03:13 PM
added password strength checking.
"banned users" is beyond the scope of this tool imho.
Pharaoh
09-25-2003, 06:18 AM
excellent. thanks mate! :)
MaistroX
09-26-2003, 08:14 AM
"added password strength checking.
"banned users" is beyond the scope of this tool imho.
Attachment: iosecureadduser.1.0.6.zip
This has been downloaded 20 time(s)."
Please, please, please, add so u always see the reason not to add, as a response in ex: FFXP.
would be a lot easier for a user trying to add a user, to see ex. what's wrong with the IP he's trying to add, and so on, anything u could add ? :)
THX in advance, anyway, it's working solid, GREAT work :)
ADDiCT
09-26-2003, 08:17 AM
add this line in your ini config:
debug = 1
should show some info what is wrong with your addline
MaistroX
09-26-2003, 08:36 AM
oki, tried, got ->
"
SITE ADDIP MaistroX *@19.*.*.*
200-| DEBUG: ident: *
200-| DEBUG: ip: 019.*.*.*
200-| DEBUG: (-) @019... Not Like *?@###.###.*
200-| DEBUG: (-) @019... Not Like *@###.###.###.*
200-| IDENT@IP NOT SPECIFIC ENOUGH: *@19.*.*.*
200-+-----------------------------
200 Command FAILED.
"
would look a lot better if "DEBUG" was not present + some kind of "hint" what's needed for the user trying to add the IP, I mean, not many of my users have access to the "ioSecureAdduser.ini" so they can see the conf, better to have an explanation "hint" of what they need to use, ex. of an IP that will work, all according to the "ioSecureAdduser.ini" present !
Please ? :)
THX again.
surtin
10-07-2003, 10:03 PM
Is it possible for this to work for hostnames too?
ADDiCT
10-07-2003, 11:43 PM
i have not limited the program in any way, so i think u can work with hostnames as well
try this for example:
ident_ip_mask = *@*.kabel.telenet.be
ioUSER
05-15-2006, 10:30 AM
for all who are interested there's a new version checking site passwd too ;) check it out on the scripts page. :D