Post #1, 02-02-2013, 06:03 PM
Junior Member
Join Date: Feb 2013
Posts: 2

Setting up knocking


I am having some problems with setting up knocking with ioFTPD correctly.

I have set:

Reject_Unknown_Ips = True

Knock_1 = 66788
Knock_2 = 66544
Knock_3 = 66700

If I try ioKnock and correctly knock there is a log entry in ioFTPD.log:

02-02-2013 23:52:51 KNOCK: ""

However, if I try to log on to the server there is still a login prompt, it just rejects my password:

[R] 530 Login failed: Invalid password.

As it claims my password is rejected it logs the following:

02-02-2013 23:52:58 Host '*@' (HOMECOMPUTER) did not match any of user 'admin' allowed hosts.

Also, with my IP added to the allowed hosts I cannot use the command "SITE KNOCK":

[R] 500 'SITE KNOCK': Command not understood.

The manual says that if knocking is not enabled, that command is also disabled.

Have I missed something? Am I supposed to enable knocking some other way than rejecting unknown IPs and adding knock ports?

Help would be much appreciated.
Oipple
Post #2, 02-03-2013, 12:48 PM
Too much time...
FlashFXP Beta Tester
ioFTPD Administrator
Join Date: May 2005
Posts: 1,194

Hey! Somebody using the knock feature! I wrote that a long time ago and nobody ever used it, but here are a few things you should know...

1) The knock feature ONLY allows you a way to connect to the server, it DOES NOT allow you to bypass the hostmask requirements of the user you are trying to login as. This probably isn't obvious and should definitely be spelled out better somewhere. You'll see that this is necessary because if you knock on the server then you could try to login as another user just by knowing their password and that wouldn't be good!

2) This command was really designed to be used in conjunction with the Dynamic_DNS_Lookup feature (default is ALWAYS in the config file and that's fine). Basically this allows you to use the ":" prefix to a hostmask (see 'site help addip') and a dynamic dns hostname that you keep updated to your current IP such as ":user@me.no-ip.org" and the server will look that up when you try to login and let you in if it matches.

3) Back then I didn't think it a good idea to have the server keep updating all of its dynamic hostmasks to find everyone's current IP so it could allow them to connect to the server when using the Reject_Unknown_IPs option, so the knocking feature was the workaround. I have toyed with the idea of forcing updates every 10 minutes (configurable) to get around having to knock and just waiting a while, but I guess most people don't use the reject feature or something as nobody has complained or asked for it...

4) I didn't add the 'site knock' command until v7.2. However I forgot to register the site command internally so it's currently unusable until the next release. All it does is show you the ports and the order you should connect to them to trigger a knock. Since that is unlikely to change you can as a temporary workaround just put the ports and some text explaining whatever you think your users need to know in a simple .txt file like system/knock.txt and register that under the knock command in the FTP_Custom_Commands section with something like
knock = !knock.txt
There should already be a knock permission entry like
knock = !A *
under FTP_SITE_Permissions because the command should have been working...

5) Oh, and you can use 1-5 (example was 3 non-sequential so a sequential port scan wouldn't trip it) knock ports. You might find just having 1 is good enough. There is no reason to use the simple ioKnock.exe to trigger the connections either, but it's handy if using more than 1 port.

Let me know if that helps.
Yil
Post #3, 02-08-2013, 06:51 PM
Junior Member
Join Date: Feb 2013
Posts: 2

Oh okay. Now I see, I misinterpreted what it did there.

1, 2) I thought it was a way to force the FTP server not to respond with anything if the host mask was not allowed, i.e. not reveal that there's an FTP server on the other end of that port. I probably don't know enough about the FTP protocol to understand if that would even work.

If there's a way to do that at least I would be very much interested.

4) I see.

5) Yeah I understood that. Just thought that 3 was a good number, at least to test it. With fewer you could have it triggered with a port scan (ascending/descending) if they're somewhat close, right? And I don't see the point for more than 3.

I'm only using ioFTPD for a regular home FTP, but with more options and security. So I would like to set it up very securely since it's kind of a hobby. So most of my users don't have any dynamic DNS. As I said, I thought it was a way to force the server not to reveal itself if the host wasn't allowed.

Thanks a lot for responding fast and thoroughly.
Oipple
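The following is an added example, not ioFTPD's own code and not something either poster wrote. It models the two points the thread turns on: Yil's point 1 (a completed knock only gets a source past Reject_Unknown_Ips; the user's hostmasks are still enforced at login, which is exactly the "did not match any of user 'admin' allowed hosts" log line Oipple saw) and point 5 together with Oipple's follow-up question (why three non-sequential knock ports are not tripped by an ascending or descending port scan while one port, or three ports in ascending order, are). Everything below is an assumption for illustration: the knock ports 6788, 6544, 6700 are constructed (the thread's 66788/66544/66700 lie above 65535, the highest valid TCP port, and the tracker rejects them for that reason), the 30-second window, the rule that only connections to the knock ports are observed, the hostmask syntax with the ":" dynamic-DNS prefix, and the tiny resolver table are all simplifications of what the posts describe, not ioFTPD's actual behaviour.

```python
"""Port-knock sequence tracking plus the hostmask check that still applies
after a knock.  Illustrative model of the ioFTPD setup discussed in the
thread; constants, window and matching rules are assumptions."""
import fnmatch
from collections import defaultdict


class KnockTracker:
    """Per-source progress through the knock sequence.

    Assumption: the server listens only on the knock ports, so a scan's
    connections to any other port are never observed by the tracker."""

    def __init__(self, sequence, window=30.0):
        if not 1 <= len(sequence) <= 5:
            raise ValueError("ioFTPD accepts 1 to 5 knock ports")
        if any(not 1 <= p <= 65535 for p in sequence):
            raise ValueError("TCP ports must be within 1..65535")
        self.sequence = tuple(sequence)
        self.window = window          # seconds allowed between two knocks (assumed)
        self.progress = defaultdict(lambda: (0, None))  # src -> (next index, last hit time)
        self.knocked = set()

    def connection(self, src_ip, dst_port, ts):
        """Feed one inbound connection; returns True when the knock completes."""
        if dst_port not in self.sequence:
            return False              # not a knock port: never seen by the server
        idx, last = self.progress[src_ip]
        if last is not None and ts - last > self.window:
            idx = 0                   # too slow: start the sequence over
        if dst_port == self.sequence[idx]:
            idx += 1
            if idx == len(self.sequence):
                self.knocked.add(src_ip)
                self.progress.pop(src_ip, None)
                return True
            self.progress[src_ip] = (idx, ts)
        else:
            # Out-of-order hit restarts; it counts as knock 1 if it was the first port.
            self.progress[src_ip] = (1, ts) if dst_port == self.sequence[0] else (0, None)
        return False

    def is_knocked(self, src_ip):
        return src_ip in self.knocked


def port_scan(tracker, src_ip, ports, start=0.0, step=0.01):
    """Replay a scan that connects to every port in order; True if it tripped the knock."""
    for i, port in enumerate(ports):
        tracker.connection(src_ip, port, start + i * step)
    return tracker.is_knocked(src_ip)


def scan_trips(sequence, scan_ports):
    """Does a scan over scan_ports complete the knock for a fresh tracker?"""
    return port_scan(KnockTracker(sequence), "203.0.113.5", scan_ports)


# Constructed stand-in for a dynamic DNS lookup (point 2 of the reply).
CONSTRUCTED_DNS = {"me.no-ip.example": "203.0.113.5"}


def host_matches(mask, ident, src_ip, resolver=CONSTRUCTED_DNS.get):
    """ident@host hostmask; a leading ':' means resolve the hostname first."""
    mask_ident, _, mask_host = mask.lstrip(":").partition("@")
    if mask.startswith(":"):
        mask_host = resolver(mask_host) or mask_host
    return fnmatch.fnmatchcase(ident, mask_ident) and fnmatch.fnmatchcase(src_ip, mask_host)


def login_decision(tracker, src_ip, ident, user_masks, all_masks=None, reject_unknown_ips=True):
    """Point 1 of the reply: the knock only bypasses Reject_Unknown_Ips.

    all_masks is the union of every user's hostmasks (the server-wide
    'known IP' check); user_masks belong to the account being logged into."""
    all_masks = user_masks if all_masks is None else all_masks
    known_to_server = any(host_matches(m, ident, src_ip) for m in all_masks)
    if reject_unknown_ips and not known_to_server and not tracker.is_knocked(src_ip):
        return "connection refused"
    if not any(host_matches(m, ident, src_ip) for m in user_masks):
        return "530 host did not match allowed hosts"
    return "login ok"


if __name__ == "__main__":
    knock = (6788, 6544, 6700)
    print("non-sequential, ascending scan trips:", scan_trips(knock, range(6000, 7001)))
    print("non-sequential, descending scan trips:", scan_trips(knock, range(7000, 5999, -1)))
    print("sequential ports, ascending scan trips:", scan_trips((6544, 6700, 6788), range(6000, 7001)))
    print("single port, any scan trips:", scan_trips((6788,), range(6000, 7001)))
    t = KnockTracker(knock)
    for i, p in enumerate(knock):
        t.connection("203.0.113.5", p, float(i))
    print("after a good knock, no mask:", login_decision(t, "203.0.113.5", "HOMECOMPUTER", ["*@192.168.1.*"]))
    print("after a good knock, dyndns mask:", login_decision(t, "203.0.113.5", "HOMECOMPUTER", [":*@me.no-ip.example"]))
```

Run it directly to see the four scan cases and the two login outcomes; the second login line is the combination Yil recommends (knock to get the connection accepted, a ":"-prefixed dynamic DNS hostmask to pass the user's host check), while the first reproduces the 530 that started the thread.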
