Security precaution: Slowly but surely, I have been adding security features to 3CDaemon. One of the biggest security holes is the ability of a remote user to overwrite one of 3CDaemon's config files, in order to allow themselves wider access to the host system. (I warn against making any of 3CDaemon's config directories accessible via TFTP or FTP, but who reads help files?)
So, from now on, there will be certain file names (e.g. 3CDaemon.ini) that will be "off-limits" to transfer (either upload or download). This will mess up remote administration for some folks, but I think the added security is worth that loss. So, if you get an "access denied" when you try to do something with one of 3CDaemon's config files, it is intentional.
Implemented 10-minute inactivity timer. If a user doesn't enter a command within 10 minutes of entering the last one, his session is automatically disconnected. The timer is NOT ticking during actual file transfers, but starts fresh as soon as the transfer is complete. For now, I haven't made the timeout interval configurable, but just hardcoded it at 10 minutes. If someone needs it configurable, send me an email, and I will see what I can do.
Just to avoid false alarms on the inactivity feature: If 3CDaemon disconnects a user due to inactivity, it will send a message to the remote user:
221 Service closing control connection. Timeout.
This message will also be logged in the ftpd.log file. If you don't see this message, the user was disconnected for some other reason.
Rev 8: Ooops, Syslog "Log by IP Address" didn't actually work. It should now,
(I hope....)
Rev 9: Send a "522" response to the net-bsd ftp client when it sends an EPSV or EPRT command. EPSV and EPRT are FTP extensions defined in RFC 2428. They mostly have to do with IPv6 compatibility. Sending the 522 tells the client that we don't do IPv6, so use the more standard PASV and PORT commands. I suppose at some point I will have to implement RFC 2428, but it is too much work at the moment. Wait until more clients start requesting it.
Rev 10: Security thing. Will not display the password for any user (other than
anonymous) - either on the screen or in the logs. Instead, you will
see "PASS XXXXX". You will still see the password for anonymous. This
is intentional.
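As an added example (not 3CDaemon's own code), here is how the two checks described above, the "off-limits" config file names and the redacted "PASS XXXXX" log line for non-anonymous users, can be implemented for an FTP server. The names OFF_LIMITS, is_off_limits and FtpLogFilter are assumptions; the only protected file name the page gives is 3CDaemon.ini.

```python
import posixpath

# Constructed denylist: the page names only 3CDaemon.ini, so that is the
# single entry here. Stored lowercase because Windows file names are
# case-insensitive and the comparison below is lowercased too.
OFF_LIMITS = {"3cdaemon.ini"}

# The redacted form the page says appears on screen and in ftpd.log.
REDACTED_PASS = "PASS XXXXX"


def is_off_limits(path: str) -> bool:
    """True if an upload or download of `path` must get "access denied".

    Only the final path component matters, so "cfg/3CDAEMON.INI",
    "..\\3CDaemon.ini" and "3CDaemon.ini/" are all caught: separators are
    normalised, ".." segments collapsed and the trailing slash dropped
    before the basename is compared case-insensitively.
    """
    normalised = posixpath.normpath(path.replace("\\", "/"))
    return posixpath.basename(normalised).lower() in OFF_LIMITS


class FtpLogFilter:
    """Rewrites control-connection commands before they are displayed/logged.

    Remembers the last USER so that PASS is redacted for every account except
    anonymous, whose password (conventionally an e-mail address) stays visible,
    as the page describes.
    """

    def __init__(self) -> None:
        self.user = None  # assumption: no user until USER is seen

    def for_log(self, line: str) -> str:
        line = line.strip()
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "USER":
            self.user = arg.strip().lower()
        elif verb == "PASS" and self.user != "anonymous":
            return REDACTED_PASS
        return line
```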