Using tcpd_wrappers with pure-ftpd – September 19, 2007
My external "authentication" script, which pure-authd runs for every login attempt with the client address in the AUTHD_REMOTE_IP environment variable, is the following:
#!/bin/sh
# pure-authd reads the reply from stdout, so nothing but the protocol
# lines (auth_ok:... and end) may be printed there.
checkedIP=$(echo "$AUTHD_REMOTE_IP" | sed -ne "s~^\([0-9]\{1,3\}\)\.\([0-9]\{1,3\}\)\.\([0-9]\{1,3\}\)\.\([0-9]\{1,3\}\)$~\1.\2.\3.\4~p")
if test "x$checkedIP" = "x"; then
    checkedIP="Unknown"
fi
if test "$checkedIP" = "Unknown"; then
    # Not a dotted-quad IPv4 address (IPv6, or something odd). Unknown is
    # allowed to fall through for now; logging the raw value would show
    # when this happens.
    echo 'auth_ok:0'
else
    # Note: this checks for the address anywhere in hosts.deny, regardless
    # of which service the entry names. -F makes the dots literal, -w stops
    # 10.0.0.1 from matching 10.0.0.10, and -q keeps grep's matches off
    # stdout, which is the reply channel to pure-authd.
    if grep -qFw -- "$checkedIP" /etc/hosts.deny; then
        # auth_ok:-1 rejects the login outright; no other method is tried.
        echo 'auth_ok:-1'
    else
        # auth_ok:0 hands the user on to the next authentication method.
        echo 'auth_ok:0'
    fi
fi
echo 'end'
Then you need to start the authd. -B makes it detach, -s is the socket pure-ftpd will connect to, and -r is the script above:
pure-authd -B -s /var/run/ftpd.sock -r /etc/pure-ftpd/denyhosts
Then make a file called /etc/pure-ftpd/conf/ExtAuth (I use pure-ftpd-wrapper, since I am on Debian) containing the socket path as its only line:
/var/run/ftpd.sock
And then make a symlink named /etc/pure-ftpd/auth/20extauth that points to /etc/pure-ftpd/conf/ExtAuth. The wrapper applies the files in /etc/pure-ftpd/auth in lexical order, so the external check runs before the wrapper's default Unix/PAM entries: a reply of auth_ok:0 from the script falls through to them, and auth_ok:-1 rejects the login without trying them at all.
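To check the deny logic without a running pure-authd, here is an added example (not from the original post) that drives the same decision the way pure-authd invokes the script: the client address arrives in the AUTHD_REMOTE_IP environment variable and the reply goes to stdout. It uses a constructed hosts.deny in a temporary file instead of /etc/hosts.deny, and the function names are my own. It also covers two cases worth testing before trusting the script: a client address that is a prefix of a banned one (192.0.2.1 versus 192.0.2.10) and a commented-out entry.

```sh
#!/bin/sh
# Added example (not from the original post): exercise the hosts.deny
# decision the way pure-authd invokes the script. Function names and the
# sample deny file are mine.

# Constructed stand-in for /etc/hosts.deny, including a commented-out entry.
DENYFILE=$(mktemp)
trap 'rm -f "$DENYFILE"' EXIT
cat >"$DENYFILE" <<'EOF'
# DenyHosts: SEE /var/log/denyhosts
sshd: 192.0.2.10
ALL: 198.51.100.7
# ALL: 203.0.113.9 (commented out, so it must not count as a ban)
EOF

# ip_banned IP FILE: succeed if IP appears as a whole address on an
# uncommented line of FILE.
ip_banned() {
    # -F: dots are literal, not regex wildcards
    # -w: whole word, so 192.0.2.1 does not match inside 192.0.2.10
    # -q: print nothing; stdout is the reply channel to pure-authd
    grep -v '^[[:space:]]*#' "$2" | grep -qFw -- "$1"
}

# authd_reply FILE: the reply the script sends for $AUTHD_REMOTE_IP.
# auth_ok:-1 rejects the login; auth_ok:0 hands the user to the next
# authentication method; 'end' terminates the reply.
authd_reply() {
    checkedIP=$(printf '%s\n' "$AUTHD_REMOTE_IP" |
        sed -ne 's~^\([0-9]\{1,3\}\)\.\([0-9]\{1,3\}\)\.\([0-9]\{1,3\}\)\.\([0-9]\{1,3\}\)$~\1.\2.\3.\4~p')
    if [ -z "$checkedIP" ]; then
        # not a dotted-quad IPv4 address (IPv6, garbage): let it through
        echo 'auth_ok:0'
    elif ip_banned "$checkedIP" "$1"; then
        echo 'auth_ok:-1'
    else
        echo 'auth_ok:0'
    fi
    echo 'end'
}

# verdict IP: just the auth_ok line for a given client address, so the
# outcome of each case can be compared directly.
verdict() {
    AUTHD_REMOTE_IP=$1
    export AUTHD_REMOTE_IP
    authd_reply "$DENYFILE" | head -n 1
}

# Cases: banned, prefix of a banned address, commented out, non-IPv4.
for ip in 192.0.2.10 192.0.2.1 203.0.113.9 fe80::1; do
    printf '%-12s -> %s\n' "$ip" "$(verdict "$ip")"
done
```

The sed pattern is the same one the script uses; besides extracting the address, it is what keeps anything that is not a dotted quad (an IPv6 address, or a value with shell metacharacters in it) from ever reaching grep.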
That's it! As you might guess based on the name of the script, I will eventually get this to work automatically with the denyhosts project, which is an excellent program for ssh, and I want to extend it to pure-ftpd as well; just need to get the regular expressions correct.
Are you trying to serve *really* big files? Why not scp or sftp?
I think the bigger problem here is that there is apparently a way for hackers to guess something and determine from your server's behavior useful information like 'valid username'. I don't understand why it fails differently depending on whether a correct username is entered (assuming a bad password).
P.S. send me an email so I can contact you.
I have to do regular FTP, because it is harder for most people to figure out how to do scp or sftp. I never use ftp myself, but most of my customers do. I suppose that Microsoft may have done the security world a favor by breaking FTP in the latest version of Internet Explorer - people will get used to using other clients, and then sftp or scp are about the same, from the non-technical user's viewpoint.
The return value for them is the same whether they get a wrong password or wrong username. The trouble is that hackers have basically unlimited resources (by hacking into unprotected machines all over the world (probably mostly in the US) and then using those hacked machines as a large network of coordinated attack machines).
When I said they occasionally get good usernames, that means out of all of their random guessing (and sometimes not so random - like "salemsattic", or "limedaley", etc.) sometimes they get real usernames, and then I have to count on the strength of my customers' passwords. If the hacker has a wrong username, I don't really care how many times he tries to login, as long as the CPU load stays low.
Denyhosts is great because it only allows so many attempts before blocking the IP. I no longer have to even think about ssh hack attempts, because the hacker has about 15-30 seconds at most to guess a username and valid password. If he guesses wrong usernames (or worse, privileged usernames (that wouldn't have ssh access anyway, so it is kind of silly to guess those)), he only has one attempt before his ip is blocked forever (and broadcast to a blacklist, so he will be blocked before he even tries anything on other people's machines).
I'll try sending you an email, but I thought you didn't accept non-secured email, and I am not sure if I have the floppy with your key on it... :)
For documentation purposes, my first attempts at the regular expressions were:
SSHD_FORMAT_REGEX=.* (sshd.*:|\[sshd\]|pure-ftpd:) (?P.*)
USERDEF_FAILED_ENTRY_REGEX=\(\?@(?P.*)\) \[WARNING\] Authentication failed for user \[(?P.*)\]