0

I am trying to configure the Apache FtpServer for windows, and i've got most of it running already, however I am having difficulty understanding the database user manager...

I am more or less a complete newbie to this and SQL, however I already have an FTP server up and running in Linux using VSFTPD. the company wants to migrate from linux to windows, and I have to create accounts for close to 5,000 users (which is why I want to use the database manager).

Here are my questions:

  1. I can see that the xml configuration controls the connection to the database, but how does it control authentication? can someone explain which section handles user authentication from the database? EDIT: by user authentication, I do not mean the database connection itself, but rather how FTPServer authenticates a connection THROUGH the database.

  2. How can I prevent / detect brute-force attempts against my server? our current linux ftp server uses DenyHosts for port 22 (ssh) and is hit by attacks at LEAST 20+ times a week, is there any kind of built-in authentication protection, and if not, can anyone suggest a way to create one? I know that the xml config has themax-login-failuressetting, which closes the connection after a certain number of attempts, but I need it to completely deny any further access from that IP, and not just close the connection.

Example:

Any attempt to log in with the following usernames results in immediate IP-BAN:

  • Root
  • Admin
  • Administrator
  • System
  • etc

Other settings

  • Attempts for non-existing users results in IP-BAN after # attempts for IP (including different users)
  • Attempts for existing users results in 60-second time out after # attempts (including different users)

Any and all help would be greatly appreciated. If you have any questions or require clarification on anything, please post a comment and I will make any necessary changes / replies.

Thanks.

Community
  • 1
  • 1
Jason
  • 185
  • 3
  • 11

1 Answers1

0

  1. See the example under Data source configuration here

  2. Apache Ftpserver does not provide this functionallity out of the box. You either have to extend it and program this yourself, or use some external system that parses its log files and dynamically add/remove firewall rules (something like what fail2ban does on linux)

nos
  • 223,662
  • 58
  • 417
  • 506
  • Do you know where the log files are stored? – Jason Jul 06 '11 at 19:33
  • By user authentication, I did not mean the database connection itself, but rather how FTPServer authenticates a connection THROUGH the database. Sorry if that was not clear. – Jason Jul 06 '11 at 19:36
  • The page contains the select statement it uses to fetch user information from the database, that's where it fetches the username/password pair from , which is used to compare the ftp login credentioals with (with optional hashing of the stored password) – nos Jul 06 '11 at 21:25