It's a rare day in the life of a systems administrator when he doesn't want to limit the access a user or network has to a resource. Whether the limits are prohibitions on access or limits on the amount of use that can be made, they are a fact of life on anything but the simplest of configurations.
There are a number of methods for controlling how long the daemon waits for connections to complete, and how long a connection is held open by the daemon while waiting for traffic. The times given in the various Timeout* directives are in seconds.
Setting the various timeouts too high can result in problems because connections are held open too long. Setting a timeout to zero is definitely recommended against: infinite timeouts are bad without a very good reason.
TimeoutIdle
Syntax: TimeoutIdle seconds
Default: TimeoutIdle 600
Context: server config
Compatibility: 0.99.0 and later
The TimeoutIdle directive configures the maximum number of seconds that proftpd will allow clients to stay connected without receiving any data on either the control or data connection. If data is received on either connection, the idle timer is reset. Setting TimeoutIdle to 0 disables the idle timer completely (clients can stay connected forever without sending data). This is generally a bad idea, as a "hung" TCP connection which is never properly disconnected (the remote network may have become disconnected from the Internet, etc.) will cause a child server to never exit (at least not for a considerable period of time) until it is manually killed.
I've got a problem with people who "hammer" my FTP site when it's quite busy. I have my max connections per IP set at 1, but when people hammer, they try connecting several times per second! This sometimes allows them to connect many times, often using up all the users for the account. I have looked through the documentation and have been unable to find something to eliminate this. Is there anything? Something I can configure to, let's say, "if user connects X times in X seconds, then ban or ignore for X minutes", etc. Any help would be appreciated. eric
You mean you have MaxClientsPerHost set to 1 already? If so, and a user from the same IP address can connect more than once, then this is presumably a bug (check the logs to make sure that they are coming from the same IP address). Or do you mean that they connect and disconnect quickly?
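The burst pattern described in this thread can at least be detected from the auth log. The following is an added example (not from the thread and not part of ProFTPD) that parses lines written in the LogFormat auth "%v [%P] %h %t \"%r\" %s" format used by the example configuration later in this chapter and reports hosts that send more than a threshold of USER commands within a sliding time window; the log lines, the host addresses and the thresholds are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the "auth" LogFormat from this chapter's example configuration:
#   LogFormat auth "%v [%P] %h %t \"%r\" %s"
# %v (ServerName) may contain spaces, so it is matched lazily up to " [pid] ".
LINE_RE = re.compile(
    r'^(?P<vhost>.+?) \[(?P<pid>\d+)\] (?P<host>\S+) '
    r'\[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3})$'
)

def parse_line(line):
    """Return (host, timestamp, request) for one auth-log line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("host"), ts, m.group("request")

def find_hammering(lines, max_attempts, window_seconds):
    """Return {host: peak attempts seen in one window} for every host that
    issued more than max_attempts USER commands inside any sliding window
    of window_seconds.  Lines that do not parse are skipped."""
    recent = defaultdict(deque)      # host -> timestamps still inside the window
    offenders = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        host, ts, request = parsed
        if not request.startswith("USER "):
            continue                  # one USER command per login attempt
        q = recent[host]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()               # drop attempts that fell out of the window
        if len(q) > max_attempts:
            offenders[host] = max(offenders.get(host, 0), len(q))
    return offenders

# Constructed sample: 198.51.100.7 retries five times in two seconds,
# while 192.0.2.20 logs in once.
SAMPLE_LOG = [
    'ftp.example.test [2041] 198.51.100.7 [14/Mar/2000:10:15:00 +0000] "USER anonymous" 331',
    'ftp.example.test [2042] 198.51.100.7 [14/Mar/2000:10:15:00 +0000] "USER anonymous" 331',
    'ftp.example.test [2043] 192.0.2.20 [14/Mar/2000:10:15:00 +0000] "USER anonymous" 331',
    'ftp.example.test [2043] 192.0.2.20 [14/Mar/2000:10:15:01 +0000] "PASS (hidden)" 230',
    'ftp.example.test [2044] 198.51.100.7 [14/Mar/2000:10:15:01 +0000] "USER anonymous" 331',
    'ftp.example.test [2045] 198.51.100.7 [14/Mar/2000:10:15:01 +0000] "USER anonymous" 331',
    'ftp.example.test [2046] 198.51.100.7 [14/Mar/2000:10:15:02 +0000] "USER anonymous" 331',
]
```

Running find_hammering(SAMPLE_LOG, 3, 10) reports only the retrying host; the same scan over a live auth.log is what would feed a "ban for X minutes" decision that proftpd itself does not offer here.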
How do I go about using the Class directive in proftpd? Under wu-ftpd, I could limit functions based on a defined class (anonymous, guest, etc.). How would you do this under proftpd? (i.e. anonymous could only do this, a real user from this IP could do this, whereas a real user from this other IP could do this!)

Class
Syntax: Class "name" limit|regex|ip value
Default: None
Context: server config
Compatibility: 1.2.0pre9 and later

Controls class-based access. Class-based access allows each connecting IP to be classified into a separate class. Each class has its own maximum number of connections. limit sets the maximum number of connections for that class name, regex sets a hostname regex (POSIX) for inclusion in the class, and ip sets an IP/netmask-based inclusion. The default class is called default.

Example:

    Classes on
    Class local limit 100
    Class default limit 10
    Class local regex .*foo.com
    Class local ip 172.16.1.0/24

This creates two classes, local and default, with local being everything in *.foo.com and 172.16.1.* combined.

Classes
Syntax: Classes on|off
Default: Off
Context: server config
Compatibility: 1.2.0pre9 and later

Enables class-based access control. See: Class.
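To make the Class semantics above concrete, here is an added example (not proftpd's own code) that parses Class directives and decides which class a connecting client falls into and whether its class still has a free slot. It takes the two-class example above as input; the order of matching (ip rules before regex rules, classes in configuration order) and the treatment of clients with no resolved hostname are assumptions of this model, not documented proftpd behaviour.

```python
import ipaddress
import re
from collections import defaultdict

def parse_classes(config_lines):
    """Parse 'Class <name> limit|regex|ip <value>' lines into
    {name: {"limit": int or None, "regex": [compiled], "ip": [network]}}.
    Other directives (e.g. 'Classes on') are ignored."""
    classes = defaultdict(lambda: {"limit": None, "regex": [], "ip": []})
    for raw in config_lines:
        parts = raw.split(None, 3)
        if len(parts) != 4 or parts[0] != "Class":
            continue
        _, name, kind, value = parts
        if kind == "limit":
            classes[name]["limit"] = int(value)
        elif kind == "regex":
            classes[name]["regex"].append(re.compile(value))   # POSIX-style search
        elif kind == "ip":
            # strict=False tolerates host bits in the network part
            classes[name]["ip"].append(ipaddress.ip_network(value, strict=False))
        else:
            raise ValueError("unknown Class keyword: %s" % kind)
    return dict(classes)

def classify(classes, ip, hostname=None):
    """Name of the first non-default class whose ip or regex rule matches.
    Without a resolved hostname (UseReverseDNS off) regex rules cannot match."""
    addr = ipaddress.ip_address(ip)
    for name, rules in classes.items():
        if name == "default":
            continue
        if any(addr in net for net in rules["ip"]):
            return name
        if hostname and any(r.search(hostname) for r in rules["regex"]):
            return name
    return "default"

def admit(classes, current_counts, ip, hostname=None):
    """Return (class_name, admitted) given the current per-class connection
    counts.  A class with no limit set admits everyone."""
    name = classify(classes, ip, hostname)
    limit = classes.get(name, {}).get("limit")
    return name, limit is None or current_counts.get(name, 0) < limit

# The two-class configuration from the Class directive text above.
EXAMPLE_CONFIG = [
    "Classes on",
    "Class local limit 100",
    "Class default limit 10",
    "Class local regex .*foo.com",
    "Class local ip 172.16.1.0/24",
]
```

Note that with UseReverseDNS off, as in the real-life configuration later in this chapter, only the ip rules can ever place a client in the local class.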
OK, been playing again :) Example of a real-life class-based config.
Example 14-1. Configuration using classes
    ServerName "Frostbite FTPserver"
    ServerType standalone
    DeferWelcome on
    Port 21
    Umask 002
    User ftp
    Group ftp
    TransferLog /var/spool/syslog/proftpd/xferlog.legacy
    DefaultRoot /ftp/ftp.linux.co.uk
    TimeoutLogin 120
    TimeoutIdle 600
    TimeoutNoTransfer 900
    TimeoutStalled 3600
    ScoreboardFile /var/run/proftpd
    LogFormat default "%h %l %u %t \"%r\" %s %b"
    LogFormat auth "%v [%P] %h %t \"%r\" %s"
    LogFormat write "%h %l %u %t \"%r\" %s %b"
    UseReverseDNS off
    MultilineRFC2228 on
    AllowFilter ".*/[a-zA-Z0-9 ]+$"
    Port 0

    <Global>
      DisplayLogin welcome.msg
      DisplayFirstChdir readme
      AllowOverwrite yes
      AccessGrantMsg "Welcome to Tux's kingdom oh chilly %u"
      DisplayConnect /ftp/ftp.linux.co.uk/login.msg
      IdentLookups off
      ExtendedLog /var/spool/syslog/proftpd/access.log WRITE,READ write
      ExtendedLog /var/spool/syslog/proftpd/auth.log AUTH auth
      ServerIdent on "Linux.co.uk server"
      AllowForeignAddress on
      PathDenyFilter "(\.htaccess)|(\.ftpaccess)$"
    </Global>

    # ----------------------------------------------------
    # ftp.linux.co.uk ("Linux.co.uk FTP Archive")
    # Contact : email@example.com
    #
    <VirtualHost 184.108.40.206>
      ServerAdmin firstname.lastname@example.org
      ServerName "Linux.co.uk FTP Archive"
      TransferLog /var/spool/syslog/xfer/ftp.linux.co.uk
      MaxLoginAttempts 3
      RequireValidShell no
      DefaultRoot /ftp/ftp.linux.co.uk
      User linux
      Group linux
      AllowOverwrite yes
      DefaultServer yes
      LoginPasswordPrompt off "Wibble"

      #
      # Allow 50 users from Local network, local WAN
      # Limit everyone else to 20 connections
      #
      Classes on
      Class local limit 50
      Class default limit 20
      Class local regex .*ftech.co.uk
      Class local ip 220.127.116.11/19
      Class local ip 18.104.22.168/17
      Class local ip 192.168.0.0/16

      <Anonymous /ftp/ftp.linux.co.uk>
        User ftp
        Group ftp
        UserAlias anonymous ftp
        RequireValidShell no
        ##MaxClients 200
        MaxClientsPerHost 5 "Please don't be a hog and open any more sessions"
        AccessGrantMsg "Welcome to Tux's kingdom oh chilly anonymous user"
        AllowForeignAddress on

        #
        # Global upload, no download or browsing.
        #
        <Directory pub/incoming/*>
          AllowOverwrite off
          <Limit STOR CWD XCWD CDUP MKD>
            AllowAll
          </Limit>
          <Limit READ DELE WRITE DIRS>
            DenyAll
          </Limit>
        </Directory>
      </Anonymous>
    </VirtualHost>
As of 1.2.0rc1 it is possible to prevent end users from altering the permissions on files in directories they have modify rights to. The AllowChmod directive, which defaults to deny, can be used to allow chmod on a server, global, virtual-host or directory basis, giving a much finer degree of control over what end users are capable of.