Author Topic: Always allow IP  (Read 1220 times)

Trond
Always allow IP
« on: March 01, 2016, 02:05:34 pm »
Hi
I have a server with the config parameter BanOnEvent like this:
BanOnEvent ClientConnectRate 5/00:01:00 01:00:00 "Stop connecting frequently"

Is there a way to never ban a specific IP, and still have these parameters set in the config file?

castaglia
Re: Always allow IP
« Reply #1 on: March 01, 2016, 04:23:18 pm »
Yes, using the mod_ifsession module, and Classes:

  http://www.proftpd.org/docs/howto/Classes.html
  http://www.proftpd.org/docs/contrib/mod_ifsession.html

For example:

  <Class special-client>
    # Add your special client's IP address here
    From 1.2.3.4
  </Class>

  <IfModule mod_ban.c>
    <IfClass special-client>
      # Disable mod_ban for these clients
      BanEngine off
    </IfClass>

    <IfClass !special-client>
      # Enable mod_ban for all other clients
      BanEngine on
    </IfClass>
  </IfModule>

Hope this helps!
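
Added example (not part of the original post, and not mod_ban's own code): a simplified Python model of what the BanOnEvent rule from the question means and how exempting a class of clients changes the outcome. The sliding-window counting, the ban-on-reaching-count comparison, the IP/CIDR-only `From` matching and the 203.0.113.9 client are assumptions made for illustration.

```python
# Simplified model of a BanOnEvent rule plus a Class exemption.
# Not mod_ban's code; window handling and threshold comparison are assumptions.
import ipaddress
from datetime import timedelta

def hms(text):
    """Parse the hh:mm:ss form used in BanOnEvent into a timedelta."""
    h, m, s = (int(part) for part in text.split(":"))
    return timedelta(hours=h, minutes=m, seconds=s)

def parse_ban_on_event(line):
    """Split 'BanOnEvent <event> <count>/<interval> <duration> ["msg"]'."""
    fields = line.split(None, 4)
    if len(fields) < 4 or fields[0] != "BanOnEvent":
        raise ValueError("not a BanOnEvent line: %r" % line)
    count, interval = fields[2].split("/", 1)
    return {"event": fields[1], "count": int(count),
            "interval": hms(interval), "duration": hms(fields[3])}

def in_class(client_ip, from_rules):
    """True if client_ip matches any 'From' entry (single IP or CIDR only)."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(rule, strict=False)
               for rule in from_rules)

def simulate(rule, exempt_from, events):
    """events: iterable of (seconds, client_ip). Returns {ip: ban_expiry_seconds}.

    Clients in the exempt class are treated as if BanEngine were off for
    their session: their events are never counted.
    """
    window = rule["interval"].total_seconds()
    recent, bans = {}, {}
    for ts, ip in sorted(events):
        if in_class(ip, exempt_from):
            continue
        if ip in bans and ts < bans[ip]:
            continue  # already banned; the connection would be rejected
        hits = [t for t in recent.get(ip, []) if ts - t < window] + [ts]
        recent[ip] = hits
        if len(hits) >= rule["count"]:
            bans[ip] = ts + rule["duration"].total_seconds()
            recent[ip] = []
    return bans

RULE = parse_ban_on_event(
    'BanOnEvent ClientConnectRate 5/00:01:00 01:00:00 "Stop connecting frequently"')
# Constructed sample: two clients each connect every 10 seconds, six times.
EVENTS = [(t, ip) for t in range(0, 60, 10) for ip in ("1.2.3.4", "203.0.113.9")]
BANS = simulate(RULE, ["1.2.3.4"], EVENTS)  # only the non-exempt client is banned
```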

Trond
Re: Always allow IP
« Reply #2 on: March 29, 2016, 01:00:52 pm »
The IP is still banned. Tried also to remove "BanEngine on" higher up in the config file, but no success:

From my config:

  LoadModule                    mod_ban.c
#  BanEngine                    on
  BanLog                        /var/log/proftpd/ban.log
  BanTable                      /var/run/proftpd/ban.tab

  # If the same client reaches the MaxLoginAttempts limit 2 times
  # within 10 minutes, automatically add a ban for that client that
  # will expire after one hour.
  BanOnEvent                    MaxLoginAttempts 2/00:10:00 01:00:00
  BanOnEvent ClientConnectRate 5/00:01:00 01:00:00 "Stop connecting frequently"

  # Inform the user that it's not worth persisting
  BanMessage                    "Host %a has been banned"

  # Allow the FTP admin to manually add/remove bans
  # BanControlsACLs             all allow user ftpadm
  BanControlsACLs               all allow user xxxxx



And the bottom of my config:
<Class special-client>
        From 1.2.3.4
</Class>

<IfModule mod_ban.c>
        <IfClass special-client>
           BanEngine off
        </IfClass>

        <IfClass !special-client>
           BanEngine on
        </IfClass>
</IfModule>




castaglia
Re: Always allow IP
« Reply #3 on: March 29, 2016, 04:12:19 pm »
What does proftpd debug logging, debug level 10, show?  What does `proftpd -V` show?

Trond
Re: Always allow IP
« Reply #4 on: April 03, 2017, 01:00:26 pm »
- using TCP receive buffer size of 87380 bytes
 - using TCP send buffer size of 16384 bytes
 - testing Unix domain socket using S_ISFIFO
 - testing Unix domain socket using S_ISSOCK
 - using S_ISSOCK macro for Unix domain socket detection
 - mod_tls/2.4.2: using OpenSSL 1.0.1e-fips 11 Feb 2013
 - disabling runtime support for IPv6 connections
 - retrieved UID 99 for user 'nobody'
 - retrieved GID 99 for group 'nobody'
 - loading 'mod_ctrls_admin.c'
 - loading 'mod_sftp.c'
 - mod_sftp/0.9.7: using OpenSSL 1.0.1e-fips 11 Feb 2013
 - loading 'mod_wrap2.c'
 - loading 'mod_wrap2_file.c'
 - loading 'mod_ifsession.c'
 - ROOT PRIVS at mod_ctrls.c:110
 - RELINQUISH PRIVS at mod_ctrls.c:112
 - <IfModule>: using 'mod_ctrls_admin.c' section at line 294
 - <IfModule>: using 'mod_vroot.c' section at line 301
 - <IfDefine>: skipping 'TLS' section at line 306
 - loading 'mod_ban.c'
 - <IfDefine>: skipping 'QOS' section at line 346
 - <IfDefine>: skipping 'ANONYMOUS_FTP' section at line 372
 - <IfModule>: using 'mod_sftp.c' section at line 428
 - <IfModule>: using 'mod_wrap2.c' section at line 452
 - <IfModule>: using 'mod_ban.c' section at line 466
 - UseReverseDNS off, returning IP address instead of DNS name
10.27.77.10 -
10.27.77.10 - Config for sftp.test.infotorg.no:
10.27.77.10 - <IfClass>
10.27.77.10 -  BanEngine
10.27.77.10 - <IfClass>
10.27.77.10 -  BanEngine
10.27.77.10 - ServerIdent
10.27.77.10 - DefaultServer
10.27.77.10 - DefaultRoot
10.27.77.10 - AuthPAMConfig
10.27.77.10 - AuthOrder
10.27.77.10 - AuthUserFile
10.27.77.10 - AuthGroupFile
10.27.77.10 - IdentLookups
10.27.77.10 - UserID
10.27.77.10 - UserName
10.27.77.10 - GroupID
10.27.77.10 - GroupName
10.27.77.10 - UseSendfile
10.27.77.10 - TransferLog
10.27.77.10 - VRootEngine
10.27.77.10 - HiddenStores
10.27.77.10 - SFTPEngine
10.27.77.10 - SFTPLog
10.27.77.10 - SFTPHostKey
10.27.77.10 - SFTPHostKey
10.27.77.10 - SFTPAuthorizedUserKeys
10.27.77.10 - SFTPOptions
10.27.77.10 - SFTPClientMatch
10.27.77.10 - SFTPClientMatch
10.27.77.10 - SFTPClientMatch
10.27.77.10 - SFTPClientMatch
10.27.77.10 - SFTPClientMatch
10.27.77.10 - SFTPClientMatch
10.27.77.10 - SFTPClientMatch
10.27.77.10 - SFTPClientMatch
10.27.77.10 - WrapEngine
10.27.77.10 - WrapTables
10.27.77.10 - WrapDenyMsg
10.27.77.10 - WrapLog
10.27.77.10 - Limit
10.27.77.10 -  AllowAll
10.27.77.10 - Umask
10.27.77.10 - AllowOverwrite
10.27.77.10 - ROOT PRIVS at mod_delay.c:354
10.27.77.10 - RELINQUISH PRIVS at mod_delay.c:359
10.27.77.10 - ROOT PRIVS at mod_ctrls.c:1139
10.27.77.10 - RELINQUISH PRIVS at mod_ctrls.c:1141
10.27.77.10 - mod_lang/0.9: binding to text domain 'proftpd' using locale path '/usr/share/locale'
10.27.77.10 - mod_lang/0.9: using locale files in '/usr/share/locale'
10.27.77.10 - mod_lang/0.9: added the following supported languages: ja_JP, zh_TW, fr_FR, bg_BG, zh_CN, it_IT, ko_KR, ru_RU, en_US
10.27.77.10 - ROOT PRIVS at keys.c:552
10.27.77.10 - RELINQUISH PRIVS at keys.c:554
10.27.77.10 - ROOT PRIVS at keys.c:552
10.27.77.10 - RELINQUISH PRIVS at keys.c:554
10.27.77.10 - ROOT PRIVS at mod_ban.c:2057
10.27.77.10 - RELINQUISH PRIVS at mod_ban.c:2059
10.27.77.10 - ROOT PRIVS at mod_ban.c:2089
10.27.77.10 - RELINQUISH PRIVS at mod_ban.c:2091
10.27.77.10 - retrieved group ID: 99
10.27.77.10 - setting group ID: 99
10.27.77.10 - SETUP PRIVS at main.c:3133
10.27.77.10 - ROOT PRIVS at main.c:2155
10.27.77.10 - RELINQUISH PRIVS at main.c:2162
10.27.77.10 - ROOT PRIVS at main.c:2490
10.27.77.10 - deleting existing scoreboard '/var/run/proftpd/proftpd.scoreboard'
10.27.77.10 - opening scoreboard '/var/run/proftpd/proftpd.scoreboard'
10.27.77.10 - RELINQUISH PRIVS at main.c:2516
10.27.77.10 - ROOT PRIVS at mod_ctrls_admin.c:1180
10.27.77.10 - opening scoreboard '/var/run/proftpd/proftpd.scoreboard'
10.27.77.10 - RELINQUISH PRIVS at mod_ctrls_admin.c:1182
10.27.77.10 - Failed binding to 0.0.0.0, port 2222: Address already in use
10.27.77.10 - Check the ServerType directive to ensure you are configured correctly.
10.27.77.10 - ROOT PRIVS at mod_delay.c:1346
10.27.77.10 - RELINQUISH PRIVS at mod_delay.c:1351
10.27.77.10 - mod_sftp/0.9.7: scrubbing 2 passphrases from memory
10.27.77.10 - ROOT PRIVS at mod_ban.c:1758
10.27.77.10 - RELINQUISH PRIVS at mod_ban.c:1760


proftpd -v
ProFTPD Version 1.3.3g



Trond
Re: Always allow IP
« Reply #5 on: April 03, 2017, 01:01:38 pm »
proftpd -V

Compile-time Settings:
  Version: 1.3.3g (maint)
  Platform: LINUX [Linux 2.6.32-642.13.1.el6.x86_64 x86_64]
  Built: Sat Jun 11 2016 10:16:46 UTC
  Built With:
    configure  '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--target=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--localstatedir=/var' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--libexecdir=/usr/libexec/proftpd' '--localstatedir=/var/run/proftpd' '--disable-strip' '--enable-ctrls' '--enable-dso' '--enable-facl' '--enable-ipv6' '--enable-nls' '--enable-openssl' '--enable-shadow' '--with-libraries=/usr/lib64/mysql' '--with-includes=/usr/include/mysql' '--with-modules=mod_readme:mod_auth_pam:mod_tls:mod_vroot' '--with-shared=mod_sql:mod_sql_passwd:mod_sql_mysql:mod_sql_postgres:mod_quotatab:mod_quotatab_file:mod_quotatab_ldap:mod_quotatab_radius:mod_quotatab_sql:mod_ldap:mod_ban:mod_wrap:mod_ctrls_admin:mod_facl:mod_load:mod_radius:mod_ratio:mod_rewrite:mod_site_misc:mod_exec:mod_shaper:mod_geoip:mod_wrap2:mod_wrap2_file:mod_wrap2_sql:mod_sftp:mod_sftp_pam:mod_sftp_sql:mod_tls_shmcache:mod_ifsession' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'target_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic'

  CFLAGS: -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -Wall
  LDFLAGS: -L$(top_srcdir)/lib  -L/usr/lib64/mysql
  LIBS: -lacl  -lssl -lcrypto -lssl -lcrypto -lcap  -lssl -lcrypto  -lpam -lsupp -lcrypt -ldl  -ldl -lz

  Files:
    Configuration File:
      /etc/proftpd.conf
    Pid File:
      /var/run/proftpd/proftpd.pid
    Scoreboard File:
      /var/run/proftpd/proftpd.scoreboard
    Header Directory:
      /usr/include/proftpd
    Shared Module Directory:
      /usr/libexec/proftpd

  Features:
    - Autoshadow support
    + Controls support
    + curses support
    - Developer support
    + DSO support
    + IPv6 support
    + Largefile support
    - Lastlog support
    + ncursesw support
    + NLS support
    + OpenSSL support
    + POSIX ACL support
    + Shadow file support
    + Sendfile support
    + Trace support

  Tunable Options:
    PR_TUNABLE_BUFFER_SIZE = 1024
    PR_TUNABLE_DEFAULT_RCVBUFSZ = 8192
    PR_TUNABLE_DEFAULT_SNDBUFSZ = 8192
    PR_TUNABLE_GLOBBING_MAX_MATCHES = 100000
    PR_TUNABLE_GLOBBING_MAX_RECURSION = 8
    PR_TUNABLE_HASH_TABLE_SIZE = 40
    PR_TUNABLE_NEW_POOL_SIZE = 512
    PR_TUNABLE_SCOREBOARD_BUFFER_SIZE = 80
    PR_TUNABLE_SCOREBOARD_SCRUB_TIMER = 30
    PR_TUNABLE_SELECT_TIMEOUT = 30
    PR_TUNABLE_TIMEOUTIDENT = 10
    PR_TUNABLE_TIMEOUTIDLE = 600
    PR_TUNABLE_TIMEOUTLINGER = 30
    PR_TUNABLE_TIMEOUTLOGIN = 300
    PR_TUNABLE_TIMEOUTNOXFER = 300
    PR_TUNABLE_TIMEOUTSTALLED = 3600
    PR_TUNABLE_XFER_SCOREBOARD_UPDATES = 10