tnftpd no tcp wrappers on freebsd

pierre-philipp braun

Jul 6, 2015, 8:57:54 AM
Hi Luke, hi NetBSD tech-userlevel,

I installed tnftpd as my favorite FTP daemon on a FreeBSD box but I
observed that I couldn't reject some dirty hackers trying to brute force
it, as it isn't linked against libwrap on that system. I guess or I
hope it is TCP wrappers capable on NetBSD, but that feature seems to be
missing on FreeBSD which also has a specific /etc/hosts.allow mechanism.

Compiling it from the ports tree or getting the prepared binary brings
the same. I also looked at ./configure --help output and didn't see
anything about tcp wrappers nor libwrap.

Is there some way that I can keep my daemon up while still being able to
refuse specific IP or hostnames trying to brute force?

Thanks
Best regards,
Pierre-Philipp

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-...@muc.de

Christos Zoulas

Jul 6, 2015, 12:57:16 PM
In article <559A697E...@nethence.com>,
pierre-philipp braun <pbr...@nethence.com> wrote:
>Hi Luke, hi NetBSD tech-userlevel,
>
>I installed tnftpd as my favorite FTP daemon on a FreeBSD box but I
>observed that I couldn't reject some dirty hackers trying to brute force
>it, as it isn't linked against libwrap on that system. I guess or I
>hope it is TCP wrappers capable on NetBSD, but that feature seems to be
>missing on FreeBSD which also has a specific /etc/hosts.allow mechanism.
>
>Compiling it from the ports tree or getting the prepared binary brings
>the same. I also looked at ./configure --help output and didn't see
>anything about tcp wrappers nor libwrap.
>
>Is there some way that I can keep my daemon up while still being able to
>refuse specific IP or hostnames trying to brute force?

tnftpd on NetBSD has been changed to use blacklistd to mitigate DoS attacks.
If you want to add TCP wrappers support in addition to that, please go ahead
and we'll integrate the patches.

christos

pierre-philipp braun

Jul 6, 2015, 1:29:01 PM
Hello Christos

> tnftpd on NetBSD has been changed to use blacklistd to mitigate DoS attacks.
> If you want to add TCP wrappers support in addition to that, please go ahead
> and we'll integrate the patches.

As I am not a developer I will simply use my firewall and/or try to
integrate tnftpd into the freebsd inetd.

Thanks.
Pierre-Ph

Luke Mewburn

Jul 6, 2015, 10:38:51 PM
On Mon, Jul 06, 2015 at 01:41:50PM +0200, pierre-philipp braun wrote:
| Hi Luke, hi NetBSD tech-userlevel,
|
| I installed tnftpd as my favorite FTP daemon on a FreeBSD box but
| I observed that I couldn't reject some dirty hackers trying to
| brute force it, as it isn't linked against libwrap on that system.
| I guess or I hope it is TCP wrappers capable on NetBSD, but that
| feature seems to be missing on FreeBSD which also has a specific
| /etc/hosts.allow mechanism.
|
| Compiling it from the ports tree or getting the prepared binary
| brings the same. I also looked at ./configure --help output and
| didn't see anything about tcp wrappers nor libwrap.

Neither ftpd (in base NetBSD) nor tnftpd (the portable version of the
former) have support for the TCP wrappers (libwrap).
I don't know if FreeBSD has modifications for that - at first glance
it does not appear to.


| Is there some way that I can keep my daemon up while still being
| able to refuse specific IP or hostnames trying to brute force?

The ftpd in NetBSD-current appears to support <blacklist.h>
but that isn't documented in ftpd(8) how it operates, and I
don't think it's reusable outside of NetBSD as a standalone
project (yet). (I didn't add blacklist.h to ftpd - Christos did)

regards,
Luke.