this really helps us. i know that steve has a list of bad ftp users to reject out-of-hand, but this exponential backoff keeps the bad guys from bothering our auth server enough to notice. we still get quite a few connections, though
- erik /n/sources/plan9//sys/src/cmd/ip/ftpd.c:519,524 - ftpd.c:519,528 int usercmd(char *name) { + static int usercmds = 1000; + + if(usercmds <<= 1 > 2000) + sleep(usercmds); logit("user %s %s", name, nci->rsys); if(loggedin) return reply("530 Already logged in as %s", user); /n/sources/plan9//sys/src/cmd/ip/ftpd.c:537,542 - ftpd.c:541,548 strcpy(user, "none"); else if(anon_everybody) strcpy(user,"none"); + if(strcmp(user, "Administrator") == 0) + return reply("530 no way jose"); if(strcmp(user, "*none") == 0){ if(!anon_ok) return reply("530 Not logged in: anonymous disallowed"); /n/sources/plan9//sys/src/cmd/ip/ftpd.c:593,600 - ftpd.c:599,606 ch->nresp = strlen(response); ai = auth_response(ch); if(ai == nil) { - static long delay = 100; - + static long delay = 1000; + hoser: sleep(delay); /* deter password-guessers */ if (delay < 60*1000) delay *= 2; /n/sources/plan9//sys/src/cmd/ip/ftpd.c:601,607 - ftpd.c:607,613 return reply("530 Not logged in: %r"); } if(auth_chuid(ai, nil) < 0) - return reply("530 Not logged in: %r"); + goto hoser; auth_freechal(ch); ch = nil;
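Review bot: The new condition in usercmd, `if(usercmds <<= 1 > 2000)`, does not back off: `>` binds tighter than `<<=`, so it parses as `usercmds <<= (1 > 2000)`, shifts by zero, and sleeps a flat 1000 ms on every USER command. Splitting the update from the test and capping it the way the password-failure path caps `delay` gives the intended doubling and keeps the signed shift from overflowing on a long-lived connection: `if(usercmds < 60*1000) usercmds <<= 1;` followed by `if(usercmds > 2000) sleep(usercmds);`. usercmd's body continues outside the hunk.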
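Review bot: The added `strcmp(user, "Administrator") == 0` test in the second hunk is case-sensitive, so `administrator` or `ADMINISTRATOR` still falls through to the normal login path and on to the auth server. If the aim is to reject that name out of hand, `cistrcmp(user, "Administrator") == 0` covers the case variants. The code that fills `user` lies outside the hunk, so this assumes it holds the client-supplied name at this point.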
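Review bot: The `hoser:` label sits inside the `if(ai == nil)` block, and the last hunk jumps into that block with `goto hoser` from the `auth_chuid` failure branch, which is hard to follow and easy to break when the block is next edited. Folding both failures into one condition, `if(ai == nil || auth_chuid(ai, nil) < 0) {`, gives the same sleep-and-double behaviour with no label or goto. On the `auth_chuid` failure path `ai` is non-nil and nothing visible here releases it before the reply; if it is not freed elsewhere in the function, calling `auth_freeAI(ai)` before returning would stop each failed attempt from leaking it. The enclosing function starts and ends outside these hunks.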