Hi Edward,

Edward Pollard wrote:
> Hello all,
>
> I'm seeking to improve the security of my website. Content is maintained using Dreamweaver via FTP. Authentication is with LDAPUserFolder 2.3.
>
> I've never been able to get medusa to disallow anonymous/gibberish logins. Please tell me someone knows how to do this. I'd like users who type in passwords incorrectly to be denied access, not stuck in "No Privileges Land - Population 1".
>
> Those people without passwords and usernames should be denied access entirely, not be allowed to flood my server with commands that are, of course, denied. It's really obnoxious to have to service those that would do this, rather than deny them outright.
>
> I'm game for some monkey patches, if so required.
>
> Zope 2.6.2, for those that would ask.
Besides using an FTP proxy, you can change some defaults in the code to use a mechanism already built in. Here is something I did: in FTPServer.py, there is this comment at the beginning:

    43     FTP Authorization
    44
    45     Zope supports both normal and anonymous logins. It can be difficult
    46     to authorize Zope users since they are defined in distributed user
    47     databases. Normally, all logins will be accepted and then the user must
    48     proceed to 'cd' to a directory in which they are authorized. In this
    49     case for the purpose of FTP limits, the user is considered anonymous
    50     until they cd to an authorized directory.
    51
    52     Optionally, users can login with a special username which indicates
    53     where they are defined. Their login will then be authenticated in
    54     the indicated directory, and they will not be considered anonymous.
    55     The form of the name is '<username>@<path>' where path takes the form
    56     '<folder id>[/<folder id>...]' For example: 'amos@Foo/Bar' This will
    57     authenticate the user 'amos' in the directory '/Foo/Bar'. In addition
    58     the user's FTP session will be rooted in the authenticated directory,
    59     i.e. they will not be able to cd out of the directory.

This means, if we fake logins without @ to have a special folder in it, we can force authentication - and get a changeroot for grant. See:

    460     def cmd_pass(self, line):
    461         'specify password'
    462         if len(line) < 2:
    463             pw = ''
    464         else:
    465             pw = line[1]
    466         self.password=pw
    467         i=self.userid.find('@')
    468         if i ==-1:
    469             if self.server.limiter.check_limit(self):
    470                 self.respond ('230 Login successful.')
    471                 self.authorized = 1
    472                 self.anonymous = 1
    473                 self.log_info ('Successful login.')
    474             else:
    475                 self.respond('421 User limit reached. Closing connection.')
    476                 self.close_when_done()
    477         else:
    478             path=self.userid[i+1:]
    479             self.userid=self.userid[:i]
    480             self.anonymous=None
    481             response=make_response(self, self.pass_completion,
    482                                    self._join_paths('/',path))
    483             request=FTPRequest(path,'PASS',self,response)
    484             handle(self.module,request,response)

The else part is what we want here, so we can simply sourge it out, for example if we modify all userids to contain @ and the desired path, like this, between 466 and 477:

    self.userid=self.userid.split("@")[0]+"@/rootpathforallusers"

HTH
Tino Wildenhain
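As an added, stand-alone model (not code from the thread or from Zope) of the two cmd_pass branches and of Tino's userid rewrite applied as a wrapper, so the before/after behaviour can be checked without a running Zope; FakeChannel, login and patch_force_realm are constructed names, the limiter check is left out, and the realm path is only recorded, not authenticated against:

```python
ROOT_FOR_ALL_USERS = "/rootpathforallusers"   # path used in the thread


class FakeChannel:
    """Constructed stand-in for the FTP channel; not Zope's class."""

    def __init__(self, userid):
        self.userid = userid
        self.anonymous = None
        self.authorized = 0
        self.response = None
        self.authenticated_in = None  # folder the PASS was routed to, if any

    def cmd_pass(self, line):
        """Models the two branches of FTPServer.cmd_pass (limiter left out)."""
        i = self.userid.find('@')
        if i == -1:
            # no '@realm' in the userid: accepted as anonymous, password ignored
            self.response = '230 Login successful.'
            self.authorized = 1
            self.anonymous = 1
        else:
            # realm given: the PASS is authenticated against that folder
            self.authenticated_in = '/' + self.userid[i + 1:].lstrip('/')
            self.userid = self.userid[:i]
            self.anonymous = None


def patch_force_realm(cls, root=ROOT_FOR_ALL_USERS):
    """Tino's rewrite as a wrapper: every userid becomes '<name>@<root>', so the
    anonymous branch is unreachable and a client-supplied '@path' is replaced."""
    original = cls.cmd_pass

    def cmd_pass(self, line):
        self.userid = self.userid.split("@")[0] + "@" + root
        return original(self, line)

    cls.cmd_pass = cmd_pass


def login(userid, password, patched):
    """Run USER/PASS through a fresh channel class; returns (anonymous, realm)."""
    cls = type('Channel', (FakeChannel,), {})  # isolated class per call
    if patched:
        patch_force_realm(cls)
    ch = cls(userid)
    ch.cmd_pass(['PASS', password])
    return ch.anonymous, ch.authenticated_in
```

Unpatched, a bare username with any password lands in the anonymous branch; patched, it is routed to the fixed realm, and a username carrying its own '@Foo/Bar' is forced into the same realm rather than the one the client picked.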