Xlight FTP Server Help Document

Virtual Server Configuration - Security

SSL Options

Force all users except anonymous users to login using SSL - When this option is selected, all users except anonymous users must switch to SSL mode to log in. To use this option, the FTP Server must be configured to use either explicit or implicit SSL.

Enable CCC (Clear Command Channel) command - The CCC (Clear Command Channel) command reverts the FTP control channel from SSL encryption to unencrypted clear-text mode. The reversion is made only after user authentication has finished, so the user's password is not sent in clear text. This command is mainly used when the FTP Server is behind a firewall that cannot handle SSL encryption on the FTP control channel. Note that after CCC only the login exchange was protected; the commands and file names exchanged on the control channel afterwards are visible on the network.

Control User's FTP Command Speed

FTP command speed before users log in - The allowed rate of FTP command execution (commands/second) before users log in. The value is between 0 and 1000; 0 (default) means 10 commands/second.

FTP command speed after users log in - The allowed rate of FTP command execution (commands/second) after users log in. The value is between 0 and 1000; 0 (default) means unlimited.

It is not necessary to let a user execute FTP commands as fast as possible; 10-20 FTP commands per second are enough in most scenarios. A high command rate lets a user monopolize the FTP server's CPU, which may reduce the server's capacity and slow down other users' transfers. Allow a fast command rate only when necessary. The FTP command speed option has no impact on users' file transfer speed.

Check User IP for Control and Data Connections

For PORT command, control and data connections must be from the same IP - When this option is enabled, the FTP server checks the destination IP in the PORT command and makes sure it is the same as the IP of the user's FTP control connection. Enabling this option prevents the FTP bounce attack, but the side effect is that it blocks site-to-site file transfer (also called FXP).

For PASV command, control and data connections must be from the same IP - When this option is enabled, the FTP server checks the source IP of the FTP data connection in PASV mode and makes sure it is the same as the IP of the user's FTP control connection. Enabling this option blocks site-to-site file transfer (also called FXP), but enhances the server's security.

IP Address Auto Blocking

Enable IP address auto blocking for making hammer connections - After enabling this option and setting proper parameters, the FTP server uses its protection mechanism to stop users who make hammer connections or attempt attacks against the server.

IP auto blocking last for - The time in seconds for which an auto-blocked IP address stays blocked. The block time is between 0 and 65535 seconds.

When any of the following IP address auto blocking conditions is met, the user is disconnected from the FTP server and forbidden to access the virtual server for the "IP auto blocking last for" time defined above.

Hammer connections - Defines the hammer condition (a number of connections within a number of seconds) for automatically blocking an IP. Note: if either the "connections in" or the "second" field is 0, this option is disabled.

Number of failed logins - The maximum allowed number of failed login attempts per FTP session. The value is between 0 and 255; a value of 0 disables this option.

Number of malicious behaviors - The maximum allowed number of malicious attempts per FTP session. The value is between 0 and 255; a value of 0 disables this option. The following are considered malicious behavior:

- A user tries to cause a buffer overflow by sending oversized commands, strings or filenames to the server.
- A user tries to delete files or directories that he doesn't have the permission to delete.
- A user tries to remove directories that he doesn't have the permission to remove.
- A user tries to upload files to a directory that he doesn't have the permission to upload.
- A user tries to rename files that he doesn't have the permission to rename.
- Other malicious behaviors internally judged by the FTP server.

Message for IP address auto blocking - If this message is set and a user with an auto-blocked IP connects to the FTP server, the server sends this message to the user and then closes the connection. If this message is not set and a user with an auto-blocked IP connects to the FTP server, the connection is closed without any message.
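The auto-blocking logic described in this section, as an added model in Python (not Xlight's own code): a sliding window counts new connections per IP, an IP that exceeds the hammer threshold is refused for the configured block time, and the same block() action is what the failed-login and malicious-behavior limits would call. The class and its parameter names are assumptions for illustration; the clock is injectable so the behaviour can be checked without waiting.

```python
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict

class IpAutoBlock:
    """Model of the IP auto-blocking described above (added example, not Xlight's code).
    Hammer rule: more than `connections` connections from one IP within `seconds`
    triggers a block; 0 in either field disables it, as in the help text.
    block_for: seconds an auto-blocked IP stays blocked (0-65535)."""

    def __init__(self, connections: int, seconds: int, block_for: int,
                 now: Callable[[], float] = time.time):
        if not 0 <= block_for <= 65535:
            raise ValueError("block time must be between 0 and 65535 seconds")
        self.connections, self.seconds, self.block_for = connections, seconds, block_for
        self.now = now
        self.history: Dict[str, Deque[float]] = defaultdict(deque)  # connect times per IP
        self.blocked_until: Dict[str, float] = {}

    def block(self, ip: str) -> None:
        """Start the block; also the action for the failed-login and malicious-behavior limits."""
        self.blocked_until[ip] = self.now() + self.block_for
        self.history.pop(ip, None)

    def is_blocked(self, ip: str) -> bool:
        until = self.blocked_until.get(ip)
        if until is None:
            return False
        if self.now() < until:
            return True
        del self.blocked_until[ip]  # block has expired
        return False

    def on_connect(self, ip: str) -> bool:
        """True if the new connection may proceed, False if it must be closed."""
        if self.is_blocked(ip):
            return False
        if self.connections <= 0 or self.seconds <= 0:  # hammer check disabled
            return True
        t = self.now()
        q = self.history[ip]
        q.append(t)
        while t - q[0] >= self.seconds:  # forget connections outside the window
            q.popleft()
        if len(q) > self.connections:
            self.block(ip)
            return False
        return True
```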

IP Address Deny and Allow List

IP address allowed - IP addresses allowed to access the virtual server. You can use an IP address range or a subnet mask. For example, the IP range "202.44.56.1-202.44.56.32" can be abbreviated as "202.44.56.1-32", and a subnet mask is written as 202.44.56.1/27.

IP address denied - IP addresses denied access to the virtual server.

Other IP allowed/denied file - A file for a large number of IP addresses and subnet masks. Each line of the file can hold only one IP address or subnet mask.

If you don't set up any denied or allowed IP list, all IPs are allowed by default. So there is no need to set up an allowed IP list alone, because all IPs are allowed by default. If you only want to deny some IPs, just set up the denied IP list; other IPs not in the denied IP list are allowed, because that is the default behavior.

If there is an overlap between denied and allowed IPs, the allowed and denied IP lists work together as follows:

1. The server first checks whether the IP is in the denied IP list; if it is not, the IP is allowed.

2. If the IP is in the denied IP list, the server makes an additional check to see whether it is in the allowed IP list; if it is, the IP is allowed; otherwise it is denied.
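The list formats and the two-step precedence above, as an added Python example (not Xlight's own code): it parses the single-address, full-range, abbreviated-range and subnet-mask forms shown in this section, loads a one-entry-per-line file, and evaluates an address the way steps 1 and 2 describe. The function names are assumptions, and the abbreviated range form is assumed to be IPv4 only.

```python
import ipaddress
from typing import List, Tuple

def parse_entry(entry: str) -> Tuple[int, int]:
    """Parse one allow/deny entry into an inclusive (low, high) integer range.

    Accepted forms, following the help text: a single address "202.44.56.5",
    a full range "202.44.56.1-202.44.56.32", the abbreviated range
    "202.44.56.1-32" (only the last octet of the end address given), and a
    subnet mask written as CIDR "202.44.56.1/27".
    """
    entry = entry.strip()
    if "/" in entry:
        net = ipaddress.ip_network(entry, strict=False)  # host bits are tolerated
        return int(net.network_address), int(net.broadcast_address)
    if "-" in entry:
        low_s, high_s = (s.strip() for s in entry.split("-", 1))
        if "." not in high_s:  # abbreviated form: reuse the first three octets (IPv4)
            high_s = low_s.rsplit(".", 1)[0] + "." + high_s
        low, high = int(ipaddress.ip_address(low_s)), int(ipaddress.ip_address(high_s))
        if high < low:
            raise ValueError("range end is before range start: " + entry)
        return low, high
    addr = int(ipaddress.ip_address(entry))
    return addr, addr

def load_entries(text: str) -> List[str]:
    """Entries from an 'other IP allowed/denied file': one entry per line, blanks skipped."""
    return [line.strip() for line in text.splitlines() if line.strip()]

def in_list(ip: str, entries: List[str]) -> bool:
    n = int(ipaddress.ip_address(ip))
    return any(lo <= n <= hi for lo, hi in map(parse_entry, entries))

def is_allowed(ip: str, denied: List[str], allowed: List[str]) -> bool:
    """Documented precedence: not denied -> allowed (step 1); denied but also in
    the allowed list -> allowed, otherwise denied (step 2). Empty lists allow all,
    so an allowed list on its own changes nothing."""
    if not in_list(ip, denied):
        return True
    return in_list(ip, allowed)
```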

Anti Leech Protection

As a webmaster hosting many downloadable files on a website, you may face the problem that someone copies your file links and puts them on his own website, which may use up all of your site's bandwidth. With the help of anti-leech protection, you can prevent this behavior and save your bandwidth.

Xlight FTP provides a new mechanism for anti-leech protection: it automatically adds a random path part in front of all FTP links. For example, if the previous FTP link is "/public/download/test.txt", after enabling anti-leech protection the link becomes "/xxxx/public/download/test.txt", where "xxxx" is the random path part added by Xlight FTP Server. Xlight can be configured to change "xxxx" periodically, so the whole download link "/xxxx/public/download/test.txt" changes as well. Without knowing the top path "xxxx", a leecher cannot download anything from the FTP server.

Whenever the anti-leech random path part changes, Xlight FTP can be configured either to write the changed random part "xxxx" to a file or to execute an external program and pass the random part "xxxx" as its argument. You can use these methods to update the download links on your websites.

In the xferlog of the Xlight FTP Server, the random anti-leech path part is removed, so anti-leech protection won't impact the download statistics of the Xlight FTP Server.

Enable path anti-leech protection - This will turn on anti-leech protection in the virtual server.

Generate a new anti-leech path every (minute) - How often (in minutes) the anti-leech path changes.

After path changes, keep the old anti-leech path valid for (minutes) - There can be a delay between the time the FTP server changes the anti-leech path and the time the website finally updates its download links with the new path. During that period the website still publishes the old anti-leech path, so a user who clicks a download link then would get an invalid link. This option prevents that scenario: when you set a time value here, both the old and the new links work during this period after an anti-leech path change. Make sure this period is not larger than the interval at which the anti-leech path changes (the previous option).

Hide anti-leech path from directory list - The random anti-leech path "xxxx" can be hidden from the directory list, so that nobody (even someone who connects directly to the FTP server) sees "xxxx" except by getting download links from the website.

Update anti-leech path change to file - Whenever the anti-leech path changes in the FTP server, the new anti-leech path part "xxxx" can be written to a file at the same time. An external program can read this file periodically and update the download links on the website when the anti-leech path changes.

Execute program when the anti-leech path changes - Whenever the anti-leech path changes in the FTP server, the FTP server can execute an external program at the same time and pass the new anti-leech path "xxxx" as the first argument to this program.
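The rotation, grace period and change notification described in this section, as an added Python model (not Xlight's own code): a random "xxxx" part is generated with a cryptographic source, links are published with it, requests are mapped back to the real path, the previous part keeps working only within the grace period, and a callback stands in for the write-to-file or execute-program hook. The class, its parameter names, and the use of seconds instead of minutes are assumptions for illustration; the clock is injectable so the behaviour can be checked without waiting.

```python
import secrets
import time
from typing import Callable, Optional

class AntiLeechPath:
    """Rotating random top-level path, as described above (added example, not Xlight's code).
    rotate_every / grace are in seconds here (the options above use minutes). on_change
    stands in for "write the new part to a file" or "run an external program with it"."""

    def __init__(self, rotate_every: float, grace: float,
                 on_change: Callable[[str], None] = lambda part: None,
                 now: Callable[[], float] = time.time):
        if not 0 <= grace <= rotate_every:
            raise ValueError("grace period must not exceed the rotation period")
        self.rotate_every, self.grace, self.on_change, self.now = rotate_every, grace, on_change, now
        self.current = self._new_part()
        self.previous: Optional[str] = None
        self.changed_at = now()

    @staticmethod
    def _new_part() -> str:
        return secrets.token_urlsafe(9)  # 12 URL-safe chars from 72 random bits: not guessable

    def _rotate_if_due(self) -> None:
        while self.now() - self.changed_at >= self.rotate_every:
            self.previous, self.current = self.current, self._new_part()
            self.changed_at += self.rotate_every
            self.on_change(self.current)  # file update / external program hook

    def public_link(self, real_path: str) -> str:
        """Link to publish on the website: "/xxxx" + the real path."""
        self._rotate_if_due()
        return "/" + self.current + real_path

    def resolve(self, requested: str) -> Optional[str]:
        """Map a requested path back to the real path, or None if the part is unknown or expired."""
        self._rotate_if_due()
        parts = requested.split("/", 2)  # "/xxxx/public/x.txt" -> ["", "xxxx", "public/x.txt"]
        if len(parts) < 3 or parts[0] != "":
            return None
        part, rest = parts[1], "/" + parts[2]
        if part == self.current:
            return rest
        if part == self.previous and self.now() - self.changed_at < self.grace:
            return rest  # old part still valid during the grace period
        return None
```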