⚝
One Hat Cyber Team
⚝
Your IP:
216.73.216.93
Server IP:
65.108.141.171
Server:
Linux server.heloix.com 5.4.0-214-generic #234-Ubuntu SMP Fri Mar 14 23:50:27 UTC 2025 x86_64
Server Software:
Apache
PHP Version:
7.4.33
Buat File
|
Buat Folder
Eksekusi
Dir :
~
/
usr
/
share
/
doc
/
proftpd-doc
/
contrib
/
View File Name :
mod_digest.html
<!DOCTYPE html> <html> <head> <title>ProFTPD module mod_digest</title> </head> <body bgcolor=white> <hr> <center> <h2><b>ProFTPD module <code>mod_digest</code></b></h2> </center> <hr><br> <p> The <code>mod_digest</code> module offers functionality for calculating the hash (or <em>digest</em>) value of files. This is particularly useful when verifying the integrity of files. This functionality is used by the following custom FTP commands: <ul> <li><code>XCRC</code> (requests CRC32 digest/checksum) <li><code>MD5/XMD5</code> (requests MD5 digest/checksum) <li><code>XSHA</code>/<code>XSHA1</code> (requests SHA1 digest/checksum) <li><code>XSHA256</code> (requests SHA256 digest/checksum) <li><code>XSHA512</code> (requests SHA512 digest/checksum) </ul> In addition, <code>mod_digest</code> supports the more modern <a href="https://tools.ietf.org/html/draft-bryan-ftpext-hash-02"><code>HASH</code></a> command. <p> Depending on the file size and the hash function, it takes a fair amount of CPU and IO resources to calculate the result. Therefore decide wisely where to enable the features and set the <a href="#DigestMaxSize">DigestMaxSize</a> configuration directive appropriately. <p> This module was compiled and tested against ProFTPD 1.3.3 Installation instructions are discussed <a href="#Installation">here</a>. <p> The most current version of <code>mod_digest</code> is distributed with the ProFTPD source code. <h2>Author</h2> <p> Please contact TJ Saunders <tj <i>at</i> castaglia.org> with any questions, concerns, or suggestions regarding this module. <h2>Thanks</h2> <p> <i>2016-01-09</i>: Thanks to Mathias Berchtold <mb <i>at</i> smartftp.com> for his original <code>mod_digest</code>, upon which this version is based. <h2>Directives</h2> <ul> <li><a href="#DigestAlgorithms">DigestAlgorithms</a> <li><a href="#DigestCache">DigestCache</a> <li><a href="#DigestDefaultAlgorithm">DigestDefaultAlgorithm</a> <li><a href="#DigestEnable">DigestEnable</a> <li><a href="#DigestEngine">DigestEngine</a> <li><a href="#DigestMaxSize">DigestMaxSize</a> <li><a href="#DigestOptions">DigestOptions</a> </ul> <hr> <h3><a name="DigestAlgorithms">DigestAlgorithms</a></h3> <strong>Syntax:</strong> DigestAlgorithms <em>["crc32"|"md5"|"sha1"|"sha256"|"sha512"|"all"]</em><br> <strong>Default:</strong> DigestAlgorithms all<br> <strong>Context:</strong> server config, <VirtualHost>, <Global>, <Anonymous><br> <strong>Module:</strong> mod_digest<br> <strong>Compatibility:</strong> 1.3.6rc2 or later <p> The <code>DigestAlgorithms</code> directive configures the enabled digest algorithms. If no <code>DigestAlgorithms</code> directive is configured, then <b>all</b> supported digest algorithms are enabled. <p> Enabled digest algorithms are announced/discovered via the <code>FEAT</code> response. The following algorithms are currently supported by <code>mod_digest</code>: <ul> <li><code>crc32</code> (<i>e.g.</i> for the <code>XCRC</code> command) <li><code>md5</code> (<i>e.g.</i> for the <code>XMD5</code> command) <li><code>sha1</code> (<i>e.g.</i> for the <code>XSHA</code>/<code>XSHA1</code> commands) <li><code>sha256</code> (<i>e.g.</i> for the <code>XSHA256</code> command) <li><code>sha512</code> (<i>e.g.</i> for the <code>XSHA512</code> command) </ul> <p> <hr> <h3><a name="DigestCache">DigestCache</a></h3> <strong>Syntax:</strong> DigestCache <em>on|off|"size" count ["maxAge" secs]</em><br> <strong>Default:</strong> DigestCache size 10000 maxAge 30s<br> <strong>Context:</strong> server config, <VirtualHost>, <Global>, <Anonymous><br> <strong>Module:</strong> mod_digest<br> <strong>Compatibility:</strong> 1.3.6rc2 or later <p> The <code>mod_digest</code> module will cache the results of any checksum command, on a per-file basis. This improves performance, and reduces computational overhead. To disable this caching for any reason, use this directive: <pre> # Disable checksum caching DigestCache off </pre> <b>This is not recommended.</b> <p> The <code>DigestCache</code> directive can also be used to configure/tune the <em>max-size</em> of the in-memory cache. Note that once the maximum cache size is reached, any checksum FTP commands will be temporarily refused: <pre> # Use a smaller cache size DigestCache size 100 </pre> Cached digests will be expired/ignored after 30 seconds, by default. To change the expiration, you would use: <pre> # Retain cached entries longer DigestCache maxAge 60s </pre> <p> If <em>on</em> is used, <code>mod_digest</code> will use the default <em>max-size</em> of 10000: <pre> DigestCache on </pre> <p> <hr> <h3><a name="DigestDefaultAlgorithm">DigestDefaultAlgorithm</a></h3> <strong>Syntax:</strong> DigestDefaultAlgorithm <em>algo</em><br> <strong>Default:</strong> DigestDefaultAlgorithm sha1<br> <strong>Context:</strong> server config, <VirtualHost>, <Global><br> <strong>Module:</strong> mod_digest<br> <strong>Compatibility:</strong> 1.3.6rc3 or later <p> The default digest algorithm that the <code>mod_digest</code> module uses, for <i>e.g.</i> opportunistic digesting of file transfers, is SHA1. For selecting a different default algorithm, use the <code>DigestDefaultAlgorithm</code> directive: <pre> # Use MD5 rather than SHA1 as the default algorithm DigestDefaultAlgorithm md5 </pre> <p> <b>Note</b> that the <code>DigestAlgorithms</code> directive takes precedence; if the <code>DigestDefaultAlgorithm</code> is not included in the <code>DigestAlgorithms</code>, the default algorithm setting will be ignored. <p> <hr> <h3><a name="DigestEnable">DigestEnable</a></h3> <strong>Syntax:</strong> DigestEnable <em>on|off</em><br> <strong>Default:</strong> Non<br> <strong>Context:</strong> <code><Directory></code>, <code>.ftpaccess</code><br> <strong>Module:</strong> mod_digest<br> <strong>Compatibility:</strong> 1.3.6rc2 or later <p> The <code>DigestEnable</code> directive can be used to block or prevent checksumming/digests on files in the configured <code><Directory></code>. This can be <b>very</b> useful for preventing checksumming of files located on network-mounted filesystems, for example. <p> <hr> <h3><a name="DigestEngine">DigestEngine</a></h3> <strong>Syntax:</strong> DigestEngine <em>on|off</em><br> <strong>Default:</strong> DigestEngine on<br> <strong>Context:</strong> server config, <VirtualHost>, <Global>, <Anonymous><br> <strong>Module:</strong> mod_digest<br> <strong>Compatibility:</strong> 1.3.6rc2 or later <p> The <code>DigestEngine</code> directive enables or disables the handling of the checksum-related FTP commands by <code>mod_digest</code>, <i>i.e.</i>: <ul> <li><code>XCRC</code> <li><code>XMD5</code> <li><code>XSHA</code> <li><code>XSHA1</code> <li><code>XSHA256</code> <li><code>XSHA512</code> </ul> If the parameter is <em>off</em>, then these commands will be ignored. <p> <hr> <h3><a name="DigestMaxSize">DigestMaxSize</a></h3> <strong>Syntax:</strong> DigestMaxSize <em>number [units]</em><br> <strong>Default:</strong> None<br> <strong>Context:</strong> server config, <VirtualHost>, <Global>, <Anonymous><br> <strong>Module:</strong> mod_digest<br> <strong>Compatibility:</strong> 1.3.6rc2 or later <p> The <code>DigestMaxSize</code> directive configures the maximum number of bytes a single hash command is allowed to read from a file. If the number of bytes to be read from the file is greater than the configured <em>number</em> the server will refuse that command. <p> If no <code>DigestMaxSize</code> directive is configured, then there is no limit. It is highly <b>recommended</b> to set an upper limit. <p> Example: <pre> # Limit hashing to 1GB of data DigestMaxSize 1 GB </pre> <p> <hr> <h3><a name="DigestOptions">DigestOptions</a></h3> <strong>Syntax:</strong> DigestOptions <em>opt1 ...</em><br> <strong>Default:</strong> None<br> <strong>Context:</strong> server config, <code><VirtualHost></code>, <code><Global></code><br> <strong>Module:</strong> mod_digest<br> <strong>Compatibility:</strong> 1.3.6rc2 and later <p> The <code>DigestOptions</code> directive is used to configure various optional behavior of <code>mod_digest</code>. <p> The currently implemented options are: <ul> <li><code>NoTransferCache</code><br> <p> The <code>mod_digest</code> module will automatically calculate <b>and</b> cache the results of any transferred file, on a per-file basis. This is done assuming that many FTP clients will want to verify the integrity of the file just uploaded/downloaded. This improves performance, and reduces computational overhead. To disable this caching for any reason, use this option. <b>Not recommended.</b> <p> <b>Note</b>: The <code>NoTransferCache</code> option is <em>automatically</em> enabled when using ProFTPD versions before 1.3.6rc2, due to bugs/missing support in the older versions. </li> </ul> <p> <hr> <h2><a name="Installation">Installation</a></h2> The <code>mod_digest</code> module is distributed with ProFTPD. Follow the normal steps for using third-party modules in ProFTPD: <pre> $ ./configure --enable-openssl --with-modules=mod_digest </pre> To build <code>mod_digest</code> as a shared/DSO module: <pre> $ ./configure --enable-dso --enable-openssl --with-shared=mod_digest </pre> Then follow the usual steps: <pre> $ make $ make install </pre> <p> Alternatively, if your proftpd was compiled with DSO support, you can use the <code>prxs</code> tool to build <code>mod_digest</code> as a shared module: <pre> $ prxs -c -i -d mod_digest.c </pre> <p> <hr> <h2>Usage</h2> Example Configuration <pre> <IfModule mod_digest.c> # Set a limit on file sizes that can be digested DigestMaxSize 1 GB </IfModule> </pre> <p> <b>Recording Uploaded/Downloaded File Checksums</b><br> One particular use case that comes up is whether the <code>mod_digest</code> can be used to record the digests ("checksums") of uploaded/downloaded files in <i>e.g.</i> a SQL database. The answer is "yes", with some caveats. <p> First, here is a configuration excerpt showing show such functionality might be implemented, using <code>mod_digest</code> and <code>mod_sql</code>: <pre> <IfModule mod_digest.c> </IfModule> <IfModule mod_sql.c> ... SQLNamedQuery log-file-checksum FREEFORM "INSERT INTO file_checksums (user, file, algo, checksum) VALUES ('%u', '%f', '%{note:mod_digest.algo}', '%{note:mod_digest.digest}')" SQLLog RETR,STOR log-file-checksum ... </IfModule> </pre> As you can see, this makes use of the <code>%{note:...}</code> syntax of the <code>SQLLog</code> directive; the same syntax <em>also</em> works for <code>LogFormat</code> definitions as well. The <code>mod_digest</code> module uses the following notes: <ul> <li><em>mod_digest.algo</em> <p> Name of the digest algorithm used, <i>e.g.</i> "SHA1". </li> <p> <li><em>mod_digest.digest</em> <p> Calculated digest of the file as a hex-encoded lowercase string. </li> </ul> <p> Now, the caveats with this technique: <ul> <li>Does <b>not</b> work if the <code>NoTransferCache</code> <a href="#DigestOption">DigestOption</a> is used. <li>Only works for binary, not ASCII, FTP uploads/downloads currently. <li>Only works for uploads (<code>STOR</code>) and downloads (<code>RETR</code>), but not for appends (<code>APPE</code>) <b>or</b> resumed uploads/downloads (<code>REST</code> + <code>RETR/STOR</code>). <li>Does <b>not</b> work for FTP downloads if <code>UseSendfile</code> is in effect. </ul> In addition, the order in which the <code>mod_digest</code> and <code>mod_sql</code> appear in your build command is important; <code>mod_digest</code> <em>must come <b>after</b></em> <code>mod_sql</code>, otherwise the note values will <b>not</b> be populated properly in the <code>SQLLog</code> statement. Thus, if you are building static modules, your <code>--with-modules</code> parameter would look something like: <pre> $ ./configure --with-modules=mod_sql:mod_sql_mysql:mod_digest ... </pre> Or, if you are using shared modules, then your <code>LoadModule</code> directives must look like: <pre> LoadModule mod_sql.c LoadModule mod_sql_mysql.c LoadModule mod_digest.c </pre> <!-- Why? TCP-level checksums packet-level checksums _file_-level checksums (which is really what most people usually have in mind) transfers interrupted by timeouts SFTP has different ways of achieving this, via extensions (link to mod_sftp docs on extensions) validating uploads AND downloads (did I download everything? Did the upload succeed?) <p> It's also recommended to disable all features within the <Anonymous> context. How? <Anonymous> <IfModule mod_digest.c> DigestEngine off </IfModule> </Anonymous> <p> <b>Supported FTP Commands</b><br> cmd path cmd path [end] cmd path [off] [len] <pre> XCRC "/path/to/file with spaces" 0 100 </pre> --> <p> <hr> <font size=2><b><i> © Copyright 2016 TJ Saunders<br> All Rights Reserved<br> </i></b></font> <hr> </body> </html>