I have just recently got annoyed enough at my own dedicated server's FTP connection delay to go hunting for what causes the delay.
The "perpetrator" was the IdentLookups configuration option. It defaults to on, thus causing a noticeable delay on every connection attempt. When switched off, connections are made instantly.
So, my question is: what's the intended use of ident lookups? Not just in the context of an FTP server, but in general? Most firewalls block ident probes, so I don't see the point...
Can somebody enlighten me, please?
The ident protocol is used to provide the username related to a TCP connection, mainly when there are many users using a single IP address, like shared hosts, etc. It's not very common these days, so for FTP I think it's safe to disable it. IRC still uses it a lot. You can say it's a dying protocol, but hey, you never know.
It works by querying pairs of TCP ports: the ident client asks for a "port on server:port on client" pair from the ident server, which answers who is the user responsible for that connection.
Security people don't like this very much, which is why most firewalls block it too, and I tend to agree with them: you can easily enumerate pretty much all users on your servers using it.
RFC 1413 defines a 60-180 second timeout window on the server side, and a minimum wait time of 30 seconds on the client side, which can cause some nasty delays.
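As an added example (not part of the answer above), here is the RFC 1413 exchange in Python: the client sends the server-port, client-port pair to TCP port 113 and gets back either a USERID reply or an ERROR token; the socket timeout bounds how long a firewalled or silent port 113 can stall the caller, which is the delay the question describes. The sample replies are constructed in the RFC's own format, and the lookup function assumes a reachable peer.

```python
import socket
from typing import Optional, Tuple

IDENT_PORT = 113  # port assigned to the ident protocol by RFC 1413


def build_query(server_port: int, client_port: int) -> bytes:
    """Build the RFC 1413 request line: '<port-on-server> , <port-on-client>' CRLF."""
    return f"{server_port} , {client_port}\r\n".encode("ascii")


def parse_response(raw: bytes, expected: Optional[Tuple[int, int]] = None
                   ) -> Tuple[str, str]:
    """Parse an RFC 1413 reply into ("USERID", user) or ("ERROR", error-type).

    The server must echo the queried port pair; when `expected` is given, a
    mismatch is rejected so a stray reply cannot be attributed to the wrong
    connection. Anything not well-formed raises ValueError.
    """
    line = raw.decode("ascii", errors="replace").rstrip("\r\n")
    parts = [p.strip() for p in line.split(":", 3)]  # user-id may contain ':'
    if len(parts) < 3:
        raise ValueError(f"malformed ident reply: {line!r}")
    try:
        pair = tuple(int(x) for x in parts[0].split(","))
    except ValueError:
        raise ValueError(f"bad port pair in ident reply: {parts[0]!r}")
    if expected is not None and pair != expected:
        raise ValueError(f"ident reply for {pair}, expected {expected}")
    kind = parts[1].upper()
    if kind == "USERID" and len(parts) == 4:
        return ("USERID", parts[3])          # parts[2] is the opsys field
    if kind == "ERROR" and len(parts) == 3:
        return ("ERROR", parts[2].upper())   # NO-USER, HIDDEN-USER, ...
    raise ValueError(f"unrecognised ident reply: {line!r}")


def ident_lookup(peer_ip: str, server_port: int, client_port: int,
                 timeout: float = 2.0) -> Tuple[str, str]:
    """Ask the peer's ident server who owns the connection (network access assumed).

    If port 113 is silently dropped by a firewall, this call waits the full
    `timeout` before failing; that wait is what a server doing ident lookups
    adds to every incoming connection.
    """
    with socket.create_connection((peer_ip, IDENT_PORT), timeout=timeout) as s:
        s.sendall(build_query(server_port, client_port))
        data = b""
        while not data.endswith(b"\n") and len(data) < 1024:
            chunk = s.recv(256)
            if not chunk:
                break
            data += chunk
    return parse_response(data, expected=(server_port, client_port))


# Constructed sample replies in RFC 1413 format (not captured from a real host).
SAMPLE_OK = b"6191, 23 : USERID : UNIX : stjohns\r\n"
SAMPLE_ERR = b"6191, 23 : ERROR : NO-USER\r\n"
```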
With IdentLookups on, proftpd will attempt to get the username of a new connection using the RFC 1413 ident protocol. The delay is caused by proftpd waiting for the ident request to time out.