# mldonkey security bug?

## queen

I installed mldonkey a few days ago. To my amazement I found today in /home

```
drwxr-xr-x  2 p2p    root    48 Jul 17 00:37 p2p
```

Is that normal? I also found in /etc/passwd

```
p2p:x:103:100:added by portage for mldonkey:/home/p2p:/bin/bash
```

----------

## Rob1n

Looks about right, yes - mldonkey will run in the background as a daemon process using the non-privileged p2p account.  You then connect to the daemon using one of the client interfaces (graphical client, web client, etc) from your account.  This means that any security holes in the mldonkey process don't allow access to your (or any other user's) files.

----------

## queen

 *Rob1n wrote:*   

> Looks about right, yes - mldonkey will run in the background as a daemon process using the non-privileged p2p account.  You then connect to the daemon using one of the client interfaces (graphical client, web client, etc) from your account.  This means that any security holes in the mldonkey process don't allow access to your (or any other user's) files.

 

ok, thanks. 

BTW, when I tried to configure it, I couldn't see the servers, couldn't add new servers. Weird. Am I doing something wrong?

----------

## Rob1n

Dunno really - I've not used mldonkey in years.  Have you downloaded an updated server list?  Last time I used it none of the server list sources they provided worked, so I had to search for one online.

----------

## wrdaniel

 *queen wrote:*   

>  BTW, when I tried to configure it, I couldn't see the servers, couldn't add new servers. Weird. Am I doing something wrong?

 

you may need to forward some ports in your router?!

----------

## queen

 *wrdaniel wrote:*   

>  *queen wrote:*    BTW, when I tried to configure it, I couldn't see the servers, couldn't add new servers. Weird. Am I doing something wrong? 
> 
> you may need to forward some ports in your router?!

 

I have the ports forwarded from previous amule 4662, 4672. Do I need to reconfigure them again? It didn't have any servers at all. From where do I have to dl the servers list?

I want to configure it for bittorrent and dc++ too so for these I will have to add the relevant ports.

----------

## GNUtoo

first do you see your daemon?

can the client connect to the daemon?

----------

## queen

 *GNUtoo wrote:*   

> first do you see your daemon?
> 
> can the client connect to the daemon?

 

I can see the daemon. 

```
  mlnet -daemon

2007/07/21 21:53:19 [cO] Starting MLDonkey 2.8.7 ...

2007/07/21 21:53:19 [cO] Language EN, locale ANSI_X3.4-1968, ulimit for open files 1024

2007/07/21 21:53:19 [cO] MLDonkey is working in .

2007/07/21 21:53:19 [Gettext] Loading language resource mlnet_strings.EN_ANSI_X3.4-1968

2007/07/21 21:53:19 [cO] loaded language resource file

2007/07/21 21:53:19 [DNS] Resolving [carin] ...

2007/07/21 21:53:19 [DNS] Resolving [www.mldonkey.org] ...

2007/07/21 21:53:19 [cO] Logging in ./mlnet.log

```

I don't know how to connect the client to the daemon. I don't see in the documentation of mldonkey something like this. When I open mldonkey I see reconnect to-> and there I have localhost:4001

Here is what I tried so far: 

```
ssh 127.0.0.1 4000
```

 (because I don't have telnet)

```
The authenticity of host '127.0.0.1 (127.0.0.1)' can't be established.

RSA key fingerprint is 73:22:33:44:8a:c5:46:37:b1:17:bd:91:ab:77:b2:3a.

Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added '127.0.0.1' (RSA) to the list of known hosts.

Password:

```

 I didn't know the passwd in this case. 

I also tried 

```
ssh 192.168.1.100 4000

The authenticity of host '192.168.1.100 (192.168.1.100)' can't be established.

RSA key fingerprint is 73:22:33:44:8a:c5:46:37:b1:17:bd:91:ab:77:b2:3a.

Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added '192.168.1.100' (RSA) to the list of known hosts.

Password:

```

Also here I don't know the passwd. 

Please excuse me for the noob questions. I can't seem to find a decent documentation how to work with it. It's spread all over different links, and no proper step by step how to make it work.

----------

## GNUtoo

don't ssh into the machine like this... if the daemon is running on the same machine as the client, do the following:

it's easy:

```
ssh -L 4001:localhost:4001 youruser@yourmachine -p yourport
```

yourport is the port you defined in sshd_config

if you don't know what it is, just run:

```
ssh -L 4001:localhost:4001 youruser@yourmachine
```

after that, run (in a local console, not in ssh):

```
mlgui
```

telnet is another interface and you need telnet that is in portage but it's less complete...

another interface would be the web interface...

----------

## queen

 *GNUtoo wrote:*   

> don't ssh into the machine like this... if the daemon is running on the same machine as the client, do the following:
> 
> it's easy:
> 
> ...

 

OK. I ran 

```
ssh -L 4001:localhost:4001 youruser@yourmachine
```

 and it worked. 

Then I launched 

```
mlgui

2007/07/21 23:43:39 [cO] Starting MLDonkey 2.8.7 ...

2007/07/21 23:43:39 [cO] Language EN, locale ANSI_X3.4-1968, ulimit for open files 1024

2007/07/21 23:43:39 [cO] MLDonkey is working in /home/carin/.mldonkey

2007/07/21 23:43:39 [Gettext] Loading language resource mlnet_strings.EN_ANSI_X3.4-1968

2007/07/21 23:43:39 [cO] loaded language resource file

2007/07/21 23:43:39 [DNS] Resolving [carin] ...

2007/07/21 23:43:39 Starting MLGui 2.8.7 ...

2007/07/21 23:43:39 MLGui is working in /home/carin/.mldonkey

2007/07/21 23:43:39 [Gettext] Loading language resource ./mlgui_strings.EN_ANSI_X3.4-1968

GuiConfig: Parameter type: Language

   name : gtk_client_lang

   value : English

GuiConfig: Parameter type: Toolbar

   name : gtk_look_toolbars_style

   value : both

2007/07/21 23:43:39 [DNS] Resolving [localhost] ...

GuiConfig: Parameter type: Language

   name : gtk_client_lang

   value : English

GuiConfig: Parameter type: Toolbar

   name : gtk_look_toolbars_style

   value : both

GuiConfigWindow: Help box width 477

GuiConfigWindow: Help box width 477

GuiConfigWindow: Help box width 477

GuiConfigWindow: Help box width 477

GuiConfigWindow: Help box width 477

GuiConfig: MLgui option saved

   name: gtk_look_toolbars_icon_size

   value: 14
```

But still, I don't see a list of servers and it doesn't connect to localhost:4001. It tries and then fails after a few seconds. I opened port 4001 in the router, although I am not sure it's needed.

----------

## GNUtoo

for torrent open the following ports (/home/p2p/mldonkey/bittorrent.ini):

6881 for the connection to the other clients

6882 for the tracker

for edonkey open the following ports (/home/p2p/mldonkey):

14935 for the connection to other clients (donkey)

13013 for the connection to other clients (overnet)

21631 for the connection to other clients (kad)

----------

## queen

 *GNUtoo wrote:*   

> for torrent open the following ports(/home/p2p/mldonkey/bittorrent.ini):
> 
> 6881 for the connection to the others clients
> 
> 6882 for the tracker
> ...

 

OK. I opened the ports. The problem is that in the gui I don't see servers. I can't add servers as well. Yet the servers list appears in mldonkey directory. Is something wrong with the servers list? I tried to find an alternative server list on the web but couldn't find any server.ini.

And the main problem: it doesn't connect to the host.

----------

## GNUtoo

maybe your Internet Service Provider is blocking all the p2p ports?

does it work with another client?

and what's your provider?

----------

## queen

 *GNUtoo wrote:*   

> maybe your Internet Service Provider is blocking all the p2p ports?
> 
> does it work with another client?
> 
> and what's your provider?

 

The ISP doesn't block any ports. I checked that a long time ago. I have a fixed ip to connect directly to the internet and I use my linksys wrt54gc router in which I open the ports I want.  My provider is 012 from Israel. 

I used to have amule before that and it managed to connect and have the list of servers. I wanted to switch to mldonkey because amule was slow and it didn't have torrents and overnet in the same client. I read that mldonkey has many more features and less buggy than amule.

----------

## spiralvoice

Hi,

I am trying to answer your postings by providing a list of statements:

MLDonkey documentation can be found in the MLdonkey Wiki: http://mldonkey.sourceforge.net/

MLDonkey does not support SSH

it can be connected using Telnet on port 4000, HTML on port 4080 or with a GUI on port 4001

my favourite GUI is Sancho -> http://sancho-gui.sf.net

for MLDonkey setup I prefer using its HTML interface

Do not open any of the UI ports on your router, MLDonkey has no security code against brute-force password attacks. But the default setting for MLDonkey is to accept UI connections only from 127.0.0.1, the local machine MLDonkey works on. To change that, change option allowed_ips. To access MLDonkey from outside your network use an SSH tunnel.

To start MLDonkey in Gentoo: /etc/init.d/mldonkey start

This will use /home/p2p as base directory for all ini files, downloads etc.

To start MLDonkey when the machine boots: rc-update add mldonkey default

After MLDonkey started, connect to it and use command "portinfo" to see which ports MLDonkey uses and configure your firewall according to that list

Donkey ports are random, same as with eMule, so the ports GNUtoo wrote are not the same as yours

After configuring your firewall you can use MLDonkey command "porttest" to check EDK and BT ports

MLDonkey includes URLs to download an EDK serverlist automatically

In mlnet.log you will find more interesting messages from MLDonkey.

----------

## queen

Thank you very much. I installed sancho and it looks great. In donkey it connects just fine. At last.  I changed some of the options there like adding kad network but it doesn't appear in the tab bar at the bottom. I probably miss something.

Also, I couldn't find in the preferences in which directory the downloaded files will appear. 

Right now it has only 4 servers. I tried to get an updated list but it doesn't do anything. Maybe the link is old. 

The list of the portinfo I get is 

```

BitTorrent|  6882|client_port TCP

BitTorrent|  6881|tracker_port TCP

Core      |  4080|http_port

Core      |  4000|telnet_port

Core      |  4001|gui_port

Donkey    |  8726|client_port TCP

Donkey    |  8730|client_port UDP

Donkey    | 13133|overnet_port TCP+UDP

Donkey    | 16687|kademlia_port UDP
```


I don't have telnet and don't want to install.  Do I need to open port 4001 in the router?

I tried to dl a torrent just to check and sancho crashed. 

```

/opt/bin/sancho: line 8:  9699 Aborted                 ./sancho-bin ${*}
```

Any idea why it happened?

Thanks in advance,

Queen

 *spiralvoice wrote:*   

> Hi,
> 
> I am trying to answer your postings by providing a list of statements:
> 
> MLDonkey documentation can be found in the MLdonkey Wiki: http://mldonkey.sourceforge.net/
> ...

 

----------

## GNUtoo

 *spiralvoice wrote:*   

> 
> 
> MLDonkey does not support SSH

 

no it doesn't but ssh can do what we call port forwarding... it forwards an open port of a machine to another... and so you can safely connect your client (the GUI) to the server if the client and the server aren't located on the same computer

----------

## queen

 *GNUtoo wrote:*   

>  *spiralvoice wrote:*   
> 
> MLDonkey does not support SSH 
> 
> no it doesn't but ssh can do what we call port forwarding... it forwards an open port of a machine to another... and so you can safely connect your client (the GUI) to the server if the client and the server aren't located on the same computer

 

The client and the daemon run on the same computer in my case.

----------

## spiralvoice

 *queen wrote:*   

> I changed some of the options there like adding kad network but it doesn't appear in the tab bar at the bottom. I probably miss something.

 

Kademlia and Overnet are sub-modules of the donkey module.

You will not see them in Sancho as separate networks, that's ok.

 *queen wrote:*   

> Also, I couldn't find in the preferences in which the directory the downloaded files will appear. 

 

Connect to http://localhost:4080 - click Options, Shares and read its helptext.

 *queen wrote:*   

> The list of the portinfo I get is
> 
> ...

 

Not really interesting for me, did you set up your router according to the displayed values?

In the HTML interface click Help+, Porttest, then after some seconds "Refresh results".

Repeat "Refresh results" until you see them.

 *queen wrote:*   

> I don't have telnet and don't want to install.

 

Ok, it's not needed for MLDonkey, you can use a GUI or the HTML interface instead.

 *queen wrote:*   

>  Do I need to open port 4001 in the router?

 

No, that's the GUI port and it's a bad idea to open it to the world.

 *queen wrote:*   

> I tried to dl a torrent just to check and sancho crashed. 
> 
> ```
> /opt/bin/sancho: line 8:  9699 Aborted                 ./sancho-bin ${*}
> ```
> ...

 

No, but could you tell me the exact steps you did to make Sancho crash?
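
An added example, not part of the original thread and not MLDonkey code: a Python audit that compares router forwarding rules with the `portinfo` listing posted above, flagging any forwarded Core (UI) port such as 4001 and listing P2P listeners that still lack a forward. The forwarding rules are a constructed sample, and the function names are hypothetical.

```python
import re

# One row of MLDonkey `portinfo` output: network | port | option [protocol]
ROW = re.compile(r"^\s*(\w+)\s*\|\s*(\d+)\s*\|\s*(\S+)(?:\s+(\S+))?\s*$")

# The portinfo listing posted in the thread.
SAMPLE_PORTINFO = """\
BitTorrent|  6882|client_port TCP
BitTorrent|  6881|tracker_port TCP
Core      |  4080|http_port
Core      |  4000|telnet_port
Core      |  4001|gui_port
Donkey    |  8726|client_port TCP
Donkey    |  8730|client_port UDP
Donkey    | 13133|overnet_port TCP+UDP
Donkey    | 16687|kademlia_port UDP
"""

# Constructed router forwarding rules (port, protocol); not taken from a real router.
SAMPLE_FORWARDS = [(4662, "TCP"), (4672, "UDP"), (4001, "TCP"), (6881, "TCP"),
                   (6882, "TCP"), (8726, "TCP"), (8730, "UDP")]


def parse_portinfo(text):
    """Return a list of (network, port, option, protocols) tuples."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # skip blank lines and anything that is not a table row
        network, port, option, proto = m.groups()
        # Core (UI) rows carry no protocol column; the UI listeners are TCP.
        protos = frozenset(proto.upper().split("+")) if proto else frozenset({"TCP"})
        rows.append((network, int(port), option, protos))
    return rows


def audit_forwards(portinfo_text, forwards):
    """Compare router forwards with portinfo.

    Returns (exposed_ui, missing_p2p, stale):
      exposed_ui  - forwarded ports that belong to the Core UI (never forward these)
      missing_p2p - P2P listeners that have no matching forward
      stale       - forwards that match nothing MLDonkey listens on
    """
    rows = parse_portinfo(portinfo_text)
    ui = {port: option for net, port, option, _ in rows if net == "Core"}
    p2p = {(port, proto): f"{net} {option}"
           for net, port, option, protos in rows if net != "Core" for proto in protos}
    forwards = {(int(port), proto.upper()) for port, proto in forwards}

    exposed_ui = sorted((port, proto, ui[port]) for port, proto in forwards if port in ui)
    missing_p2p = sorted((port, proto, label) for (port, proto), label in p2p.items()
                         if (port, proto) not in forwards)
    stale = sorted(f for f in forwards if f[0] not in ui and f not in p2p)
    return exposed_ui, missing_p2p, stale


if __name__ == "__main__":
    exposed, missing, stale = audit_forwards(SAMPLE_PORTINFO, SAMPLE_FORWARDS)
    for port, proto, option in exposed:
        print(f"REMOVE forward {port}/{proto}: MLDonkey UI port ({option})")
    for port, proto, label in missing:
        print(f"not forwarded: {port}/{proto} ({label})")
    for port, proto in stale:
        print(f"stale forward: {port}/{proto} matches no MLDonkey listener")
```

Matching on the `Core` column rather than on fixed port numbers keeps the check valid when the UI ports have been moved from their defaults.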

----------

## queen

 *Quote:*   

> 
> 
> Connect to http://localhost:4080 - click Options, Shares and read its helptext.

 

OK, found it. Thanks.  :Wink: 

 *Quote:*   

> 
> 
> Not really interesting for me, did you setup your router according to the displayed values?
> 
> In the HTML interface click Help+, Porttest, then after some seconds "Refresh results".
> ...

 

Yes, I opened. The porttest appears ok. 

```
FileTP   Porttest not available

BitTorrent   Porttest finished 1m 32s ago 

Port test OK!

Donkey   Porttest finished 1m 31s ago 

Testing IP: some.number

Starting TCP connection test...

TCP test successful.

Now testing UDP...

Sending UDP packet...

Waiting for result...

UDP test successful.

Connection test finished.
```

 *Quote:*   

> No, but could you tell me the exact steps you did to make Sancho crash?

 

I went to the web browser in sancho, clicked for the link of isohunt. Got the page. Searched, and when I tried to dl, sancho crashed. I tried today too, and get the same crash error. 

Also, I am connected now to only 4 servers. How can I force it to connect to other servers? I imported a list and it has about 59 servers now (from the web interface). In the gui and the web interface I can see that it is connected only to 4 servers and the servers.met from the link http://ocbmaurice.dyndns.org/pl/slist.pl/server.met?download/server-best.met doesn't yield anything. 

Connect to more servers on the web interface doesn't help. It says only connecting.

Besides these small things, this client is really good.

----------

## spiralvoice

 *queen wrote:*   

> I went to the web browser in sancho, clicked for the link of isohunt. Got the page. Searched, and when I tried to dl, sancho crashed. I tried today too, and get the same crash error. 

 

I will try to reproduce that.

 *queen wrote:*   

> Also, I am connected now to only 4 servers.

 

There is a hard-coded maximum of three servers plus one for server walking.

But honestly speaking, being connected to one big server is perfectly enough.

 *queen wrote:*   

> the servers.met from the link http://ocbmaurice.dyndns.org/pl/slist.pl/server.met?download/server-best.met doesn't yield anything. 

 

My favourite serverlist is this one: http://www.gruk.org/server.met.gz

It's known to be free of fake servers.

----------

## queen

 *spiralvoice wrote:*   

>  *queen wrote:*   I went to the web browser in sancho, clicked for the link of isohunt. Got the page. Searched, and when I tried to dl, sancho crashed. I tried today too, and get the same crash error.  
> 
> I will try to reproduce that.
> 
>  *queen wrote:*   Also, I am connected now to only 4 servers. 
> ...

 

Got the servers list from this link and opened it. Seems scrambled. Converted from Mac format. 

I am not sure how sancho treats servers.ini and server.met. 

I see that now it connected to other servers. I assume it connects randomly. I am used to amule option to connect to which server I prefer.

----------

## spiralvoice

 *queen wrote:*   

>  *spiralvoice wrote:*   My favourite serverlist is this one: http://www.gruk.org/server.met.gz
> 
> It's known to be free of fake servers. 
> 
> Got the servers list from this link and opened it. Seems scrambled. Converted from Mac format. 
> ...

 

server.met files are always in binary format, enter this link in MLDonkey:

ed2k://|serverlist|http://www.gruk.org/server.met|/

 *queen wrote:*   

> I see that now it connected to other servers. I assume it connects randomly. I am used to amule option to connect to which server I prefer.

 

With MLDonkey you can also set a server to status preferred, then enable option ED2K-connect_only_preferred_server

Personally my serverlist contains only six servers, the biggest ones available.

The rest is not needed, imho.

----------

## queen

 *Quote:*   

> 
> 
> With MLDonkey you can also set a server to status preferred,
> 
> then enable option ED2K-connect_only_preferred_server

 

Done that now.  :Wink: 

 *Quote:*   

> 
> 
> Personally my serverlist contains only six servers, the biggest ones available.
> 
> The rest is not needed, imho.

 

The donkey servers?

Did you manage to reproduce the error with the torrents? I tried another torrent link and it also crashed the program when I tried to download.

----------

## spiralvoice

 *queen wrote:*   

> I went to the web browser in sancho

 

I did not test it yet, but I remember that this feature was always unstable.

Here I am using Firefox with the MLDonkey protocol handler without problems.

http://www.informatik.uni-oldenburg.de/~dyna/mldonkey/

----------

## queen

 *spiralvoice wrote:*   

>  *queen wrote:*   I went to the web browser in sancho 
> 
> I did not test it yet, but I remember that this feature was always unstable.
> 
> Here I am using Firefox with the MLDonkey protocol handler without problems.
> ...

 

Thanks. Installed it now. Will check it tomorrow, after I restart firefox. It also bothered me when I used isohunt those popping messages. I wanted to ask for a feature to disable these messages. 

I see it has also a feature for ftp. Have you tried it out? I usually use lftp.

----------

## spiralvoice

 *queen wrote:*   

> It also bothered me when I used isohunt those popping messages. I wanted to ask for a feature to disable these messages. 

 

http://adblockplus.org/en

 *queen wrote:*   

> I see it has also a feature for ftp. Have you tried it out? I usually use lftp.

 

Yes, I tried it and it works.

----------

## queen

 *spiralvoice wrote:*   

>  *queen wrote:*   It also bothered me when I used isohunt those popping messages. I wanted to ask for a feature to disable these messages.  
> 
> http://adblockplus.org/en
> 
>  *queen wrote:*   I see it has also a feature for ftp. Have you tried it out? I usually use lftp. 
> ...

 

Thanks a lot. You have been very helpful.

----------

