
TELNET:

telnet            starts telnet session
open <host>       connects to the specified host
bye               quit from telnet

telnet 10.200.20.10 139
   checks a single port (telnet uses TCP, so only TCP ports can be tested this way)
------------------------

$ telnet aix31
Trying 10.200.30.84...
telnet: Unable to connect to remote host: Connection refused <-- nothing is listening on that port: enable the service in /etc/inetd.conf, then refresh -s inetd

if only "Trying..." is shown and the connection hangs:
- firewall -> the port has to be opened
- check routing (on both source and destination)

----------------------------------------------------
----------------------------------------------------


FTP:

ftp                starts an FTP session
open <hostname>    connects to the specified host
close              closes the connection (but not the FTP session!)
quit               terminates the FTP session

dir                gives a full directory listing on the remote machine
dir test*          displays only files and directories whose name begins with "test..."
ls                 same as dir, but provides a simplified listing of filenames
!ls                runs ls on the local host (the machine we are logged in from)

pwd                prints the name of the current remote directory
cd <remote-directory>    changes working directory on remote host
cd ..              moves up one level in the directory structure on the remote host
lcd <directory>    changes the default directory on local host

type               shows what type (ascii, binary) is used to transfer files.
                   (The default type is ascii; the binary type can be more efficient than ascii.)
binary             set binary mode before transferring binary files (graphics such as jpg, gif, bmp; office files such as doc, xls)
ascii              set ASCII mode before transferring text files (plain text documents, html files)

get test                copies file "test" from remote to local host (from current remote directory to current local directory)
mget test.* data.dbf    copies files beginning with "test" and the file named data.dbf from remote to local host
put test                copies file "test" from local to remote host. You must have write access on the remote host for this to work.
mput test.* data.dbf    copies files beginning with "test" and the file named data.dbf from local to remote host
quit                    closes connection and terminates FTP session
bye                     quit ftp


If a file name contains spaces (e.g. on your Windows system) you should type the file name in quotation marks " ", but it is strongly recommended to rename such files before FTPing them.

get test "| more"   displays file "test"

To make sure you want a document, you can display it with the more command and read it screen by screen (using the space bar) BEFORE you get the file. To exit more, type q.

prompt                  turns off prompting for individual files when using the mget or mput commands.
user                    logs in again, if you mistyped your username or password
?                       at the ftp> prompt: lists all FTP commands
help <command>          brief explanation of a command

------------------------

IF FTP is not working:
e.g.: ftp: connect: Connection refused

1. check the /etc/inetd.conf if the ftp line has been commented:
#ftp     stream  tcp6    nowait  root    /usr/sbin/ftpd         ftpd
2. edit with vi
3. refresh -s inetd
0513-095 The request for subsystem refresh was completed successfully.
-----
4. /etc/services --> (grep ftp /etc/services)
5. netstat -a | grep ftp (netstat -an | grep ftp) --> check port 21
6. lssrc -t ftp

------------------------

FTP daemon logging:

1. /etc/syslog.conf add the following entry:
daemon.info FileName  <--- the file must already exist, otherwise nothing is logged
2. refresh -s syslogd
3. check /etc/inetd.conf to include the -l option to have it log by default.
Something like:
ftp     stream  tcp6    nowait  root    /local/bin/tcpd6       ftpd -l
4. refresh -s inetd

------------------------

When you ftp, two files are checked:
1. /etc/ftpusers (on the server)
2. $HOME/.netrc (on the client)



1. /etc/ftpusers (on the server)
The ftpd daemon on the server refuses access to the user names listed in this file. Users listed here must also exist in the server's /etc/passwd file. If a user is listed in this file, you get this error when you try to ftp to that server: 530 User <username> access denied

2. $HOME/.netrc (on the client)
There is a file called .netrc, which should be in the user's home directory, owned by the user and with permissions 600.
Here we can define automatic logins, and macros.

$ cat .netrc
machine aix41 login root password qwe123
macdef test
 type binary
 cd /home
            <-- a blank line must be at the end of the macro

(macro can be invoked in the ftp session, by $<macroname>, here: $test)

(The .netrc file is also used by the rexec command for automatic logins; rexec ignores macdef entries and only checks the machine ... line.)
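An added example (not code from the page) that parses a .netrc in the layout shown above, applying the rule that a macdef body ends at the first blank line, and reports what a practitioner would check on the file: mode 600, ownership, and which hosts have a plaintext password stored. The sample file contents and the placeholder password are constructed.

```python
# Constructed sample in the page's .netrc layout; the password is a placeholder.
SAMPLE_NETRC = """machine aix41 login root password PLACEHOLDER_PW
macdef test
 type binary
 cd /home

machine aix31 login guest password guest
"""


def parse_netrc(text):
    """Return ({machine: {login, password}}, {macro: [commands]}) for .netrc text.
    A macdef body runs to the first blank line; a macro reaching end of file
    without one is rejected, since ftp would swallow later 'machine' lines."""
    hosts, macros = {}, {}
    lines, i = text.splitlines(), 0
    while i < len(lines):
        tokens = lines[i].split()
        if not tokens:
            i += 1
            continue
        if tokens[0] == "macdef":
            name, body, i = tokens[1], [], i + 1
            while i < len(lines) and lines[i].strip():
                body.append(lines[i].strip())
                i += 1
            if i == len(lines):
                raise ValueError(f"macro {name!r} is not terminated by a blank line")
            macros[name] = body
        else:
            if tokens[0] == "default":  # 'default login X password Y' form
                tokens = ["machine", "default"] + tokens[1:]
            entry = dict(zip(tokens[0::2], tokens[1::2]))  # keyword/value pairs
            hosts[entry["machine"]] = {"login": entry.get("login"),
                                       "password": entry.get("password")}
        i += 1
    return hosts, macros


def netrc_findings(text, mode, owned_by_user):
    """Findings for .netrc contents plus its permission bits and ownership (pure, so it runs offline)."""
    findings = []
    if mode != 0o600:
        findings.append(f"mode is {oct(mode)}, expected 0600")
    if not owned_by_user:
        findings.append("file is not owned by the user running ftp/rexec")
    hosts, _ = parse_netrc(text)
    for host, creds in hosts.items():
        if creds["password"]:
            findings.append(f"plaintext password stored for {host} (login {creds['login']})")
    return findings
```

To check a real ~/.netrc, pass its contents together with `stat.S_IMODE(os.stat(path).st_mode)` and `os.stat(path).st_uid == os.getuid()`.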

------------------------------------------

How can I create an account that only allows FTP access and not telnet?

0. if it does not exist yet:
   add /bin/ftponly to the list of valid shells

   vi /etc/security/login.cfg        <--all valid login shells are listed in this file, in the usw stanza

   ...
   usw:
        shells = /bin/sh,/bin/bsh,/bin/csh,/bin/ksh,/bin/tsh,/usr/bin/sh,/usr/bin/bsh,/usr/bin/csh,/usr/bin/ksh,/usr/bin/tsh,/usr/sbin/sliplogin,/usr/sbin/uucp/uucico,/share/bin/bash,/usr/sbin/snappd,/bin/ftponly
...


1. Create the file ftponly:
   echo 'echo "This account only allows FTP access."' > /bin/ftponly
   and allow it to be executable: chmod a+x /bin/ftponly

2. To make this "shell" a valid one, append the following line in /etc/shells:
   /bin/ftponly

   If this is the only line in the file, you should go ahead and add the other valid shells

   From the shells man page:
   The shells file contains a list of the shells on the system.
   Applications use this file to determine whether a shell is valid.
   See getusershell(3C). For each shell a single line should be
   present, consisting of the shell's path, relative to root.

3. Create the account as you normally would: smitty user
   Then, for the shell, type something like: /bin/ftponly

4. Now when users try to login with telnet, they will see the following message:
   "This account only allows FTP access."

------------------------------------------

How to lock an ftp user to a directory:

1. create ftp user
2. check /etc/ftpaccess.ctl file:
   -if exists:
   update it with the user and the directory where we want to lock him/her

   -if does not exist:
   vi /etc/ftpaccess.ctl
   puseronly:ftpcore                     <--user name: ftpcore
   readwrite:/inout/input/bb_core        <--directory he/she is locked into: /inout/input/bb_core

That's all; after that the ftp user can't change directory, and pwd will always show '/'

------------------------------------------

PROFTP install and config:

1. stop normal ftp
(comment it out in /etc/inetd.conf, then refresh -s inetd)

2. install proftpd
from Linux Toolbox: rpm -Uvh proftpd-1.2.8-1.aix5.1.ppc.rpm
(coreutils may be needed as well, for the error: "dependency: fileutils")

3. configure it in /etc/proftpd.conf:
(I changed the defaults, nobody and nogroup, to root and system)
# Set the user and group under which the server will run.
User                       root      <-- default: nobody
Group                      system    <-- default: nogroup

(If a group name is written after the ~ symbol, the users of that group are locked into their home dirs.)
(More than one group can be listed there:
DefaultRoot ~ download,!upload     <--this means users in group "download" who do not also belong to group "upload" will be locked)

# To cause every FTP user to be "jailed" (chrooted) into their home
# directory, uncomment this line.
DefaultRoot ~ proftp               <--I created proftp group

4. start proftpd with /usr/sbin/proftpd

!!!Important:
Users listed in /etc/ftpusers cannot log in via ftp to the server.
If a user should have read access only, set read-only permissions on the home dir.
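An added example (not from the page or from ProFTPD itself) that works out which users the DefaultRoot lines above would jail: the group expression is an AND list, "!" negates a group, and it is assumed that the first matching directive wins. The config fragment, group memberships and home directories are constructed stand-ins for proftpd.conf, /etc/group and /etc/passwd.

```python
# Constructed proftpd.conf fragment built from the DefaultRoot lines on this page.
CONFIG = """
# To cause every FTP user to be "jailed" (chrooted) into their home
# directory, uncomment this line.
DefaultRoot ~ download,!upload
DefaultRoot ~ proftp
"""

# Constructed group memberships, standing in for /etc/group so the example runs offline.
GROUPS = {
    "alice": {"staff", "download"},
    "bob": {"staff", "download", "upload"},
    "carol": {"staff", "proftp", "upload"},
    "dave": {"staff"},
}
HOMES = {"alice": "/home/alice", "bob": "/home/bob", "carol": "/home/carol", "dave": "/home/dave"}


def parse_default_root(line):
    """Split 'DefaultRoot <path> [group-expression]' into (path, required, forbidden)."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "DefaultRoot":
        raise ValueError(f"not a DefaultRoot directive: {line!r}")
    expr = parts[2].split(",") if len(parts) > 2 else []
    required = [g for g in expr if not g.startswith("!")]
    forbidden = [g[1:] for g in expr if g.startswith("!")]
    return parts[1], required, forbidden


def expression_matches(user_groups, required, forbidden):
    """ProFTPD group expressions are an AND list: every plain group must be held, no '!' group may be."""
    return all(g in user_groups for g in required) and not any(g in user_groups for g in forbidden)


def chroot_for(user, config, groups=GROUPS, homes=HOMES):
    """Return the directory `user` would be jailed to, or None if no DefaultRoot matches
    (assumption: the first matching directive wins, as in ProFTPD's config evaluation)."""
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line.startswith("DefaultRoot"):
            continue
        path, required, forbidden = parse_default_root(line)
        if expression_matches(groups[user], required, forbidden):
            # '~' is the user's home; '~/sub' is a sub-directory of it; anything else is literal
            return homes[user] + path[1:] if path.startswith("~") else path
    return None
```

A user for whom chroot_for returns None is not jailed at all, which is why the second DefaultRoot line for the proftp group matters for anyone who also belongs to "upload".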

10 comments:

  1. How to practice this. what are the software as needed this

    1. Which software are you missing exactly?

  2. what is difference between telnet and ssh

    1. Security. SSH transfers data with encryption telnet does not.

  3. Hello, I have a question in AIX,

    we have sftp-server running in an LPAR which behaves the same way a service runs via inetd i.e. runs only when called up but its actually not under inetd in enabled state infact not present at all,

    root@semoclu015a:/etc/ssh: cat /etc/inetd.conf | grep -i ftp
    #ftp stream tcp6 nowait root /usr/sbin/ftpd ftpd
    #tftp dgram udp6 SRC nobody /usr/sbin/tftpd tftpd -n

    when an sftp is being made by some user it runs as below,

    root@semoclu015a:/etc/ssh: ps -ef | grep -i sftp
    xp009221 13828198 14680102 0 07:59:07 - 0:00 /usr/sbin/sftp-server -m /etc/ssh/sshd_config

    once the sftp is over there wont be any sftp process again.

    So why does the process is behaving like an inetd process although it is not in reality ?

    1. Hi, sftp belongs to sshd. If sshd is not running you cannot sftp to that server. So, I think when you start an sftp session a process will be started to handle your request, and when you are done, there will be no more process.

  4. hi.. i have one doubt.. both servers are pinging perfectly but unable to transfer the file, what are the reasons?
    please help me.

  5. try for any other servers whether ftp is happening or not and troubleshoot on it

  6. hi.. i have a server where I'm not able to login through telnet. The issue is the server is prompting for user name and passwd. If I provide the correct username and correct passwd the session hangs and it's not giving the prompt. And if I give the correct username and a wrong passwd, it says incorrect username or passwd. And also ssh is not working on the server. The server is listening on the inetd port. When I try to login to the server from the same server console (within the host) ssh is working fine. But I'm not able to connect from another server to this server. The network team confirms that there is no firewall blocking.. Any help?

  7. Hi ,

    how to change the umask value for a particular ftp user? If I change the umask in the inet file for ftp, it will change for all ftp users, right? Any idea?
