NETWORK - TELNET, FTP

TELNET:

telnet            starts telnet session
open <host>       connects to the specified hosts
bye               quit from telnet

telnet 10.200.20.10  139   we can check 1 port (telnet is using TCP)
------------------------

$ telnet aix31
Trying 10.200.30.84...
telnet: Unable to connect to remote host: Connection refused <--edit /etc/inetd.conf then refresh -s inetd

if only: Trying...
- firewall ->port opening
- check routing (source, destination)

----------------------------------------------------
----------------------------------------------------


FTP:

ftp                starts an FTP session
open <hostname>    connects to the specified host
close              closes the connection (but not the FTP session!)
quit               terminates the FTP session

dir                gives a full directory listing on the remote machine
dir test*          displays only files and directories whose name begins with "test..."
ls                 same as dir, but provides a simplified listing of filenames
!ls                lists on the server where we are logged from

pwd                prints the name of the current remote directory
cd <remote-directory>    changes working directory on remote host
cd ..              moves up one level in the directory structure on the remote host
lcd <directory>    changes the default directory on local host

type               shows what type (ascii, binary) is used to transfer files.
                   (The default type is ascii; the binary type can be more efficient than ascii.)
binary             set binary mode before transferring binary files (for graphics (jpg, gif, bmp), for office files (doc, xls))
ascii              set ASCII mode before transferring text files (plain text documents, html files)

get test                copies file "test" from remote to local host (from current remote directory to current local directory)
mget test.* data.dbf    copies files beginning with "test" and the file named data.dbf from remote to local host
put test                copies file "test" from local to remote host. You musth have write access to the remote host for this to work.
mput test.* data.dbf    copies files beginning with "test" and the file named data.dbf from local to remote host
quit                    closes connection and terminates FTP session
bye                     quit ftp


If a file name contains spaces (e.g. on your Windows system) you should type the file name in quotation marks " ", but it is strongly recommended to rename such files before FTPing them.

get test "| more"   displays file "test"

To make sure you want a document, you can display it with the more command and see the file screen by screen (using the space bar) BEFORE you get a file. To exit out of more , type q.

prompt                  turns off prompting for individual files when using the mget or mput commands.
user                    re-logins, if mistyped your username or password
? at the ftp> prompt    list of all FTP commands type
help <command>          brief explanation of a command

------------------------

IF FTP is not working:
pl.: ftp: connect: Connection refused

1. check the /etc/inetd.conf if the ftp line has been commented:
#ftp     stream  tcp6    nowait  root    /usr/sbin/ftpd         ftpd
2. edit with vi
3. refresh -s inetd
0513-095 The request for subsystem refresh was completed successfully.
-----
4. /etc/services --> (grep ftp /etc/services)
5. netstat -a | grep ftp (netstat -an | grep ftp) --> check port 21
6. lssrc -t ftp

------------------------

FTP daemon logging:

1. /etc/syslog.conf add the following entry:
daemon.info FileName  <---the file must be exists otherwise no logging
2. refresh -s syslogd
3. check /etc/inetd.conf to include the -l option to have it log by default.
Something like:
ftp  stream tcp6 nowaitroot /local/bin/tcpd6       ftpd -l
4. refresh -s inetd

------------------------

When trying to ftp 2 files will be checked:
1. /etc/ftpusers (on the server)
2. $HOME/.netrc (on the client)


1. /etc/ftpusers (on the server)
The ftpd daemon on the server does not allow access to the users names listed in this file. Users who are listed here must also appear in the server's /etc/passwd file. If a user exist in this file, you will get this error when you try to ftp to that server: 530 User <username> access denied

2. $HOME/.netrc (on the client)
There is a file called .netrc, which should be in the users home dir, owned by the user and with permissions 600.
Here we can define automatic logins, and macros.

$ cat .netrc
machine aix41 login root passwordqwe123
macdef test
 type binary
 cd /home
            <-- a blink line must be at the end of the macro

(macro can be invoked in the ftp session, by $<macroname>, here: $test)

(.netrc file is used by rexec command as well for automatc logins. macdef entry will be ignored only machine ... line will be checked.)

------------------------------------------

How can I create an account that only allows FTP access and not telnet?

0. if does not exist yet:
   add /bin/ftponly to the list of shells

   vi /etc/security/login.cfg        <--all valid login shells are listed in this file, in the usw stanza

   ...
   usw:
        shells = /bin/sh,/bin/bsh,/bin/csh,/bin/ksh,/bin/tsh,/usr/bin/sh,/usr/bin/bsh,/usr/bin/csh,/usr/bin/ksh,/usr/bin/tsh,/usr/sbin/sliplogin,/usr/sbin/uucp/uucico,/share/bin/bash,/usr/sbin/snappd,/bin/ftponly
...


1. Create the file ftponly:
   echo 'echo "This account only allows FTP access."' > /bin/ftponly
   and allow it to be executable: chmod a+x /bin/ftponly

2. To make this "shell" a valid one, append the following line in /etc/shells:
   /bin/ftponly

   If this is the only line in the file, you should go ahead and add the other valid shells

   From the shells man page:
   The shells file contains a list of the shells on the system.
   Applications use this file to determine whether a shell is valid.
   See getusershell(3C). For each shell a single line should be
   present, consisting of the shell's path, relative to root.

3. Create the account as you normally would: smitty user
   Then, for the shell, type something like: /bin/ftponly

4. Now when users try to login with telnet, they will see the following message:
   "This account only allows FTP access."

------------------------------------------

How to lock an ftp user to a directory:

1. create ftp user
2. check /etc/ftpaccess.ctl file:
   -if exists:
   update with the user and dir wher we want to lock

   -if does not exist:
   vi /etc/ftpaccess.ctl
   puseronly:ftpcore                     <--user name:ftpcore
   readwrite:/inout/input/bb_core        <--dir where it he/she locked: /inout/input/bb_core

That's all, after that ftp user can't change directory, pwd will show always '/'

------------------------------------------

PROFTP install and config:

1. stop normal ftp
(comment out in etc/inetd.conf, refresh -s inetd)

2. install proftpd
from Linux Toolbox: rpm -Uvh proftpd-1.2.8-1.aix5.1.ppc.rpm
(coreutils may needed as well for error: "dependency:fileutils"

3.config it in /etc/proftpd.conf:
(instead of nobody, nogroup, I changed it to root, system)
# Set the user and group under which the server will run.
User                       nobody->     root
Group                      nogroup->    system

(if a group name is written after the ~ symbol, then the users of the group will be locked their home dirs)
(we can write more groups there:
DefaultRoot ~ download,!upload     <--this means users in group "download", but not belonging to group "upload" will be locked

# To cause every FTP user to be "jailed" (chrooted) into their home
# directory, uncomment this line.
DefaultRoot ~ proftp               <--I created proftp group

4.start proftp with /usr/sbin/proftpd

!!!Important:
Those users who are in /etc/ftpusers cannot login via ftp to the server.
If there is a request for read right only, then on the home dir we should set the read right.