HP3000-L Archives

December 2000, Week 3

HP3000-L@RAVEN.UTC.EDU

Subject:
From: "Simonsen, Larry" <[log in to unmask]>
Reply To: Simonsen, Larry
Date: Fri, 15 Dec 2000 06:16:43 -0700

What about logging errors?

-------------------------------------------------
Larry Simonsen                Phone: 801-489-2450
Flowserve Corporation     Fax: 801-491-1750
PO Box 2200                    http://www.Flowserve.com
Springville, UT 84663      e-mail: [log in to unmask]
-------------------------------------------------
All opinions expressed herein are my own and reflect, in no way, those of my
employer.

 -----Original Message-----
From:   Christian Lheureux [mailto:[log in to unmask]] 
Sent:   Friday, December 15, 2000 1:15 AM
To:     [log in to unmask]
Subject:        Re: FTP/iX logging Investigation Report (long)

Hi James, all these suggestions damn well address what I need when I do
a systems audit, especially the following:

> ----------
>
> 2) Log connection information:
>
>   - Date & Time
>   - Pin & Logon & IP & unique port number
>   - Connection Established ~or~ Connection Closed
>
> ------
>
> 3) Log "Verbose" protocol information:
>
>    - Date & Time
>    - Pin & Logon & IP & unique port number
>    - Protocol Level 'command' executed (this would include files transferred).

Christian Lheureux
Responsable du Département Systèmes et Réseaux
Head of Systems and Networks Department
APPIC R.H.
HPConnect Systems Integrator / HP3000 Expert / HP e-Partner
Tel : +33-1-69-80-97-22   /   Fax : +33-1-69-80-97-14 / e-mail
[log in to unmask]
"The APPIC Group is hiring, contact us!"

James Hofmeister wrote:

> Subject: [HP3000-L] FTP/iX logging Investigation Report (long)
>
>
> Hello Folks @ 3000-l,
>
> Re: FTP/iX logging Investigation Report
>
> I am investigating concerns reported with the logging (or lack of logging)
> of FTP connections on MPE/iX 6.0/6.5.
>
> I am looking for any additional feedback on FTP logging... I have reviewed
> the Cases/Calls which have come into the RESPONSE CENTER, and SR's opened
> and the 3000-L archives.
>
> Please let me know if the below logging requests address what YOU need for
> the FTP/iX Server and please let me know if you have any additional needs,
> comments or feedback.
>
> ----------------------------------------------------------------------
>
>
> Some of the differences seen between MPE/iX 5.5 and MPE/iX 6.x are:
>
> 1) The FTP logon can not be seen in :showjob.
>
> True, prior to MPE/iX 6.x a FTP logon created a MPE session which included
> a JSMAIN, CI and a FTPSRVR.ARPA.SYS process.  On MPE/iX 6.0 and beyond, a
> FTP logon only creates a FTPSRVR.ARPA.SYS process under the JINETD job.  An
> AIFCHANGELOGON is performed to assure logon security is met and that data
> is exchanged with the appropriate file system structures and security.
>
> Note: The utility :showconn will display connections for the FTPSRVR.
>
> ----------
>
> 2) The FTP logon or logon failures are not seen on the system console or in
> MPE logfiles.
>
> True, as pointed out above an actual MPE logon with JSMAIN and CI is not
> performed on MPE/iX 6.0 and beyond, thus no logon message is generated
> to the console or MPE logfiles.
>
> ----------
>
> 3) The LISTF,8 or LISTF,9 function which displays REMote IP address does
> not work on INETD or FTPSRVR.
>
> True, not sure why "yet" this does not work.
>
> Note: The utility :showconn will display IP address for the FTPSRVR.
>
> ----------
>
> 4) INETD logging "-l" is not overly useful.
>
>  Received call for: ftp tcp
>  ftp/tcp: Connection from ector.atl.hp.com (15.44.48.52) at Thu Dec 14 13:26:48 2000
>
> Yes, I agree.  First of all don't use INETD "-l" logging if you do not have
> a configured and working DNS.  A reverse name lookup is performed with the
> IP address requesting the node name and if your DNS is not working, you will
> see a 1 minute delay (seen in Telnet and FTP) waiting for this request to
> time out.  Secondly the output is to the $stdlist of INETD and this reduces
> the usefulness of this data.  Finally there is no disconnection message.
> ----------
>
>
> Some of the requests I have seen for additional logging for FTP/iX on MPE/iX
> 6.x are:
>
> 1) Log to the console (and MPE Logfiles) successful and unsuccessful
> connection attempts including USER.ACCOUNT and IP address.
>
> Messages from FTP/iX pre 6.x:
>
>   11:42/#S215/92/(PROGRAMMATIC) LOGON FOR: "MANAGER.SYS,PUB" ON LDEV #29.
>   11:43/119/INVALID PASSWORD FOR "MANAGER.SYS," DURING LOGON ON LDEV #29. (js 65)
>   11:44/123/MISSING ACCOUNT NAME FOR "X.X," ON LDEV #29. (js 10)
>
> A suggested solution for FTP/iX 6.x and beyond:
>   11:42/92/ FTP (CONNECTION) FOR: "MANAGER.SYS,PUB" ON LDEV #29, IP 15.44.48.51
>   11:43/119/FTP INVALID PASSWORD FOR: "MANAGER.SYS," ON LDEV #29, IP 15.44.48.51
>   11:44/123/FTP MISSING ACCOUNT NAME FOR: "X.X," ON LDEV #29, IP 15.44.48.51
> ... similar messages for MISSING USER NAME & MISSING GROUP NAME.
>
> ----------
>
> 2) Log connection information:
>
>    - Date & Time
>    - Pin & Logon & IP & unique port number
>    - Connection Established ~or~ Connection Closed
>
> ----------
>
> 3) Log "Verbose" protocol information:
>
>    - Date & Time
>    - Pin & Logon & IP & unique port number
>    - Protocol Level 'command' executed (this would include files transferred).
>
> An example of this data is commands seen when "debug" is executed in a
> FTP session:
>
> ---> USER manager/pass.sys/pass
> ---> PASS
> ---> SYST
> ---> SITE MPE/iX FTP Client [A0010A02]
> ---> TYPE I
> ---> RNFR /SYS/PUB/COMMAND
> ---> RNTO /SYS/PUB/COMMAND
> ---> SITE BUILDPARMS /SYS/PUB/COMMAND
> ---> PORT 15,44,48,51,209,182
> ---> SITE FILELABEL RETR /SYS/PUB/COMMAND
> ---> SITE USER_LABELS /SYS/PUB/COMMAND
> ---> PORT 15,44,48,51,209,183
> ---> RETR /SYS/PUB/COMMAND
> ---> QUIT
>
> This would fill up a file fast and it WILL slow the FTP/iX server down. If
> it is implemented, it should be a parameter in a configuration file.
>
> ----------
>
> 4) Log "file transfer" information:
>
>    - Date & Time
>    - Pin & Logon & IP & unique port number
>    - Protocol Level file transfer 'command' executed .
>
> in the case of a FTP GET:
>
> ---> RETR /SYS/PUB/COMMAND
>
> in the case of a FTP PUT:
>
> ---> STOR /SYS/PUB/PURGEME;REC=128,1,F,BINARY;DISC=1023,8
>
> also in the case of a FTP RENAME:
>
> ---> RNFR /SYS/PUB/PURGEME
> ---> RNTO /SYS/PUB/PURGENOW
>
> and in the case of a FTP DELETE:
>
> ---> DELE /SYS/PUB/PURGENOW
>
> Other FILE commands to be logged ???
>
> This would fill up a logging file somewhat fast and it will slow
> the FTP/iX server down. If it is implemented, it should be a
> parameter in a configuration file.
>
> ----------
>
> Thanks ahead of time for your ideas, comments and feedback.
>
> Regards,
>
> James Hofmeister
> [log in to unmask]
> Hewlett Packard
> Worldwide Technology Network Expert Center
> P.S. My Ideals are my own, not necessarily my employers.
>
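
Added example, not part of the original post and not FTP/iX code: a Python sketch of the "verbose" versus "file transfer" logging levels requested above, run over a constructed copy of the quoted debug trace. It assumes that in a USER argument such as `manager/pass.sys/pass` everything from a `/` up to the next `.` or `,` is a password, and strips it before a record is written; the function names and the record layout are hypothetical.

```python
import re

# Constructed sample: commands from the "debug" trace quoted above, as the server
# would receive them (the PASS argument is a made-up placeholder).
TRACE = """\
USER manager/pass.sys/pass
PASS example-only
SYST
TYPE I
PORT 15,44,48,51,209,182
RETR /SYS/PUB/COMMAND
STOR /SYS/PUB/PURGEME;REC=128,1,F,BINARY;DISC=1023,8
RNFR /SYS/PUB/PURGEME
RNTO /SYS/PUB/PURGENOW
DELE /SYS/PUB/PURGENOW
QUIT
"""

TRANSFER_VERBS = {"RETR", "STOR", "RNFR", "RNTO", "DELE"}  # request 4 in the post

def redact_logon(arg):
    """Drop every '/password' part of a logon string like user/pw.acct/pw,group/pw."""
    return re.sub(r"/[^.,\s]*", "", arg)

def decode_port(arg):
    """PORT h1,h2,h3,h4,p1,p2 -> (dotted IP, p1*256 + p2), as defined in RFC 959."""
    parts = [int(x) for x in arg.split(",")]
    if len(parts) != 6 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError("malformed PORT argument: %r" % arg)
    return ".".join(map(str, parts[:4])), parts[4] * 256 + parts[5]

def audit_records(trace, level="transfer"):
    """level='verbose' keeps every command; 'transfer' keeps file operations only."""
    records, logon, data_endpoint = [], None, None
    for line in trace.splitlines():
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if not verb:
            continue
        if verb == "USER":
            logon = arg = redact_logon(arg)   # passwords never reach the log
        elif verb == "PASS":
            arg = "****"
        elif verb == "PORT":
            data_endpoint = decode_port(arg)  # most recent client data endpoint
        if level == "verbose" or verb in TRANSFER_VERBS:
            records.append({"logon": logon, "verb": verb, "arg": arg,
                            "data": data_endpoint})
    return records

if __name__ == "__main__":
    for rec in audit_records(TRACE):
        print(rec)
```

A real record would also carry the date and time, the PIN and the control-connection IP and port listed in the requests; those come from the server process rather than from the command stream, so they are left out here.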
