HP3000-L Archives

December 2000, Week 2

HP3000-L@RAVEN.UTC.EDU

Subject:
From: "HOFMEISTER,JAMES (HP-USA,ex1)"
Reply To: HOFMEISTER,JAMES (HP-USA,ex1)
Date: Thu, 14 Dec 2000 10:01:23 -0800
Content-Type: text/plain

Hello Folks @ 3000-l,

Re: FTP/iX logging Investigation Report

I am investigating concerns reported with the logging (or lack of logging)
of FTP connections on MPE/iX 6.0/6.5.

I am looking for any additional feedback on FTP logging... I have reviewed
the Cases/Calls which have come into the RESPONSE CENTER, and SRs opened
and the 3000-L archives.

Please let me know if the below logging requests address what YOU need for
the FTP/iX Server and please let me know if you have any additional needs,
comments or feedback.

----------------------------------------------------------------------


Some of the differences seen between MPE/iX 5.5 and MPE/iX 6.x are:

1) The FTP logon can not be seen in :showjob.

True, prior to MPE/iX 6.x an FTP logon created an MPE session which included
a JSMAIN, CI and an FTPSRVR.ARPA.SYS process.  On MPE/iX 6.0 and beyond, an
FTP logon only creates an FTPSRVR.ARPA.SYS process under the JINETD job.  An
AIFCHANGELOGON is performed to assure logon security is met and that data
is exchanged with the appropriate file system structures and security.

Note: The utility :showconn will display connections for the FTPSRVR.

----------

2) The FTP logon or logon failures are not seen on the system console or in
MPE logfiles.

True, as pointed out above an actual MPE logon with JSMAIN and CI is not
performed on MPE/iX 6.0 and beyond, thus no logon message is generated
to the console or MPE logfiles.

----------

3) The LISTF,8 or LISTF,9 function which displays REMote IP address does
not work on INETD or FTPSRVR.

True, not sure why "yet" this does not work.

Note: The utility :showconn will display IP address for the FTPSRVR.

----------

4) INETD logging "-l" is not overly useful.

 Received call for: ftp tcp
 ftp/tcp: Connection from ector.atl.hp.com (15.44.48.52) at Thu Dec 14 13:26:48 2000

Yes, I agree.  First of all, don't use INETD "-l" logging if you do not have
a configured and working DNS.  A reverse name lookup is performed with the
IP address requesting the node name and if your DNS is not working, you will
see a 1 minute delay (seen in Telnet and FTP) waiting for this request to
time out.  Secondly the output is to the $stdlist of INETD and this reduces
the usefulness of this data.  Finally there is no disconnection message.

----------


Some of the requests I have seen for additional logging for FTP/iX on MPE/iX
6.x are:

1) Log to the console (and MPE Logfiles) successful and unsuccessful
connection attempts including USER.ACCOUNT and IP address.

Messages from FTP/iX pre 6.x:

  11:42/#S215/92/(PROGRAMMATIC) LOGON FOR: "MANAGER.SYS,PUB" ON LDEV #29.
  11:43/119/INVALID PASSWORD FOR "MANAGER.SYS," DURING LOGON ON LDEV #29. (js 65)
  11:44/123/MISSING ACCOUNT NAME FOR "X.X," ON LDEV #29. (js 10)

A suggested solution for FTP/iX 6.x and beyond:
  11:42/92/ FTP (CONNECTION) FOR: "MANAGER.SYS,PUB" ON LDEV #29, IP 15.44.48.51
  11:43/119/FTP INVALID PASSWORD FOR: "MANAGER.SYS," ON LDEV #29, IP 15.44.48.51
  11:44/123/FTP MISSING ACCOUNT NAME FOR: "X.X," ON LDEV #29, IP 15.44.48.51
... similar messages for MISSING USER NAME & MISSING GROUP NAME.

----------

2) Log connection information:

   - Date & Time
   - Pin & Logon & IP & unique port number
   - Connection Established ~or~ Connection Closed

----------

3) Log "Verbose" protocol information:

   - Date & Time
   - Pin & Logon & IP & unique port number
   - Protocol Level 'command' executed (this would include files transferred).

An example of this data is commands seen when "debug" is executed in an
FTP session:

---> USER manager/pass.sys/pass
---> PASS
---> SYST
---> SITE MPE/iX FTP Client [A0010A02]
---> TYPE I
---> RNFR /SYS/PUB/COMMAND
---> RNTO /SYS/PUB/COMMAND
---> SITE BUILDPARMS /SYS/PUB/COMMAND
---> PORT 15,44,48,51,209,182
---> SITE FILELABEL RETR /SYS/PUB/COMMAND
---> SITE USER_LABELS /SYS/PUB/COMMAND
---> PORT 15,44,48,51,209,183
---> RETR /SYS/PUB/COMMAND
---> QUIT

This would fill up a file fast and it WILL slow the FTP/iX server down. If
it is implemented, it should be a parameter in a configuration file.

----------

4) Log "file transfer" information:

   - Date & Time
   - Pin & Logon & IP & unique port number
   - Protocol Level file transfer 'command' executed.

in the case of an FTP GET:

---> RETR /SYS/PUB/COMMAND

in the case of an FTP PUT:

---> STOR /SYS/PUB/PURGEME;REC=128,1,F,BINARY;DISC=1023,8

also in the case of an FTP RENAME:

---> RNFR /SYS/PUB/PURGEME
---> RNTO /SYS/PUB/PURGENOW

and in the case of an FTP DELETE:

---> DELE /SYS/PUB/PURGENOW

Other FILE commands to be logged ???

This would fill up a logging file somewhat fast and it will slow
the FTP/iX server down. If it is implemented, it should be a
parameter in a configuration file.

----------

Thanks ahead of time for your ideas, comments and feedback.

Regards,

James Hofmeister
Hewlett Packard
Worldwide Technology Network Expert Center

P.S. My Ideals are my own, not necessarily my employer's.
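
Added example, not part of the original message and not HP code: a Python filter that turns the "--->" debug trace lines quoted in the message into the file-transfer records proposed in item 4, strips the passwords embedded in the USER line before anything is written, and decodes PORT arguments into an IP address and port. The function names and the sample trace (assembled from lines quoted in the message) are assumptions for illustration.

```python
import re

# Commands the message lists under "file transfer" logging (item 4).
FILE_CMDS = {"RETR", "STOR", "RNFR", "RNTO", "DELE"}

def redact_user(arg):
    """Drop passwords from an MPE logon string user/pass.account/pass[,group/pass]."""
    return re.sub(r"/[^.,\s]*", "", arg)

def decode_port(arg):
    """PORT h1,h2,h3,h4,p1,p2 -> (ip, port), as defined in RFC 959."""
    nums = [int(n) for n in arg.split(",")]
    if len(nums) != 6 or any(not 0 <= n <= 255 for n in nums):
        raise ValueError("malformed PORT argument: %r" % arg)
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def audit(trace_lines):
    """Turn '---> CMD args' trace lines into (logon, cmd, file, data endpoint) records."""
    logon, data_ep, events = None, None, []
    for line in trace_lines:
        m = re.match(r"--->\s+(\S+)\s*(.*)", line.strip())
        if not m:
            continue  # not a protocol command line
        cmd, arg = m.group(1).upper(), m.group(2).strip()
        if cmd == "USER":
            logon = redact_user(arg)  # never keep the passwords
        elif cmd == "PORT":
            data_ep = decode_port(arg)
        elif cmd in FILE_CMDS:
            # Only RETR/STOR open a data connection; others get no endpoint.
            ep = data_ep if cmd in ("RETR", "STOR") else None
            # STOR carries MPE build parameters after ';': keep only the name.
            events.append((logon, cmd, arg.split(";")[0], ep))
    return events

# Sample trace assembled from lines quoted in the message (constructed input).
TRACE = [
    "---> USER manager/pass.sys/pass",
    "---> PASS",
    "---> TYPE I",
    "---> PORT 15,44,48,51,209,183",
    "---> RETR /SYS/PUB/COMMAND",
    "---> STOR /SYS/PUB/PURGEME;REC=128,1,F,BINARY;DISC=1023,8",
    "---> DELE /SYS/PUB/PURGENOW",
    "---> QUIT",
]

if __name__ == "__main__":
    for record in audit(TRACE):
        print(record)
```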
