Hello Folks @ 3000-l,
Re: FTP/iX logging Investigation Report
I am investigating concerns reported with the logging (or lack of logging)
of FTP connections on MPE/iX 6.0/6.5.
I am looking for any additional feedback on FTP logging... I have reviewed
the Cases/Calls which have come into the RESPONSE CENTER, and SR's opened
and the 3000-L archives.
Please let me know if the below logging request addresses what YOU need for
the FTP/iX Server and please let me know if you have any additional needs,
comments or feedback.
----------------------------------------------------------------------
Some of the differences seen between MPE/iX 5.5 and MPE/iX 6.x are:
1) The FTP logon can not be seen in :showjob.
True, prior to MPE/iX 6.x a FTP logon created a MPE session which included
a JSMAIN, CI and a FTPSRVR.ARPA.SYS process. On MPE/iX 6.0 and beyond, a
FTP logon only creates a FTPSRVR.ARPA.SYS process under the JINETD job. A
AIFCHANGELOGON is performed to assure logon security is met and that data
is exchanged with the appropriate file system structures and security.
Note: The utility :showconn will display connections for the FTPSRVR.
----------
2) The FTP logon or logon failures are not seen on the system console or in
MPE logfiles.
True, as pointed out above an actual MPE logon with JSMAIN and CI is not
performed on MPE/iX 6.0 and beyond, thus no logon message is generated
to the console or MPE logfiles.
----------
3) The LISTF,8 or LISTF,9 function which displays REMote IP address does
not work on INETD or FTPSRVR.
True, not sure why "yet" this does not work.
Note: The utility :showconn will display IP address for the FTPSRVR.
----------
4) INETD logging "-l" is not overly useful.
Received call for: ftp tcp
ftp/tcp: Connection from ector.atl.hp.com (15.44.48.52) at Thu Dec 14 13:26:48 2000
Yes, I agree. First of all don't use INETD "-l" logging if you do not have
a configured and working DNS. A reverse name lookup is performed with the
IP address requesting the node name and if your DNS is not working, you will
see a 1 minute delay (seen in Telnet and FTP) waiting for this request to
time out. Secondly the output is to the $stdlist of INETD and this reduces
the usefulness of this data. Finally there is no disconnection message.
----------
Some of the requests I have seen for additional logging for FTP/iX on MPE/iX
6.x are:
1) Log to the console (and MPE Logfiles) successful and unsuccessful
connection attempts including USER.ACCOUNT and IP address.
Messages from FTP/iX pre 6.x:
11:42/#S215/92/(PROGRAMMATIC) LOGON FOR: "MANAGER.SYS,PUB" ON LDEV #29.
11:43/119/INVALID PASSWORD FOR "MANAGER.SYS," DURING LOGON ON LDEV #29. (js 65)
11:44/123/MISSING ACCOUNT NAME FOR "X.X," ON LDEV #29. (js 10)
A suggested solution for FTP/iX 6.x and beyond:
11:42/92/ FTP (CONNECTION) FOR: "MANAGER.SYS,PUB" ON LDEV #29, IP 15.44.48.51
11:43/119/FTP INVALID PASSWORD FOR: "MANAGER.SYS," ON LDEV #29, IP 15.44.48.51
11:44/123/FTP MISSING ACCOUNT NAME FOR: "X.X," ON LDEV #29, IP 15.44.48.51
... similar messages for MISSING USER NAME & MISSING GROUP NAME.
----------
2) Log connection information:
- Date & Time
- Pin & Logon & IP & unique port number
- Connection Established ~or~ Connection Closed
----------
3) Log "Verbose" protocol information:
- Date & Time
- Pin & Logon & IP & unique port number
- Protocol Level 'command' executed (this would include files
transferred).
An example of this data is commands seen when "debug" is executed in a
FTP session:
---> USER manager/pass.sys/pass
---> PASS
---> SYST
---> SITE MPE/iX FTP Client [A0010A02]
---> TYPE I
---> RNFR /SYS/PUB/COMMAND
---> RNTO /SYS/PUB/COMMAND
---> SITE BUILDPARMS /SYS/PUB/COMMAND
---> PORT 15,44,48,51,209,182
---> SITE FILELABEL RETR /SYS/PUB/COMMAND
---> SITE USER_LABELS /SYS/PUB/COMMAND
---> PORT 15,44,48,51,209,183
---> RETR /SYS/PUB/COMMAND
---> QUIT
This would fill up a file fast and it WILL slow the FTP/iX server down. If
it is implemented, it should be a parameter in a configuration file.
----------
4) Log "file transfer" information:
- Date & Time
- Pin & Logon & IP & unique port number
- Protocol Level file transfer 'command' executed.
in the case of a FTP GET:
---> RETR /SYS/PUB/COMMAND
in the case of a FTP PUT:
---> STOR /SYS/PUB/PURGEME;REC=128,1,F,BINARY;DISC=1023,8
also in the case of a FTP RENAME:
---> RNFR /SYS/PUB/PURGEME
---> RNTO /SYS/PUB/PURGENOW
and in the case of a FTP DELETE:
---> DELE /SYS/PUB/PURGENOW
Other FILE commands to be logged ???
This would fill up a logging file somewhat fast and it will slow
the FTP/iX server down. If it is implemented, it should be a
parameter in a configuration file.
----------
Thanks ahead of time for your ideas, comments and feedback.
Regards,
James Hofmeister
Hewlett Packard
Worldwide Technology Network Expert Center
P.S. My Ideals are my own, not necessarily my employers.
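
Added example, not part of the original post and not HP's FTP/iX code: a Python sketch of the "file transfer" logging level from item 4, run over trace lines copied from the post's "debug" listing. The function names, the record layout, the PIN and the timestamp are assumptions made for illustration. Because the USER line in that listing carries passwords inline, the sketch strips them before anything is written.

```python
import re
from datetime import datetime

# File-changing commands listed in item 4 of the post.
TRANSFER_CMDS = {"RETR", "STOR", "RNFR", "RNTO", "DELE"}

def redact_user(arg):
    """Strip passwords embedded in a USER argument such as user/pass.acct/pass."""
    return re.sub(r"/[^.,\s]*", "", arg)

def decode_port(arg):
    """Convert the 'h1,h2,h3,h4,p1,p2' argument of PORT into (ip, port)."""
    parts = [int(x) for x in arg.split(",")]
    if len(parts) != 6 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"malformed PORT argument: {arg!r}")
    return ".".join(map(str, parts[:4])), parts[4] * 256 + parts[5]

def log_records(trace, when, pin, peer_ip, verbose=False):
    """Return log lines; verbose=False keeps only the file transfer commands."""
    logon, data, out = "?", "-", []
    for line in trace.splitlines():
        m = re.match(r"\s*--->\s+(\S+)\s*(.*)", line)
        if not m:
            continue
        cmd, arg = m.group(1).upper(), m.group(2).strip()
        if cmd == "USER":
            logon = arg = redact_user(arg)
        elif cmd == "PASS":
            arg = ""  # never record the PASS argument
        elif cmd == "PORT":
            data = "%s:%d" % decode_port(arg)
        if verbose or cmd in TRANSFER_CMDS:
            out.append(f"{when:%Y-%m-%d %H:%M:%S} PIN={pin} LOGON={logon} "
                       f"IP={peer_ip} DATA={data} {cmd} {arg}".rstrip())
    return out

# Trace lines copied from the post's "debug" listing; PIN and timestamp are constructed.
SAMPLE = """\
---> USER manager/pass.sys/pass
---> PASS
---> RNFR /SYS/PUB/COMMAND
---> RNTO /SYS/PUB/COMMAND
---> SITE FILELABEL RETR /SYS/PUB/COMMAND
---> PORT 15,44,48,51,209,183
---> RETR /SYS/PUB/COMMAND
"""

if __name__ == "__main__":
    print("\n".join(log_records(SAMPLE, datetime(2000, 12, 14, 13, 26, 48), 92, "15.44.48.51")))
```

With verbose=True every command is recorded, still with the USER passwords and the PASS argument removed.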