topic Re: rogue ftp processes in Operating System - HP-UX

rogue ftp processes

RAKESH_12 — Mon, 23 Sep 2002 11:53:00 GMT

Hi All,
I am trying to monitor for rogue and idle ftpd processes on a hpux box......can any one suggest how to script this so it can be run using cron....

Thanks in advance.

R..

Re: rogue ftp processes

harry d brown jr — Mon, 23 Sep 2002 12:35:27 GMT

How is ftp defined in /etc/inetd.conf ??

And what do you mean when you say "rogue" ftpd processes?

live free or die
harry

Re: rogue ftp processes

Steve Steel — Mon, 23 Sep 2002 12:47:20 GMT

Hi

Logically the ftpd is the standard inetd startup so just check the parameters

ftpd(1M) ftpd(1M)

NAME
ftpd - DARPA Internet File Transfer Protocol server

SYNOPSIS
/usr/lbin/ftpd [-l] [-p] [-v] [-t timeout] [-T maxtimeout] [-u umask]
[-B size]

DESCRIPTION
ftpd is the DARPA Internet File Transfer Protocol server. It expects
to be run by the Internet daemon (see inetd(1M) and inetd.conf(4)).
inetd runs ftpd when a service request is received at the port
indicated in the ftp service specification in /etc/services (see
services(4)). ftpd recognizes the following options and command-line
arguments.

-l Causes each FTP session to be logged in the syslog
file. For anonymous FTP sessions, other
information is also logged in the syslog file.
This information includes what files are stored
and retrieved and what directories are created.
Standard input

If -l -s added in /etc/inetd.conf you can
see all ftp processes on the machine logged in the syslog.log

Could not be easier.

Steve Steel

Re: rogue ftp processes

RAKESH_12 — Mon, 23 Sep 2002 12:49:15 GMT

it is defined in the inetd.conf as:

ftp stream tcp nowait root /usr/lbin/ftpd ftpd -u 002 -l -a

I some times have phantom ftp processes which never close for some reason - I want to monitor for these using some type of script.........if you require any more info let me know - im stuck as where to progress from here.

Thanks.
R..

Re: rogue ftp processes

Rory R Hammond — Tue, 24 Sep 2002 16:10:36 GMT

All of our FTP stuff is recored in syslog.

The first entry is at login is:
Sep 23 08:13:27 hostname ftpd[328]: USER username

The last entry is:
Sep 23 08:13:40 lvmax ftpd[328]: FTP session closed

The following few lines will match begins and ends. leaving the open entries.

SYSLOG=/var/adm/syslog/syslog.log
(
grep ftpd ${SYSLOG}|grep -e USER| cut -c 22-|cut -f1 -d:
grep ftpd ${SYSLOG}|grep -e "session closed"| cut -c 22-|cut -f1 -d:
)|sort|uniq -u

You should be able to add logic to grep the open entries and check the times to see if they need to be looked at. Be aware that if you regularly trim syslog files. This script will catch ftps that have closed. because the start entry was trimmed. But that also should be a easily fixed.

Hope this helps get you going.
Ror

Re: rogue ftp processes

Shannon Petry — Tue, 24 Sep 2002 16:50:28 GMT

Not an easy chore, as the idle process are caused by abnormal terminations (notorious in lots of windows based ftp clients).

While you can sort through syslog.log, this can be rough depending on the uptime of the server.

If I were in your shoes....
snapshot the system with ps -ef | grep ftp

pluck out the time. If it's older than what you think is to old kill it?
I.E.
touch /tmp/.ftpsessions.txt
ps -ef | grep ftp | grep -v grep >>/tmp/.ftpsessions.txt
#check to see if file is empty
if [ -s /tmp/.ftpsessions.txt ] ; then
#Not empty, so process stuff
for TIME in `cat /tmp/.ftpsessions.txt` ; do
typeset -i
TEST=`echo $TIME | awk '{print $8}' | awk -F: '{print $1}'`
PID=`echo $TIME|awk '{print $2}'`
if [ $TIME -ge 4 ] ; then
kill $PID
fi
done
fi

Hope it helps!
Shannon

Re: rogue ftp processes

harry d brown jr — Tue, 24 Sep 2002 17:38:38 GMT

Shannon,

Would lsof help in these cases?

live free or die
harry

Re: rogue ftp processes

Shannon Petry — Tue, 24 Sep 2002 19:17:06 GMT

Not that Im aware of ... I guess you could get into the obscure options on lsof to look for open sockets, but it would not be able to show useage.

The biggest problem I see in this case is that there is no real way of knowing if an FTP is live or not.. that is why time is a guestimate.

I have 5 ftp servers, 3 HP-UX and 2 solaris. All these systems would have hung processes. I switched from built in FTPD to wu_ftpd long before supported on HP-UX. Same problems.
I found in Solaris that proftpd does not hang, and use that now on solaris. I have not been able to get a good working compile on HP-UX though to see if it fixes the issue there.

Shannon

Re: rogue ftp processes

Sridhar Bhaskarla — Tue, 24 Sep 2002 19:24:10 GMT

Rakesh,

Instead of writing a script and setting up a cron, you can enable the timeout value by setting -t parameter in /etc/inetd.conf. By default ftp will timeout in 15mins. The following will close all ftpd sessions after 5 mins of idle time.

ftp stream tcp nowait root /usr/lbin/ftpd ftpd -t 300

-Sri

Re: rogue ftp processes

Shannon Petry — Tue, 24 Sep 2002 19:39:54 GMT

Sridhar ,

The problem is that the timeout does not work properly. If it did, then no need for the thread ;)

Shannon

Re: rogue ftp processes

Sridhar Bhaskarla — Tue, 24 Sep 2002 20:09:59 GMT

Shannon,

I did read the mail. Unfortunately I never encountered problem with ftp sessions being frozen. We did have other problems with the windows clients though.

If ftpd is in "IDLE" state (as you see in ps -ef output), it will disconnect itself out.

If the windows client closed the connection abruptly, then you should atleast see it in netstat -an with CLOSE_WAIT state and that shouldn't last longer either.

If the ghose ftp sessions are found, I would interrogate more by doing a netstat -an and see what is happening.

-Sri

Re: rogue ftp processes

harry d brown jr — Tue, 24 Sep 2002 21:33:34 GMT

Shannon,

This is the output (ATTACHED as a TEXT document) I got from ftp'ing from a windows pc (192.168.1.100) to an hpux server (11.00 A180 - called wildone):

From the attached text file, you'll see that socket size offsets actually change. A perl program could use the data to look for the changes.

live free or die
harry

Re: rogue ftp processes

Shannon Petry — Wed, 25 Sep 2002 13:37:10 GMT

Harry, the attachment does not work ;(

That's okay, not being the perl guru I'll agree then that LSOF could look at the socket somehow and do the same thing. I'll let you write that example though! hehe

It has been a while since I did the testing, and I think the client left the server in a FIN_WAIT state which would not drop.

Like I said though, the problem was pretty common, in fact so common that I changed FTP servers 2 times.

I will say that in HP-UX 11 I have not had any problems like this though! Not sure what version of HP-UX nor what ftp daemon the poster is running.

Shannon