03-29-2011 03:32 PM
ftp proxy on VMS 8.3 coming from Windows 2K3 SERVER monitoring box
I am using an ftp proxy (in tcpip, add proxy)
This goes through the tcpip$rsh object (?)
The idea is to have a set of Perl scripts on a given Windows 2K3 server node ONLY that invokes a Perl script which displays monitoring choices, such as show ACMS waiting tasks, for example.
This worked very well for a few years, then VMS 8.3 broke it, and my sysadmin group decided the use of that VMS account was no longer supported by them.
I am going through an internal security team to get it approved, the username that is, but I want to get it clamped down as much as possible.
It seems to me that there is/was a lexical or two, or predefined symbols, that would pass to a login.com what commands were passed to it.
From within a Perl script on Windows, I'm executing something very like the following.
rsh -l monadmin $servername \@a:check_links.com
I want to lock this down to only a group of preapproved com files. And allow NO DCL commands at all.
Do any of you know how to detect what command is being passed to the VMS system?
Thanks in advance for any help,
Pat
03-29-2011 04:05 PM
Re: ftp proxy on VMS 8.3 coming from Windows 2K3 SERVER monitoring box
I'm mildly surprised that a security team is willing to allow ftp and rsh here; insecure protocols are usually eliminated from consideration.
Does this Windows Server box have security capabilities via ssh and related tools?
If this is a server monitoring and/or application and ACMS monitoring task, are you automating that mechanism here, or are you looking for interactive viewing into the server? (That goes to what sort of interface might be useful here.)
If OpenVMS has Apache (or can have Apache loaded) would a web interface address your requirements?
03-29-2011 05:07 PM
Re: ftp proxy on VMS 8.3 coming from Windows 2K3 SERVER monitoring box
I very much appreciate people's willingness to back up and try to see what problem I'm trying to solve.
But what I'd really appreciate is a simple here's how you do it, or there's no way to do it, and leave it at that.
I will NOT be allowed to put Apache on these VMS systems, that is NOT an option. Please, trust me.
Is there a way to use a lex function or something on the remote node?
And yes, even in this environment, there are gaping holes. You would NOT believe. Good thing we're trustworthy.
I would still be doing the rsh from my W2K3 Windows monitoring box if VMS 8.3 hadn't broken something.
03-29-2011 05:24 PM
Re: ftp proxy on VMS 8.3 coming from Windows 2K3 SERVER monitoring box
Rather than try to parse arbitrary incoming RSH commands, turn the problem on its head. You can hijack the incoming RSH request, and instead of executing the incoming string as a command, execute your own procedure, using the string as a parameter.
Make a copy of SYS$SYSTEM:TCPIP$RSH_RUN.COM in the SYS$LOGIN of your monadmin user. Call it MY_RSH_RUN.COM.
In your F$MODE().EQS."OTHER" branch of LOGIN.COM, detect the RSH process by process name:
$ rshproc="TCPIP$R_"
$ IF F$EXTRACT(0,F$LENGTH(rshproc),F$GETJPI("","PRCNAM")).EQS.rshproc THEN @MY_RSH_RUN/OUTPUT=MY_RSH_RUN.LOG
Modify MY_RSH_RUN.COM, replacing "EXIT 1" with LOGOUT.
You now have full control over all RSH commands sent to that username.
The command is in symbol 'RSHD$COMMAND' with which you can do what you like.
Simplest way to limit execution to a specific set of command procedures is to eliminate the "@" from your source RSH command. So your example becomes:
rsh -l monadmin $servername check_links
Now, in your MY_RSH_RUN command:
$ target=F$SEARCH(F$PARSE("PERMITTED_COMS:.COM;",RSHD$COMMAND))
$ IF target.NES."" THEN @'target'
where the logical name PERMITTED_COMS points to a directory containing your preapproved command procedures.
03-29-2011 06:39 PM
Re: ftp proxy on VMS 8.3 coming from Windows 2K3 SERVER monitoring box
Something your security team will like...
You can also log all requests, source IP address, commands, whatever you like. If you wanted to you could send an alert message on an "illegal" request.
Answering your specific question:
>Do any of you know how to detect what
>command is being passed to the VMS system
The command string is part of logical name SYS$NET. It's the remainder of the string after the first dollar sign "$". The initial part of the string gives the socket names for SYS$INPUT, SYS$OUTPUT and SYS$ERROR.
For example:
"SYS$NET" = "_BG3305:_BG3305:$show time" (LNM$PROCESS_TABLE)
Be especially careful of attempting to parse and identify commands, especially if you intend to execute any resulting string. There are many pitfalls and tricky ways to get DCL to execute commands. I recommend you stick with procedure names as described in my previous response.
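Added example, not part of the original replies: one way the MY_RSH_RUN.COM approach and the request logging suggested above could be combined in DCL. It assumes RSHD$COMMAND and PERMITTED_COMS behave as the replies describe; the character check, the labels and the RSH_AUDIT.LOG file name are hypothetical additions.

```dcl
$! Added example: request handling for a hypothetical MY_RSH_RUN.COM.
$! Assumes RSHD$COMMAND holds the rsh string and PERMITTED_COMS names
$! the directory of approved procedures, as described in the replies.
$ SET NOON                 ! keep going after errors so LOGOUT is always reached
$ req = F$EDIT(RSHD$COMMAND,"TRIM,UPCASE")
$ reason = "empty request"
$ IF req .EQS. "" THEN GOTO reject
$!
$! Accept a bare procedure name only: letters, digits, "$" and "_".
$! Anything else (":", "[", ".", ";", "@", spaces, quotes) is refused
$! outright instead of being interpreted.
$ allowed = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789$_"
$ reason = "character outside name set"
$ i = 0
$check_char:
$ IF i .GE. F$LENGTH(req) THEN GOTO resolve
$ IF F$LOCATE(F$EXTRACT(i,1,req),allowed) .EQ. F$LENGTH(allowed) THEN GOTO reject
$ i = i + 1
$ GOTO check_char
$!
$resolve:
$! "PERMITTED_COMS:.COM;" is the primary file spec, so device, directory
$! and type never come from the request; it supplies the name field only.
$ reason = "not an approved procedure"
$ target = F$SEARCH(F$PARSE("PERMITTED_COMS:.COM;",req))
$ IF target .EQS. "" THEN GOTO reject
$ verdict = "ALLOW"
$ GOSUB audit
$ @'target'
$ LOGOUT
$!
$reject:
$ verdict = "DENY (" + reason + ")"
$ GOSUB audit
$ LOGOUT
$!
$audit:
$! Append one line per request; create the log on first use.
$ OPEN/APPEND/ERROR=audit_new log SYS$LOGIN:RSH_AUDIT.LOG
$ GOTO audit_write
$audit_new:
$ OPEN/WRITE log SYS$LOGIN:RSH_AUDIT.LOG
$audit_write:
$ WRITE log F$TIME(), " ", verdict, " ", RSHD$COMMAND
$ CLOSE log
$ RETURN
```

The request string is only ever used as data in lexical functions and WRITE; the single apostrophe substitution is on `target`, which comes from F$SEARCH rather than from the caller.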
03-29-2011 06:41 PM