
FTP Paranoia

SOLVED
BryanRM
Occasional Advisor

FTP Paranoia

Hi,
We are seeing a number of errors with DNS reverse name resolution due to TRU64 using a 'paranoia' mode where a connection fails even when made using an ip address rather than a hostname. Is it possible to run ftpd on a TRU64 server so that connections using ip addresses are not affected by DNS issues? I am aware that the correct solution is to fix the DNS issues, but unfortunately that doesn't look likely to happen.
Thanks,
Steven Schweda
Honored Contributor

Re: FTP Paranoia

> We are seeing a number of errors [...]

Any chance of letting us see them, too?

> [...] connection fails [...]

How, exactly?

From this description, it's hard for me to
tell what's happening. An FTP client with
no/bad reverse look-up has some kind of
problem connecting to the Tru64 FTP server?
BryanRM
Occasional Advisor

Re: FTP Paranoia

Hi, I believe it's the other way round. The client connects to the ftp server, the server cannot resolve the client hostname from the ip address of the client and the connection eventually times out.
Steven Schweda
Honored Contributor

Re: FTP Paranoia

> [..] the server cannot resolve the client
> hostname [...]

That's what I was trying to convey, but no
matter. I don't know of a good way to get
the ftpd not to care, nor a good way to make
the DNS resolver fail faster. Perhaps some
other FTP server is more easily/obviously
configurable in this neighborhood. If the
DNS problem were confined to a reasonably
small set of known clients, perhaps the easy
way out would be to add them to /etc/hosts:

add.re.ss.x lame_ftp_client_1
add.re.ss.y lame_ftp_client_2
[...]

(assuming that /etc/nsswitch.conf says
something like:
hosts: files dns nis
with "files" before "dns".) (Also assuming
that your unspecified Tru64 version uses
nsswitch.conf.)

It's simple, crude, and potentially
effective. Who could ask for more?
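As an added illustration of the workaround described in the reply above (not code from the thread or from Tru64), the snippet below checks that the hosts: line in nsswitch.conf really consults "files" before "dns", and lists which client addresses still fail reverse lookup so they can be given /etc/hosts entries. The nsswitch sample, the 192.0.2.x client addresses and the ftp_client_N naming scheme are constructed assumptions; the resolver is injectable so the check can run offline.

```python
import socket
from typing import Callable, Dict, Iterable, List, Optional

# Constructed sample of an /etc/nsswitch.conf fragment (assumption: the Tru64
# release in question reads nsswitch.conf, as the reply above also assumes).
SAMPLE_NSSWITCH = """# constructed sample, not a real system file
passwd: files nis
hosts: files dns nis
"""


def hosts_lookup_order(nsswitch_text: str) -> List[str]:
    """Return the source order on the 'hosts:' line, e.g. ['files', 'dns', 'nis']."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if line.startswith("hosts:"):
            return line.split(":", 1)[1].split()
    return []                                      # no hosts: line at all


def files_before_dns(nsswitch_text: str) -> bool:
    """True only if /etc/hosts ('files') is consulted before 'dns', so that a
    static entry short-circuits the failing (and slow) PTR lookup."""
    order = hosts_lookup_order(nsswitch_text)
    if "files" not in order:
        return False
    return "dns" not in order or order.index("files") < order.index("dns")


def system_reverse_lookup(ip: str) -> Optional[str]:
    """Real resolver: the PTR name for ip, or None when the lookup fails."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def hosts_entries_for_unresolvable(
    ips: Iterable[str],
    resolver: Callable[[str], Optional[str]] = system_reverse_lookup,
) -> Dict[str, str]:
    """Map each client IP with no working reverse lookup to a placeholder
    name (hypothetical ftp_client_N scheme) for an /etc/hosts line."""
    entries: Dict[str, str] = {}
    for ip in ips:
        if resolver(ip) is None:
            entries[ip] = f"ftp_client_{len(entries) + 1}"
    return entries


def render_hosts_lines(entries: Dict[str, str]) -> str:
    """Format the mapping as lines ready to append to /etc/hosts."""
    return "\n".join(f"{ip}\t{name}" for ip, name in entries.items())
```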
Rob Leadbeater
Honored Contributor
Solution

Re: FTP Paranoia

Hi Bry,

If it's not already, try starting the ftpd in debug mode (-d) and see if that logs any useful errors in /var/adm/syslog.dated/current/daemon.log (I think).

Cheers,
Rob
BryanRM
Occasional Advisor

Re: FTP Paranoia

Unfortunately the logs only show that the login has failed; they don't give any further info.
Cheers,
Rob Leadbeater
Honored Contributor

Re: FTP Paranoia

Hi,

Another thing to consider is whether you're running enhanced security...

Looking at the man page for matrix.conf:

http://h30097.www3.hp.com/docs/base_doc/DOCUMENTATION/V51A_HTML/MAN/MAN4/0106____.HTM

you can see that ftpd is affected by it. You may be able to tweak things in there to change how ftpd handles things...

Cheers,

Rob
BryanRM
Occasional Advisor

Re: FTP Paranoia

What we've done is create a secondary DNS zone within our DNS servers and pointed those to the root DNS servers for reverse DNS only, so we are able to maintain local DNS info and are not reliant upon someone else's DNS servers for reverse lookups.

I'll check the C2 security stuff out though.
Bryan.