Secure OS Software for Linux
wu-ftpd installed, but it didn't reply response.

Hideyuki Hori
Occasional Visitor

wu-ftpd installed, but it didn't reply response.

I built and installed wu-ftpd from source code.
It is not properly connectable, although it was set up and /etc/xinetd.d/ftp was edited.
If it is made to run standalone from the command line, it operates normally. Are there any problems?
Hori
14 REPLIES
Mark Fenton
Esteemed Contributor

Re: wu-ftpd installed, but it didn't reply response.

If the server runs in daemon mode, then it *SHOULD* run from xinetd...

Did you forget to stop and restart xinetd after you edited the ftp file? (I really can't think of any other reasons why xinetd would have a problem with your ftp service otherwise......)

hth
Ron Vladick
Advisor

Re: wu-ftpd installed, but it didn't reply response.

In your /etc/xinetd.d/ftp file, do you have the variable cname defined?

ex:

cname = system

where system is the compartment that ftp is running in?

Ron


Dan Am
Frequent Advisor

Re: wu-ftpd installed, but it didn't reply response.

Hideyuki,
If "not well connected" means "really slow", you should also check for a port 53 (NS) entry in your compartment tlrules.
hth
regards
dan
do what you can. don't if you can't.
Ron Kinner
Honored Contributor

Re: wu-ftpd installed, but it didn't reply response.

IF you are running tcpd (look in /etc/inetd.conf) then the following applies:

The tcpd program is a wrapper program that can be set up to monitor incoming requests for telnet, finger, ftp and other Internet services. It works as follows: whenever a request for service arrives, the inetd daemon runs tcpd, which logs the request and does some checking. When all is well, tcpd runs the appropriate server program and goes away. For details, see the tcpd manual page. Access control for tcpd is configured using the /etc/hosts.allow and /etc/hosts.deny files. tcpd looks at hosts.allow then hosts.deny. It stops at the first match. Consequently, one can permit a few machines to have ftp or telnet access and then deny access to everybody else in hosts.deny. Here is a sample /etc/hosts.allow:

ALL: 10.100.10.0/255.255.255.0

The ALL refers to all wrapped inetd services. This does not include stand-alone services. The second field 10.100.10.0/255.255.255.0 means all machines on the 10.100.10.0 subnet have access to all the services. Now we want to disallow access for everybody else. Put the following line into /etc/hosts.deny:

ALL: ALL

Also check that you do not have ipchains or whatever the other firewall is running on your machine. If you do it's probably blocking you.

Ron
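As an added illustration of the hosts.allow / hosts.deny evaluation order described in the post above (this is not code from the thread or from tcpd itself): a small model of the tcpd decision, restricted to the `daemon_list : client_list` line form with ALL, net/mask pairs and bare IPv4 addresses. The sample files are constructed to mirror the post, and the model also shows the default that applies when neither file matches.

```python
"""Model of the tcpd (TCP Wrappers) allow/deny decision.
Assumption: only 'daemon_list : client_list' lines with ALL, dotted
net/mask pairs and plain IPv4 addresses; real tcpd supports more forms."""
import ipaddress

# Constructed sample files mirroring the post: allow one subnet, deny the rest.
HOSTS_ALLOW = "ALL: 10.100.10.0/255.255.255.0\n"
HOSTS_DENY = "ALL: ALL\n"


def parse_rules(text):
    """Return (daemons, clients) tuples from a hosts.allow/hosts.deny body."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append(([d.strip() for d in daemons.split(",")],
                      [c.strip() for c in clients.split(",")]))
    return rules


def client_matches(pattern, client_ip):
    """ALL matches anything; a net/mask pair or bare address must contain client_ip."""
    if pattern == "ALL":
        return True
    addr = ipaddress.ip_address(client_ip)
    if "/" in pattern:
        net, mask = pattern.split("/", 1)
        return addr in ipaddress.ip_network(f"{net}/{mask}", strict=False)
    return addr == ipaddress.ip_address(pattern)


def rule_matches(rule, service, client_ip):
    daemons, clients = rule
    return (("ALL" in daemons or service in daemons)
            and any(client_matches(c, client_ip) for c in clients))


def tcpd_decision(service, client_ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """hosts.allow is consulted first, then hosts.deny; the first match wins.
    With no match in either file tcpd grants access, so an empty hosts.deny
    silently allows every client that hosts.allow did not list."""
    if any(rule_matches(r, service, client_ip) for r in parse_rules(allow_text)):
        return "allow"
    if any(rule_matches(r, service, client_ip) for r in parse_rules(deny_text)):
        return "deny"
    return "allow"  # default when nothing matches in either file
```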
Hideyuki Hori
Occasional Visitor

Re: wu-ftpd installed, but it didn't reply response.

thanks all,
There was a lack of understanding of COMPARTMENT on my part and a DNS problem. I solved it.
Hori
Mark Fenton
Esteemed Contributor

Re: wu-ftpd installed, but it didn't reply response.

so Ron and Dan's responses provided the clues you needed to solve this riddle....
Hal Rottenberg
Frequent Advisor

Re: wu-ftpd installed, but it didn't reply response.

Hideyuki,

It's customary to assign points to one or more responses if they are helpful. That's what makes this place work.

Regards,

Hal Rottenberg
HP Technical Support Engineer
If at first you don't succeed, then skydiving isn't for you.
Drew Gulino
Occasional Visitor

Re: wu-ftpd installed, but it didn't reply response.

Has anyone else gotten an FTP daemon working in a compartment?

I have configured an xinetd compartment that starts wu-ftp. The connection works when I start wu-ftpd in syshi by setting cname=syshi in my wu-ftpd file in /etc/xinetd.d. But when I try to get it running in another container 'test', it appears the control port gets through, but not the data.

tlrules accepts
"COMPARTMENT test -> HOST * METHOD any NETDEV any" but this doesn't seem to affect anything. Only when I specify a port does it seem to work. Is there some tlrules syntax for all ports or, even better, ports over 1024?

I need to get PASV mode working, so I need the compartment to be able to initiate a connection on all ports >1024.

I've got the latest hp patches applied.

Any ideas?
Hal Rottenberg
Frequent Advisor

Re: wu-ftpd installed, but it didn't reply response.

Hi,

You also need a rule for xinetd to even see the ftp traffic:

HOST * -> COMPARTMENT xinetd PORT 21 METHOD tcp NETDEV any

-hal
If at first you don't succeed, then skydiving isn't for you.
Drew Gulino
Occasional Visitor

Re: wu-ftpd installed, but it didn't reply response.

I have the rule
'HOST * -> COMPARTMENT xinetd PORT 21 METHOD tcp NETDEV any'. This allows the initial connection. But unless I put the ftpd daemon in the syshi compartment, I get 'Socket connected waiting for login sequence.' when connecting from a client, and then the client connection times out before login is possible.
Hal Rottenberg
Frequent Advisor

Re: wu-ftpd installed, but it didn't reply response.

Drew,

I think you should open a support case with the Response Center so that the lab can research this behavior.

Regards,

Hal Rottenberg
If at first you don't succeed, then skydiving isn't for you.
Steven E. Protter
Exalted Contributor

Re: wu-ftpd installed, but it didn't reply response.

I have heard that wu-ftpd has a security hole that lets users run EXEC commands, potentially getting root access.

I never let root use ftp on Linux or HP-UX machines.

I have heard that Proftpd does not allow EXEC commands and is in general more secure. I'm going to test it on a Linux test box, but am increasingly interested in running it on HP-UX.

Any suggestions or experience in this area?
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Hal Rottenberg
Frequent Advisor

Re: wu-ftpd installed, but it didn't reply response.

"I have heard that wu-ftpd has a security hole that lets users run EXEC commands, potentially getting root access."

Stephen,

My research found this to be an old exploit from 1995. As far as I can tell it never applied to Redhat, upon which Secure Linux is based. The issue was not that the SITE EXEC command was enabled, but that the EXEC bin path was set to /bin, thus allowing shell access. This is a compile-time variable, and I don't think you will find this to be the default on any Linux distribution now.

That aside, I don't know anything about ProFTPD. At this point in time, we are aligning with software that is included in Redhat, so we are using wu-ftpd. In version 2 of our software wu-ftpd will be available as a pre-packaged integration complete with security rules in effect.

I encourage you to integrate ProFTPD if you want, and if you learn anything or encounter snags while doing so, please post to the group.

-hal
If at first you don't succeed, then skydiving isn't for you.
Steven E. Protter
Exalted Contributor

Re: wu-ftpd installed, but it didn't reply response.

Thanks Hal. I'm going to conduct the Proftpd experiment on a test Red Hat box I'm building in the next few weeks.

I will report results.

There was a reported Red Hat 6x hack of a system using wu-ftpd on one of the newsgroups.

The information was sketchy, but I find most hacks are due to administrator ignorance and a poor understanding of how to configure the product.

On the other hand, my old ISP switched from wu-ftpd to Proftpd and claimed it was for security reasons. It's worth doing the Proftpd project simply for knowing how to do it.

Early next year, I'm going to have a hand-me-down D320 box in my offices and it will be my first HP-UX box exposed to the public internet. I'm using it to learn and perhaps provide secondary services, such as taking over my web traffic when the Red Hat box is brought down for maintenance.

Hence the queries. I have found HP-UX 11.11 installs with far fewer security holes than 11.00. That's always nice. There is even a little firewall you can use, like ipchains on Linux.

Have a good day.
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com