
ftp version not to be disclosed

 
chindi
Respected Contributor


Hi,

We had an audit where we were asked to change the ftp server information which was getting displayed when we connected through an ftp session.

 

For ex: ftp 10.xx.xx.xx

Connected to xx.xx.xx.
220 ra FTP server (Revision 1.1 Version wuftpd-2.6.1(PHNE_34698) Fri Nov 10 10:21:03 GMT 2006) ready.
User (10.xx.xx.xx:(none)):

 

We removed all of this information by adding ftpaccess in our DR setup.

Just wanted to ask whether the same can be done at the DC site also?

Are there any problems arising out of the addition of the ftpaccess directory to the existing ftp setup?

All clients can still access as they were used to earlier, right?

6 REPLIES
Matti_Kurkela
Honored Contributor

Re: ftp version not to be disclosed

As far as I know, an FTP client should not depend on parsing the text portion of the FTP server responses for any information that is critical to the session. Only the response code ("220" in your example) is intended to be machine-readable: the rest is information for humans only and can be modified freely.

 

The ftpaccess file can do many things: with the "greeting" keyword you can change the FTP server information displayed to the client, but with other keywords you can change many other things. Changing the server information should be safe, but changing some of the other things may restrict or completely block some or all your clients.

 

Your question cannot be answered with certainty without knowing exactly what keywords you've put in your ftpaccess file.

 

See the man page of the ftpaccess file, on your system or here:

http://wu-ftpd.therockgarden.ca/man/ftpaccess.html

MK
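
A way to verify the audit finding before and after the change, as an added example that is not part of the thread: it splits the greeting into the machine-readable reply code and the free text, then flags version details in the text. The leak pattern list and the post-change banner are assumptions constructed for illustration.

```python
import re
import socket
import sys

# Strings that identify the server software or its build (assumed list; extend as needed).
LEAK_PATTERNS = [
    re.compile(r"wu-?ftpd", re.I),
    re.compile(r"\b(?:version|revision)\b", re.I),
    re.compile(r"\d+\.\d+(?:\.\d+)?"),  # dotted version numbers
    re.compile(r"PHNE_\d+"),            # HP-UX patch identifiers
]

# Banner quoted in the thread (terminal line wrap joined) and a constructed post-change banner.
BEFORE = ("220 ra FTP server (Revision 1.1 Version wuftpd-2.6.1(PHNE_34698) "
          "Fri Nov 10 10:21:03 GMT 2006) ready.\r\n")
AFTER = "220 FTP server ready.\r\n"  # constructed sample

def parse_reply(raw):
    """Split an FTP reply into (code, text), including multi-line 'NNN-' replies."""
    lines = raw.replace("\r\n", "\n").strip("\n").split("\n")
    m = re.match(r"(\d{3})([ -])(.*)", lines[0])
    if not m:
        raise ValueError("not an FTP reply: %r" % lines[0])
    code, sep, text = m.group(1), m.group(2), [m.group(3)]
    if sep == "-":  # multi-line reply: ends at the first line starting with "NNN "
        for line in lines[1:]:
            text.append(line[4:] if line.startswith((code + " ", code + "-")) else line)
            if line.startswith(code + " "):
                break
        else:
            raise ValueError("unterminated multi-line reply")
    return int(code), "\n".join(text)

def disclosed(text):
    """Return every substring of the human-readable text that matches a leak pattern."""
    return [m.group(0) for p in LEAK_PATTERNS for m in p.finditer(text)]

def fetch_banner(host, port=21, timeout=5.0):
    """Read the greeting a server sends on connect, up to its final 'NNN ' line."""
    lines = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        for line in s.makefile("r", encoding="latin-1"):
            lines.append(line)
            if re.match(r"\d{3} ", line):
                break
    return "".join(lines)

if __name__ == "__main__":
    code, text = parse_reply(fetch_banner(sys.argv[1]) if sys.argv[1:] else BEFORE)
    print(code, disclosed(text) or "no version details in banner")
```

Run with a hostname argument to check a server you administer; with no argument it analyses the banner quoted in the question.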
chindi
Respected Contributor

Re: ftp version not to be disclosed

Hi Matti,

 

root #/home/te >cat /etc/ftpd/ftpaccess


class all real,guest,anonymous *

limit all 10 Any /etc/msgs/msg.dead

#readme README* login
#readme README* cwd=*

#message /welcome.msg login
#message .message cwd=*

compress yes all
tar yes all

#log commands real
log transfers anonymous,real inbound,outbound

shutdown /etc/shutmsg

email user@hostname
greeting terse

Matti_Kurkela
Honored Contributor

Re: ftp version not to be disclosed

Your "limit" keyword defines a maximum of 10 simultaneous FTP connections for all types of logins at all times.

Without the ftpaccess file, the FTP server would accept an unlimited number of simultaneous logins.

 

So if your DC site is currently handling more than 10 simultaneous FTP connections at times of highest load, the limit of 10 simultaneous connections might be too low and could cause some clients to be rejected.

 

Otherwise, I don't see any problems that might be caused by adding that ftpaccess file to your production setup.

MK
chindi
Respected Contributor

Re: ftp version not to be disclosed

Hi Matti,

 

I am not sure about the number of simultaneous ftp connections.

Can I just hash this parameter?

Matti_Kurkela
Honored Contributor
Solution

Re: ftp version not to be disclosed

Yes you can.

 

If your production setup has run successfully without the ftpaccess file, it should be obvious that all the settings in the file are optional: you don't have to specify any of them if you don't want to change the defaults. The man page even describes what happens if no limit is set (= it will be unlimited), so there is no requirement like "if you define a class, you must also define a limit for it".

 

If you are uncertain about adding a short configuration file like the ftpaccess file to your production system, you should check the description of every keyword in the file from the documentation (= the man page, accessible either from the link in my previous post, or with "man ftpaccess" on your system). If you don't understand some configuration line, don't add it; add only what is needed to satisfy your requirements, and nothing more.

MK
chindi
Respected Contributor

Re: ftp version not to be disclosed

Thanks Matti again :)