
Re: rogue ftp processes

 
RAKESH_12
Occasional Advisor

rogue ftp processes

Hi All,
I am trying to monitor for rogue and idle ftpd processes on an HP-UX box... can anyone suggest how to script this so it can be run using cron?

Thanks in advance.

R..
harry d brown jr
Honored Contributor

Re: rogue ftp processes


How is ftp defined in /etc/inetd.conf ??

And what do you mean when you say "rogue" ftpd processes?

live free or die
harry
Live Free or Die
Steve Steel
Honored Contributor

Re: rogue ftp processes

Hi


Logically the ftpd is the standard inetd startup so just check the parameters


ftpd(1M) ftpd(1M)

NAME
ftpd - DARPA Internet File Transfer Protocol server

SYNOPSIS
/usr/lbin/ftpd [-l] [-p] [-v] [-t timeout] [-T maxtimeout] [-u umask]
[-B size]

DESCRIPTION
ftpd is the DARPA Internet File Transfer Protocol server. It expects
to be run by the Internet daemon (see inetd(1M) and inetd.conf(4)).
inetd runs ftpd when a service request is received at the port
indicated in the ftp service specification in /etc/services (see
services(4)). ftpd recognizes the following options and command-line
arguments.

-l Causes each FTP session to be logged in the syslog
file. For anonymous FTP sessions, other
information is also logged in the syslog file.
This information includes what files are stored
and retrieved and what directories are created.
Standard input


If -l -s is added in /etc/inetd.conf, you can
see all ftp processes on the machine logged in syslog.log.

Could not be easier.


Steve Steel
If you want truly to understand something, try to change it. (Kurt Lewin)
RAKESH_12
Occasional Advisor

Re: rogue ftp processes

it is defined in the inetd.conf as:

ftp stream tcp nowait root /usr/lbin/ftpd ftpd -u 002 -l -a




I sometimes have phantom ftp processes which never close for some reason. I want to monitor for these using some type of script... If you require any more info, let me know. I'm stuck as to where to progress from here.


Thanks.
R..
Rory R Hammond
Trusted Contributor

Re: rogue ftp processes

All of our FTP stuff is recorded in syslog.

The first entry, at login, is:
Sep 23 08:13:27 hostname ftpd[328]: USER username

The last entry is:
Sep 23 08:13:40 lvmax ftpd[328]: FTP session closed

The following few lines will match beginnings and ends, leaving the open entries.

SYSLOG=/var/adm/syslog/syslog.log
# Print the "ftpd[PID]:" field (field 5) of each login entry and each
# close entry. Using a field rather than a column offset keeps this
# independent of the hostname length. After sort, the entries that
# appear only once are the sessions still open.
(
grep ftpd ${SYSLOG} | grep -e "USER" | awk '{print $5}'
grep ftpd ${SYSLOG} | grep -e "session closed" | awk '{print $5}'
) | sort | uniq -u

You should be able to add logic to grep the open entries and check the times to see if they need to be looked at. Be aware that if you regularly trim syslog files, this script will catch ftps that have closed, because the start entry was trimmed. But that also should be easily fixed.

Hope this helps get you going.
Ror
There are a 100 ways to do things and 97 of them are right
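As an added example (not code from the thread), here is Rory's pairing idea carried through with the time check he suggests: an awk-based shell function that pairs USER and "FTP session closed" entries by PID, drops a close entry whose login line was already trimmed, and reports only sessions that have been open for at least a given number of minutes. The log lines, the hostname lvmax and the user names are constructed sample data.

```shell
#!/bin/sh
# Constructed sample syslog.log lines (not real log data): PID 328 and 340
# logged in and closed, 331 and 350 are still open, and 200 has a close
# entry whose USER line was already trimmed away.
SAMPLE_LOG='Sep 23 08:13:27 lvmax ftpd[328]: USER alice
Sep 23 08:13:40 lvmax ftpd[328]: FTP session closed
Sep 23 08:20:01 lvmax ftpd[331]: USER bob
Sep 23 08:25:10 lvmax ftpd[200]: FTP session closed
Sep 23 09:01:05 lvmax ftpd[340]: USER carol
Sep 23 09:02:00 lvmax ftpd[340]: FTP session closed
Sep 23 09:05:00 lvmax ftpd[350]: USER dave'

# open_ftp_sessions NOW MAXMIN < syslog.log
# Prints "PID USER LOGIN_TIME" for every ftpd session that logged a USER
# line but no matching "FTP session closed" line and that has been open
# for at least MAXMIN minutes as of NOW (HH:MM:SS). Whitespace-separated
# fields are used instead of column offsets, so the hostname length and
# single-digit days ("Sep  3") do not matter.
open_ftp_sessions() {
    awk -v now="$1" -v maxmin="${2:-0}" '
        function secs(t,  a) { split(t, a, ":"); return a[1]*3600 + a[2]*60 + a[3] }
        function pidof(f)    { sub(/^ftpd\[/, "", f); sub(/\]:$/, "", f); return f }
        /ftpd\[[0-9]+\]: USER / { p = pidof($5); user[p] = $7; when[p] = $3 }
        /ftpd\[[0-9]+\]: FTP session closed/ {
            # a close with no recorded login comes from a trimmed log: just drop it
            p = pidof($5); delete user[p]; delete when[p]
        }
        END {
            for (p in user)
                if (secs(now) - secs(when[p]) >= maxmin * 60)
                    print p, user[p], when[p]
        }'
}

# Report sessions open for 30 minutes or more as of 09:10:00 (PID 331 only)
printf '%s\n' "$SAMPLE_LOG" | open_ftp_sessions 09:10:00 30
```

From cron you would feed the real file instead: open_ftp_sessions `date +%H:%M:%S` 30 < /var/adm/syslog/syslog.log.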
Shannon Petry
Honored Contributor

Re: rogue ftp processes

Not an easy chore, as the idle processes are caused by abnormal terminations (notorious in lots of Windows-based ftp clients).

While you can sort through syslog.log, this can be rough depending on the uptime of the server.

If I were in your shoes....
snapshot the system with ps -ef | grep ftp

Pluck out the time. If it's older than what you think is too old, kill it. I.e.:

#!/usr/bin/sh
# ps -ef columns on HP-UX: UID PID PPID C STIME TTY TIME COMMAND
MAXHRS=4
# Take a fresh snapshot each run (appending would keep stale entries around)
ps -ef | grep ftpd | grep -v grep > /tmp/.ftpsessions.txt
# Check to see if file is empty
if [ -s /tmp/.ftpsessions.txt ] ; then
    # Not empty, so process it line by line (a for loop over `cat` splits on every word)
    NOW=`date +%H`
    while read LINE ; do
        PID=`echo "$LINE" | awk '{print $2}'`
        STIME=`echo "$LINE" | awk '{print $5}'`
        case "$STIME" in
            *:*) START=`echo "$STIME" | cut -d: -f1`      # started today: STIME is HH:MM:SS
                 AGE=`expr $NOW - $START`
                 [ $AGE -lt 0 ] && AGE=`expr $AGE + 24` ;;  # crossed midnight
            *)   AGE=24 ;;                                  # started on an earlier day: STIME is "Mon DD"
        esac
        if [ $AGE -ge $MAXHRS ] ; then
            kill $PID
        fi
    done < /tmp/.ftpsessions.txt
fi

Hope it helps!
Shannon
Microsoft. When do you want a virus today?
harry d brown jr
Honored Contributor

Re: rogue ftp processes

Shannon,

Would lsof help in these cases?

live free or die
harry
Live Free or Die
Shannon Petry
Honored Contributor

Re: rogue ftp processes

Not that I'm aware of... I guess you could get into the obscure options on lsof to look for open sockets, but it would not be able to show usage.

The biggest problem I see in this case is that there is no real way of knowing if an FTP is live or not... that is why time is a guesstimate.

I have 5 ftp servers, 3 HP-UX and 2 Solaris. All these systems would have hung processes. I switched from the built-in FTPD to wu_ftpd long before it was supported on HP-UX. Same problems.
I found in Solaris that proftpd does not hang, and use that now on Solaris. I have not been able to get a good working compile on HP-UX, though, to see if it fixes the issue there.

Shannon
Microsoft. When do you want a virus today?
Sridhar Bhaskarla
Honored Contributor

Re: rogue ftp processes

Rakesh,

Instead of writing a script and setting up a cron, you can enable the timeout value by setting the -t parameter in /etc/inetd.conf. By default ftp will time out in 15 mins. The following will close all ftpd sessions after 5 mins of idle time.

ftp stream tcp nowait root /usr/lbin/ftpd ftpd -t 300



-Sri
You may be disappointed if you fail, but you are doomed if you don't try
Shannon Petry
Honored Contributor

Re: rogue ftp processes

Sridhar,

The problem is that the timeout does not work properly. If it did, then no need for the thread ;)

Shannon
Microsoft. When do you want a virus today?
Sridhar Bhaskarla
Honored Contributor

Re: rogue ftp processes

Shannon,

I did read the mail. Unfortunately I never encountered problems with ftp sessions being frozen. We did have other problems with the Windows clients though.

If ftpd is in "IDLE" state (as you see in ps -ef output), it will disconnect itself.

If the Windows client closed the connection abruptly, then you should at least see it in netstat -an with CLOSE_WAIT state, and that shouldn't last longer either.

If the ghost ftp sessions are found, I would interrogate more by doing a netstat -an and seeing what is happening.

-Sri

You may be disappointed if you fail, but you are doomed if you don't try
harry d brown jr
Honored Contributor

Re: rogue ftp processes

Shannon,

This is the output (ATTACHED as a TEXT document) I got from ftp'ing from a windows pc (192.168.1.100) to an hpux server (11.00 A180 - called wildone):

From the attached text file, you'll see that socket size offsets actually change. A perl program could use the data to look for the changes.

live free or die
harry
Live Free or Die
Shannon Petry
Honored Contributor

Re: rogue ftp processes

Harry, the attachment does not work ;(

That's okay, not being the perl guru I'll agree then that LSOF could look at the socket somehow and do the same thing. I'll let you write that example though! hehe

It has been a while since I did the testing, and I think the client left the server in a FIN_WAIT state which would not drop.

Like I said though, the problem was pretty common, in fact so common that I changed FTP servers 2 times.

I will say that in HP-UX 11 I have not had any problems like this though! Not sure what version of HP-UX nor what ftp daemon the poster is running.

Shannon
Microsoft. When do you want a virus today?