540 UNIX System Administration: A Beginner’s Guide didymus. With FTP, to transfer a file from the remote end to the local end, you would use the get FTP command. Thus, to transfer the file yellow from the bedrock server to the local system, use the following command while in the FTP shell: ftp> get yellow The client session will show the following: 227 Entering Passive Mode (216,155,202,100,128,206) 150 ASCII data connection for yellow (216.155.202.163,1047) (916 bytes). 226 ASCII Transfer complete. 938 bytes received in 0.000418 secs (2.2e+03 Kbytes/sec) ftp> As you can see, the output includes the name of the file, the size of the file, and the amount of time it took to transfer the contents of the file. Also, the relative network performance was shown. To verify that the file was actually transferred, inspect the local system by using the !ls –l yellow command. The ! (bang) character is supported on many UNIX FTP client programs, which permits the execution of a local command (in this case, the ls –l command, which lists files and/or directories). Thus, when this command is run within the FTP client shell, and when no errors were generated during the file transfer, the following should be displayed: -rw-r r 1 root root 916 Apr 25 02:03 yellow NoteNote The byte counts for the file yellow match the number of bytes transferred with the FTP program. Sending a File To send a local file to the remote host, use the put FTP command. Thus, to place a new file called steve.dat onto the bedrock system, use the following command: ftp> put steve.dat TEAMFLY Team-Fly ® 18 When the command is executed, the following is displayed by the client program: local: steve.dat remote: steve.dat 227 Entering Passive Mode (216,155,202,100,128,208) 150 ASCII data connection for steve.dat (216.155.202.163,1050). 226 Transfer complete. 18396 bytes sent in 0.0124 secs (1.5e+03 Kbytes/sec) ftp> Again, much of the same information is shown as in the previous transfer example. To verify the file was sent (which, in most cases, is not necessary), use the dir command with the filename: ftp> dir steve.dat 227 Entering Passive Mode (216,155,202,100,128,210) 150 ASCII data connection for /bin/ls (216.155.202.163,1052) (0 bytes). -rw-r r 1 root 1 17884 Apr 24 15:23 steve.dat 226 ASCII Transfer complete. ftp> As you can see, the file is listed on the remote end, confirming the transfer. Monitoring File Transfers When transferring very large files, it is hard to determine if the transfer is progressing or has stopped for some reason. As a result, most FTP clients support the hash command. When enabled, the hash command tells the FTP client to echo a “#“ character every time a block of information was successfully retrieved. For example, the command ftp> hash shows the following: Hash mark printing on (1024 bytes/hash mark). Thus, when each chunk of the file is transferred, a new pound sign is displayed. Here is what will be shown when a file called records.dat is transferred: ftp> put record.dat local: record.dat remote: record.dat Module 18: File Transfer Protocol 541 18 542 UNIX System Administration: A Beginner’s Guide 227 Entering Passive Mode (216,155,202,100,128,213) 150 ASCII data connection for record.dat (216.155.202.163,1055). ############################################################################ ############################################################################ ############################################################################ ###### 226 Transfer complete. 240902 bytes sent in 0.257 secs (9.1e+02 Kbytes/sec Due to the size of the file, a number of hash characters were displayed—thus providing a visual way to see the FTP activity. Use the byte command to close the FTP session. This logs you off the server and exits the FTP client program. 18.2 Discover FTP Commands The FTP facility supports a large number of commands. However, the most important and popular ones are listed and described in Table 18-1. Note, too, that some of the listed commands may or may not be supported on either the FTP client or server end. Typing the “?“ (or help) command will provide a list FTP Command Description ascii Enable ASCII transfer mode; this mode is used to copy regular text files. binary Enable binary transfer mode; this is used to copy programs and other data files—for example, tar or gzip archive files. bye Log off the FTP server. cd Change working directory. chmod Change the mode of a file or directory. close Close the FTP session. delete Delete a file or directory. debug Enable debug mode, which will display more information about each transaction. dir Display the current directory listing or individual file. exit Same as bye. get Transfer a file from the remote server to the local client. glob Enable specific character matching for files and directories. Table 18-1 Command FTP Commands 18 of supported commands for the client side, but these may not all be available on the server side. 18.3 Controlling FTP Access On the FTP server, the /etc/ftpusers file can be used to control access to the FTP server. NoteNote On Linux, this file is replaced by the /etc/ftpaccess configuration file. On Solaris, by default, the file contains the following entries: ● daemon ● bin Module 18: File Transfer Protocol 543 18 FTP Command Description hash Enable hash mode; displays a # character for each 8K block of data that has been transferred. help Display a list of FTP commands. image Same as binary command. lcd Change working directory on local client system. ls Like dir command. mdelete Delete multiple files and directories. mget Transfer multiple files from the remote server to the local client. mput Transfer multiple files from the client to the server. open Open a new FTP session. prompt Toggle the prompting of confirmation before transfer begins. When enabled, it will prompt for each file before transfer begins. pwd Print the working directory. quit Same as bye. rmdir Remove a directory on the server side. send Same as put. status Show the FTP session status. verbose Display additional information for each transaction (like debug, but not as much information). Table 18-1 Command FTP Commands (continued) ● sys ● adm ● lp ● uucp ● nuucp ● listen ● nobody ● noaccess ● nobody4 Each of the login names defined within this file is blocked from using the FTP facility. Note that each name is on a separate line by itself and there is no special ordering—the file is simply processed from beginning to end whenever a user accesses the FTP server. If a user that is listed within this file attempts to access the FTP server, they get a login incorrect message. When a change is made to the /etc/ftpuser file, it takes effect immediately and no additional steps are necessary to restrict users. When the wu-ftpd server is deployed, the /etc/ftpaccess file can be used to replace the function of the /etc/ftpusers file. Also, the /etc/ ftpaccess provides additional configuration options as well. The wu-ftpd server comes standard with Linux. The /etc/ftpaccess configuration file can be used to control the following: ● Access to the FTP server ● Which command a user may execute ● The logging of FTP access ● General FTP configuration The default entries for this file are shown here: # This file controls the behavior of the wu-ftpd # ftp server. 544 UNIX System Administration: A Beginner’s Guide Module 18: File Transfer Protocol 545 18 # # If you're looking for a graphical frontend to # editing it, try kwuftpd from the kdeadmin # package. # Don't allow system accounts to log in over ftp #deny-uid %-99 %65534- #deny-gid %-99 %65534- allow-uid ftp allow-gid ftp # The ftpchroot group doesn't exist by default, this # entry is just supplied as an example. # To chroot a user, modify the line below or create # the ftpchroot group and add the user to it. # # You will need to setup the required applications # and libraries in the root directory (set using # guest-root). # # Look at the anonftp package for the files you'll need. guestgroup ftpchroot # User classes class all real,guest,anonymous * # Set this to your email address email root@localhost # Allow 5 mistyped passwords loginfails 5 # Notify the users of README files at login and when # changing to a different directory readme README* login readme README* cwd=* # Messages displayed to the user message /welcome.msg login message .message cwd=* # Allow on-the-fly compression and tarring compress yes all tar yes all 546 UNIX System Administration: A Beginner’s Guide # Prevent anonymous users (and partially guest users) # from executing dangerous commands chmod no guest,anonymous delete no anonymous overwrite no anonymous rename no anonymous # Turn on logging to /var/log/xferlog log transfers anonymous,guest,real inbound,outbound # If /etc/shutmsg exists, don't allow logins # see ftpshut man page shutdown /etc/shutmsg # Ask users to use their email address as anonymous # password passwd-check rfc822 warn 18.4 Configure Anonymous FTP On the Internet, many sites offer free FTP access to the public; this is known as anonymous FTP. Basically, anyone can log in an FTP service using a generic login and password. This type of access can be dangerous, since you really don’t know the true identity of the user accessing the server. Here is an anonymous login session using the "ftp.cisco.com" server: # ftp ftp.cisco.com Connected to ftp.cisco.com. 220- 220- Cisco Connection Online | | Cisco Systems, Inc. 220- Email: cco-team@cisco.com ||| ||| 170 West Tasman Drive 220- Phone: +1.800.553.2447 .:|||||: :|||||:. San Jose, CA 95134 220- 220- You may login with: 220- + Your CCO username and password, or 220- + A special access code followed by your e-mail address, or 220- + "anonymous" followed by your e-mail address for guest access. 220- 220- 220 ftp-poc-2 FTP server (CIOESD #422 Wed May 1 14:15:23 PDT 2002) ready. Module 18: File Transfer Protocol 547 18 At this point, the anonymous username is entered and the FTP server responds with the standard password which is typical of the e-mail address of the user: User (ftp.cisco.com:(none)): anonymous 331 Guest login ok, send your complete e-mail address as password. Password: If the login name and password are accepted, the FTP server grants access to the system, and displays a welcome message. NoteNote Not all FTP servers display these types of informative messages. 230- <======[+]> FTP.CISCO.COM <[+]=======> 230- 230-Welcome to the Cisco Systems CCO FTP server. 230- 230-Local time is currently Wed May 8 23:03:09 2002. 230- 230-There are currently 20 users out of 120 maximum logged in. 230- 230-This server has a number of restrictions. If you are not familiar 230-with these, please first get and read the /README or /README.TXT file. 230- 230-If you have any odd problems, try logging in with a minus sign (-) as 230-the first character of your password. This will turn off a feature that 230-may be confusing your ftp client program. 230- 230-Please send any questions, comments, or problem reports about this 230-server to cco-team@cisco.com. 230- 230-You are logged in with guest (anonymous) level access. 230- 230- 230-Please read the file README 230- it was last modified on Mon Jul 5 21:31:32 1999 - 1037 days ago 230 Guest login ok, access restrictions apply. Once logged into the system, you can retrieve or place files according to the corresponding site permissions and/or directory structure. Setting Up Anonymous Access Configuring anonymous FTP access on a server is a fairly straightforward process. However, having said that, care must be taken to ensure that every step is executed correctly and that no configuration-related problems result. NoteNote Providing anonymous FTP on the Internet or even locally can be a potential security risk. The risk is even compounded when the configuration is not complete or has not been done correctly. One good way to minimize problems is to have other knowledgeable people help test the final configuration before going live. Also, continuously consult the relevant security web sites (such as www.cert.org) about FTP security issues and problems. Using these approaches, you may help to reduce the number of problems that would-be hackers might exploit. The basic process for anonymous account setup includes the following: 1. Create the FTP login in the /etc/passwd and /etc/shadow files. 2. Make sure the FTP account name does not appear in the /etc/ ftpusers file. 3. Set up the required FTP environment. 4. Test the account. Some of the above procedure need not be executed manually. For example, the setup of the FTP environment can be done with an automated script. On Solaris, the ftpd manual (that is, man ftpd) gives a listing of a script to handle all the required steps. Just copy this output and save it to a file for execution. Other operating systems such as Linux provide a list of steps via the ftpd man page and provide an RPM (anonftp-4.0.9.i386.sp) to handle the details of setting up the correct configuration. Once the anonymous account and configuration has been set up, test the account to ensure that basic FTP services are functional and work as expected (such as retrieving files). Next, make sure that the anonymous user can’t do things such as remove system files or execute unauthorized commands. Finally, monitor the FTP log file for any suspicious activities, such as a larger number of requests for login within a short period of time. This could indicate that someone 548 UNIX System Administration: A Beginner’s Guide Module 18: File Transfer Protocol 549 18 is attempting to log in to the server using a program or script, which may indicate an attempted denial service attack being done against your server. 18.5 Log FTP Activity One important aspect of system administration is keeping track of activity on your systems. That is why, for example, critical services like FTP should be monitored on a continued basis. As a result, FTP activity should be logged to a special file so that later inspection and monitoring can be done in the most efficient manner. Most of the available FTP servers support robust logging facilities. In particular, the ability to monitor each FTP session is important. Also, some FTP servers (for example, the Linux wu-ftpd server) provide a way to view each FTP command executed by a FTP user. With this capability, it becomes much easier to identify possible nonfriendly behavior toward your FTP services. To activate FTP logging, the following will need to be done: 1. Enable FTP server logging. 2. Enable logging via the syslog facility. 3. Test that logging is functional. Enable FTP logging To activate FTP logging, the proper command-line argument(s) must be supplied to the FTP server process when it is invoked by the system. For example, on Solaris, the in.ftpd FTP server supports the –l option, which tells the server to record every active session when a user logs into the FTP server. Typically, the FTP server will send this monitoring information to the general-purpose system logging process via the syslogd process. See below for additional details about syslog logging facility. To enable logging on Solaris and HP-UX, edit the /etc/inetd.conf network services configuration file and modify the in.ftpd entry. For example, the default FTP entry on Solaris contains the following: ftp stream tcp6 nowait root /usr/sbin/in.ftpd in.ftpd [...]... increase the amount of swap space Also, it is not uncommon to increase swap space even if the currently used space is quite a bit smaller than that available—perhaps because the system administrator wants additional performance gains, one or more additional drives are configured to support swapping In this way, the swap activities are spread across additional physical disk drive, thereby increasing system. .. the Solaris swap command will show the following when used with the –s option: Total kbytes swap space currently used total: 394 88k bytes allocated + 12520k reserved = 52008k used, 1062656k available Total kbytes space configured as swap space Function Linux Solaris HP-UX Add swap space Create swap area using a regular file List swap usage Delete swap area swapon -a mkswap swap mkfile swapon -a swapon... swapon -s swapoff swap -l swap -d swapinfo -ta Table 19- 1 UNIX Swap Commands Module 19: 5 59 Important System Administration Tasks/Information This shows the total amount of swap space currently used on the system in this case, 52,008K (or 52008000 bytes) The total amount of configured swap on the system is 1,062,656K When the used space approaches the total amount of available space on the system, it... the administrator of some important event Additional types include alert for situations that should be 18 552 UNIX System Administration: A Beginner’s Guide Category Meaning auth Messages related to system authorization from such programs as login, su, and getty (getty is used on Solaris and HP-UX, and agetty is used on Linux.) Messages related to cron or at services from such programs crontab, at, and... swap space and other important temporary storage functions for UNIX In many instances, the swap area was defined when the system was first installed and configured It is quite common for the system administrator to increase the amount of swap space for a system after it has been set up In fact, sometimes the sizing of critical resources like swap space are much more accurate only after the system has been... not attached) asy, instance #1 (driver not attached) fdc, instance #0 fd, instance #0 fd, instance #1 (driver not attached) i8042, instance #0 System Info (system architecture and memory) 19 562 UNIX System Administration: A Beginner’s Guide keyboard, instance #0 mouse, instance #0 bios (driver not attached) bios (driver not attached) pci, instance #0 pci8086,7 190 (driver not attached) pci8086,7 191 ,... Configuration Wizard Starting the Solaris DHCP Configuration Manager To invoke the DHCP configuration manager, issue the following command: /usr/sadm/admin/bin/dhcpmgr Since this program supports X-Windows, it can be run either from a system that contains an attached display or from a system that doesn’t have a display device, and the display is redirected (using the DISPLAY variable) to another system that... to? Module 19 Important System Administration Tasks/Information Critical Skills 19. 1 Communicate with Users on the System 19. 2 Increase System Swap Space 19. 3 Control Root Access 19. 4 Display System Configuration Information Copyright 2002 by The McGraw-Hill Companies, Inc Click Here for Terms of Use 556 UNIX System Administration: A Beginner’s Guide U nlike many of the other modules contained within... attached) memory (driver not attached) aliases (driver not attached) chosen (driver not attached) i86pc-memory (driver not attached) i86pc-mmu (driver not attached) openprom (driver not attached) options, instance #0 packages (driver not attached) delayed-writes (driver not attached) itu-props (driver not attached) isa, instance #0 motherboard (driver not attached) asy, instance #0 (driver not attached)... Table 19- 1 shows the relevant swap management commands for each operating system List Swap Space It is important to know how much swap space is actually being used Use either the swapon command for Linux or the swap command for Solaris For HP-UX, use the swapinfo command Each of these commands will show information about how much space has been defined on the system and any associated use For example, . mkfile List swap usage swapon -s swap -l swapinfo -ta Delete swap area swapoff swap -d Table 19- 1 UNIX Swap Commands Total kbytes swap space currently used Total kbytes space configured as swap space This. option: total: 394 88k bytes allocated + 12520k reserved = 52008k used, 1062656k available Function Linux Solaris HP-UX Add swap space swapon -a swap swapon -a Create swap area using a regular file mkswap. Description hash Enable hash mode; displays a # character for each 8K block of data that has been transferred. help Display a list of FTP commands. image Same as binary command. lcd Change working