Solved

Telnet & FTP in Linux Advanced Server 2.1

Posted on 2006-06-20
759 Views
Last Modified: 2012-06-27
Hello,

I have just set up Linux Advanced Server 2.1 on an IBM Server (8G RAM, 2 x 3.6 CPU). The OS runs OK, but when I telnet or ftp to this server I must wait a long time (about 20 seconds) before the OS displays the login name & password screen.

I mean Telnet & FTP run OK but are very, very slow to log in to.

Is there anyone who can give me a solution?

Thanks


Question by:freshrain
29 Comments
 
LVL 22

Expert Comment

by:pjedmond
ID: 16947918
First - get rid of telnet, and replace it with sshd! telnet sends clear passwords and instructions over the network, and there is no excuse for not using a secure alternative.

Next, 20 seconds is a long time, so I agree that something is wrong. Try the following tests:

ping www.xxx.yyy.zzz

Where www.xxx.yyy.zzz is the IP of the server - is this connection speed OK?

Are you connecting by specifying the name rather than the ip address?

In which case, it may be that the DNS for converting the name to an ip is poorly configured. Make sure that the new server is added and recognised by your DNS server.

A quick fix for a Linux PC is to add the name/IP to the /etc/hosts file, and for Windows the file it would need to be added to is C:\windows\system32\drivers\etc\hosts.

HTH:)
 
LVL 57

Expert Comment

by:giltjr
ID: 16947937
Generally I have problems like this because the server is trying to do a reverse lookup on the client and can't. So make sure that you have prt records set up for your clients and that the server can resolve them.

I agree 2000% with pjedmond, dump telnet.  Use sshd.  Most current Linux distributions will NOT even install telnet by default any more.  There is nothing that telnet can do that ssh can't.
 

Author Comment

by:freshrain
ID: 16947954
Hello pjedmond,

Ping speed is normal; I telnet to this machine by IP, not by name.

I use telnet rather than ssh because I only manage this server on the local network and my client prefers Telnet to ssh.

Could you give me another solution?
Thanks
 
LVL 22

Expert Comment

by:pjedmond
ID: 16947984
90% of security breaches occur internally within the company (or from moles placed within the company, or malware that is accidentally downloaded into the company). You as an SA need to kindly inform your client that he has no option but to switch. I would refuse to provide support to a customer that refused to follow that advice.

As the ping is OK, I still suspect that you need to look at the network configuration on the server. How is the authentication occurring? Does it involve negotiating with another server elsewhere? In which case you may need to troubleshoot the negotiation element of the network.

HTH:)
 
LVL 22

Expert Comment

by:pjedmond
ID: 16947994
Can you try connecting a client PC to the same hub as the server - Does that solve the problem? If so, then the issue relates to routing or network hardware somewhere.
 
LVL 22

Expert Comment

by:pjedmond
ID: 16948007
Which server is responsible for DNS? This new one, or another? Is the client registered?

If you add the client's name and IP to the /etc/hosts file on the server, does the problem disappear? In which case, you need to sort out the DNS config.
 
LVL 22

Expert Comment

by:pjedmond
ID: 16948021
The alternative to telnet is sshd.

Your client uses either ssh (if on a Linux system), or PuTTY:

http://www.chiark.greenend.org.uk/~sgtatham/putty/

if on a Windows system. It's as near as dammit identical in usage, but has all connections encrypted, and offers some 'bonus' features that you can use for traversing firewalls and forwarding connections once you get to understand its capabilities.

Incidentally, you can use scp rather than ftp to transfer files on the command line.

HTH:)
 
LVL 57

Expert Comment

by:giltjr
ID: 16948114
Oops, should have been PTR record. Do you have a reverse lookup zone set up? Does /var/log/messages show anything?

You can't tell the difference between ssh and telnet, and it is secure (ssh is).
 
LVL 2

Expert Comment

by:jcs5003
ID: 16948152
Usually when I have problems with long service response times, it is something in iptables or ipchains. Is either of these services running?
 
LVL 27

Expert Comment

by:Nopius
ID: 16948770
freshrain: it's probably a DNS problem, but on the server side. Try the following (on the Linux server):

cp /etc/nsswitch.conf /etc/nsswitch.conf.orig
sed -e '/^hosts/s/dns//' /etc/nsswitch.conf.orig > /etc/nsswitch.conf

then try to telnet (ftp) again.

If the connection becomes quicker, it's a DNS OR routing problem on your server.
 

Author Comment

by:freshrain
ID: 16948969
Hello All,

I only telnet to this machine by IP address, not by name. So I don't think DNS is giving this problem.

Before installing Linux AS 2.1, I installed Linux AS 3.1 on this machine and Telnet worked OK (this proves that the network doesn't give this problem). I guess the problem is Linux AS 2.1 itself, but I don't know how to fix this.

Thanks
 
LVL 22

Expert Comment

by:pjedmond
ID: 16949639
freshrain - Please give the results of the tests requested. If you don't provide us with a response, it is very difficult to assist you. I think that we all seem to believe that the issue is related to the DNS resolution, or the networking configuration on the server side.

If you are having difficulties in trying to perform the tests, then explain further so that a better description can be given.

HTH:)
 
LVL 57

Expert Comment

by:giltjr
ID: 16951242
DNS could still be a problem. Again, some telnet and ftp (and even sshd) daemons do a reverse lookup when a client connects to them. This is DNS. If you do not have proper PTR records set up, you will see a delay in getting a prompt back when connecting to them.
 
LVL 2

Expert Comment

by:jcs5003
ID: 16951297
It is not a DNS problem, guys. I set up the same server OS and looked through the default telnet, sshd and ftp config files and they do not do an rDNS lookup.

giltjr, what kernel are you running? uname -r

Do you want to keep telnet or are you going to switch to sshd?

You can try upgrading the telnet and ftp packages to a later version.
 
LVL 22

Expert Comment

by:pjedmond
ID: 16951300
Another thought - Ensure that the server itself has a FQDN, and ensure that this exists in the /etc/hosts file.
 
LVL 57

Expert Comment

by:giltjr
ID: 16952456
Has nothing to do with the kernel.  It is what the server supports and is configured for.

For example, when using ssh, in the sshd_config file you can specify UseDNS yes. This will tell sshd to make sure that the host name and IP address that are trying to connect to it match up. In order to do this, it must do a reverse lookup on the IP address that is attempting to connect to it and then do a forward lookup on the results returned.

Which ftp server are you using?

Which telnet server are you using?
 
LVL 2

Expert Comment

by:jcs5003
ID: 16952553
He is running 8GB of RAM; if the kernel is not compiled for that, services will run slower. By default UseDNS is set to no. It wouldn't matter if it was on or not since he is not connecting via DNS name.
 
LVL 57

Expert Comment

by:giltjr
ID: 16953705
Yes is DOES matter.  You NEVER connect to anything using a name.  You ALWAYS connect using an IP address.

If you have sshd set up with UseDNS yes and you do not have proper PTR records set up, or the server that ssh is running on is not pointing to a DNS server that can do reverse lookups, you will see the following in messages.

Jun 21 12:02:37 aaaaa  sshd[####]: reverse mapping checking getaddrinfo for hostname.domain.name failed - POSSIBLE BREAKIN ATTEMPT!

I know because we have a server set up just like this. The default for UseDNS is yes according to everything I have read. Now Linux Advanced Server 2.1 may change this and specify UseDNS no, but if you do not specify UseDNS no, the default is yes.

Of course all of this assumes that the telnet server and ftp server he is using are attempting to do a reverse lookup to verify address to hostname mapping.

Unless the server has so much stuff running on it that it is eating up 4GB of RAM, what the kernel is compiled for should not matter. Now, if it is using a LOT of RAM, then it would be slow, just as if it only had 4GB of RAM.

I have also seen slowness when the server is set up for IPv6, but there is no IPv6 infrastructure set up yet.

Something else I just thought of. Normally ftp and telnet are handled by xinetd. If you have xinetd set up with no_access or only_from then xinetd will do a reverse lookup in some instances.
 

Author Comment

by:freshrain
ID: 16956433
Perhaps I must install Linux AS 3.0 again.
 
LVL 57

Expert Comment

by:giltjr
ID: 16956528
Umm, AS 3.0 again? Not that it matters that much, but you said you had AS 2.1.

I am not sure that would help. If the problem is due to reverse lookup and you don't change your DNS environment, it won't help. Do you have a DNS server set up with valid PTR records?
 

Author Comment

by:freshrain
ID: 16956660
Hello giltjr ,

I don't understand how DNS affects this case. I only telnet / ftp directly to this server by IP address. What do you mean by the DNS server? I don't use any DNS server.

Thanks
 
LVL 57

Expert Comment

by:giltjr
ID: 16956838
O.K. I will try this one more time and then I really give up attempting to explain this. Yes, I know that you are issuing the command telnet 1.1.1.1 or the command ftp 1.1.1.1, so the CLIENT (your computer) is NOT using DNS. However the SERVER MAY be using DNS to verify that the CLIENT (your PC) is who it claims to be.

Linux (and Unix) can be configured so that the SERVER (which is the box at address 1.1.1.1) does a reverse lookup on YOUR IP address (the client) and then does a forward lookup on the host name that the PTR record points to, to see if the IP address the client is using matches the IP address of that host name.

Say your IP address is 1.1.1.2 and the server is 1.1.1.1.  Here are some of the things that COULD go on.

Situation #1:

     1.1.1.2 telnets TO 1.1.1.1.

     1.1.1.1 says "DNS server what is the host name of 1.1.1.2"

     DNS Server tells 1.1.1.1, the host name of 1.1.1.2 is bob.nowhere.com

     1.1.1.1 says "DNS server, what is the IP address of bob.nowhere.com"

     DNS server tells 1.1.1.1, the IP address of bob.nowhere.com is 1.1.1.2

     1.1.1.1 sends login prompt to 1.1.1.2


Situation #2:

     1.1.1.2 telnets TO 1.1.1.1.

     1.1.1.1 says "DNS server what is the host name of 1.1.1.2"

     DNS Server tells 1.1.1.1, the host name of 1.1.1.2 is bob.nowhere.com

     1.1.1.1 says "DNS server, what is the IP address of bob.nowhere.com"

     DNS server tells 1.1.1.1, the IP address of bob.nowhere.com is 2.2.2.2

    1.1.1.1 writes to /var/log/messages "POSSIBLE BREAK IN from 1.1.1.2 maps to bob.nowhere.com which maps to 2.2.2.2"

    1.1.1.1 can either then tell 1.1.1.2 login denied or can actually give 1.1.1.2 the login prompt.  


Situation #3:

     1.1.1.2 telnets TO 1.1.1.1.

     1.1.1.1 says "DNS server what is the host name of 1.1.1.2"

     DNS Server tells 1.1.1.1, the host name of 1.1.1.2 is bob.nowhere.com

     1.1.1.1 says "DNS server, what is the IP address of bob.nowhere.com"

     DNS server EITHER tells 1.1.1.1 there is no record for 1.1.1.2, or never responds.

    1.1.1.1 writes to /var/log/messages "POSSIBLE BREAK IN from 1.1.1.2 no reverse map to a host name."

    1.1.1.1 can either then tell 1.1.1.2 login denied or can actually give 1.1.1.2 the login prompt.  

Do you understand this? If so, you need to either configure something on the Linux box (xinetd, or your ftp server and your telnet server) so that it does not do the verification, or you need to make sure that you have DNS properly set up so that reverse and forward lookups work correctly.

I would check your /etc/xinetd.d directory and check the config files for your ftp server and your telnet server and see if they have no_access or only_from coded. These are supposed to cause xinetd to do DNS checking before it launches the applications.
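The three situations above, reduced to code as an added example (this is not from the thread or from any of the daemons discussed): a Python implementation of the forward-confirmed reverse DNS check that sshd performs with "UseDNS yes" and that libwrap performs for a PARANOID rule. The resolver is injected so the situations can be walked through offline against a constructed record table using the thread's made-up addresses and names (1.1.1.x, bob.nowhere.com and so on); the live_* functions use the system resolver through the standard socket module, and timed_live_check shows where a 20-second stall would come from.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check.

Added example: the logic that sshd ("UseDNS yes") and libwrap (PARANOID)
apply to a connecting client, with the resolver injected so the three
situations from the thread can be run offline against a constructed table.
"""
import socket
import time

# Constructed records using the thread's illustrative addresses; 1.1.1.x is
# not a real network here and the .nowhere.com names are made up.
PTR_RECORDS = {
    "1.1.1.2": "bob.nowhere.com",    # situation 1: reverse and forward agree
    "1.1.1.3": "eve.nowhere.com",    # situation 2: forward lookup disagrees
    "1.1.1.4": "ghost.nowhere.com",  # situation 3: name has no address record
    # 1.1.1.5 deliberately has no PTR record at all
}
A_RECORDS = {
    "bob.nowhere.com": ["1.1.1.2"],
    "eve.nowhere.com": ["2.2.2.2"],
}


def table_reverse(ip):
    """Reverse lookup against the constructed table (None = no PTR)."""
    return PTR_RECORDS.get(ip)


def table_forward(name):
    """Forward lookup against the constructed table ([] = no A record)."""
    return A_RECORDS.get(name, [])


def fcrdns_check(client_ip, reverse=table_reverse, forward=table_forward):
    """Verify client_ip -> name -> client_ip.

    Returns (verdict, detail); verdict is "OK", "NO_PTR", "NO_A" or
    "MISMATCH".  Only "OK" means the client's address and its claimed name
    agree; anything else is what makes a daemon log a break-in warning.
    """
    name = reverse(client_ip)
    if name is None:
        return "NO_PTR", f"{client_ip} has no reverse mapping"
    addrs = forward(name)
    if client_ip in addrs:
        return "OK", f"{client_ip} -> {name} -> {client_ip}"
    if not addrs:
        return "NO_A", f"{client_ip} -> {name}, but {name} has no address record"
    return "MISMATCH", f"{client_ip} -> {name} -> {', '.join(addrs)}"


def live_reverse(ip):
    """Reverse lookup through the system resolver (nsswitch.conf order)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def live_forward(name):
    """Forward lookup through the system resolver; IPv4 only for brevity."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def timed_live_check(client_ip):
    """Run the real check and report how long the resolver took.

    A result like ("NO_PTR", ..., 20.0) is the thread's symptom: the daemon
    waited for a resolver timeout before it sent the login prompt.
    """
    start = time.perf_counter()
    verdict, detail = fcrdns_check(client_ip, live_reverse, live_forward)
    return verdict, detail, round(time.perf_counter() - start, 2)


if __name__ == "__main__":
    for ip in ("1.1.1.2", "1.1.1.3", "1.1.1.4", "1.1.1.5"):
        print(ip, *fcrdns_check(ip))
    # Real lookup of the loopback address through the local resolver:
    print(*timed_live_check("127.0.0.1"))
```

Running timed_live_check against the IP of a telnet client on the server itself is the quickest way to confirm this thread's diagnosis: if it returns NO_PTR after a delay of several seconds rather than instantly, the resolver configured in /etc/resolv.conf is unreachable or has no reverse zone, and every libwrap-protected service will pay that delay per connection.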
 

Author Comment

by:freshrain
ID: 16957542
Hello giltjr ,

These are the ftp and telnet config files:

service ftp
{
        disable = no
        socket_type             = stream
        wait                    = no
        user                    = root
        server                  = /usr/sbin/in.ftpd
        server_args             = -l -a
        log_on_success          += DURATION USERID
        log_on_failure          += USERID
        nice                    = 10
}

service telnet
{
        disable = no
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        log_on_failure  += USERID
}

These are the files in the /etc/xinetd.d folder:

chargen      daytime-udp  finger  rlogin  sgi_fam  time
chargen-udp  echo         ntalk   rsh     talk     time-udp
daytime      echo-udp     rexec   rsync   telnet   wu-ftpd

Please help me.

Thanks

0
 
LVL 57

Expert Comment

by:giltjr
ID: 16960059
I'll have to look at this some more. I am assuming that you are not seeing anything in syslog. You may want to try running a packet capture utility on the server, ethereal or wireshark, and see if you see anything in that. The delay you are getting is about the normal delay for DNS failures on reverse lookups, which is why I am attempting to focus on that.

I apologize if I sounded a bit harsh; I was getting frustrated at another situation I am working on and it overflowed a bit here.
 
LVL 27

Accepted Solution

by:Nopius (earned 500 total points)
ID: 16981233
freshrain, you may not understand why DNS can be the problem, but please try the simple test to check whether it is or not.
It takes only a minute. Just find the 'hosts' entry in /etc/nsswitch.conf and remove 'dns' from that line. You may also move /etc/resolv.conf to /etc/resolv.conf.bak for test purposes.
Immediately after that, try to connect to the server. If there is no slowness, DNS is the problem. If it's still there, this delay may come from the PAM library (i.e. from LDAP or something). After the test, put everything back.

Testing takes only 1 minute, while discussion of 'why' and 'it cannot be true' may take a very long time, until you try it once :-)
 

Author Comment

by:freshrain
ID: 16981437
Hi Nopius

It is very good. Now it works OK.

But I don't understand how it works. Can you explain in more detail, or give me a link discussing this problem?

Again, thank you very much.
 
LVL 27

Expert Comment

by:Nopius
ID: 16981616
This problem is very common.
Your server tries to _resolve_ the IP address of the connecting client. You cannot turn off this behaviour, but you can avoid DNS lookups (that is what has been done now).
When DNS (or routing) is broken, the resolve query may take a very long time (until the timeout elapses).

When you fix the network settings (either the default gateway, the DNS server IP in /etc/resolv.conf, or the DNS server itself) your telnetting/ftping will also work quickly.

Why do your servers need to do a reverse lookup? They don't.
But the xinetd service, which starts them, uses the libwrap library, which does reverse lookups for each service (to be sure, run):
ldd /usr/sbin/xinetd
and find 'libwrap' there; if it is not found, try:
ldd /usr/sbin/in.ftpd
ldd /usr/sbin/in.telnetd

Libwrap always does reverse lookups to resolve the connecting client IP address. For more info about libwrap, read man hosts_access

Instead of disabling DNS for the entire server, you may put all the files back and try to disable client IP lookups on a per-service basis (by adding the NOLIBWRAP flag), like here:

service ftp
{
        disable = no
        flags = NOLIBWRAP
        socket_type             = stream
        wait                    = no
        user                    = root
        server                  = /usr/sbin/in.ftpd
        server_args             = -l -a
        log_on_success          += DURATION USERID
        log_on_failure          += USERID
        nice                    = 10
}

service telnet
{
        disable = no
        flags           = REUSE NOLIBWRAP
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        log_on_failure  += USERID
}

For more info about xinetd and disabling libwrap, man xinetd.conf

If the service itself is compiled with libwrap support (which is not the case in my Linux distribution), I don't know an easy method of disabling reverse lookup on a per-service basis.


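The per-service fix above, as an added example that is not part of the original thread: a Python helper that reports which xinetd service blocks still pass through libwrap and adds the NOLIBWRAP flag to each, extending an existing flags line in place or inserting one where the block has none. The input is the two service files posted in the question, embedded so the example runs offline; the parser assumes the "service name { attribute = value }" layout documented in xinetd.conf(5).

```python
"""Find xinetd services that still go through libwrap and add NOLIBWRAP.

Added example, not from the thread.  Works on the "service name { ... }"
layout of /etc/xinetd.d files; the sample input is the pair of files the
question posted.
"""
import re

# Matches "flags = A B C", keeping the original alignment whitespace.
FLAGS_RE = re.compile(r"^(\s*)flags(\s*)=(\s*)(.*?)\s*$")

# The two service files from the question, embedded so this runs offline.
FTP_CONF = """\
service ftp
{
        disable = no
        socket_type             = stream
        wait                    = no
        user                    = root
        server                  = /usr/sbin/in.ftpd
        server_args             = -l -a
        log_on_success          += DURATION USERID
        log_on_failure          += USERID
        nice                    = 10
}
"""

TELNET_CONF = """\
service telnet
{
        disable = no
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        log_on_failure  += USERID
}
"""


def services_using_libwrap(config_text):
    """Names of service blocks whose flags do not include NOLIBWRAP."""
    names, current, flags = [], None, []
    for line in config_text.splitlines():
        s = line.strip()
        if s.startswith("service "):
            current, flags = s.split(None, 1)[1], []
        elif current is not None:
            m = FLAGS_RE.match(line)
            if m:
                flags = m.group(4).split()
            elif s == "}":
                if "NOLIBWRAP" not in flags:
                    names.append(current)
                current = None
    return names


def add_nolibwrap(config_text):
    """Return config_text with NOLIBWRAP added to every service's flags.

    An existing flags line is extended in place (alignment preserved); a
    block without one gets "flags = NOLIBWRAP" before its closing brace.
    Idempotent: a second run changes nothing.
    """
    out, in_service, flags_seen, indent = [], False, False, "        "
    for line in config_text.splitlines():
        s = line.strip()
        if s.startswith("service "):
            in_service, flags_seen = True, False
        elif in_service:
            m = FLAGS_RE.match(line)
            if m:
                flags_seen = True
                flags = m.group(4).split()
                if "NOLIBWRAP" not in flags:
                    flags.append("NOLIBWRAP")
                line = f"{m.group(1)}flags{m.group(2)}={m.group(3)}{' '.join(flags)}"
            elif s == "}":
                if not flags_seen:
                    out.append(f"{indent}flags = NOLIBWRAP")
                in_service = False
            elif s and s != "{":
                # Remember the attribute indentation for an inserted flags line.
                indent = line[: len(line) - len(line.lstrip())]
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("still using libwrap:", services_using_libwrap(FTP_CONF + TELNET_CONF))
    fixed = add_nolibwrap(FTP_CONF + TELNET_CONF)
    print(fixed)
    print("after fix:", services_using_libwrap(fixed))
```

NOLIBWRAP removes the delay, but it also removes the /etc/hosts.allow and /etc/hosts.deny checks for that service, so the hosts_access rules no longer apply to telnet and ftp. The change is a workaround for a broken resolver; the durable fix is the one Nopius names: point /etc/resolv.conf at a reachable DNS server that has a reverse zone for the client subnet, or list the clients in /etc/hosts so the lookup is answered locally. Telnet and FTP themselves remain cleartext either way.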
 
LVL 57

Expert Comment

by:giltjr
ID: 16983651
I am glad to see that you have the problem resolved. Hopefully Nopius' explanation of why DNS was the problem, as I have been stating since day 1, is clearer than the one I gave.
 

Author Comment

by:freshrain
ID: 16989065
giltjr,
I also thank you very much.
