  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 4658
  • Last Modified:

How can I access port 990 with telnet in AIX?

I have a vendor that needs to telnet into the system using port 990 from an AS400 system.

The IBM RS/6000 system we are using is running AIX 5.3.

I tested access to port 990 with the command below:
# telnet localhost 990
Trying...
telnet: connect: A remote host refused an attempted connect operation.
#

I also tried going to another system in the network with the exact same result.


The entries in the /etc/services file for port 990 are
# grep 990 /etc/services
ftps                    990/tcp         # ftp protocol, control, over TLS/SSL
ftps                    990/udp         # ftp protocol, control, over TLS/SSL

The entries in /etc/inetd.conf for ftp and telnet are:
ftp     stream  tcp6    nowait  root    /usr/sbin/ftpd  ftpd
telnet  stream  tcp6    nowait  root    /usr/sbin/telnetd       telnetd -a

I can access the following ports with telnet but not port 990:
telnet localhost 21
telnet localhost 22
telnet localhost 23

The firewall people say that port 990 is accessible through the firewall.

Can someone please point me in the right direction on how to access port 990 with telnet on AIX 5.3?

Thanks,
Dan
Asked: scodhk
 
Lee_YCPCommented:
Ultimately because port 990 is a well known port for ftps, the AIX needs to be configured to monitor port 990 for telnet otherwise.

Can you connect to port 990 using a FTPS client like Filezila (not Internet Explorer)?

Other consideration:  Why does the vendor specifically need port 990 "on the destination"?  Telnet uses port 21 and SSH uses port 22.  It may be because port 22 is not open on your network firewall, but it may be if you checked.  If port 22 is not already open and there is not a lot of red tape, have the firewall guys set up a temporary port translation on the firewall from 990 to 21 or 22 and use whatever subnet the vendor is telnetting from in the ACL and rule for the port translation.


0
 
scodhkAuthor Commented:
Thank you Lee YCP for your reply.  I cannot connect to port 990 with Filezilla FTPS Client because I do not have remote access to this installation and I am not local to this installation.  I will have one of the IT personnel try this.

How would I configure AIX to monitor port 990 for telnet?

We have SSH installed and use sftp to/from other sites.

Thanks again,
Dan
0
 
TomuniqueCommented:
Looking at the information you've given, you're not configured properly.

to verify:  run netstat -an |grep LISTEN   # Look for port 990  may appear like *.990
tcp4       0      0  *.22                   *.*                    LISTEN    Here's an example of ssh on port 22

In /etc/services you show ftps;
in your inetd.conf example, you don't.

The first column of /etc/inetd.conf must match an entry in /etc/services.
This is how inetd figures out what port to listen on.

If you want telnet on port 990 (or do you really want ftps?  this is confusing in your question).

vi /etc/inetd.conf,
   * locate the "telnet" line (or whatever line you want to move/copy)
   * assuming you want it to continue to listen on the original port as well, DUPLICATE the line  (in vi that's "YYp")
   * change the first token of one of those lines to reflect the port name you want to use  (ftps)  or (telnet)
   * Save the file

Run ps -ef|grep inetd  to locate your inetd process
Ours looks like:       root  213096  159856   0 12:12:38      -  0:00 /usr/sbin/inetd

Issue a kill -1 {inetd ProcID}   (on my system:  kill -1 213096 )
This tells inetd to re-read its configuration file.

Now issue a netstat -an|grep LISTEN  and see if something is listening on your new port.

Tom


0
 
scodhkAuthor Commented:
Thank you Tomunique for your reply, it gave me exactly what I needed.
When I did the netstat -an | grep LISTEN there was no 990 in the list.

I changed the inetd.conf file as follows:
ftp     stream  tcp6    nowait  root    /usr/sbin/ftpd  ftpd
ftps    stream  tcp6    nowait  root    /usr/sbin/ftpd  ftpd
telnet  stream  tcp6    nowait  root    /usr/sbin/telnetd       telnetd -a
telnets stream  tcp6    nowait  root    /usr/sbin/telnetd       telnetd -a

The services file contains the following:
ftp                             21/tcp          # File Transfer [Control]
ftp                             21/udp          # File Transfer [Control]
telnet                  23/tcp          # Telnet
telnet                  23/udp          # Telnet
ftps                    990/tcp         # ftp protocol, control, over TLS/SSL
ftps                    990/udp         # ftp protocol, control, over TLS/SSL
telnets          992/tcp                # telnet protocol over TLS/SSL
telnets          992/udp                # telnet protocol over TLS/SSL

After killing inetd the netstat -an | grep LISTEN does show the following:
tcp        0      0  *.990                  *.*                    LISTEN
tcp        0      0  *.992                  *.*                    LISTEN

If the vendor insists on port 990 for telnet I will swap the ftps and telnets temporarily in the services file and re-read inetd.
Based on what you gave me and what I see in the services file, is it true that a port number can only have 2 entries in the services file one for tcp and one for udp?

This will resolve my problem.

Thanks again, this gave me a lot of valuable information.

Dan
0
 
TomuniqueCommented:
When you say "can only have", are you wanting more?
Those lines are different, 1 for udp, one for tcp.  
you're allowed to use anything listed in the /etc/protocols file..  
You could put a line
telnets   992/icmp      # Really?
but it wouldn't make any sense... (and may break inetd, i dunno)

Those lines define what protocols inetd will permit connections on for that port, before it spawns the app.
I'd be surprised if telnet would really even support UDP, but, like my icmp example, it can be listed, but would probably be ignored.

Just having two lines doesn't limit the number of connections you can have.
If you only had the one
telnets   992/tcp
you could have 100s of connections .. this just tells inetd where to look, not any limits (other than what protocols are permitted).

make sense?
0
 
scodhkAuthor Commented:
Thanks for the reply Tomunique.

That does make sense.

What I was referring to is the example below:
ftps                    990/tcp         # ftp protocol, control, over TLS/SSL
ftps                    990/udp         # ftp protocol, control, over TLS/SSL
telnets               990/tcp                # telnet protocol over TLS/SSL
telnets               990/udp                # telnet protocol over TLS/SSL

Then the vendor could telnet and ftp over port 990.

Thanks again for the information you have been a big help.
Dan
0
 
TomuniqueCommented:
No, this would conflict in the inetd.conf definitions.

When the vendor connected to your server port 990
inetd sees the connection come in... which program would it spawn off?
They need to be separate port numbers.

(Something like ssh knows how to break out the differences within its own program, so you can have multiple types of things going across the pipe, but telnet/ftp are not that aware (and can't spawn each other off if it's the other's request).)

Tom
0
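The name lookup Tom describes (first field of inetd.conf matched against /etc/services) and the port conflict from the last exchange, as an added Python example that is not part of the thread. The sample file contents are constructed from the entries quoted above, plus a made-up "bogus" line to show an unresolved name:

```python
# Added example, not code from the thread: cross-check /etc/inetd.conf against
# /etc/services the way inetd does, looking the first inetd.conf field up by name
# and protocol. The sample file contents are constructed from the entries quoted
# above; on a real system read the two files instead.
from collections import defaultdict

SERVICES = """\
ftp       21/tcp   # File Transfer [Control]
telnet    23/tcp   # Telnet
ftps     990/tcp   # ftp protocol, control, over TLS/SSL
telnets  992/tcp   # telnet protocol over TLS/SSL
"""

INETD_CONF = """\
ftp     stream  tcp6  nowait  root  /usr/sbin/ftpd     ftpd
ftps    stream  tcp6  nowait  root  /usr/sbin/ftpd     ftpd
telnet  stream  tcp6  nowait  root  /usr/sbin/telnetd  telnetd -a
telnets stream  tcp6  nowait  root  /usr/sbin/telnetd  telnetd -a
bogus   stream  tcp6  nowait  root  /usr/sbin/bogusd   bogusd
"""

def parse_services(text):
    """Map (name, proto) -> port number; '#' starts a comment."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and "/" in fields[1]:
            port, proto = fields[1].split("/", 1)
            table[(fields[0], proto)] = int(port)
    return table

def check_inetd(inetd_text, services):
    """Return (listeners, unresolved, conflicts): which (port, proto) each
    inetd.conf line would listen on, names with no services entry (inetd
    cannot listen for those), and ports claimed by more than one line (inetd
    could not tell which program to spawn)."""
    listeners = defaultdict(list)
    unresolved = []
    for line in inetd_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 6:
            continue
        name, proto = fields[0], fields[2].rstrip("46")  # tcp6 -> tcp
        port = services.get((name, proto))
        if port is None:
            unresolved.append(name)
        else:
            listeners[(port, proto)].append(name)
    conflicts = sorted(k for k, v in listeners.items() if len(v) > 1)
    return dict(listeners), unresolved, conflicts
```

Running it against Dan's working files yields no conflicts; pointing telnets at 990/tcp as well, as proposed above, makes the checker flag (990, "tcp") as claimed by two lines.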
 
scodhkAuthor Commented:
Thanks Tomunique,

I figured that would be the answer based on seeing some duplicates that were remarked off in the services file.

I really appreciate all your help.

Dan
0
 
woolmilkporcCommented:
Please be aware that the AIX FTP server does not support FTP over TLS/SSL (FTPS).
Just making it listen on port 990 will not change anything in that aspect!

You'll need a dedicated FTPS server like JSCAPE: http://www.jscape.com/products/file-transfer-servers/jscape-mft-server/



0
 
TomuniqueCommented:
I'm not 100% sure, but I believe that's been added in AIX 6.1 and above.

http://www.ibm.com/developerworks/aix/library/au-aix_secure_filetransfer/index.html?ca=dgr-lnxw06Secure-FTP&S_TACT=105AGX59&S_CMP=grsitelnxw06

https://www-304.ibm.com/support/docview.wss?uid=isg3T1011849

We don't use it, we use sftp, so it could be that it's client only, but I believe it's server as well.

Tom

0
 
TomuniqueCommented:
WMC:

Per IBM redbook SG24-7430  AIX 6.1 Security features:  Section 6.8

AIX V6 introduces a secure flavor of ftp (and ftpd), based on OpenSSL, using
Transport Layer Security (TLS) (This extension to FTP is defined in RFC 4217.)
to encrypt both the command and the data channel. TLS is a cryptographic
protocol that provides secure communication between clients and servers. This
enables any user on the system to exchange files in a secure manner if their
counterpart offers this extension as well.

Tom.
0
 
scodhkAuthor Commented:
Thanks woolmilkporc and Tomunique.

We are running AIX 5.3, I will keep that in mind when talking to the vendor.

Dan
0
