Solved

How can I access in AIX port 990 with telnet?

Posted on 2011-03-18
12
Medium Priority
4,604 Views
Last Modified: 2012-05-11
I have a vendor that needs to telnet into the system using port 990 from an AS400 system.

The IBM RS600 system we are using is running AIX 5.3

I tested access to port 990 with the command below:
# telnet localhost 990
Trying...
telnet: connect: A remote host refused an attempted connect operation.
#

I also tried going to another system in the network with the exact same result.


The entries in the /etc/services file for port 990 are
# grep 990 /etc/services
ftps                    990/tcp         # ftp protocol, control, over TLS/SSL
ftps                    990/udp         # ftp protocol, control, over TLS/SSL

The entries in /etc/inetd.conf for ftp and telnet are:
ftp     stream  tcp6    nowait  root    /usr/sbin/ftpd  ftpd
telnet  stream  tcp6    nowait  root    /usr/sbin/telnetd       telnetd -a

I can access the following ports with telnet but not port 990:
telnet localhost 21
telnet localhost 22
telnet localhost 23

The firewall people say that port 990 is accessible through the firewall.

Can someone please point me in the right direction on how to access port 990 with telnet on AIX 5.3?

Thanks,
Dan
0
Comment
Question by:scodhk
12 Comments
 
LVL 6

Expert Comment

by:Lee_YCP
ID: 35169394
Ultimately because port 990 is a well known port for ftps, the AIX needs to be configured to monitor port 990 for telnet otherwise.

Can you connect to port 990 using a FTPS client like FileZilla (not Internet Explorer)?

Other consideration:  Why does the vendor specifically need port 990 "on the destination"?  Telnet uses port 21 and SSH uses port 22.  It may be because port 22 is not open on your network firewall, but it may be if you checked.  If Port 22 is not already open and there is not a lot of red tape, have the firewall guys set up a temporary port translation on the firewall from 990 to 21 or 22 and use whatever subnet the vendor is telnetting from in the ACL and rule for the port translation.


0
 

Author Comment

by:scodhk
ID: 35169792
Thank you Lee YCP for your reply.  I cannot connect to port 990 with Filezilla FTPS Client because I do not have remote access to this installation and I am not local to this installation.  I will have one of the IT personnel try this.

How would I configure AIX to monitor port 990 for telnet?

We have SSH installed and use sftp to/from other sites.

Thanks again,
Dan
0
 
LVL 6

Accepted Solution

by:
Tomunique earned 2000 total points
ID: 35171658
Looking at the information you've given, you're not configured properly.

to verify:  run netstat -an |grep LISTEN   # Look for port 990, it may appear like *.990
tcp4       0      0  *.22                   *.*                    LISTEN    <- here's an example of ssh on port 22

in /etc/services you show ftps
in your inetd.conf example, you don't

the first column of /etc/inetd.conf, must match an entry in /etc/services
This is how inetd figures out what port to listen on.

If you want telnet on port 990 (or do you really want ftps?  this is confusing in your question).

vi /etc/inetd.conf,
   * locate the "telnet" line (or whatever line you want to move/copy)
   * assuming you want it to continue to listen on the original port as well, DUPLICATE the line  (in vi that's "YYp")
   * change the first token of one of those lines to reflect the port name you want to use  (ftps)  or (telnet)
   * Save the file

Run ps -ef|grep inetd  to locate your inetd process
Ours looks like:       root  213096  159856   0 12:12:38      -  0:00 /usr/sbin/inetd

issue a kill -1 {inetd ProcID}   (on my system:  kill -1 213096 )
This tells inetd to re-read its configuration file

Now issue a netstat -an|grep LISTEN  and see if something is listening on your new port.

Tom


0

Author Comment

by:scodhk
ID: 35172328
Thank you Tomunique for your reply, it gave me exactly what I needed.
When I did the netstat -an | grep LISTEN there was no 990 in the list.

I changed the inetd.conf file as follows:
ftp     stream  tcp6    nowait  root    /usr/sbin/ftpd  ftpd
ftps    stream  tcp6    nowait  root    /usr/sbin/ftpd  ftpd
telnet  stream  tcp6    nowait  root    /usr/sbin/telnetd       telnetd -a
telnets stream  tcp6    nowait  root    /usr/sbin/telnetd       telnetd -a

The services file contains the following:
ftp                             21/tcp          # File Transfer [Control]
ftp                             21/udp          # File Transfer [Control]
telnet                  23/tcp          # Telnet
telnet                  23/udp          # Telnet
ftps                    990/tcp         # ftp protocol, control, over TLS/SSL
ftps                    990/udp         # ftp protocol, control, over TLS/SSL
telnets          992/tcp                # telnet protocol over TLS/SSL
telnets          992/udp                # telnet protocol over TLS/SSL

After killing inetd the netstat -an | grep LISTEN does show the following:
tcp        0      0  *.990                  *.*                    LISTEN
tcp        0      0  *.992                  *.*                    LISTEN

If the vendor insists on port 990 for telnet I will swap the ftps and telnets temporarily in the services file and re-read inetd.
Based on what you gave me and what I see in the services file, is it true that a port number can only have 2 entries in the services file, one for tcp and one for udp?

This will resolve my problem.

Thanks again, this gave me a lot of valuable information.

Dan
0
 
LVL 6

Expert Comment

by:Tomunique
ID: 35175325
When you say "can only have", are you wanting more?
Those lines are different, 1 for udp, one for tcp.  
you're allowed to use anything listed in the /etc/protocols file..  
You could put a line
telnets   992/icmp      # Really?
but it wouldn't make any sense... (and may break inetd, i dunno)

those lines define what protocols that inetd will permit connections on for that port, before it spawns the app.
I'd be surprised if telnet would really even support UDP, but, like my icmp example, it can be listed, but would probably be ignored.

just having two lines doesn't limit the number of connections you can have.
if you only had the one
telnets   992/tcp
you could have 100s of connections .. this just tells inetd where to look, not any limits (other than what protocols are permitted).

make sense?
0
 

Author Comment

by:scodhk
ID: 35176270
Thanks for the reply Tomunique.

That does make sense.

What I was referring to is the example below:
ftps                    990/tcp         # ftp protocol, control, over TLS/SSL
ftps                    990/udp         # ftp protocol, control, over TLS/SSL
telnets               990/tcp                # telnet protocol over TLS/SSL
telnets               990/udp                # telnet protocol over TLS/SSL

Then the vendor could telnet and ftp over port 990.

Thanks again for the information you have been a big help.
Dan
0
 
LVL 6

Expert Comment

by:Tomunique
ID: 35176303
No, this would conflict in the inetd.conf definitions.

When the vendor connected to your server port 990
inetd sees the connection come in... which program would it spawn off?
They need to be separate port numbers.

(something like ssh knows how to break out the differences within its own program, so you can have multiple types of things going across the pipe, but telnet/ftp are not that aware (and can't spawn each other off if it's the other's request).)

Tom
0
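Tomunique's accepted answer explains that inetd finds its port by matching the first column of /etc/inetd.conf against /etc/services, and the later reply explains why two inetd.conf lines resolving to the same port conflict. The script below is an added example, not code from the thread or from AIX: it resolves each inetd.conf entry the way inetd does and reports names that have no services entry and entries that collide on one port/protocol. It runs on constructed copies of the two files (so a practitioner can audit a copy before editing the live configuration); the sample lines are not the poster's real configuration.

```shell
#!/bin/sh
# Added example (not from the thread): resolve every /etc/inetd.conf entry
# to its port through /etc/services the way inetd does, and report names
# with no services entry (UNRESOLVED) and two entries that would compete
# for one port/protocol (CONFLICT), the ftps/telnets clash discussed above.
# inetd_audit INETD_CONF SERVICES   (paths are arguments: audit copies first)
inetd_audit() {
  awk '
    FNR == NR {                     # first file: /etc/services
      sub(/#.*/, "")                # strip comments
      if (NF < 2) next
      split($2, pp, "/")            # "990/tcp" -> pp[1]=990, pp[2]=tcp
      port[$1 "/" pp[2]] = pp[1]
      next
    }
    {                               # second file: /etc/inetd.conf
      sub(/#.*/, "")
      if (NF < 6) next
      name = $1; proto = $3; server = $6
      sub(/[46]$/, "", proto)       # AIX tcp6/udp4 -> tcp/udp
      key = name "/" proto
      if (!(key in port)) { print "UNRESOLVED " key; next }
      bound = port[key] "/" proto
      if ((bound in owner) && owner[bound] != name)
        print "CONFLICT " bound " " owner[bound] " " name
      owner[bound] = name
      print bound " " name " " server
    }
  ' "$2" "$1"
}

# Constructed sample files, not the poster's live configuration: telnets is
# deliberately bound to 990 as well, reproducing the clash from the thread.
make_samples() {
  dir=${TMPDIR:-/tmp}/inetd_audit.$$
  mkdir -p "$dir"
  cat > "$dir/services" <<'EOF'
ftp        21/tcp   # File Transfer [Control]
telnet     23/tcp   # Telnet
ftps      990/tcp   # ftp protocol, control, over TLS/SSL
telnets   990/tcp   # clash: should be 992/tcp
EOF
  cat > "$dir/inetd.conf" <<'EOF'
ftp     stream  tcp6    nowait  root    /usr/sbin/ftpd  ftpd
ftps    stream  tcp6    nowait  root    /usr/sbin/ftpd  ftpd
telnet  stream  tcp6    nowait  root    /usr/sbin/telnetd       telnetd -a
telnets stream  tcp6    nowait  root    /usr/sbin/telnetd       telnetd -a
mystery stream  tcp     nowait  root    /usr/sbin/foo   foo
EOF
  echo "$dir"
}

dir=$(make_samples)
inetd_audit "$dir/inetd.conf" "$dir/services"
```

On a real system, run it as `inetd_audit /etc/inetd.conf /etc/services` and compare the resolved ports with `netstat -an | grep LISTEN` after the `kill -1` of inetd.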
 

Author Comment

by:scodhk
ID: 35176825
Thanks Tomunique,

I figured that would be the answer based on seeing some duplicates that were remarked off in the services file.

I really appreciate all your help.

Dan
0
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 35179026
Please be aware that the AIX FTP server does not support FTP over TLS/SSL (FTPS).
Just making it listen on port 990 will not change anything in that aspect!

You'll need a dedicated FTPS server like JSCAPE: http://www.jscape.com/products/file-transfer-servers/jscape-mft-server/



0
 
LVL 6

Expert Comment

by:Tomunique
ID: 35179818
I'm not 100% sure, but I believe that's been added in AIX 6.1 and above.

http://www.ibm.com/developerworks/aix/library/au-aix_secure_filetransfer/index.html?ca=dgr-lnxw06Secure-FTP&S_TACT=105AGX59&S_CMP=grsitelnxw06

https://www-304.ibm.com/support/docview.wss?uid=isg3T1011849

We don't use it, we use sftp, so it could be that it's client only, but I believe it's server as well.

Tom

0
 
LVL 6

Expert Comment

by:Tomunique
ID: 35180181
WMC:

Per IBM redbook SG24-7430  AIX 6.1 Security features:  Section 6.8

AIX V6 introduces a secure flavor of ftp (and ftpd), based on OpenSSL, using
Transport Layer Security (TLS) (This extension to FTP is defined in RFC 4217.)
to encrypt both the command and the data channel. TLS is a cryptographic
protocol that provides secure communication between clients and servers. This
enables any user on the system to exchange files in a secure manner if their
counterpart offers this extension as well.

Tom.
0
 

Author Comment

by:scodhk
ID: 35180529
Thanks woolmilkporc and Tomunique.

We are running AIX 5.3; I will keep that in mind when talking to the vendor.

Dan
0
