Solved

How can I access in AIX port 990 with telnet?

Posted on 2011-03-18
12
4,120 Views
Last Modified: 2012-05-11
I have a vendor that needs to telnet into the system using port 990 from an AS400 system.

The IBM RS600 system we are using is running AIX 5.3

I tested access to port 990 with the command below:
# telnet localhost 990
Trying...
telnet: connect: A remote host refused an attempted connect operation.
#

I also tried going to another system in the network with the exact same result.


The entries in the /etc/services file for port 990 are
# grep 990 /etc/services
ftps                    990/tcp         # ftp protocol, control, over TLS/SSL
ftps                    990/udp         # ftp protocol, control, over TLS/SSL

The entries in /etc/inetd.conf for ftp and telnet are:
ftp     stream  tcp6    nowait  root    /usr/sbin/ftpd  ftpd
telnet  stream  tcp6    nowait  root    /usr/sbin/telnetd       telnetd -a

I can access the following ports with telnet but not port 990:
telnet localhost 21
telnet localhost 22
telnet localhost 23

The firewall people say that port 990 is accessible through the firewall.

Can someone please point me in the right direction on how to access port 990 with telnet on AIX 5.3?

Thanks,
Dan
0
Comment
Question by:scodhk
12 Comments
 
LVL 6

Expert Comment

by:Lee_YCP
ID: 35169394
Ultimately because port 990 is a well known port for ftps, the AIX needs to be configured to monitor port 990 for telnet otherwise.

Can you connect to port 990 using a FTPS client like Filezila (not Internet Explorer)?

Other consideration:  Why does the vendor specifically need port 990 "on the destination"?  Telnet uses port 21 and SSH uses port 22.  It may be because port 22 is not open on your network firewall, but it may be if you checked.  If Port 22 is not already open and there is not alot of red tape, have the firewall guys setup a temporary port translation on the firewall from 990 to 21 or 22 and use whatever subnet the vendor is telnetting from in the ACL and rule for the port translation.


0
 

Author Comment

by:scodhk
ID: 35169792
Thank you Lee YCP for your reply.  I cannot connect to port 990 with Filezilla FTPS Client because I do not have remote access to this installation and I am not local to this installation.  I will have one of the IT personnel try this.

How would I configure AIX to monitor port 990 for telnet?

We have SSH installed and use sftp to/from other sites.

Thanks again,
Dan
0
 
LVL 6

Accepted Solution

by:
Tomunique earned 500 total points
ID: 35171658
Looking at the information you've given, you're not cofigured properly.

to verify:  run netstat -an |grep LISTEN   # Look for port 990  may appear like *.990
tcp4       0      0  *.22                   *.*                    LISTEN    Here's an example of ssh on port 22

in /etc/services you show ftps
in your inetd.conf exameple, you don't

the first column of /etc/inetd.conf, must match an entry in /etc/services
This is how inetd figures out what port to listen on.

If you want telnet on port 990 (or do you really want ftps?  this is confusing in your question).

vi /etc/inetd.conf,
   * locate the "telnet" line (or whatever line you want to move/copy)
   * assuming you want it to continue to listen on the original port as well, DUPLICATE the line  (in vi that's "YYp")
   * change the first token of one of those lines to reflect the port name you want to use  (ftps)  or (telnet)
    * Save the file

Run ps -ef|grep inetd  to locate your inetd process
Ours looks like:       root  213096  159856   0 12:12:38      -  0:00 /usr/sbin/inetd

issue a kill -1 {inetd ProcID)   (on my system:  kill -1 213096 )
This tells inetd to re-read it's configuration file

Now issue a netstat -an|grep LISTEN  and see if something is listening on your new port.

Tom


0
 

Author Comment

by:scodhk
ID: 35172328
Thank you Tomunique for your reply, it gave me exactly what I needed.
When I did the netstat -an | grep LISTEN there was no 990 in the list.

I changed the inetd.conf file as follows:
ftp     stream  tcp6    nowait  root    /usr/sbin/ftpd  ftpd
ftps    stream  tcp6    nowait  root    /usr/sbin/ftpd  ftpd
telnet  stream  tcp6    nowait  root    /usr/sbin/telnetd       telnetd -a
telnets stream  tcp6    nowait  root    /usr/sbin/telnetd       telnetd -a

The services file contains the following:
ftp                             21/tcp          # File Transfer [Control]
ftp                             21/udp          # File Transfer [Control]
telnet                  23/tcp          # Telnet
telnet                  23/udp          # Telnet
ftps                    990/tcp         # ftp protocol, control, over TLS/SSL
ftps                    990/udp         # ftp protocol, control, over TLS/SSL
telnets          992/tcp                # telnet protocol over TLS/SSL
telnets          992/udp                # telnet protocol over TLS/SSL

After killing inetd the netstat -an | grep LISTEN does show the following:
tcp        0      0  *.990                  *.*                    LISTEN
tcp        0      0  *.992                  *.*                    LISTEN

If the vendor insists on port 990 for telnet I will swap the ftps and telnets temporarily in the services file and re-read inetd.
Based on what you gave me and what I see in the services file, is it true that a port number can only have 2 entries in the services file one for tcp and one for udp?

This will resolve my problem.

Thanks again, this gave me a lot of valuable information.

Dan
0
 
LVL 6

Expert Comment

by:Tomunique
ID: 35175325
When you say "can only have", are you wanting more?
Those lines are different, 1 for udp, one for tcp.  
you're allowed to use anything listed in the /etc/protocols file..  
You could put a line
telnets   992/icmp      # Really?
but it wouldn't make any sense... (and may break inetd, i dunno)

those lines define what protocols that inetd will permit connections on for that port, before it spawns the app.
I'd be surprised if telnet would really even support UDP, but, like my icmp example, it can be listed, but would probably be ignored.

just having two lines doesn't limit the number of connections you can have.
if you only had the one
telnets   992/tcp
you could have 100s of connections .. this just tells inetd where to look, not any limits (other than what protocols are permitted).

make sense?
0
 

Author Comment

by:scodhk
ID: 35176270
Thanks for the reply Tomunique.

That does make sense.

What I was referring to is the example below:
ftps                    990/tcp         # ftp protocol, control, over TLS/SSL
ftps                    990/udp         # ftp protocol, control, over TLS/SSL
telnets               990/tcp                # telnet protocol over TLS/SSL
telnets               990/udp                # telnet protocol over TLS/SSL

Then the vendor could telnet and ftp over port 990.

Thanks again for the information you have been a big help.
Dan
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 
LVL 6

Expert Comment

by:Tomunique
ID: 35176303
No, this would conflict in the inetd.conf definitions.

When the vendor connected to your server port 990
inetd sees the connection come in... which program would it spawn off?
They need to be separate port numbers.

(something like ssh knows how to break out the differences within it's own program, so you can have multiple types of things going across the pipe, but telnet/ftp are not that aware (and can't spawn each other off if it's the other's request).

Tom
0
 

Author Comment

by:scodhk
ID: 35176825
Thanks Tomunique,

I figured that would be the answer based on seeing some duplicates that were remarked off in the services file.

I really appreciate all your help.

Dan
0
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 35179026
Please be aware that the AIX FTP server does not support FTP over TLS/SSL (FTPS).
Just making it listen on port 990 will not change anything in that aspect!

You'll need a dedicated FTPS server like JSCAPE: http://www.jscape.com/products/file-transfer-servers/jscape-mft-server/



0
 
LVL 6

Expert Comment

by:Tomunique
ID: 35179818
I'm not 100% sure, but I believe that's been added in aix 6.1 and above.

http://www.ibm.com/developerworks/aix/library/au-aix_secure_filetransfer/index.html?ca=dgr-lnxw06Secure-FTP&S_TACT=105AGX59&S_CMP=grsitelnxw06

https://www-304.ibm.com/support/docview.wss?uid=isg3T1011849

We don't use it, we use sftp, so it could be that it's client only, but I believe it's server as well.

Tom

0
 
LVL 6

Expert Comment

by:Tomunique
ID: 35180181
WMC:

Per IBM redbook SG24-7430  AIX 6.1 Security features:  Section 6.8

AIX V6 introduces a secure flavor of ftp (and ftpd), based on OpenSSL, using
Transport Layer Security (TLS) (This extension to FTP is defined in RFC 4217.)
to encrypt both the command and the data channel. TLS is a cryptographic
protocol that provides secure communication between clients and servers.This
enables any user on the system to exchange files in a secure manner if their
counterpart offers this extension as well.

Tom.
0
 

Author Comment

by:scodhk
ID: 35180529
Thanks woolmilkporc and Tomunique.

We are running AIX 5.3, I will keep that in mind when talking to the vendor.

Dan
0

Featured Post

Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

Join & Write a Comment

Suggested Solutions

Installing FreeBSD… FreeBSD is a darling of an operating system. The stability and usability make it a clear choice for servers and desktops (for the cunning). Savvy?  The Ports collection makes available every popular FOSS application and packag…
Secure Shell (SSH) is a network protocol for secure data communication, mainly used to administer remote Unix / Linux servers via command line. But it also allows the user to open a secure tunnel between a client and a server where he can send any k…
Learn several ways to interact with files and get file information from the bash shell. ls lists the contents of a directory: Using the -a flag displays hidden files: Using the -l flag formats the output in a long list: The file command gives us mor…
This video shows how to set up a shell script to accept a positional parameter when called, pass that to a SQL script, accept the output from the statement back and then manipulate it in the Shell.

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

26 Experts available now in Live!

Get 1:1 Help Now