Secure FTP on MPE/iX (Page 1 of 28)
Securing FTP on MPE/iX
Author: Murali P N
http://jazz.external.hp.com/papers/Securing-FTP-Whitepaper.
1 Table of Contents

1 Table of Contents
2 Revision History
3 Executive Summary
4 Introduction
5 FTP/iX Security Overview
6 FTP/iX Security Details
  6.1 FTPUSERS.ARPA.SYS
    6.1.1 Configuring FTPUSERS file
    6.1.2 FTPUSERS configuration rules
    6.1.3 Examples
  6.2 FTPACCES.ARPA.SYS
    6.2.1 Configuring the FTPACCES "NORETRIEVE" option
    6.2.2 Specific configuration rules for NORETRIEVE option
    6.2.3 Examples for noretrieve option
    6.2.4 Configuring the FTPACCES CHROOT option
    6.2.
2 Revision History

VERSION  DATE        DESCRIPTION OF REVISION
0.1      2006-07-05  Initial draft
0.2      2006-07-28  1st revision (Jeff V)
0.3      2007-03-02  2nd revision (Murali P N)
0.4      2007-03-28  3rd revision (Murali P N)
0.5      2007-04-27  4th revision (Murali P N)
0.6      2007-05-14  5th revision (Murali P N)
3 Executive Summary

This paper explores methods to increase FTP/iX security based on several recent FTP/iX enhancements. These enhancements reflect one of HP's responses to the growing number of security-related audits facing IT professionals tasked with implementing modern, robust security.
4 Introduction

FTP (File Transfer Protocol) is one of the oldest and most popular internet services, serving as an easy and effective method for transferring files over a network. The information transferred through FTP can be anything from a simple file to the data needed to authorize a client's login to the server (sent via the user and password commands).
FTP/iX is based on RFC 959, which does not address encryption or user authentication. If these two security areas are essential for your FTP file transfers, some solutions are offered in the Alternatives section. Please note that modern user authentication is beyond the scope of this paper. However, FTP/iX now offers better security than prescribed by RFC 959 in several key areas, which are described below and in detail in Section 6.
Prevent display of passwords in DEBUG mode: The debug command at the FTP client places FTP into a diagnostic mode in which the client's and server's internal commands are displayed on the client's $stdlist. If debug mode is turned on prior to an open, the user ID and password are visible in plain text. In order to make FTP/iX compliant with SAR-OX, a new option, DEBUG_PASS, has been introduced; it is set in the SETPARMS.ARPA.SYS file.
6 FTP/iX Security Details

This section explains how to properly configure and use the new FTP/iX security features, and is divided into three sub-sections. Each sub-section describes how to build one of the configuration files: FTPUSERS, SETPARMS, and FTPACCES.

6.1 FTPUSERS.ARPA.SYS

This file contains one or more user names that will be denied logon to the FTP/iX server, unless the user has SM capability.
• {accountname}: All users in the specified account will not be allowed to log on to the FTP/iX server.
• Comments begin with "#". Embedded comments are not recognized.
• Users with SM capability (such as MANAGER.SYS) are not restricted by the FTPUSERS configuration.
• Specification of the account name or user.account can include leading or trailing whitespace characters, and is not case sensitive. Upper, lower, and mixed case names are treated the same.
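The FTPUSERS rules above, modelled as an offline deny-list check (an added example, not HP's FTP/iX code). It assumes an entry is either "user.account" or a bare account name, that only lines whose first non-blank character is "#" are comments, and that SM users bypass the list; the sample file content is constructed.

```python
# Offline model of the FTPUSERS.ARPA.SYS deny-list rules above. Added example,
# not HP's FTP/iX code. Assumptions: an entry is either "user.account" or a bare
# account name; only lines whose first non-blank character is "#" are comments
# (an embedded "#" is taken literally, so such a line matches nothing); SM users
# bypass the list entirely.
from typing import Set, Tuple

def parse_ftpusers(text: str) -> Tuple[Set[str], Set[str]]:
    """Return (denied_accounts, denied_user_accounts), both upper-cased."""
    accounts: Set[str] = set()
    users: Set[str] = set()
    for raw in text.splitlines():
        line = raw.strip()                  # leading/trailing whitespace is permitted
        if not line or line.startswith("#"):
            continue                        # blank line or comment line
        entry = line.upper()                # names are not case sensitive
        if "." in entry:
            users.add(entry)                # user.account form: that one user
        else:
            accounts.add(entry)             # bare account: every user of the account
    return accounts, users

def ftp_logon_denied(user: str, account: str, has_sm: bool, ftpusers_text: str) -> bool:
    """True when FTP/iX would refuse this logon under the FTPUSERS rules."""
    if has_sm:
        return False                        # SM users such as MANAGER.SYS are never restricted
    accounts, users = parse_ftpusers(ftpusers_text)
    return account.upper() in accounts or f"{user}.{account}".upper() in users

# Constructed sample FTPUSERS.ARPA.SYS content (not taken from the whitepaper).
SAMPLE_FTPUSERS = """
# Deny FTP/iX logon to the whole PAYROLL account and to two named users
  payroll
clerk.finance
Guest.Sales
"""

if __name__ == "__main__":
    for u, a, sm in [("anyone", "PAYROLL", False), ("clerk", "finance", False),
                     ("clerk", "sales", False), ("manager", "sys", True)]:
        print(f"{u}.{a}: {'denied' if ftp_logon_denied(u, a, sm, SAMPLE_FTPUSERS) else 'allowed'}")
```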
6.2 FTPACCES.ARPA.SYS

This file implements two different FTP restrictions. The first is supported by the NORETRIEVE option, which prevents the FTP user from retrieving any of the listed files. The second is the CHROOT option, which confines a user to a specified location in the FTP server's directory structure. The FTPACCES file is not created automatically, so by default FTP/iX imposes no extra restrictions on any file for any user.
• The entry "noretrieve {filelist}" is a space-separated list of file names in the three formats mentioned above. These files cannot be retrieved, either by get or mget. If the list of files to be made non-retrievable exceeds the record width, multiple lines starting with "noretrieve" can be used.
• All files or file sets specified in the filelist must follow the POSIX HFS notation (not the traditional MPE FILE.GROUP.
The syntax of the chroot option is:

chroot {user}|{@}.{account}|{@} {empty}|{/ACCT/GROUP}|{/directory}

Sample configuration file FTPACCES.ARPA.SYS for CHROOT:

# Purpose: support of the CHROOT FTP/iX option.
# CHROOT confines the user to the specified "root" directory.
# Syntax: CHROOT user.account [rooted-directory]
# One entry per file record.
# User.Account can contain the "@" wildcard character.
# Note: The following precedence is followed: user.acct > @.
FTPSRVR starts.
• Root directory specifications cannot be relative to any directory (e.g. ./dir1, ../dir2), cannot include special characters such as '+' or '-', and do not support wild cards.
• Anonymous FTP behavior remains unchanged with the implementation of chroot. The root directory of an anonymous logon cannot be changed by specifying a chroot entry in FTPACCES. An anonymous FTP user will log in to the directory /FTPGUEST/PUB, as before.
257-"/tmp" is the current directory.
257 "MGRTEST.TELESUP" is the current session.
ftp> cd
ftp>
ftp> cd /TELESUP/PUB
550 A component of the pathname "/../TELESUP/WORK/TELESUP/PUB" does not exist. (CIERR 93)
Could not change directory to "/TELESUP/PUB". (FTPERR 48)

3. The users of the SYS account are limited to their home group and any directories under the home group. Here, the home group of basicusr.sys is review.sys

Name(testmgr): basicusr.
All of the options below CONSOLE_LOGGING in the list above are new.

6.3.1 Configuring SETPARMS for file permission denial

Here is a sample listing of the SETPARMS configuration file:

# Purpose: support of file PERMISSION DENIAL, LOG COMMANDS and TRANSFER, and DEBUG_PASS FTP/iX options.
ftp>

6.3.3.2 Permission Delete:
• If a user lacks the SM capability and PERMISSION_DELETE is turned OFF, the user should not be able to delete a file:

ftp> delete strsyss
---> DELE strsyss
550 Command access denied, permission restricted.
Delete command "DELE strsyss" failed.
# Commands are logged in FTPLOG##.ARPA.SYS where ## ranges from 00-99.
# Syntax:
# Log_commands = {ON/OFF}
# Log_transfers = {ON/OFF}
Log_commands = On
Log_transfers = ON

6.3.5 Specific configuration rules for Log Commands and Log Transfers
• The default setting for each of these options is "OFF", thus logging of commands and file transfers is disabled.

Note:
• The FTPLOG##.ARPA.SYS file is automatically built by the FTP/iX client or server.
• seconds = Time in seconds for the entire file transfer.
• Kbytes/sec = Kilobytes transferred per second.

Note: The transfer statistics are approximately the same as those displayed in the FTP session following a get/mget.

6.3.6 Example

The following are some sample FTP/iX commands and transfers logged in FTPLOG## of an FTPSRVR:

2007/02/20:17.12.52:#J4:MINUSSM.SYS:aaa.bbb.ccc.ddd:S:PORT 15,70,193,18,254,253:
2007/02/20:17.12.52:#J4:MINUSSM.SYS: aaa.bbb.ccc.
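A parser for the FTPLOG## command records shown above, with a defender's check that each PORT command names the connected client, since a data connection directed at a third party is worth reviewing. This is an added example, not FTP/iX code: the field layout (date, time, job/session id, user.account, client address, a one-letter flag, command) is read off the sample record and is an assumption, the meaning of the "S" flag is not stated on the page, and the log lines are constructed with documentation addresses.

```python
# Parser for FTPLOG##.ARPA.SYS command records plus a defender's check that a
# PORT command names the connected client. Added example, not FTP/iX code.
# Assumed record layout, read off the sample record in the whitepaper:
#   date:time:job-or-session:user.account:client-address:flag:command:
from collections import namedtuple
from typing import List, Optional, Tuple

FtpLogRecord = namedtuple("FtpLogRecord", "date time session user client flag command")

def parse_ftplog_line(line: str) -> FtpLogRecord:
    """Split one command record into its fields; the command may contain commas but no colons."""
    parts = line.rstrip(":").split(":", 6)
    if len(parts) != 7:
        raise ValueError(f"unexpected FTPLOG record: {line!r}")
    return FtpLogRecord(*(p.strip() for p in parts))

def port_target(command: str) -> Optional[Tuple[str, int]]:
    """Decode 'PORT h1,h2,h3,h4,p1,p2' into (ip, port); None for any other command."""
    verb, _, arg = command.partition(" ")
    if verb.upper() != "PORT":
        return None
    octets = [int(x) for x in arg.split(",")]
    if len(octets) != 6 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad PORT argument: {arg!r}")
    return ".".join(map(str, octets[:4])), octets[4] * 256 + octets[5]

def port_mismatches(lines: List[str]) -> List[FtpLogRecord]:
    """Records whose PORT command points somewhere other than the logged client address."""
    flagged = []
    for line in lines:
        rec = parse_ftplog_line(line)
        target = port_target(rec.command)
        if target is not None and target[0] != rec.client:
            flagged.append(rec)
    return flagged

# Constructed sample records using documentation addresses (not from the paper).
SAMPLE_FTPLOG = [
    "2007/02/20:17.12.52:#J4:MINUSSM.SYS:192.0.2.10:S:PORT 192,0,2,10,4,1:",
    "2007/02/20:17.12.53:#J4:MINUSSM.SYS:192.0.2.10:S:RETR payroll.dat:",
    "2007/02/20:17.13.05:#S7:CLERK.FINANCE:192.0.2.10:S:PORT 198,51,100,7,0,21:",
]

if __name__ == "__main__":
    for rec in port_mismatches(SAMPLE_FTPLOG):
        print(f"{rec.date} {rec.time} {rec.user} from {rec.client}: {rec.command}")
```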
220 HP ARPA FTP Server [A0012003] (C) Hewlett-Packard Co. 2000 [PASV SUPPORT]
Connected to Mymachine (aaa.bbb.ccc.ddd). (FTPINFO 40)
Name(manager): manager.sys
---> USER manager.sys
331 Password required for MANAGER.SYS. Syntax: userpass
Password:
---> PASS secret
230 User logged on
---> SYST
215 MPE/iX LF system type.
Remote system type is MPE/iX
---> SITE MPE/iX FTP Client [A0012003]
200 MPE/iX command ok.
---> TYPE I
200 Type set to I.
permission for the NETRC file.
• Only one "default" entry is allowed per file.
• Each of the tokens "machine", "login", "password" and "default" must match exactly, and must be in lower-case.
• Tokens are separated by any number of SPACE or TAB characters. Each {string} identifier can be a double-quoted string. This is useful when, for example, a space is embedded in a password.
FOR TEMPMGR.SYS: EXECUTE
Read access is denied to this file:
:print netrc
^
SECURITY VIOLATION (FSERR 93)
The PRINT command failed. (CIERR 9080)
:ftp HPSYS
File Transfer Protocol [A0012H14] (C) Hewlett-Packard Co. 2002 [PASSIVE SUPPORT]
220 HP ARPA FTP Server [A0012H14] (C) Hewlett-Packard Co. 2000 [PASV SUPPORT]
Connected to HPSYS (AAA.BBB.CCC.DDD). (FTPINFO 40)
331 Password required for TEMPMGR.SYS.
• A welcome message based on the configuration settings in FTPHELLO will be displayed on successful logon, after
• The file supports substitution tokens, which help in displaying the date, working directory, remote host name and the loca

%T  The server time
%C  The current working directory, i.e. the login directory
%R  The remote host name
%L  The local host name

• If FTPHELLO.ARPA.
HP has designed a script which allows FTP/iX users to transfer files securely from MPE/iX to remote systems running HP-UX, Linux, MPE/iX, etc. The script provides an option to encrypt files prior to the transfer. Depending on this "encrypt" option and a few other considerations, the file will be encrypted using the POSIX CRYPT utility before it is transferred via FTP/iX.
user's home directory/group.
• 'encrypt' - (optional) TRUE (default) means to encrypt text files. FALSE means no encryption. However, even if 'encrypt' is TRUE, only non-empty ASCII files will be encrypted.
• 'remoteSysT' - (optional) "MPE/iX", the default, means the remote system is known to be an MPE system. "Unix" means the remote system is known to be a Unix system. '*' means the remote system type will be determined by this script, which adds extra overhead.
(MPE password syntax is 'user[,acct]')
** encrypting file : /TestAcct/FTPTEST/T2
** transferring file: /TestAcct//FTPTEST/T2
** encrypting file : /TestAcct//FTPTEST/T3
** transferring file: /TestAcct//FTPTEST/T3
...
** transferring file: /TestAcct//FTPTEST/TNMOBJ
** transferring file: /TestAcct//FTPTEST/TNMPRG
** transferring file: /TestAcct//FTPTEST/TPENV
=====================================================
13 files transferred successfully. 4 files were encrypted.

3.
Sample NETRC file:

:print netrc.pub
machine "remsys.hp.com" login "mgrtest.testacct" password "uPass,aPass"
default login "mgr.sys" password "u1,a1"

:sftpput catalog.pub.sys, remsys.cup.hp.com   <-- note no username
--- SFTPPUT --- version A.06
++ Note: _SFTP_DEBUG=TRUE so all temporary files and variables used by the script are preserved, and more verbose messages are displayed. To see the script variables enter :showvar _ftp_@. To see the temp files enter :listfile .
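A tokenizer and rule checker for the NETRC format, covering the token rules listed in the NETRC section (lower-case keywords, space/tab separation, double-quoted strings, a single "default" entry) and run over the sample NETRC file just shown. This is an added example, not FTP/iX's own parser; it assumes NETRC is read as a flat token stream in which a value is whatever token follows a keyword.

```python
# Tokenizer and rule checker for the NETRC format described above. Added
# example, not FTP/iX code. Assumes NETRC is a token stream: the lower-case
# keywords machine/login/password/default, each value optionally double-quoted.
import re
from typing import Dict, List, Optional

KEYWORDS = ("machine", "login", "password", "default")
TOKEN_RE = re.compile(r'"([^"]*)"|([^ \t\r\n"]+)')   # quoted string, or run of non-separators

def tokenize(text: str) -> List[str]:
    """Split on any number of spaces/tabs; a double-quoted token may itself contain spaces."""
    if text.count('"') % 2:
        raise ValueError("unbalanced double quote in NETRC")
    return [m.group(1) if m.group(1) is not None else m.group(2) for m in TOKEN_RE.finditer(text)]

def parse_netrc(text: str) -> Dict[str, Dict[str, str]]:
    """Return {machine-name or 'default': {'login': ..., 'password': ...}}, enforcing the stated rules."""
    entries: Dict[str, Dict[str, str]] = {}
    current: Optional[Dict[str, str]] = None
    tokens = tokenize(text)
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.lower() in KEYWORDS and tok != tok.lower():
            raise ValueError(f"keyword must be lower-case: {tok!r}")   # e.g. "Machine" is rejected
        if tok == "default":
            if "default" in entries:
                raise ValueError("only one default entry is allowed per file")
            current = entries.setdefault("default", {})
            i += 1
            continue
        if tok not in KEYWORDS:
            raise ValueError(f"unexpected token: {tok!r}")
        if i + 1 >= len(tokens):
            raise ValueError(f"{tok} is missing its value")
        value = tokens[i + 1]                 # values are consumed here, so they are never checked as keywords
        if tok == "machine":
            current = entries.setdefault(value, {})
        elif current is None:
            raise ValueError(f"{tok} appears before any machine or default entry")
        else:
            current[tok] = value
        i += 2
    return entries

# The whitepaper's own sample NETRC content (quoted strings, two records).
SAMPLE_NETRC = ('machine "remsys.hp.com" login "mgrtest.testacct" password "uPass,aPass"\n'
                'default login "mgr.sys" password "u1,a1"\n')
```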
=====================================================
1 file transferred successfully. 1 file was encrypted.

7.2 Using Linux/HP-UX intermediaries

HP-UX/Linux machines support SFTP (more information on SFTP can be found at www.openssh.org or http://en.wikipedia.org/wiki/). These machines can serve as intermediaries between the source and destination MPE/iX machines and transfer data across the internet using SFTP.
network interface of either the source or destination system, especially if the source or destination system is a UNIX, Linux or Microsoft system, where sniffing tools are prevalent. More information on HP ProCurve networking is found at http://www.procurve.com

7.5.3 Encrypting router

Routers with an embedded encryption facility offer a point-to-point, secure way of transferring data. This technology requires an encrypting router at both the sending and receiving ends.