Originally Published: Tuesday, 7 November 2000 Author: Chris Campbell
Published to: enhance_articles_sysadmin/Sysadmin

Linux and Windows NT 4.0: Basic Administration - Part VI

It's time for Part VI of Chris Campbell's 'Basic Administration' series, showing you the way to Linux migration on the server level. This time, Chris is all over http, ftp and telnet. Enjoy!


Several basic servers are common throughout the Internet. Here we will briefly cover three of the more common: http, ftp and telnet. Generally, e-mail servers such as IMAP, SMTP, etc. would be considered rather common as well, but they will be addressed in a later part of this series with the coverage of Microsoft's Back Office platform.

Telnet

Going along with what seems to be Microsoft's philosophy of keeping the user away from the workings of the OS, Windows NT stresses remote control via graphical interfaces. Linux comes with a remote command line, called telnet. There is also a more secure cousin to telnet called Secure Shell (ssh).

Windows does come with a telnet client, but no telnet server. The add-on package, "Unix Tools for Windows NT", (covered in part IV) does include a telnet server. It's installed automatically with the package and uses the local administrator login and password. (Even if the machine is a domain member, unless it is a domain controller, it will use the local administrators and *not* the domain administrators.)

Spending $195 to purchase the Unix services may be beyond your budget. Of all of Windows' packages, I would consider this to be money well spent if you must use Windows NT. However, there are some ways to create a telnet-like remote command line in Windows NT: (Note the lack of real security here.)

Remote -S {password}

This activates a waiting remote session. Clients must be NT machines on the local LAN.* The client connects simply by typing:

Remote -C {servername} {password}

The command prompt runs on the server and terminates upon the 'exit' command in the remote window. To this end, a simple loop may be written in a batch file, as here in the batch file entitled 'tserve.bat':

@echo off
remote -S password
remote -S password
remote -S password
remote -S password
remote -S password
call tserve.bat

This batch file can then be added to the Windows NT services to run at start up. This will also enable it to run invisibly. This ability is covered in Windows NT 4.0 Resource Kit, but briefly:

INSTSRV {servicename} c:\ntreskit\srvany.exe

Next, run REGEDT32.EXE and go to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{servicename}

Create a 'Parameters' key

Under the 'Parameters' key, create an 'Application' value with type REG_SZ. Specify the full path of the executable (including the extension). In our example, the file would be tserve.bat

Application: REG_SZ: D:\TOOLS\tserve.bat

Next, check in:

START -> SETTINGS -> CONTROL PANEL -> SERVICES

Look for {servicename} and check that its startup is set to automatic.

This will work more or less like a telnet server, but the security is more or less nonexistent.

Telnet in Linux is generally installed with the OS. If for some reason telnet is not working, check that /etc/inetd.conf includes:

telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd

and in /etc/services:

telnet 23/tcp

Provided that these files contain the above lines and they are not commented out (#), a non-functional telnet is more of a troubleshooting issue. The cause could be anything from IP restrictions (hosts.allow/hosts.deny), to an incorrect path to /usr/sbin/tcpd, to file corruption. The point is that, typically, telnet should be there.

FTP

File Transfer Protocol, or FTP, is one of the oldest functions used on the Internet, and today remains an extremely popular method for moving files.

In Windows NT, FTP is set up with IIS, which includes Windows NT's out-of-the-box Web server. This could have been installed when the OS was put on, or it can be added later.

START -> SETTINGS -> CONTROL PANEL -> NETWORK

Click the "SERVICES" tab. Click "Add". Select "Microsoft Internet Information Server" from the generated list. The installation will begin and options will be presented. More or less everything should be installed. Notably, Gopher Service is on the list, and is even on the more modern updates although it is no longer supported by Microsoft. Uncheck it and continue. Choose the publishing directories, and the installation will copy files and complete.

  • Note: Depending on your installation and changes made since, this option may not be on the list; it is possible to prompt the installation server by going to \i386\inetsrv and running "inetstp.exe".

To administrate the server, both for FTP and for HTTP, go to:

START -> PROGRAMS -> MICROSOFT INTERNET SERVER

IIS can also be updated or installed from the Windows NT 4.0 Option Pack CD, which will change the location to under

START -> PROGRAMS -> WINDOWS NT 4.0 OPTION PACK -> MICROSOFT INTERNET INFORMATION SERVER

It can also be started from the command line by running:

\winnt\system32\inetsrv\inetmgr.exe

In the Internet Service Manager, double-click the FTP service. Here the server presents options as to Anonymous connections, messages, logging, access and directories to make available.

Important Note on IIS FTP Security:

Directory security must be controlled via ACLs at the filesystem level; it cannot be controlled from here. It is also important to note that the ACLs must be set from the shared path down. For instance, if three directories were created in the root share and ACLs were set on each directory to restrict a different client to it, then each client would be restricted to their own directory. But if a subdirectory exists below one of those directories and the ACLs have not been forced down to it, then someone could easily 'cd' to that subdirectory and get in.

So for example, if the permissions are:

Directory:                            Permission:

c:\inetpub\ftproot\client1            Client1-Change; Administrators-Full
c:\inetpub\ftproot\client2            Client2-Change; Administrators-Full
c:\inetpub\ftproot\client2\project    Everyone-Full
c:\inetpub\ftproot\client3            Client3-Change; Administrators-Full

So, logged in as Client3, for instance:

C:\>cd c:\inetpub\ftproot\client2

Access Denied.

C:\>cd c:\inetpub\ftproot\client2\project

C:\inetpub\ftproot\client2\project>

This is not secure at all, and happens surprisingly often because Windows NT defaults to "Everyone-Full Control" for new folders. It's very important to watch out for this, especially on corporate networks with issues of customer confidentiality.
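One way to catch this before a client does is to compare each directory's ACL with its parent's. The following is an added example, not part of the original article; it assumes the ACLs have already been exported into a dictionary (here the constructed table from above), and the function names are hypothetical.

```python
from pathlib import PureWindowsPath

# Constructed sample: the permission table above as (principal, right) pairs.
ACLS = {
    r"c:\inetpub\ftproot\client1": [("Client1", "Change"), ("Administrators", "Full")],
    r"c:\inetpub\ftproot\client2": [("Client2", "Change"), ("Administrators", "Full")],
    r"c:\inetpub\ftproot\client2\project": [("Everyone", "Full")],
    r"c:\inetpub\ftproot\client3": [("Client3", "Change"), ("Administrators", "Full")],
}

def nearest_parent(path, acls):
    """Return the closest ancestor of `path` that has its own ACL entry, or None."""
    # PureWindowsPath compares case-insensitively, as NT paths do.
    index = {PureWindowsPath(p): p for p in acls}
    for parent in PureWindowsPath(path).parents:
        if parent in index:
            return index[parent]
    return None

def find_acl_leaks(acls):
    """Flag directories that grant access to a principal their parent does not.

    Such a directory is reachable by typing its full path even though the
    parent directory itself answers 'Access Denied'.
    """
    findings = []
    for path in sorted(acls):
        parent = nearest_parent(path, acls)
        if parent is None:
            continue  # top level of the share: nothing above it to compare with
        allowed = {principal.lower() for principal, _ in acls[parent]}
        for principal, right in acls[path]:
            if principal.lower() not in allowed:
                findings.append((path, principal, right, parent))
    return findings

if __name__ == "__main__":
    for path, principal, right, parent in find_acl_leaks(ACLS):
        print(f"{path}: {principal}-{right} is broader than {parent}")
```

Run against the table above, it reports only the project directory; once that directory's ACL is forced down from client2, the list is empty.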

As with telnet, FTP in Linux is generally installed with the OS. If for some reason FTP is not working, check that /etc/inetd.conf includes:

ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a

and in /etc/services:

ftp-data 20/tcp
ftp 21/tcp

And again, provided that these files contain the above lines and they are not commented out (#), a non-functional ftp server is more of a troubleshooting issue. In some distributions, the files /etc/trusers and /etc/netrc are used by ftpd to verify users and their passwords, and these may be damaged or unavailable. Others utilize /etc/ftpusers; as always, this is distribution dependent.

As always, there are commercial products for FTP in Windows NT and in Linux if these servers are not acceptable for one reason or another.

HTTP - Web Servers

Microsoft's Internet Information Server 4.0 is easy to install, as seen above, and it is convenient as a quick Web server for a proof of concept or whatnot. It is commonly known to be a rather insecure system, though, coming in on Bugtraq's(*) list as the 14th most vulnerable product of 2000 (19 vulnerabilities). It is one of two Web servers represented on the list; the other is the Windows 2000 version of IIS 5.0.

But don't throw the program away just yet! Windows NT 4.0 is number one on the list with 61 vulnerabilities, so comparatively speaking, IIS doesn't look that bad. Generally speaking, if there is a reason that a Web site *must* be run on Microsoft, then the Microsoft Site Server product from the Back Office Suite is much more effective, adding functionality such as LDAP authentication and the like (although as ADS is based on LDAP, IIS 5.0 would provide such authentication also).

Installation and administration of IIS are the same as for FTP, explained above. Even the ACL warning rings true. Do not allow directory browsing. A very easy way to secure a section of a Web site is to set the ACLs on the files themselves (or better yet, put the pages to be restricted in a sub-directory and set the secured ACLs on that). If the Web site is intended for internal corporate usage, these restrictions can provide ample security.

Apache

The Apache web server is, by far, the most commonly used web server on the internet. It is available under the Apache FSF license for both Windows NT:

http://httpd.apache.org/dist/binaries/win32/

and Linux:

http://httpd.apache.org/dist/apache_1.3.12.tar.gz

Installation in Windows NT:

Download the apache.exe. Execute and follow the installation. Then go to

START -> PROGRAMS -> APACHE WEB SERVER -> INSTALL APACHE AS A SERVICE

and then:

START -> PROGRAMS -> APACHE WEB SERVER -> START APACHE

A small DOS window will open and indicate that the server is now running.

The HTML documents are located in:

c:\Program Files\Apache Group\Apache\htdocs

Installation in Linux:

Installation in Linux is the same as every other binary installation:

  1. Download the file
  2. Unpack it with TAR:
    tar -zxf {filename}
  3. Go to the directory and type:
    ./configure
  4. This will go on configuring for a little bit. When complete:
    make
    make install

Administration:

Apache can be administrated from command line, of course, but one of the most interesting things about the entire situation is that there is a GUI for the server, called Comanche. The interface is the same in both Windows NT and in Linux, so to learn one is to know both.

Download the Comanche GUI for Apache from:

http://www.covalent.net/projects/comanche/downloads

Installation is more or less the same as Apache for Windows NT and Linux, as stated above. (The compressed file for Windows NT will actually just have all of the files necessary in it. No installation is required beyond unzipping the file.)

In Comanche, the interface, at least for the Web stuff, is somewhat similar in concept to the Windows NT Internet Service Manager. The settings for the Web site are found in Comanche under "Network Services", OS and then "Default Web Server". Note that there is an option here in Comanche for configuring Samba settings as well.

Apache also has the ability to act as a proxy server. Proxies will be covered in a later part, but it is an interesting feature. As always, make a point to read through the documentation for both Apache and Comanche. One of the best things about Linux is the fact that the Linux Documentation Project has provided excellent "How-To's" for just about anything you'd like to do. In many distributions, this is linked to right on the desktop (Mandrake does this, for instance). If not, the documentation is typically located in:

/usr/docs/howto

or

/usr/docs/html

It should be an apparent trend that networking services in Linux are dependent upon /etc/inetd.conf and /etc/services. Put simply, the reasoning behind this is that unlike in Windows NT, where the FTP server and the HTTP server are constantly running and waiting for requests, the inet daemon runs and listens for any incoming requests. When a request comes in, the daemon checks /etc/services to determine the service requested, and then checks inetd.conf to get the location of the server and its running parameters. If properly configured in both locations, the inet daemon will then start the service to handle the request and then close it again upon completion. As you can probably imagine, this lessens the overall burden on the machine when the process is not in use.

The down side to this is that if it is a service that gets used a lot (such as a busy Web server) then this can cause slower response time because the service has to start up for each request, and if this happens a lot it puts extra burden on the system. Services can be run without inetd.conf, but we will not cover that in this series.
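The two-file lookup described above, and used in the telnet and FTP troubleshooting steps earlier, can be checked mechanically. The following is an added example, not part of the original article; the sample file contents are constructed from the article's lines (with ftp commented out for illustration), and the function names are hypothetical.

```python
# Constructed sample files built from the article's lines (ftp commented out here).
INETD_CONF = """\
# constructed sample, not a real host's file
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
#ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a
"""
SERVICES = """\
ftp-data 20/tcp
ftp 21/tcp
telnet 23/tcp
"""

def parse_services(text):
    """Map (name, proto) -> port from /etc/services-style lines."""
    ports = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and "/" in fields[1]:
            port, proto = fields[1].split("/", 1)
            ports[(fields[0], proto)] = int(port)
    return ports

def parse_inetd(text):
    """Map service -> entry; commented-out entries are kept but marked disabled."""
    entries = {}
    for line in text.splitlines():
        stripped = line.strip()
        enabled = not stripped.startswith("#")
        fields = stripped.lstrip("#").split()
        # A service line has at least six fields with wait/nowait in the fourth;
        # anything else (blank lines, ordinary comments) is skipped.
        if len(fields) < 6 or fields[3].split(".")[0] not in ("wait", "nowait"):
            continue
        entry = {"enabled": enabled, "proto": fields[2], "user": fields[4],
                 "server": fields[5], "args": fields[6:]}
        if enabled or fields[0] not in entries:  # an active line wins over a commented one
            entries[fields[0]] = entry
    return entries

def check_service(name, inetd_text=INETD_CONF, services_text=SERVICES):
    """Describe whether inetd would start `name`, and how."""
    entry = parse_inetd(inetd_text).get(name)
    if entry is None:
        return "no inetd.conf entry"
    if not entry["enabled"]:
        return "commented out in inetd.conf"
    port = parse_services(services_text).get((name, entry["proto"]))
    if port is None:
        return "missing from /etc/services"
    return f"enabled on {port}/{entry['proto']} via {entry['server']} as {entry['user']}"

if __name__ == "__main__":
    for svc in ("telnet", "ftp", "gopher"):
        print(svc, "->", check_service(svc))
```

The same check doubles as an inventory of what inetd will launch on request and under which account, which is worth reviewing for any service that is not actually needed.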

  • Bugtraq is one of the world's largest public vulnerability databases. Anyone with admin duties would profit from subscribing to the mailing list. ( http://www.securityfocus.com/ )

Other vulnerability alerts come from such sources as:
  • @stake
  • A.L.E.R.T.
  • AusCERT
  • AVERT
  • b0f
  • Bindview
  • BWLCerberus
  • CERT
  • CIAC
  • CIS
  • CORE
  • eEye
  • ENIGMA
  • F5
  • FedCirc
  • Foundstone
  • Guardent
  • Immunix
  • ISBASE
  • ISS
  • KKI
  • KSR[T]
  • NHC
  • NMRC
  • ntsecurity
  • RFP
  • RUS-Cert
  • SecReality
  • Securax
  • SECURITEAM
  • VIGILANTe
  • w00
These can be easily enough found by searching on the name, or sometimes they are also linked to by other security pages such as http://www.ntbugtraq.com




