Administering the NetWare FTP Server

This section discusses administering the following:


Multiple Instances of the FTP Server

Multiple instances of the FTP server can be initialized if the NetWare server has multiple network interface cards. Each FTP server should have a unique IP address and port number combination. Each FTP server instance can have its own configuration file and access restrictions file, and can listen on different IP addresses and port numbers.

The IP address of the host (HOST_IP_ADDR) and the port number (FTP_PORT) as defined in the configuration file are used to bind to and listen for FTP client connection requests. The configuration file can be specified while starting the FTP server. If these parameters are not defined in the configuration file, the default IP address and the standard FTP port number are used.

For more details, see Table 1, Multiple Instances Parameters.


Intruder Detection

A user is considered an intruder when the number of unsuccessful login attempts is greater than the limit specified by the parameter INTRUDER_USER_ATTEMPTS in the configuration file. Similarly, a host/client machine is considered an intruder when the number of consecutive login failures for any user from that host is greater than the limit specified by the parameter INTRUDER_HOST_ATTEMPTS.

If a successful login is encountered before the attempts limit is reached, the login failures count is reset to zero.

When a user becomes an intruder, the user's account is locked out for an interval of time specified by the parameter USER_RESET_TIME in the configuration file.

When a host becomes an intruder, access to the FTP Server is denied for that host machine for an interval of time specified by the parameter HOST_RESET_TIME in the configuration file.
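The lockout rules above, as an added model in Python. This is not the NetWare FTP Server's own code: the attribute names mirror the configuration keys on this page, but the time unit (seconds here), the "greater than the configured attempts" threshold, the treatment of a locked-out attempt as neither a failure nor a success, and the reading of INTRUDER_HOST_ATTEMPTS = 0 as switching detection off entirely are assumptions made for the example.

```python
# Model of the FTP server's intruder-detection rules (added illustration,
# not Novell's code). Parameter names follow the configuration keys on the
# page; the time unit and the exact check points are assumptions.
from dataclasses import dataclass, field


@dataclass
class IntruderDetector:
    user_attempts: int = 3        # INTRUDER_USER_ATTEMPTS (sample value)
    host_attempts: int = 5        # INTRUDER_HOST_ATTEMPTS; 0 disables intruder detection
    user_reset_time: int = 600    # USER_RESET_TIME, assumed to be seconds
    host_reset_time: int = 1800   # HOST_RESET_TIME, assumed to be seconds
    _user_failures: dict = field(default_factory=dict)
    _host_failures: dict = field(default_factory=dict)
    _user_locked_until: dict = field(default_factory=dict)
    _host_locked_until: dict = field(default_factory=dict)

    def is_user_locked(self, user, now):
        return self._user_locked_until.get(user, 0) > now

    def is_host_locked(self, host, now):
        return self._host_locked_until.get(host, 0) > now

    def login_attempt(self, user, host, success, now):
        """Record one login attempt at time `now`.

        Returns 'denied' if the user or host is currently locked out,
        'ok' for a successful login and 'failed' for a rejected one.
        """
        enabled = self.host_attempts > 0
        if enabled and (self.is_user_locked(user, now) or self.is_host_locked(host, now)):
            return "denied"
        if success:
            # A successful login before the limit is reached resets both counters.
            self._user_failures.pop(user, None)
            self._host_failures.pop(host, None)
            return "ok"
        if not enabled:
            return "failed"
        self._user_failures[user] = self._user_failures.get(user, 0) + 1
        if self._user_failures[user] > self.user_attempts:
            # The user becomes an intruder: account locked for USER_RESET_TIME.
            self._user_locked_until[user] = now + self.user_reset_time
            self._user_failures.pop(user, None)
        self._host_failures[host] = self._host_failures.get(host, 0) + 1
        if self._host_failures[host] > self.host_attempts:
            # The host becomes an intruder: access denied for HOST_RESET_TIME.
            self._host_locked_until[host] = now + self.host_reset_time
            self._host_failures.pop(host, None)
        return "failed"


def demo():
    """Constructed scenario: repeated bad passwords for 'alice' from one client."""
    d = IntruderDetector(user_attempts=2, host_attempts=3,
                         user_reset_time=60, host_reset_time=120)
    results = [d.login_attempt("alice", "10.0.0.5", False, t) for t in range(4)]
    results.append(d.login_attempt("bob", "10.0.0.5", False, 4))    # 4th failure from the host
    results.append(d.login_attempt("carol", "10.0.0.5", True, 5))   # host now locked
    results.append(d.login_attempt("alice", "10.0.0.9", True, 70))  # user lock expired at t=62
    return results


if __name__ == "__main__":
    print(demo())
```

The third failure for alice exceeds INTRUDER_USER_ATTEMPTS = 2 and locks her account until t = 62; bob's failure is the fourth consecutive one from 10.0.0.5, so the host is locked and carol's correct password is still refused from it.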


Access Restrictions

The FTP service enables you to specify access restrictions for a user, a client host, and the IP address of a client host. The access restrictions are specified in the restrictions file, whose path is configured with the RESTRICT_FILE parameter. Access restrictions can be specified at various levels and multiple access rights are allowed.


Restriction Levels

The following table describes the supported levels of access restrictions.

Restriction Level Description

Container

Restriction can be specified for any eDirectory container. This will control all the users in that container and its sub-OUs. The following is the RESTRICT file format:

*.container name

The asterisk (*) indicates the container level restriction. The container should be a fully distinguished name.

User

Restriction can be specified for a particular user.

.user name

The period (.) indicates user level restriction. The user name should be a fully distinguished name.

Domain

Restriction can be specified at the domain level. This will control all the hosts in that domain and its sub domains. The following is the RESTRICT file format:

DOMAIN= domain name

The DOMAIN= keyword indicates the domain level restriction.

The domain restrictions will not work if the host does not have a DNS entry.

Host

Restriction can be specified for a particular host machine.

ADDRESS= host name/IP address

The ADDRESS= keyword indicates the host level restriction. The host name or IP address of the host can be specified.

DNS must be configured correctly for address and domain name restrictions to work.


Access Rights

The following table describes the permitted access rights.

Access Right Description

DENY

Denies access to the FTP Server for that client.

READONLY

Gives read-only access to the client.

NOREMOTE

Restricts access to remote server navigation.

GUEST

Gives only Guest access to the user. Guest users are those users who cannot navigate to remote servers. A guest user has access only within the guest user's home directory and subdirectories.

ALLOW

Gives normal FTP access without restriction.


Keywords

The following table describes the possible keywords.

Keyword Description

ADDRESS=

Restricts a particular node. The IP address or machine name can be used.

DOMAIN=

Restricts a particular Domain.

*

Should be used for container level restrictions.

ACCESS=

Is mandatory for each line. It should be followed by access rights.


Restrict File

The format and organization of the restrict file is as follows:


Example 1

*.novell ACCESS=ALLOW

*.testou.novell ACCESS=DENY

.user1.testou.novell ACCESS=READONLY

User1 at testou will be allowed read-only rights. The other users at testou.novell will be denied access. However, all other OUs at .novell will be allowed.


Example 2

*.testou.novell ACCESS=DENY

*.novell ACCESS=ALLOW

All OUs at .novell, including testou, will be allowed because both lines apply to testou and the later line takes effect.


Example 3

ADDRESS=Clientmachine1.blr.novell.com ACCESS=NOREMOTE

.user1.novell ACCESS=READONLY

User1 logging in from clientmachine1 will have read-only access and no remote access.

For more details, see Table 4, Access Restrictions Parameters.
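The three examples above, run through an added evaluator written for this page. It is not the NetWare FTP Server's own code; it models only what the examples state: ACCESS= is mandatory on every line, the last matching line wins within a level (Example 2), and the user-level result combines with the host-level result (Example 3). Matching a container by distinguished-name suffix, keeping user and host levels independent, and returning None when no line matches are assumptions made here, since the page gives no default.

```python
# Evaluator for the RESTRICT file format (added illustration, not Novell's
# code). Container/user lines set the user-level right, DOMAIN=/ADDRESS=
# lines set the host-level right; within each level the last match wins,
# and the two levels are combined as in Example 3. These are assumptions
# drawn from the page's examples.
RIGHTS = {"DENY", "READONLY", "NOREMOTE", "GUEST", "ALLOW"}


def parse_restrict_file(text):
    """Return (level, target, right) tuples in file order."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        head, sep, right = line.upper().partition("ACCESS=")
        if not sep:
            raise ValueError(f"line {lineno}: ACCESS= is mandatory: {raw!r}")
        right = right.strip()
        if right not in RIGHTS:
            raise ValueError(f"line {lineno}: unknown access right {right!r}")
        target = line[:len(head)].strip().lower()   # everything before ACCESS=
        if target.startswith("*."):
            rules.append(("container", target[1:], right))   # keep the leading '.'
        elif target.startswith("."):
            rules.append(("user", target, right))
        elif target.startswith("domain="):
            rules.append(("domain", target[len("domain="):].strip().lstrip("."), right))
        elif target.startswith("address="):
            rules.append(("address", target[len("address="):].strip(), right))
        else:
            raise ValueError(f"line {lineno}: unrecognised restriction {target!r}")
    return rules


def evaluate(rules, user_dn, host=None, host_ip=None):
    """Effective rights for user_dn connecting from host (name) and/or host_ip."""
    user_dn = user_dn.lower()
    host = host.lower() if host else None
    names = {n.lower() for n in (host, host_ip) if n}
    user_right = host_right = None
    for level, target, right in rules:
        if level == "container":
            # A container line covers the container and all its sub-OUs.
            if user_dn.endswith(target) and len(user_dn) > len(target):
                user_right = right
        elif level == "user":
            if user_dn == target:
                user_right = right
        elif level == "domain":
            # A domain line covers the domain and its sub-domains (needs DNS).
            if host and (host == target or host.endswith("." + target)):
                host_right = right
        elif level == "address":
            if target in names:
                host_right = right
    if user_right is None and host_right is None:
        return None                      # no line applies; page states no default
    if "DENY" in (user_right, host_right):
        return ("DENY",)
    extra = sorted(r for r in (user_right, host_right) if r and r != "ALLOW")
    return tuple(extra) if extra else ("ALLOW",)


# The page's own three examples, verbatim.
EXAMPLE_1 = "*.novell ACCESS=ALLOW\n*.testou.novell ACCESS=DENY\n.user1.testou.novell ACCESS=READONLY\n"
EXAMPLE_2 = "*.testou.novell ACCESS=DENY\n*.novell ACCESS=ALLOW\n"
EXAMPLE_3 = "ADDRESS=Clientmachine1.blr.novell.com ACCESS=NOREMOTE\n.user1.novell ACCESS=READONLY\n"

if __name__ == "__main__":
    r1 = parse_restrict_file(EXAMPLE_1)
    print(evaluate(r1, ".user1.testou.novell"), evaluate(r1, ".user2.testou.novell"),
          evaluate(r1, ".user3.sales.novell"))
    print(evaluate(parse_restrict_file(EXAMPLE_3), ".user1.novell",
                   host="Clientmachine1.blr.novell.com"))
```

Because the last matching line wins, Example 2's order (DENY first, ALLOW second) lets everyone in; reversing the two lines is what actually blocks testou.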


Anonymous User Access

NetWare FTP Server software supports an anonymous user account. This account provides people with access to public files. Access to the Anonymous user account can be enabled or disabled by setting the ANONYMOUS_ACCESS parameter in the configuration file. By default, the parameter is set to No. The path of the Anonymous user's home directory can be specified in the configuration file with the ANONYMOUS_HOME parameter.

An Anonymous user account can be created by loading the FTP server with the -a option. This creates the Anonymous user, creates the home directory (if it does not already exist), and assigns access rights to the Anonymous user. The administrator name and password are then read from the server console prompt, and the Anonymous user is created in the eDirectory tree at the default context. The configured anonymous home directory is also displayed on the console with an option to modify it.

If the administrator does not specify a home directory, then the default directory is taken. The Anonymous user will have only Read and File Scan rights to the default directory. If the administrator specifies the anonymous home directory, then the directory is created and the Anonymous user will have Read, File Scan, Create, Delete, and Modify rights to that directory.

For more details, see Table 3, Anonymous User Access Parameters.


FTP Log Files

The FTP server has four log files for recording different activity information. All the log files are created in the FTP_LOG_DIR directory specified in the configuration file. The amount and type of information logged is controlled by the LOG_LEVEL parameter defined in the configuration file.

The log levels indicate bits, of which any combination can be given.

If LOG_LEVEL = 3, then error messages and warning messages will be logged. If LOG_LEVEL = 4, then error messages and warning messages will be logged. At the default value of LOG_LEVEL = 7, all messages will be logged.

The parameter NUM_LOG_MSG is used to specify the maximum number of messages that can be logged into each of the log files. Once this limit is exceeded the log files are overwritten and the old messages are lost.

All these log files can be viewed from NetWare Web Manager.


Audit Log File

The Audit log contains details about the login and activities of the user. The default path is SYS:/ETC/FTPAUDIT.LOG. The file has entries for login, logout and other file system related operations like mkdir, rmdir, put, set, and delete.

The general Audit log format is:

Log Level:Thread ID:Date Time:IPaddress:Username:message


Viewing Audit Log File from NetWare Web Manager

  1. In the NetWare Web Manager Service Selector panel, click NetWare FTP Server.

  2. In the Service Manager panel, click the Server Status icon.

  3. In the Server Log panel, click View Auditor Trail Log to display the following panel.

    Figure 9: Audit Trail Log Panel


Statistics Log File

The Statistics log file contains details of all active sessions. The default path is SYS:/ETC/FTPSTAT.LOG.

The Statistics log file maintains three record types, each of which is separated by a comma.


Viewing Statistics Log file from Web Manager

  1. In the NetWare Web Manager Service Selector panel, click the NetWare FTP Server.

  2. In the Service Manager panel, click the Server Status icon.

  3. In the Server Log menu, click View Statistics Log link to display a panel similar to the following:

    Figure 10: Statistics Log Panel


Intruder Log File

The Intruder log file contains information about unsuccessful login attempts. The default path is SYS:/ETC/FTPINTR.LOG. The following information is recorded in the file:

The general Intruder log format is:

ErrorLevel: Date Time : Client IPaddress : UserName : message

If the parameter INTRUDER_HOST_ATTEMPTS = 0 then intruder detection is disabled.


Viewing Intruder Detection from Web Manager

  1. In the NetWare Web Manager Service Selector panel, click the NetWare FTP Server.

  2. In the Service Manager panel, click the Server Status icon.

  3. In the Server log panel, click View Intruder Log to display a panel similar to the following:

    Figure 11: Intruder Log Panel


System Log File

The System log file contains all the internal system-related information encountered by the FTP Server.

The general System log file format is:

Error: Thread ID: Date Time: Message

For more details, see Table 9, FTP Logs Parameters.
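Parsers for the Audit and Intruder log formats quoted above, with a per-host tally of failed logins from the Intruder log, as an added example written for this page (not Novell's code). The field order comes from the two format lines on the page; the date/time layout, the message wording and the sample lines are constructed. The Audit format separates fields with ":", and a time of day also contains ":", so the parser anchors on the client IP address field instead of splitting blindly on ":".

```python
# Parsers for the FTPAUDIT.LOG and FTPINTR.LOG line formats given on the page
# (added illustration, not Novell's code). Date/time layout and message text
# are assumptions; the sample lines below are constructed.
import re
from collections import Counter

_IP = r"(\d{1,3}(?:\.\d{1,3}){3})"

# Log Level:Thread ID:Date Time:IPaddress:Username:message
# "Date Time" may itself contain ':' so it is matched non-greedily up to the IP.
AUDIT_RE = re.compile(r"^([^:]*):([^:]*):(.*?):" + _IP + r":([^:]*):(.*)$")

# ErrorLevel: Date Time : Client IPaddress : UserName : message
INTRUDER_RE = re.compile(r"^(.*?)\s*:\s*(.*?)\s*:\s*" + _IP + r"\s*:\s*(.*?)\s*:\s*(.*)$")


def parse_audit_line(line):
    """Return a dict of the audit fields, or None if the line does not match."""
    m = AUDIT_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    level, thread, when, ip, user, msg = m.groups()
    return {"level": level.strip(), "thread": thread.strip(), "time": when.strip(),
            "ip": ip, "user": user.strip(), "message": msg.strip()}


def parse_intruder_line(line):
    """Return a dict of the intruder-log fields, or None if the line does not match."""
    m = INTRUDER_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    level, when, ip, user, msg = m.groups()
    return {"level": level, "time": when, "ip": ip, "user": user, "message": msg}


def failed_logins_by_host(lines):
    """Every intruder-log entry is an unsuccessful login, so count entries per client IP."""
    counts = Counter()
    for line in lines:
        rec = parse_intruder_line(line)
        if rec:
            counts[rec["ip"]] += 1
    return counts


def hosts_over_limit(lines, intruder_host_attempts):
    """Client IPs whose failure count exceeds INTRUDER_HOST_ATTEMPTS (0 disables detection)."""
    if intruder_host_attempts == 0:
        return []
    return sorted(ip for ip, n in failed_logins_by_host(lines).items()
                  if n > intruder_host_attempts)


# Constructed sample lines in the two formats (not real server output).
SAMPLE_AUDIT = [
    "1:12:01/15/2003 10:23:45:10.1.2.3:.user1.testou.novell:login",
    "1:12:01/15/2003 10:24:02:10.1.2.3:.user1.testou.novell:put SYS:ETC/report.txt",
]
SAMPLE_INTRUDER = [
    "1 : 01/15/2003 10:30:01 : 10.1.2.9 : .user1.testou.novell : Login failed",
    "1 : 01/15/2003 10:30:05 : 10.1.2.9 : .user1.testou.novell : Login failed",
    "1 : 01/15/2003 10:30:09 : 10.1.2.9 : admin : Login failed",
    "1 : 01/15/2003 11:02:40 : 10.1.2.20 : .user2.novell : Login failed",
]

if __name__ == "__main__":
    for line in SAMPLE_AUDIT:
        print(parse_audit_line(line))
    print(failed_logins_by_host(SAMPLE_INTRUDER))
    print(hosts_over_limit(SAMPLE_INTRUDER, 2))
```

Reviewing the Intruder log this way shows which clients the server would already have locked out at a given INTRUDER_HOST_ATTEMPTS setting, and which are accumulating failures against several accounts just below it.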


Active Sessions Display

To load the Active Sessions Display utility, enter

ftpstat [-p port number]

Enter the port number that the HTTP browser should connect to in order to view the NetWare FTP Active Sessions:

http://servername:port/

The default port is 2500.

You can directly view the active sessions information using NetWare Web Manager.

  1. In the NetWare Web Manager Service Selector panel, click the NetWare FTP Server.

  2. In the Service Manager panel, click the Server Status icon.

  3. In the Server Status menu, click View Server Status to display the View Server Status panel.

  4. Click the View Server Status button in the panel to view the FTP Instance Panel.

    Figure 12: FTP Instance Panel

    The FTP Instance panel appears, displaying the active sessions of the FTP server. You can view details such as the total number of active sessions, IP address, port number, number of sessions, peak bandwidth, and configuration.


