civey
Joined: 2007/12/12
Points: 0

I have TFTP working on the Thirdlane but as everyone knows Polycoms and TFTP do not play nice.
Last night we tried to get FTP working and to test we logged in with a laptop but the system would just kick us out.

Is there something we need to do special to make FTP work on the server?

eeman
Joined: 2007/11/06
Points: 290

is this an older install? or did you roll your own?

Erik Smith
dCAP
Thirdlane/Asterisk Support available
esmith.bgnv@gmail.com

civey
Joined: 2007/12/12
Points: 0

ISO installed around October 2010 and then upgraded to 6.1.1.7.
I was wondering what it takes to get the FTP working because it does not look to be running by default.

Thanks

eeman
Joined: 2007/11/06
Points: 290

do you have a /home/PlcmSpIp directory?

Erik Smith
dCAP
Thirdlane/Asterisk Support available
esmith.bgnv@gmail.com

civey
Joined: 2007/12/12
Points: 0

Yes I have that directory and I was under the impression that FTP/TFTP/HTTP all point to that directory.
The only one that will pull files is TFTP. Are we supposed to pick an FTP client to install and configure?
If so how do we go about doing this?
I looked at ProFTPD in Webmin and it says

The ProFTPD server /usr/sbin/proftpd could not be found on your system. Maybe it is not installed, or your module configuration is incorrect.

The ProFTPd package can be automatically installed by Webmin. Click here to have it downloaded and installed using YUM.

So does this mean I need to figure out how to configure it?

Thanks

eeman
Joined: 2007/11/06
Points: 290

you should have vsftpd running, you should have a user in your /etc/passwd file named PlcmSpIp. If you installed from ISO then all this is already running. when you connected via FTP did you use the user/pass of PlcmSpIp for both user and pass?

Erik Smith
dCAP
Thirdlane/Asterisk Support available
esmith.bgnv@gmail.com

civey
Joined: 2007/12/12
Points: 0

vsftpd is running and it looks like the username and password are PlcmSpIp but when I try and log in it will just kick me out and tell me I don't have rights?

It says an error occurred when trying to open that folder....

Ideas?

eeman
Joined: 2007/11/06
Points: 290

[root@eeman ~]# ls -ld /home/PlcmSpIp
drwx--x--x 8 root root 4096 Jan 28 12:56 /home/PlcmSpIp

Erik Smith
dCAP
Thirdlane/Asterisk Support available
esmith.bgnv@gmail.com

civey
Joined: 2007/12/12
Points: 0

PlcmSpIp is the user and does exist in the /etc/passwd file:

PlcmSpIp:x:500:500::/home/PlcmSpIp:/sbin/nologin

Even adjusted to

PlcmSpIp:x:503:503::/home/PlcmSpIp:/bin/bash

I still can't list the directory. But I can now log in via SSH:

[PlcmSpIp@mylogin ~]$ dir
dir: .: Permission denied
[PlcmSpIp@mylogin ~]$

Even if its changed to a

We have been using PlcmSpIp as the password

No matter what we change it will not connect completely... it ends in a data socket connection error

Iptables is temporarily turned off right now, we are using vsftpd

civey
Joined: 2007/12/12
Points: 0

[root@mylogin vsftpd]# ls -ld /home/PlcmSpIp
drwxr-x--x 8 root root 12288 Feb 8 00:08 /home/PlcmSpIp
[root@mylogin vsftpd]#

I even just adjusted vsftp.conf with

pasv_address=ipofthePBX

and nothing after vsftpd restart

eeman
Joined: 2007/11/06
Points: 290

you aren't supposed to be able to list the directory, that's part of the security.

what you should be able to do,

be able to login via FTP
be able to issue a GET command for a specific file name.

Erik Smith
dCAP
Thirdlane/Asterisk Support available
esmith.bgnv@gmail.com

eeman
Joined: 2007/11/06
Points: 290

your permissions for the directory are good.

Erik Smith
dCAP
Thirdlane/Asterisk Support available
esmith.bgnv@gmail.com

eeman
Joined: 2007/11/06
Points: 290

make sure you change your shell back to /sbin/nologin .. otherwise there will be attempts to hack your server via ssh.

Erik Smith
dCAP
Thirdlane/Asterisk Support available
esmith.bgnv@gmail.com

civey
Joined: 2007/12/12
Points: 0

Get Works...
Trying to use it like normal FTP..
Testing now with a Polycom.

Thanks EEMAN for the help.

civey
Joined: 2007/12/12
Points: 0

It looks to be working now but it keeps failing saying application not present.

eeman
Joined: 2007/11/06
Points: 290

Removing the read permission from the directory prevents someone from using an FTP client to log in, search the directory, find those mac-registration.cfg files, and download them to acquire your login credentials. This was also a vulnerability of previous HTTP installations where directory indexing was enabled. The behavior now mimics TFTP in that the filename must be known. This makes remote tampering much more difficult because the hacker would have to have the ability to use a packet capture utility to sniff not only user/pass but the get requests to FTP.

Erik Smith
dCAP
Thirdlane/Asterisk Support available
esmith.bgnv@gmail.com

eeman
Joined: 2007/11/06
Points: 290

application not present means you have not installed the bootrom and sip software..

go fetch both the bootrom and sip software, stay away from the 3.3.x release use the 3.2.x release.

put them somewhere, like in my example /usr/src/polycom

cd /home/PlcmSpIp
unzip /usr/src/polycom/spip_ssip_vvx_BootROM_4_2_0_release_sig.zip
unzip /usr/src/polycom/spip_ssip_vvx_3_2_1_release_sig_split.zip

Erik Smith
dCAP
Thirdlane/Asterisk Support available
esmith.bgnv@gmail.com

civey
Joined: 2007/12/12
Points: 0

Thanks EEMAN - sip.ld is not there

downloading now.

civey
Joined: 2007/12/12
Points: 0

I have unzipped in the /home/PlcmSpIp folder.
I can run a tcpdump -n -i eth0 -vvv port ftp from the cli and see the phone hitting the box but after this runs for about 2 to 3 min it will say on the phone could not contact boot server and then it will tell me application is not present.

Any Ideas?

civey
Joined: 2007/12/12
Points: 0

I changed it back to TFTP and it downloaded the application but it will not download in FTP mode?

I watch it and it does hit the FTP server but it just bombs.

I think it is weird that it will download the files in TFTP because the folder is the same.

eeman
Joined: 2007/11/06
Points: 290

what does your /var/log/xferlog say? it's possible you changed something in vsftpd.conf ?

Erik Smith
dCAP
Thirdlane/Asterisk Support available
esmith.bgnv@gmail.com

civey
Joined: 2007/12/12
Points: 0

Tue Feb 8 15:40:16 2011 1 127.0.0.1 1822 /0004f22b0df0.cfg b _ o r PlcmSpIp ftp 0 * c
Tue Feb 8 21:38:51 2011 3 208.210.197.234 634324 /2345-12360-001.bootrom.ld a _ o r PlcmSpIp ftp 0 * c

civey
Joined: 2007/12/12
Points: 0

EEMAN, do you have any ideas where I should look? The phone will work no problem with TFTP.

Very Strange

civey
Joined: 2007/12/12
Points: 0

Opened the Cisco router in front of the Thirdlane box and it works.
We are looking at the ports and it looks like it needs random ports opened in order to complete the connection.

How do we leave the router in place but open the ports for FTP to work?

eeman
Joined: 2007/11/06
Points: 290

If by router you mean pix firewall this is an unnecessary addition because centos already has a good firewall running in the MTE distribution. If you want to continue to use the pix firewall you will need to find out from that vendor how to enable an FTP server using PASSIVE mode FTP from behind the firewall. Passive mode dynamically picks a port from 1025-16550 for transfer. Linux firewalls use a 'helper module' that tracks FTP port 21 connections and if there is a connection considered ESTABLISHED, then the ESTABLISHED,RELATED firewall rule will allow additional traffic (i.e. the passive data port) to occur.

Erik Smith
dCAP
Thirdlane/Asterisk Support available
esmith.bgnv@gmail.com

civey
Joined: 2007/12/12
Points: 0

EEMAN

Thanks for the insight on this.

We were able to program the passive ports on the router and all is good now.

acheck
Joined: 2008/05/14
Points: 0

In order to prevent possible attacks via ssh you should block PlcmSpIp at /etc/ssh/sshd_config

#block PlcmSpIp
DenyUsers PlcmSpIp

After that PlcmSpIp login will be blocked at sshd forever.
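A check for the three hardening points raised in this thread (execute-only provisioning directory so nothing can be listed, /sbin/nologin shell, DenyUsers in sshd_config), as an added example that is not from the thread or from Thirdlane; the user name PlcmSpIp comes from the thread, and the file and directory paths are parameters so it can be run against copies or fixtures.

```shell
#!/bin/sh
# Audit of the Polycom provisioning account as set up in this thread:
# the home directory must be execute-only for group/other (no read bit,
# so an FTP client cannot list the MAC-named config files but a GET by
# exact name still works), the login shell must be /sbin/nologin, and
# sshd_config must carry a DenyUsers line naming the account.
# Inputs are parameters (assumed layout) so it can run on fixture copies.
# Returns 0 when every check passes; prints each finding and returns 1 otherwise.
audit_provisioning_user() {
    user="$1" passwd_file="$2" sshd_cfg="$3" home_dir="$4"
    rc=0
    entry=$(grep "^${user}:" "$passwd_file" || true)
    if [ -z "$entry" ]; then
        echo "FAIL: $user has no entry in $passwd_file"
        return 1
    fi
    shell=$(printf '%s\n' "$entry" | cut -d: -f7)
    case "$shell" in
        /sbin/nologin|/usr/sbin/nologin|/bin/false) ;;
        *) echo "FAIL: login shell is '$shell', expected /sbin/nologin"; rc=1 ;;
    esac
    # Only uncommented DenyUsers lines count; the name must be a whole word.
    if ! grep -E "^[[:space:]]*DenyUsers[[:space:]]" "$sshd_cfg" \
         | grep -Eq "(^|[[:space:]])${user}([[:space:]]|\$)"; then
        echo "FAIL: no 'DenyUsers $user' in $sshd_cfg"; rc=1
    fi
    # Mode string from ls -ld, e.g. drwx--x--x: chars 5 and 8 are the group
    # and other read bits, chars 7 and 10 the execute bits. The phone logs in
    # as the provisioning user, which is "other" on a root-owned directory.
    mode=$(ls -ld "$home_dir" | cut -c1-10)
    if [ "$(printf '%s' "$mode" | cut -c5)" != "-" ] || \
       [ "$(printf '%s' "$mode" | cut -c8)" != "-" ]; then
        echo "FAIL: $home_dir is $mode; a read bit allows directory listing"; rc=1
    fi
    if [ "$(printf '%s' "$mode" | cut -c7)" != "x" ] || \
       [ "$(printf '%s' "$mode" | cut -c10)" != "x" ]; then
        echo "FAIL: $home_dir is $mode; without execute, phones cannot fetch files"; rc=1
    fi
    return $rc
}
```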

eeman
Joined: 2007/11/06
Points: 290

Yes this is a flaw in SSH that has been discussed in the redhat/centos community. actually what you should do is close off SSH to only a few trusted subnets and not have to worry about this exploit or the 10000000000 other exploits people will try via SSH. This won't be the first or the last SSH based attack. The first thing someone should do when they roll their service into production is edit their /etc/sysconfig/iptables script and for the port 22 allow rule modify it to use a -s 123.123.123.123/24 syntax to restrict it to a source subnet. Multiple rules can be inserted to allow a handful of restricted source addresses. The iptables script needs a cleaning anyway.. for whatever reason I have found a ridiculous rule inserted, on several machines now, where every single port from 1024 upward is allowed for TCP access. I think the intent was related to ftp and tftp but whoever made that rule simply had no clue how the CONNTRACK system works.. you can simply add ip_conntrack_ftp and ip_conntrack_tftp to the loaded module list so that the -m state --state ESTABLISHED,RELATED -j ACCEPT rule works. leaving 65k tcp ports open to attack means that this pbx is 1) vulnerable to a lot of attacks where the service port is > 1024 and 2) Any entity that is a government organization or does business with a government org cannot use it as-is because it does not comply with about half a dozen broad security requirements. Basically they don't let people have an "allow-everything and only block a few" rule set.

Erik Smith
dCAP
Thirdlane/Asterisk Support available
esmith.bgnv@gmail.com
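The firewall layout eeman describes here and in the passive-mode post above (ESTABLISHED,RELATED with the FTP/TFTP conntrack helpers loaded, SSH allowed only from trusted source subnets, no blanket high-port rule), as an added example that is not Thirdlane's own iptables script; the chain layout, the IPTABLES_MODULES line for /etc/sysconfig/iptables-config and the subnets are assumptions.

```shell
#!/bin/sh
# Emits an /etc/sysconfig/iptables rule file in the shape eeman recommends:
# loopback and ICMP, then ESTABLISHED,RELATED (the ip_conntrack_ftp and
# ip_conntrack_tftp helpers mark passive-FTP data and TFTP reply flows as
# RELATED, so no high-port range needs opening), SSH only from the subnets
# given as arguments, then the FTP and TFTP service ports, then a reject.
# Chain policies and the port list are assumptions, not Thirdlane's script.
gen_iptables_rules() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
    # One rule per trusted management subnet; no unrestricted port-22 rule is emitted.
    for net in "$@"; do
        echo "-A INPUT -m state --state NEW -m tcp -p tcp -s $net --dport 22 -j ACCEPT"
    done
    cat <<'EOF'
-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 69 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Line for /etc/sysconfig/iptables-config so the helpers load with the rules.
# Kernels newer than the CentOS 5 era name them nf_conntrack_ftp / nf_conntrack_tftp.
gen_iptables_config() {
    echo 'IPTABLES_MODULES="ip_conntrack_ftp ip_conntrack_tftp"'
}

# Prints any ACCEPT rule for a port range such as --dport 1024:65535, the
# rule eeman found on several machines. Exit status 0 means one was found.
find_wide_port_ranges() {
    grep -E -e '--dport +[0-9]+:[0-9]* .*-j +ACCEPT' "$1"
}
```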

thirdlane
Joined: 2007/02/07
Points: 550

6.1.1.10 is VERY old.

You should consider moving to version 7.X - for which we provide tools to facilitate migration from 6.X.

Alex Epshteyn
Third Lane Technologies
Multi Tenant Asterisk PBX