system and network administration
TRANSCRIPT
-
8/7/2019 System and Network Administration
1/46
VIRTUAL LAN
What is a LAN?
Okay, most of you already know what a LAN is, but let's give it a definition to make sure. We have to do
this because, if you don't know what a LAN is, you can't understand what a VLAN is.
A LAN is a local area network and is defined as all devices in the same broadcast domain. If you
remember, routers stop broadcasts, switches just forward them.
What is a VLAN?
As I said, a VLAN is a virtual LAN. In technical terms, a VLAN is a broadcast domain created by switches.
Normally, it is a router creating that broadcast domain. With VLANs, a switch can create the broadcast
domain.
This works by you, the administrator, putting some switch ports in a VLAN other than VLAN 1, the
default. All ports in a single VLAN are in a single broadcast domain.
Because switches can talk to each other, some ports on switch A can be in VLAN 10 and other ports on
switch B can be in VLAN 10. Broadcasts between these devices will not be seen on any other port in any
other VLAN, other than 10. However, these devices can all communicate because they are on the same
VLAN. Without additional configuration, they would not be able to communicate with any device that is
not in their VLAN.
Are VLANs required?
It is important to point out that you don't have to configure a VLAN until your network gets so large and
has so much traffic that you need one. Many times, people are simply using VLANs because the
network they are working on was already using them.
Another important fact is that, on a Cisco switch, VLANs are enabled by default and ALL devices are
already in a VLAN. The VLAN that all devices are already in is VLAN 1. So, by default, you can just use all
the ports on a switch and all devices will be able to talk to one another.
When do I need a VLAN?
You need to consider using VLANs in any of the following situations:
* You have more than 200 devices on your LAN
* You have a lot of broadcast traffic on your LAN
* Groups of users need more security or are being slowed down by too many broadcasts
* Groups of users need to be on the same broadcast domain because they are running the same
applications. An example would be a company that has VoIP phones. The users of the phones could be
on a different VLAN from the regular users.
* Or, just to make a single switch into multiple virtual switches.
Why not just subnet my network?
A common question is why not just subnet the network instead of using VLANs? Each VLAN should be in
its own subnet. The benefit that a VLAN provides over a subnetted network is that devices in different
physical locations, not going back to the same router, can be on the same network. The limitation of
subnetting a network with a router is that all devices on that subnet must be connected to the same
switch and that switch must be connected to a port on the router.
With a VLAN, one device can be connected to one switch, another device can be connected to another
switch, and those devices can still be on the same VLAN (broadcast domain).
How can devices on different VLANs communicate?
Devices on different VLANs can communicate through a router or a Layer 3 switch. As each VLAN is its own
subnet, a router or Layer 3 switch must be used to route between the subnets.
What is a trunk port?
When there is a link between two switches or a router and a switch that carries the traffic of more than
one VLAN, that port is a trunk port.
A trunk port must run a special trunking protocol. The protocol used would be Cisco's proprietary
Inter-Switch Link (ISL) or the IEEE standard 802.1Q.
What do VLANs offer?
VLANs offer higher performance for medium and large LANs because they limit broadcasts. As the
amount of traffic and the number of devices grow, so does the number of broadcast packets. By using
VLANs you are containing broadcasts.
VLANs also provide security because you are essentially putting one group of devices, in one VLAN, on
their own network.
Here is what we have learned:
* A VLAN is a broadcast domain formed by switches.
* Administrators must create the VLANs and then assign what port goes in what VLAN, manually.
* VLANs provide better performance for medium and large LANs.
* A trunk port is a special port that runs ISL or 802.1Q so that it can carry traffic from more than
one VLAN.
* For devices in different VLANs to communicate, you must use a router or Layer 3 switch.
Protocol Structure - VLAN: Virtual Local Area Network and the IEEE 802.1Q
IEEE 802.1Q Tagged Frame for Ethernet:
* TPID - defined value of 8100 in hex. When a frame has the EtherType equal to 8100, this frame
carries the tag IEEE 802.1Q / 802.1P.
* TCI - Tag Control Information field, including user priority, Canonical Format Indicator and VLAN ID.
* User Priority - defines user priority, giving eight (2^3) priority levels. IEEE 802.1P defines the
operation for these 3 user priority bits.
* CFI - Canonical Format Indicator is always set to zero for Ethernet switches. CFI is used for
compatibility reasons between Ethernet type networks and Token Ring type networks. If a frame
received at an Ethernet port has a CFI set to 1, then that frame should not be forwarded as it is
to an untagged port.
* VID - VLAN ID is the identification of the VLAN, which is basically used by the standard 802.1Q. It
has 12 bits and allows the identification of 4096 (2^12) VLANs. Of the 4096 possible VIDs, a VID of
0 is used to identify priority frames and value 4095 (FFF) is reserved, so the maximum possible
number of VLAN configurations is 4,094.
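As an added example (not code from the handout), the following Python builds and parses the 802.1Q tag described above (TPID, user priority, CFI, VID) and uses it in a toy model of two switches joined by a trunk, to show the broadcast containment the VLAN section describes: a broadcast entering a VLAN 10 access port reaches only VLAN 10 ports on either switch. Switch names, port names and MAC addresses are constructed for the example.

```python
import struct

TPID_8021Q = 0x8100            # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800
BROADCAST = b"\xff" * 6


def build_tagged_frame(dst, src, vid, priority=0, cfi=0,
                       ethertype=ETHERTYPE_IPV4, payload=b""):
    """Insert the 4-byte 802.1Q tag (TPID + TCI) after the source MAC."""
    if not 0 <= vid <= 4095:
        raise ValueError("VID must fit in 12 bits")
    if not 0 <= priority <= 7:
        raise ValueError("user priority must fit in 3 bits")
    tci = (priority << 13) | ((cfi & 1) << 12) | vid   # 3 + 1 + 12 bits
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def parse_frame(frame):
    """Describe a frame; tag fields are None when the frame is untagged."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    info = {"dst": frame[0:6], "src": frame[6:12],
            "priority": None, "cfi": None, "vid": None}
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, inner = struct.unpack("!HH", frame[14:18])
        info.update(priority=tci >> 13, cfi=(tci >> 12) & 1,
                    vid=tci & 0x0FFF, ethertype=inner, payload=frame[18:])
    else:
        info.update(ethertype=ethertype, payload=frame[14:])
    return info


def strip_tag(frame):
    """Remove the tag so a frame can leave an access (untagged) port."""
    return frame[:12] + frame[16:]


class Switch:
    """Toy VLAN-aware switch: access ports belong to one VID, trunks carry tags."""

    def __init__(self, name, access_ports, trunk_ports):
        self.name = name
        self.access = dict(access_ports)   # port name -> VID
        self.trunks = set(trunk_ports)
        self.peer = {}                     # trunk port -> (Switch, its port)

    def connect_trunk(self, my_port, other, other_port):
        self.peer[my_port] = (other, other_port)
        other.peer[other_port] = (self, my_port)

    def receive(self, port, frame, delivered):
        """Flood a broadcast to every other port in the same VLAN.

        `delivered` collects (switch name, port, untagged frame) for each
        access port that gets the broadcast, i.e. the hosts that see it.
        """
        info = parse_frame(frame)
        if port in self.access:
            vid = self.access[port]        # classify by ingress port
            tagged = build_tagged_frame(info["dst"], info["src"], vid,
                                        ethertype=info["ethertype"],
                                        payload=info["payload"])
        elif port in self.trunks and info["vid"] is not None:
            vid = info["vid"]              # classify by the tag on the trunk
            tagged = frame
        else:
            return                         # untagged frame on a trunk: drop it
        for p, pvid in self.access.items():
            if p != port and pvid == vid:
                delivered.append((self.name, p, strip_tag(tagged)))
        for t in self.trunks:
            if t != port and t in self.peer:
                other, other_port = self.peer[t]
                other.receive(other_port, tagged, delivered)


def broadcast_reach(sender_vlan):
    """Switch A (ports a1=VLAN 10, a2=VLAN 20) trunked to switch B
    (b1=10, b2=20, b3=10). Returns {(switch, port): frame} for the ports
    that receive a broadcast sent into switch A on the given VLAN."""
    a = Switch("A", {"a1": 10, "a2": 20}, {"a-trunk"})
    b = Switch("B", {"b1": 10, "b2": 20, "b3": 10}, {"b-trunk"})
    a.connect_trunk("a-trunk", b, "b-trunk")
    sender = "a1" if sender_vlan == 10 else "a2"
    src_mac = b"\x02\x00\x00\x00\x00\x01"      # constructed, locally administered
    frame = BROADCAST + src_mac + struct.pack("!H", ETHERTYPE_IPV4)
    out = []
    a.receive(sender, frame, out)
    return {(sw, p): f for sw, p, f in out}


if __name__ == "__main__":
    for vlan in (10, 20):
        print("VLAN %d broadcast reaches:" % vlan, sorted(broadcast_reach(vlan)))
```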
CONFIGURING A VLAN IN LINUX
Commands used in configuring a VLAN (subcommands of vconfig):
add [interface-name] [vlan_id]
rem [vlan-name]
set_dflt [interface-name][vlan_id]
add_port [port-name][vlan_id]
rem_port [port-name][vlan_id]
set_egress_map [vlan-name][skb_priority][vlan_qos]
set_ingress_map [vlan-name][skb_priority][vlan_qos]
set_name_type [name-type]
set_bind_mode [bind-type]
* The [interface-name] is the name of the ethernet card that hosts
the VLAN you are talking about.
* The port-name is the name of the physical interface that a VLAN
may be attached to.
* The vlan_id is the identifier (0-4095) of the VLAN you are operating on.
* skb_priority is the priority in the socket buffer (sk_buff).
* vlan_qos is the 3-bit priority in the VLAN header.
* name-type: VLAN_PLUS_VID (vlan0005), VLAN_PLUS_VID_NO_PAD (vlan5),
DEV_PLUS_VID (eth0.0005), DEV_PLUS_VID_NO_PAD (eth0.5)
* bind-type: PER_DEVICE # Allows vlan 5 on eth0 and eth1 to be unique.
PER_KERNEL # Forces vlan 5 to be unique across all devices.
To get started, you will want to download the latest vlan.X.X.tar.gz file (to your $HOME directory).
Unpack it with your favorite commands, for example: tar -xvzf vlan.1.6.tar.gz. Alternatively, you can get
it from the CVS repository using something like this:
Install and configure on your machine.
Specify the vlan repository:
export CVSROOT=:pserver:[email protected]:/home/cvs_user/vlan
Log in to the repository:
cvs login (PASSWORD: anonymous)
Check out the source:
mkdir vlan; cd vlan; cvs -z3 checkout vlan
Now, you should have a vlan directory in your home directory. You only have to patch the kernel if you
are using Linux 2.4.14 or earlier. Now, read the README or other docs to figure out what kernel it
patches against. A list of mirrors is kept at www.kernel.org. Unzip and un-tar this in your home
directory as well, which should create a linux directory in your $HOME directory. Example: tar -xvzf
linux-2.2.14.tar.gz
Now add the VLAN kernel changes to the kernel if your kernel requires it. I finally figured out how to do
patches that diff can handle (I think I did it right at least!). You will find the patch in the vlan directory. It
will be called: vlan.patch, or something equally straightforward. Apply the patch to your kernel:
cd $HOME/linux
patch -p 1 < $HOME/vlan/[vlan.patch]
Your new, patched, kernel should be in your INCLUDE path before trying to compile the vconfig
program. One way to get things working is to link $HOME/linux to the 'linux' directory that you just un-
zipped and patched. A command might be something like:
cd $HOME;
ln -s /home/greear/kernel/2.4/linux.dev linux
Build the vconfig program in the $HOME/vlan directory:
cd $HOME/vlan
make
Now, compile your new kernel! Use the make xconfig command in your $HOME/linux directory to select
your kernel options. The option related to 802.1Q VLANs is found under the Networking options. If the
option is not highlighted, make sure you select "Experimental Drivers" in one of the first xconfig menus.
Assuming your kernel compiled cleanly, you are now ready to try it out. Install your kernel in the normal
manner (fix up your /etc/lilo.conf file appropriately and run lilo as root). Reboot your computer and
choose your new kernel.
As your computer comes back to life, there will be little sign that you are now 802.1Q capable, other
than a line spit out during the boot process. There should be a config program in your $HOME/vlan
directory: vconfig. vconfig is used to create and destroy VLAN devices. So, let's create a VLAN device on
your first ethernet NIC. vconfig will list a short spiel on how to use it. The vconfig command I
usually use is:
vconfig add eth0 5
This attempts to create a VLAN device with VLAN-ID of 5 on the eth0 device. If you want to delete a VLAN, use something like:
vconfig rem eth0.5
You will also need to give it an ip, eg: ifconfig -i eth0.5 192.168.2.1
and configure it UP: ifconfig -i eth0.5 up
NOTE: You can get lots of VLAN related configuration information from the /proc/net/vlan/* files by
using 'cat' or 'more' to look at them.
ping Command
DESCRIPTION
Verifies IP-level connectivity to another TCP/IP computer by sending Internet Control Message Protocol
(ICMP) Echo Request messages. The receipt of corresponding Echo Reply messages is displayed, along
with round-trip times. Ping is the primary TCP/IP command used to troubleshoot connectivity,
reachability, and name resolution. Used without parameters, ping displays help.
SYNTAX
ping [-t] [-a] [-n Count] [-l Size] [-f] [-i TTL] [-v TOS] [-r Count] [-s Count] [{-j HostList | -k HostList}] [-w Timeout] [TargetName]
PARAMETERS
-t : Specifies that ping continue sending Echo Request messages to the destination until interrupted. To
interrupt and display statistics, press CTRL-BREAK. To interrupt and quit ping, press CTRL-C.
-a : Specifies that reverse name resolution is performed on the destination IP address. If this is
successful, ping displays the corresponding host name.
-n Count : Specifies the number of Echo Request messages sent. The default is 4.
-l Size : Specifies the length, in bytes, of the Data field in the Echo Request messages sent. The default is
32. The maximum size is 65,527.
-f : Specifies that Echo Request messages are sent with the Don't Fragment flag in the IP header set to 1.
The Echo Request message cannot be fragmented by routers in the path to the destination. This
parameter is useful for troubleshooting path Maximum Transmission Unit (PMTU) problems.
-i TTL : Specifies the value of the TTL field in the IP header for Echo Request messages sent. The default
is the default TTL value for the host. For Windows XP hosts, this is typically 128. The maximum TTL is
255.
-v TOS : Specifies the value of the Type of Service (TOS) field in the IP header for Echo Request messages
sent. The default is 0. TOS is specified as a decimal value from 0 to 255.
-r Count : Specifies that the Record Route option in the IP header is used to record the path taken by the
Echo Request message and corresponding Echo Reply message. Each hop in the path uses an entry in
the Record Route option. If possible, specify a Count that is equal to or greater than the number of hops
between the source and destination. The Count must be a minimum of 1 and a maximum of 9.
-s Count : Specifies that the Internet Timestamp option in the IP header is used to record the time of
arrival for the Echo Request message and corresponding Echo Reply message for each hop. The Count
must be a minimum of 1 and a maximum of 4.
-j HostList: Specifies that the Echo Request messages use the Loose Source Route option in the IP
header with the set of intermediate destinations specified in HostList. With loose source routing,
successive intermediate destinations can be separated by one or multiple routers. The maximum
number of addresses or names in the host list is 9. The host list is a series of IP addresses (in dotted
decimal notation) separated by spaces.
-k HostList: Specifies that the Echo Request messages use the Strict Source Route option in the IP
header with the set of intermediate destinations specified in HostList. With strict source routing, the
next intermediate destination must be directly reachable (it must be a neighbor on an interface of the
router). The maximum number of addresses or names in the host list is 9. The host list is a series of IP
addresses (in dotted decimal notation) separated by spaces.
-w Timeout : Specifies the amount of time, in milliseconds, to wait for the Echo Reply message that
corresponds to a given Echo Request message to be received. If the Echo Reply message is not received
within the time-out, the "Request timed out" error message is displayed. The default time-out is 4000 (4
seconds).
TargetName : Specifies the destination, which is identified either by IP address or host name.
ICMP PACKET DETAILS
An IP header without options is 20 bytes. An ICMP ECHO_REQUEST packet contains an additional 8 bytes
worth of ICMP header followed by an arbitrary amount of data. When a packet size is given, this indicates
the size of this extra piece of data (the default is 56). Thus the amount of data received inside
of an IP packet of type ICMP ECHO_REPLY will always be 8 bytes more than the requested data space
(the ICMP header).
If the data space is at least of size of struct timeval ping uses the beginning bytes of this space to include
a timestamp which it uses in the computation of round trip times. If the data space is shorter, no round
trip times are given.
DUPLICATE AND DAMAGED PACKETS
ping will report duplicate and damaged packets. Duplicate packets should never occur, and seem to be
caused by inappropriate link-level retransmissions. Duplicates may occur in many situations and are
rarely (if ever) a good sign, although the presence of low levels of duplicates may not always be cause
for alarm. Damaged packets are obviously serious cause for alarm and often indicate broken hardware
somewhere in the ping packet's path (in the network or in the hosts).
TRYING DIFFERENT DATA PATTERNS
The (inter)network layer should never treat packets differently depending on the data contained in the
data portion. Unfortunately, data-dependent problems have been known to sneak into networks and
remain undetected for long periods of time. In many cases the particular pattern that will have problems
is something that doesn't have sufficient 'transitions', such as all ones or all zeros, or a pattern right at
the edge, such as almost all zeros. It isn't necessarily enough to specify a data pattern of all zeros (for
example) on the command line because the pattern that is of interest is at the data link level, and the
relationship between what you type and what the controllers transmit can be complicated. This means
that if you have a data-dependent problem you will probably have to do a lot of testing to find it. If you
are lucky, you may manage to find a file that either can't be sent across your network or that takes much
longer to transfer than other similar length files. You can then examine this file for repeated patterns
that you can test using the -p option of ping.
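The ICMP ECHO_REQUEST layout from the packet details above and the -p data pattern just described, as an added Python example that is not part of the page: it builds the 8-byte ICMP header plus data area with an RFC 1071 checksum, writes a timeval into the first data bytes only when the area is large enough, and checks that a reply carries exactly 8 bytes more than the requested data space. The 16-byte timeval size and the echoing host's behaviour are assumptions; nothing is sent on the network.

```python
import struct
import time

IP_HEADER_LEN = 20        # IP header without options
ICMP_HEADER_LEN = 8       # type, code, checksum, identifier, sequence
ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0
DEFAULT_DATA_LEN = 56     # ping's default data size
TIMEVAL_LEN = 16          # assumption: struct timeval as two 64-bit fields


def icmp_checksum(data):
    """One's-complement sum of 16-bit words (RFC 1071); odd length is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def fill_pattern(length, pattern=None):
    """Data area: repeat a -p style hex pattern, else a running byte count."""
    if pattern:
        pat = bytes.fromhex(pattern)
        return (pat * (length // len(pat) + 1))[:length]
    return bytes(i & 0xFF for i in range(length))


def build_echo_request(ident, seq, data_len=DEFAULT_DATA_LEN, pattern=None, now=None):
    """ICMP header + data. The timeval is written into the first data bytes only
    when the data area is at least TIMEVAL_LEN long, as the text describes."""
    data = bytearray(fill_pattern(data_len, pattern))
    if data_len >= TIMEVAL_LEN:
        t = time.time() if now is None else now
        sec = int(t)
        usec = int(round((t - sec) * 1_000_000))
        data[:TIMEVAL_LEN] = struct.pack("!QQ", sec, usec)
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = icmp_checksum(header + bytes(data))
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq)
    return header + bytes(data)


def make_echo_reply(request):
    """What the target host sends back: type 0 with the same id, seq and data."""
    _, _, _, ident, seq = struct.unpack("!BBHHH", request[:ICMP_HEADER_LEN])
    data = request[ICMP_HEADER_LEN:]
    header = struct.pack("!BBHHH", ICMP_ECHO_REPLY, 0, 0, ident, seq)
    csum = icmp_checksum(header + data)
    return struct.pack("!BBHHH", ICMP_ECHO_REPLY, 0, csum, ident, seq) + data


def on_wire_size(data_len=DEFAULT_DATA_LEN):
    """Total IP packet length for a given data size (20 + 8 + data)."""
    return IP_HEADER_LEN + ICMP_HEADER_LEN + data_len


def checksum_ok(packet):
    """Re-summing a packet that includes its checksum field must give zero."""
    return icmp_checksum(packet) == 0


def reply_matches(request, reply):
    """Reply must be type 0, carry the request's id/seq, verify, and be exactly
    8 bytes (the ICMP header) longer than the requested data space."""
    rtype, _, _, rid, rseq = struct.unpack("!BBHHH", reply[:ICMP_HEADER_LEN])
    _, _, _, qid, qseq = struct.unpack("!BBHHH", request[:ICMP_HEADER_LEN])
    return (rtype == ICMP_ECHO_REPLY and (rid, rseq) == (qid, qseq)
            and checksum_ok(reply) and len(reply) == len(request))


def round_trip_ms(reply, received_at):
    """RTT from the timeval echoed back in the data; None when the data area was
    too short to carry one (then ping prints no round-trip time)."""
    data = reply[ICMP_HEADER_LEN:]
    if len(data) < TIMEVAL_LEN:
        return None
    sec, usec = struct.unpack("!QQ", data[:TIMEVAL_LEN])
    return (received_at - (sec + usec / 1_000_000)) * 1000.0


if __name__ == "__main__":
    req = build_echo_request(ident=0x1234, seq=1)
    rep = make_echo_reply(req)
    print("IP packet bytes:", on_wire_size(), "reply ok:", reply_matches(req, rep))
    print("rtt ms:", round_trip_ms(rep, time.time()))
```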
TTL DETAILS
The TTL value of an IP packet represents the maximum number of IP routers that the packet can go
through before being thrown away. In current practice you can expect each router in the Internet to
decrement the TTL field by exactly one.
The TCP/IP specification states that the TTL field for TCP packets should be set to 60, but many systems
use smaller values (4.3 BSD uses 30, 4.2 used 15).
The maximum possible value of this field is 255, and most Unix systems set the TTL field of ICMP
ECHO_REQUEST packets to 255. This is why you will find you can 'ping' some hosts, but not reach them
with telnet(1) or ftp(1).
EXAMPLE:
netstat Command
DESCRIPTION
Displays active TCP connections, ports on which the computer is listening, Ethernet statistics, the IP
routing table, IPv4 statistics (for the IP, ICMP, TCP, and UDP protocols), and IPv6 statistics (for the IPv6,
ICMPv6, TCP over IPv6, and UDP over IPv6 protocols). Used without parameters, netstat displays active
TCP connections.
SYNTAX
netstat [-a] [-e] [-n] [-o] [-p Protocol] [-r] [-s] [Interval]
PARAMETERS
-a : Displays all active TCP connections and the TCP and UDP ports on which the computer is listening.
-e : Displays Ethernet statistics, such as the number of bytes and packets sent and received. This
parameter can be combined with -s.
-n : Displays active TCP connections; however, addresses and port numbers are expressed numerically
and no attempt is made to determine names.
-o : Displays active TCP connections and includes the process ID (PID) for each connection. You can find
the application based on the PID on the Processes tab in Windows Task Manager. This parameter can be
combined with -a, -n, and -p.
-p Protocol : Shows connections for the protocol specified by Protocol. In this case, the Protocol can be
tcp, udp, tcpv6, or udpv6. If this parameter is used with -s to display statistics by protocol, Protocol can
be tcp, udp, icmp, ip, tcpv6, udpv6, icmpv6, or ipv6.
-s : Displays statistics by protocol. By default, statistics are shown for the TCP, UDP, ICMP, and IP
protocols. If the IPv6 protocol for Windows XP is installed, statistics are shown for the TCP over IPv6,
UDP over IPv6, ICMPv6, and IPv6 protocols. The -p parameter can be used to specify a set of protocols.
-r : Displays the contents of the IP routing table. This is equivalent to the route print command.
Interval : Redisplays the selected information every Interval seconds. Press CTRL+C to stop the redisplay.
If this parameter is omitted, netstat prints the selected information only once.
Netstat provides statistics for the following:
Proto
The name of the protocol (TCP or UDP).
Local Address
The IP address of the local computer and the port number being used. The name of the local
computer that corresponds to the IP address and the name of the port is shown unless the -n
parameter is specified. If the port is not yet established, the port number is shown as an asterisk (*).
Foreign Address
The IP address and port number of the remote computer to which the socket is connected. The
names that correspond to the IP address and the port are shown unless the -n parameter is
specified. If the port is not yet established, the port number is shown as an asterisk (*).
(state)
Indicates the state of a TCP connection. The possible states are as follows:
CLOSE_WAIT
CLOSED
ESTABLISHED
FIN_WAIT_1
FIN_WAIT_2
LAST_ACK
LISTEN
SYN_RECEIVED
SYN_SEND
TIMED_WAIT
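Added example, not from the page: a parser for `netstat -ano` output (the Proto, Local Address, Foreign Address, State and PID columns described above) that lists what the host is listening on and flags any listener missing from an approved baseline, which is the routine check an administrator runs with this command. The sample output is constructed.

```python
from collections import Counter

# Constructed sample of `netstat -ano` output (not real captured data).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:49712     93.184.216.34:443      ESTABLISHED     4120
  TCP    192.168.1.10:49713     93.184.216.34:443      TIME_WAIT       0
  TCP    [::]:3389              [::]:0                 LISTENING       1052
  UDP    0.0.0.0:123            *:*                                    1208
  UDP    [::1]:1900             *:*                                    2876
"""

# The handout lists the state as LISTEN; Windows itself prints LISTENING.
LISTEN_STATES = {"LISTEN", "LISTENING"}


def split_endpoint(text):
    """'1.2.3.4:80' -> ('1.2.3.4', 80); '[::1]:1900' -> ('::1', 1900);
    '*:*' -> ('*', None), the form netstat uses for an unconnected UDP socket."""
    host, _, port = text.rpartition(":")
    if host.startswith("[") and host.endswith("]"):
        host = host[1:-1]
    return host, (None if port == "*" else int(port))


def parse_netstat(text):
    """Turn each TCP/UDP line into a dict; handles -an (no PID) and -ano output."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue                       # banner, column header, blank lines
        proto, local, foreign = parts[0], parts[1], parts[2]
        rest = parts[3:]
        if proto == "TCP":
            state = rest[0] if rest else None
            pid = int(rest[1]) if len(rest) > 1 else None
        else:
            state = None                   # UDP has no State column
            pid = int(rest[0]) if rest else None
        lhost, lport = split_endpoint(local)
        fhost, fport = split_endpoint(foreign)
        entries.append({"proto": proto, "local_host": lhost, "local_port": lport,
                        "foreign_host": fhost, "foreign_port": fport,
                        "state": state, "pid": pid})
    return entries


def listening_ports(entries):
    """(proto, port) pairs the host accepts traffic on: TCP listeners and all
    bound UDP sockets."""
    return {(e["proto"], e["local_port"]) for e in entries
            if e["proto"] == "UDP" or e["state"] in LISTEN_STATES}


def unexpected_listeners(entries, baseline):
    """Entries listening on a (proto, port) that is not in the approved baseline."""
    return [e for e in entries
            if (e["proto"], e["local_port"]) in listening_ports([e])
            and (e["proto"], e["local_port"]) not in baseline]


def state_summary(entries):
    """Count of TCP connection states, e.g. to spot a pile-up of SYN_RECEIVED."""
    return Counter(e["state"] for e in entries if e["proto"] == "TCP")


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    baseline = {("TCP", 135), ("TCP", 445), ("UDP", 123)}
    for e in unexpected_listeners(rows, baseline):
        print("unexpected listener: %s %s:%s pid=%s" %
              (e["proto"], e["local_host"], e["local_port"], e["pid"]))
    print(state_summary(rows))
```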
EXAMPLE
ipconfig Command
DESCRIPTION
Displays all current TCP/IP network configuration values and refreshes Dynamic Host Configuration
Protocol (DHCP) and Domain Name System (DNS) settings. Used without parameters, ipconfig displays
the IP address, subnet mask, and default gateway for all adapters.
SYNTAX
ipconfig [/all] [/renew [Adapter]] [/release [Adapter]] [/flushdns] [/displaydns] [/registerdns] [/showclassid Adapter] [/setclassid Adapter [ClassID]]
PARAMETERS
/all : Displays the full TCP/IP configuration for all adapters. Without this parameter, ipconfig displays
only the IP address, subnet mask, and default gateway values for each adapter. Adapters can represent
physical interfaces, such as installed network adapters, or logical interfaces, such as dial-up connections.
/renew [Adapter] : Renews DHCP configuration for all adapters (if an adapter is not specified) or for a
specific adapter if the Adapter parameter is included. This parameter is available only on computers
with adapters that are configured to obtain an IP address automatically. To specify an adapter name,
type the adapter name that appears when you use ipconfig without parameters.
/release [Adapter] : Sends a DHCPRELEASE message to the DHCP server to release the current DHCP
configuration and discard the IP address configuration for either all adapters (if an adapter is not
specified) or for a specific adapter if the Adapter parameter is included. This parameter disables TCP/IP
for adapters configured to obtain an IP address automatically. To specify an adapter name, type the
adapter name that appears when you use ipconfig without parameters.
/flushdns : Flushes and resets the contents of the DNS client resolver cache. During DNS
troubleshooting, you can use this procedure to discard negative cache entries from the cache, as well as
any other entries that have been added dynamically.
/displaydns : Displays the contents of the DNS client resolver cache, which includes both entries
preloaded from the local Hosts file and any recently obtained resource records for name queries
resolved by the computer. The DNS Client service uses this information to resolve frequently queried
names quickly, before querying its configured DNS servers.
/registerdns : Initiates manual dynamic registration for the DNS names and IP addresses that are
configured at a computer. You can use this parameter to troubleshoot a failed DNS name registration or
resolve a dynamic update problem between a client and the DNS server without rebooting the client
computer. The DNS settings in the advanced properties of the TCP/IP protocol determine which names
are registered in DNS.
/showclassid Adapter : Displays the DHCP class ID for a specified adapter. To see the DHCP class ID for
all adapters, use the asterisk (*) wildcard character in place of Adapter. This parameter is available only
on computers with adapters that are configured to obtain an IP address automatically.
/setclassid Adapter [ClassID] : Configures the DHCP class ID for a specified adapter. To set the DHCP
class ID for all adapters, use the asterisk (*) wildcard character in place of Adapter. This parameter is
available only on computers with adapters that are configured to obtain an IP address automatically. If a
DHCP class ID is not specified, the current class ID is removed.
EXAMPLE
tracert Command
DESCRIPTION
Determines the path taken to a destination by sending Internet Control Message Protocol (ICMP) Echo
Request messages to the destination with incrementally increasing Time to Live (TTL) field values. The
path displayed is the list of near-side router interfaces of the routers in the path between a source host
and a destination. The near-side interface is the interface of the router that is closest to the sending host
in the path. Used without parameters, tracert displays help.
SYNTAX
tracert [-d] [-h MaximumHops] [-j HostList] [-w Timeout] [TargetName]
PARAMETERS
-d : Prevents tracert from attempting to resolve the IP addresses of intermediate routers to their names.
This can speed up the display of tracert results.
-h MaximumHops : Specifies the maximum number of hops in the path to search for the target
(destination). The default is 30 hops.
-j HostList : Specifies that Echo Request messages use the Loose Source Route option in the IP header
with the set of intermediate destinations specified in HostList. With loose source routing, successive
intermediate destinations can be separated by one or multiple routers. The maximum number of
addresses or names in the host list is 9. The HostList is a series of IP addresses (in dotted decimal
notation) separated by spaces.
-w Timeout: Specifies the amount of time in milliseconds to wait for the ICMP Time Exceeded or Echo
Reply message corresponding to a given Echo Request message to be received. If not received within the
time-out, an asterisk (*) is displayed. The default time-out is 4000 (4 seconds).
TargetName : Specifies the destination, identified either by IP address or host name.
EXAMPLE
net user Command
DESCRIPTION
Adds or modifies user accounts or displays user account information.
SYNTAX
net user [UserName [Password | *] [options]] [/domain]
net user [UserName {Password | *} /add [options] [/domain]]
net user [UserName [/delete] [/domain]]
PARAMETERS
UserName : Specifies the name of the user account to add, delete, modify, or view. The name of the
user account can have as many as 20 characters.
Password: Assigns or changes a password for the user's account. Type an asterisk (*) to produce a
prompt for the password. The password is not displayed when you type it at the password prompt.
/domain : Performs the operation on the domain controller in the computer's primary domain.
options : Specifies a command-line option. The following table lists valid command-line options that you can use.
/active:{no | yes} : Enables or disables the user account. If the user account is not active, the user cannot
access resources on the computer. The default is yes (that is, active).
/comment:"text" : Provides a descriptive comment about the user's account. This comment can have as
many as 48 characters. Enclose the text in quotation marks.
/countrycode:nnn : Uses the operating system Country/Region codes to implement the specified language
files for a user's Help and error messages. A value of 0 signifies the default Country/Region code.
/expires:{{mm/dd/yyyy | dd/mm/yyyy | mmm,dd,yyyy} | never} : Causes the user account to expire if you
specify a date. Expiration dates can be in [mm/dd/yyyy], [dd/mm/yyyy], or [mmm,dd,yyyy] format, depending
on the Country/Region code. Note that the account expires at the beginning of the specified date. For the
month value, you can use numbers, spell it out, or use a three-letter abbreviation (that is, Jan, Feb, Mar,
Apr, May, Jun, Jul, Aug, Sep, Oct, Nov, Dec). You can use two or four numbers for the year value. Use
commas or slashes to separate parts of the date. Do not use spaces. If you omit yyyy, the next occurrence
of the date (that is, according to your computer's date and time) is assumed. For example, the following
entries are equivalent if entered between Jan. 10, 1994, and Jan. 8, 1995:
jan,9
1/9/95
january,9,1995
1/9
/fullname:"name" : Specifies a user's full name rather than a user name. Enclose the name in quotation
marks.
/homedir:Path : Sets the path for the user's home directory. The path must exist.
/passwordchg:{yes | no} : Specifies whether users can change their own password. The default is yes.
/passwordreq:{yes | no} : Specifies whether a user account must have a password. The default is yes.
/profilepath:[Path] : Sets a path for the user's logon profile. This path points to a registry profile.
/scriptpath:Path : Sets a path for the user's logon script. Path cannot be an absolute path. Path is relative
to %systemroot%\System32\Repl\Import\Scripts.
/times:{day[-day][,day[-day]],time[-time][,time[-time]][;] | all} : Specifies the times that users are
allowed to use the computer. Time is limited to 1-hour increments. For the day values, you can spell out
or use abbreviations (that is, M,T,W,Th,F,Sa,Su). You can use 12-hour or 24-hour notation for hours. If you
use 12-hour notation, use AM and PM, or A.M. and P.M. The value all means a user can always log on. A
null value (blank) means a user can never log on. Separate day and time with commas, and units of day
and time with semicolons (for example, M,4AM-5PM;T,1PM-3PM). Do not use spaces when designating
times.
/usercomment:"text" : Specifies that an administrator can add or change the "User comment" for the
account. Enclose the text in quotation marks.
/workstations:{ComputerName[,...] | *} : Lists as many as eight workstations from which a user can log
on to the network. Separate multiple entries in the list with commas. If /workstations has no list or if the
list is an asterisk (*), users can log on from any computer.
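Added example, not from the page: a parser for the /times: syntax above (day and time ranges separated by commas, units by semicolons, 12-hour or 24-hour notation, all, or blank) that expands a value into a 7x24 logon-hours grid, so an administrator can see exactly what a value permits before applying it. Accepting full day names alongside the abbreviations the page lists is an assumption.

```python
import re

# Day abbreviations in the handout's order (M,T,W,Th,F,Sa,Su); full names too.
DAY_NAMES = {"M": 0, "T": 1, "W": 2, "TH": 3, "F": 4, "SA": 5, "SU": 6,
             "MONDAY": 0, "TUESDAY": 1, "WEDNESDAY": 2, "THURSDAY": 3,
             "FRIDAY": 4, "SATURDAY": 5, "SUNDAY": 6}
TIME_RE = re.compile(r"^(\d{1,2})(?::(\d{2}))?(A\.?M\.?|P\.?M\.?)?$", re.I)


def parse_hour(tok):
    """'4AM' -> 4, '5P.M.' -> 17, '12AM' -> 0, '17:00' -> 17, '24' -> 24."""
    m = TIME_RE.match(tok.strip())
    if not m:
        raise ValueError("bad time %r" % tok)
    hour, minute, ampm = int(m.group(1)), m.group(2), m.group(3)
    if minute and minute != "00":
        raise ValueError("time is limited to 1-hour increments: %r" % tok)
    if ampm:
        if not 1 <= hour <= 12:
            raise ValueError("12-hour value out of range: %r" % tok)
        hour = hour % 12 + (12 if ampm.replace(".", "").upper() == "PM" else 0)
    elif not 0 <= hour <= 24:
        raise ValueError("24-hour value out of range: %r" % tok)
    return hour


def parse_day(tok):
    key = tok.strip().upper()
    if key not in DAY_NAMES:
        raise ValueError("bad day %r" % tok)
    return DAY_NAMES[key]


def expand_days(tok):
    """'M-F' -> [0,1,2,3,4]; ranges may wrap past Sunday ('Sa-M' -> [5,6,0])."""
    if "-" in tok:
        first, last = (parse_day(x) for x in tok.split("-", 1))
        return [(first + i) % 7 for i in range((last - first) % 7 + 1)]
    return [parse_day(tok)]


def expand_hours(tok):
    """'4AM-5PM' -> hours 4..16; a lone time means that single hour."""
    if "-" in tok:
        start, end = (parse_hour(x) for x in tok.split("-", 1))
        if end == 0:
            end = 24                       # '...-12AM' runs to midnight
        if not start < end:
            raise ValueError("empty time range %r" % tok)
        return range(start, end)
    hour = parse_hour(tok)
    if hour > 23:
        raise ValueError("lone hour out of range %r" % tok)
    return range(hour, hour + 1)


def parse_times(spec):
    """Return a 7x24 grid of booleans (grid[day][hour]) for a /times: value."""
    spec = spec.strip()
    if spec.lower() == "all":
        return [[True] * 24 for _ in range(7)]
    grid = [[False] * 24 for _ in range(7)]
    if not spec:                           # blank: the user can never log on
        return grid
    if " " in spec:
        raise ValueError("spaces are not allowed in /times")
    for unit in filter(None, spec.split(";")):
        days, hours = [], []
        for tok in unit.split(","):        # day tokens, then time ranges
            if any(ch.isdigit() for ch in tok):
                hours.extend(expand_hours(tok))
            else:
                days.extend(expand_days(tok))
        if not days or not hours:
            raise ValueError("unit needs days and times: %r" % unit)
        for d in days:
            for h in hours:
                grid[d][h] = True
    return grid


def allowed_hours(grid):
    """Total hours per week the account may log on."""
    return sum(sum(row) for row in grid)


def is_allowed(grid, day, hour):
    return grid[day][hour]


def describe(grid):
    """Per-day summary of contiguous runs, e.g. {'M': '04-17', 'T': '13-15'}."""
    names = ["M", "T", "W", "Th", "F", "Sa", "Su"]
    out = {}
    for d, row in enumerate(grid):
        runs, start = [], None
        for h in range(25):
            on = h < 24 and row[h]
            if on and start is None:
                start = h
            if not on and start is not None:
                runs.append("%02d-%02d" % (start, h))
                start = None
        if runs:
            out[names[d]] = ",".join(runs)
    return out
```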
EXAMPLE
net statistics Command
DESCRIPTION
Displays the statistics log for the local Workstation or Server service, or the running services for
which statistics are available. Used without parameters, net statistics lists the running services
for which statistics are available.
SYNTAX
net statistics [{workstation | server}]
PARAMETERS
workstation : Displays statistics for the local Workstation service.
server : Displays statistics for the local Server service.
EXAMPLE
net start command
DESCRIPTION
Starts a service. Used without parameters, net start displays a list of services that are currently
operating.
SYNTAX
net start [service]
PARAMETERS
service : Starts the specified service. The following table lists values for service.
alerter : Starts the Alerter service. Start the Alerter service to send alert messages to specified users that
are connected to the server. Alert messages warn users about security, access, and user session problems.
Use Server Manager (that is, systemroot\System32\Srvmgr.exe) to specify the administrators who you want
to receive administrative alerts. Server Manager is available on Windows 2000 Server computers only.
Alert messages are sent as messages from the server to a user's computer. The Messenger service must be
running on the user's computer for the user to receive alert messages.
browser : Starts the Computer Browser service. The Computer Browser service maintains an up-to-date list
of computers on your network and supplies the list to programs that request it.
"client service for netware" : Starts the Client Service for NetWare service. This command is available only
if you have installed Client Service for NetWare.
clipbook : Starts the ClipBook service. ClipBook permits you to cut and paste text and graphics over the
network. The ClipBook service supports ClipBook Viewer, which allows pages to be seen by remote
ClipBooks.
eventlog : Starts the Event Log service. The Event Log service logs event messages issued by programs and
Windows XP. Event Log reports contain information that can be useful in diagnosing problems. Reports are
viewed in Event Viewer. The Event Log service must be started prior to using Event Viewer to view the
logged events.
EXAMPLE
net accounts command
DESCRIPTION
Updates the user accounts database and modifies password and logon requirements for all accounts.
SYNTAX
net accounts [/forcelogoff:{minutes | no}] [/minpwlen:length] [/maxpwage:{days | unlimited}]
[/minpwage:days] [/uniquepw:number] [/domain]
PARAMETERS
/forcelogoff:{minutes | no} : Sets the number of minutes to wait before ending a user's session with a
server when the user account or valid logon time expires. The default value, no, prevents users from
being forced to log off.
/minpwlen:length : Sets the minimum number of characters for a user account password. The range is
from 0 through 127 characters and the default is six characters.
/maxpwage:{days | unlimited} : Sets the maximum number of days that a user account's password is
valid. The unlimited value sets no maximum time. The /maxpwage command-line option must be
greater than /minpwage. The range is from 1 through 49,710 days (that is, unlimited equals 49,710
days), and the default value is 90 days.
/minpwage:days : Sets the minimum number of days before a user can change a new password. The
default value is zero days, which sets no minimum time. The range is from 0 through 49,710 days.
/uniquepw:number : Requires a user to not repeat the same password for the specified number of
password changes. The range is from 0 through 24 password changes, and the default is five password
changes.
/domain : Performs the operation on the primary domain controller of the current domain. Otherwise,
the operation is performed on the local computer.
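The switches above set a policy that a defender should also be able to read back and check. As an added example (not part of these notes), the following Python parses the text that `net accounts` prints, maps each line to the corresponding switch, and compares the values with a baseline supplied by the caller. The sample output is constructed in the format the command prints, and the baseline numbers used in the test are assumptions chosen for illustration, not values from the notes.

```python
"""Audit the password policy that `net accounts` reports.  Added example, not
from the original notes; the sample output is constructed and the baseline
passed to audit() is an assumption chosen for illustration."""

# Constructed sample of `net accounts` output on a standalone workstation.
SAMPLE_NET_ACCOUNTS = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          42
Minimum password length:                              0
Length of password history maintained:                None
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        WORKSTATION
The command completed successfully.
"""

# Output label -> the net accounts switch that sets it.
LABEL_TO_SWITCH = {
    "Force user logoff how long after time expires?": "forcelogoff",
    "Minimum password age (days)": "minpwage",
    "Maximum password age (days)": "maxpwage",
    "Minimum password length": "minpwlen",
    "Length of password history maintained": "uniquepw",
}

def parse_net_accounts(text):
    """Return {switch: value}.  'Never' becomes 'no' (the /forcelogoff spelling),
    'None' becomes 0, 'Unlimited' stays a string, everything else is an int."""
    policy = {}
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        label = label.strip()
        if not sep or label not in LABEL_TO_SWITCH:
            continue                      # lines the notes do not cover
        switch = LABEL_TO_SWITCH[label]
        lowered = value.strip().lower()
        if lowered == "never":
            policy[switch] = "no"
        elif lowered == "none":
            policy[switch] = 0
        elif lowered == "unlimited":
            policy[switch] = "unlimited"
        else:
            policy[switch] = int(lowered)
    return policy

def audit(policy, baseline):
    """Compare a parsed policy with {switch: limit}; return a list of findings
    (empty when every checked setting meets the baseline)."""
    findings = []
    for switch, limit in baseline.items():
        actual = policy.get(switch)
        if actual is None:
            findings.append(f"{switch}: not reported")
        elif switch == "maxpwage":
            # a longer (or unlimited) maximum age is the weaker setting
            if actual == "unlimited" or actual > limit:
                findings.append(f"maxpwage: {actual} exceeds {limit} days")
        elif isinstance(actual, int) and actual < limit:
            findings.append(f"{switch}: {actual} is below {limit}")
    return findings

def remediation_command(baseline):
    """Build the net accounts line that would apply the baseline."""
    return "net accounts " + " ".join(f"/{k}:{v}" for k, v in baseline.items())

if __name__ == "__main__":
    policy = parse_net_accounts(SAMPLE_NET_ACCOUNTS)
    baseline = {"minpwlen": 8, "maxpwage": 90, "uniquepw": 5, "minpwage": 1}
    for finding in audit(policy, baseline):
        print(finding)
    print(remediation_command(baseline))
```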
net help command: Displays help for the specified net command.
net stop command
DESCRIPTION
Stops a running service.
SYNTAX
net stop service
PARAMETERS
service : Stops the specified service. The following table shows some values for service.
Value / Description / Remarks

alerter
Description: Stops the Alerter service.
Remarks: Stop the Alerter service that sends alert messages to specified users that are connected to the
server computer. Alert messages warn users about security, access, and user session problems.
Use Server Manager (that is, systemroot\System32\Srvmgr.exe) to specify the administrators who you
want to receive administrative alerts. Server Manager is available on Windows 2000 Server computers only.
Alert messages are sent as messages from the server to a user's computer. The Messenger service must
be running on the user's computer for the user to receive alert messages.

browser
Description: Stops the Computer Browser service.
Remarks: The Computer Browser service maintains an up-to-date list of computers on your network and
supplies the list to programs that request it.

"client service for netware"
Description: Stops the Client Service for NetWare service.
Remarks: This command is available only if you have installed Client Service for NetWare.

clipbook
Description: Stops the ClipBook service.
Remarks: ClipBook permits you to cut and paste text and graphics over the network. The ClipBook service
supports ClipBook Viewer, which allows pages to be seen by remote ClipBooks.

dhcp client
Description: You cannot stop or pause the DHCP Client service.
Remarks: The DHCP Client service manages network configuration by registering and updating IP
addresses and DNS names. The DHCP Client service supports obtaining an IP address from the DHCP
service.
EXAMPLE
sc Command
Service Control - Create, Start, Stop, Query or Delete any Windows SERVICE. The command options for
SC are case sensitive.
Syntax
SC [\\server] [command] [service_name] [Options]
Key
server: The machine where the service is running
Commands
query [qryOpt] Show status
queryEx [qryOpt] Show extended info - pid, flags
GetDisplayName Show the DisplayName
GetKeyName Show the ServiceKeyName
EnumDepend Show Dependencies
qc Show config - dependencies, full path etc
start START a service.
stop STOP a service
pause PAUSE a service.
continue CONTINUE a service.
create Create a service. (add it to the registry)
config permanently change the service configuration
delete Delete a service (from the registry)
control Send a control to a service
interrogate Send an INTERROGATE control request to a service
Qdescription Query the description of a service
description Change the description of a service
Qfailure Query the actions taken by a service upon failure
failure Change the actions taken by a service upon failure
sdShow Display a service's security descriptor using SDDL
SdSet Sets a service's security descriptor using SDDL
sc config
This command has a number of functions but one is to determine the status of a service at
system startup. A service can be set to run automatically, manually or not at all. The command is
sc config ServiceName start= flag
Here ServiceName is the name of the service and flag has one of the values auto, demand, or
disabled. For example, to set a service to run manually the command is
sc config ServiceName start= demand
Note that there must be a space after the equals sign. The correct value for the parameter
ServiceName may not always be obvious and the next command can be used to find it for all
services.
sc query
Information about services and drivers can be obtained with this command. Used alone it
returns a list of running services with various information about each service. Lists can be
inconvenient to read on a screen and they can be redirected to a text file. To create a text list of
running services use the command
sc query > serviceslist.txt
The path for the text file serviceslist.txt can be anywhere that is convenient. To create a list of all
services, use
sc query type= service state= all > allserviceslist.txt
To create a list of active drivers, use
sc query type= driver
Or for a list of everything, use
sc query state= all
sc start
To start up a service that is not running, use sc start ServiceName
sc stop
To stop a running service, use sc stop ServiceName. However, some services cannot or should
not be stopped.
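The notes point out that the ServiceName `sc config`, `sc start` and `sc stop` need is not always obvious and that `sc query` is the way to find it. As an added example (not from the notes), the Python below parses the block format that `sc query state= all` prints, looks a ServiceName up from its DisplayName, lists the running services, and builds the `sc config` line with the mandatory space after `start=`. The sample output is constructed in the format sc prints; the function names are my own.

```python
"""Find the ServiceName that sc config / sc start / sc stop expect by parsing
the output of `sc query state= all`.  Added example; the sample output below
is constructed in the format sc prints and is not from the original notes."""
import re

# Constructed sample of `sc query state= all` output (two services).
SAMPLE_SC_OUTPUT = """\
SERVICE_NAME: Spooler
DISPLAY_NAME: Print Spooler
        TYPE               : 110  WIN32_OWN_PROCESS  (interactive)
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

SERVICE_NAME: RemoteRegistry
DISPLAY_NAME: Remote Registry
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 1077  (0x435)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
"""

FIELD_RE = re.compile(r"^\s*([A-Z][A-Z0-9_]*)\s*:\s*(.*)$")
START_FLAGS = ("auto", "demand", "disabled")   # values the notes list for start=

def parse_sc_query(text):
    """Return one dict per SERVICE_NAME block: name, display_name, type, state."""
    services, current = [], None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue          # blank lines and the "(STOPPABLE, ...)" flag line
        key, value = m.group(1), m.group(2).strip()
        if key == "SERVICE_NAME":
            current = {"name": value}
            services.append(current)
        elif current is None:
            continue
        elif key == "DISPLAY_NAME":
            current["display_name"] = value
        elif key == "TYPE":
            current["type"] = value
        elif key == "STATE":
            code, _, state = value.partition(" ")   # "4  RUNNING" -> 4, "RUNNING"
            current["state_code"] = int(code)
            current["state"] = state.strip()
    return services

def service_name_for(display_name, services):
    """Map a display name (case-insensitive) to the ServiceName sc expects."""
    wanted = display_name.lower()
    for svc in services:
        if svc.get("display_name", "").lower() == wanted:
            return svc["name"]
    return None

def running(services):
    """Names of services currently in the RUNNING state."""
    return [s["name"] for s in services if s.get("state") == "RUNNING"]

def config_command(service_name, start):
    """Build the sc config line; note the mandatory space after 'start='."""
    if start not in START_FLAGS:
        raise ValueError(f"start must be one of {START_FLAGS}")
    return f"sc config {service_name} start= {start}"

if __name__ == "__main__":
    svcs = parse_sc_query(SAMPLE_SC_OUTPUT)
    print(service_name_for("Remote Registry", svcs))   # RemoteRegistry
    print(running(svcs))                                 # ['Spooler']
    print(config_command("RemoteRegistry", "disabled"))
```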
DNS
Domain Name System
The Domain Name System (DNS) is a hierarchical naming system built on a distributed database for
computers, services, or any resource connected to the Internet or a private network. It associates
various information with domain names assigned to each of the participating entities. Most importantly,
it translates domain names meaningful to humans into the numerical identifiers associated with
networking equipment for the purpose of locating and addressing these devices worldwide.
The Domain Name System distributes the responsibility of assigning domain names and mapping those
names to IP addresses by designating authoritative name servers for each domain. Authoritative name
servers are assigned to be responsible for their particular domains, and in turn can assign other
authoritative name servers for their sub-domains. This mechanism has made the DNS distributed and
fault tolerant and has helped avoid the need for a single central register to be continually consulted and
updated.
Application Layer: BGP, DHCP, DNS, FTP, HTTP, IMAP, IRC, LDAP, MGCP, NNTP, NTP, POP, RIP, RPC, RTP, SIP,
SMTP, SNMP, SSH, Telnet, TLS/SSL, XMPP
Transport Layer: TCP, UDP, DCCP, SCTP, RSVP, ECN
Internet Layer: IP, ICMP, ICMPv6, IGMP, IPsec
Link Layer: ARP/InARP, NDP, OSPF, Tunnels (L2TP), PPP, Media Access Control (Ethernet, DSL, ISDN, FDDI)
Domain name space
The domain name space consists of a tree of domain names. Each node or leaf in the tree has zero or
more resource records, which hold information associated with the domain name. The tree sub-divides
into zones beginning at the root zone.
Administrative responsibility over any zone may be divided by creating additional zones. Authority is
said to be delegated for a portion of the old space, usually in form of sub-domains, to another
nameserver and administrative entity. The old zone ceases to be authoritative for the new zone.
Address resolution mechanism
Domain name resolvers determine the appropriate domain name servers responsible for the domain
name in question by a sequence of queries starting with the right-most (top-level) domain label. A DNS
recursor consults three nameservers to resolve the address www.wikipedia.org.
The process entails:
- A network host is configured with an initial cache (so called hints) of the known addresses of the root
nameservers. Such a hint file is updated periodically by an administrator from a reliable source.
- A query to one of the root servers to find the server authoritative for the top-level domain.
- A query to the obtained TLD server for the address of a DNS server authoritative for the second-level
domain.
- Repetition of the previous step to process each domain name label in sequence, until the final step,
which returns the IP address of the host sought.
The mechanism in this simple form would place a large operating burden on the root servers, with every
search for an address starting by querying one of them. Being as critical as they are to the overall
function of the system, such heavy use would create an insurmountable bottleneck for trillions of
queries placed every day. In practice caching is used in DNS servers to overcome this problem, and as a
result, root nameservers actually are involved with very little of the total traffic.
Reverse lookup
A reverse lookup is a query of the DNS for domain names when the IP address is known. Multiple
domain names may be associated with an IP address. The DNS stores IP addresses in the form of domain
names as specially formatted names in pointer (PTR) records within the infrastructure top-level
domain arpa. For IPv4, the domain is in-addr.arpa. For IPv6, the reverse lookup domain is ip6.arpa. The
IP address is represented as a name in reverse-ordered octet representation for IPv4, and reverse-
ordered nibble representation for IPv6.
When performing a reverse lookup, the DNS client converts the address into these formats, and then
queries the name for a PTR record following the delegation chain as for any DNS query. For example, the
IPv4 address 208.80.152.2 is represented as a DNS name as 2.152.80.208.in-addr.arpa. The DNS resolver
begins by querying the root servers, which point to ARIN's servers for the 208.in-addr.arpa zone. From
there the Wikimedia servers are assigned for 152.80.208.in-addr.arpa, and the PTR lookup completes by
querying the Wikimedia nameserver for 2.152.80.208.in-addr.arpa, which results in an authoritative
response.
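The conversion described above, as an added example that is not part of the notes: Python functions that build the in-addr.arpa / ip6.arpa name for an address, convert such a name back into an address (rejecting malformed names, which matters when PTR owner names come from untrusted logs), and list the zones a resolver walks from the root down. It generalises the IPv4 case in the text to IPv6 nibble reversal; only the standard library is used.

```python
"""Build and parse reverse-lookup (PTR) names for IPv4 and IPv6.  Added
example, not from the original notes; uses only the standard library."""
import ipaddress

def reverse_name(address):
    """Return the in-addr.arpa / ip6.arpa name the resolver queries for a PTR."""
    ip = ipaddress.ip_address(address)
    if ip.version == 4:
        octets = str(ip).split(".")
        return ".".join(reversed(octets)) + ".in-addr.arpa"
    # IPv6: expand to all 32 hex digits, then reverse nibble by nibble
    nibbles = ip.exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa"

def address_from_reverse_name(name):
    """Inverse of reverse_name.  Names with the wrong number of labels are
    rejected so a truncated or forged PTR owner name cannot pass as an address."""
    labels = name.rstrip(".").lower().split(".")
    if labels[-2:] == ["in-addr", "arpa"]:
        octets = labels[:-2][::-1]
        if len(octets) != 4:
            raise ValueError("IPv4 reverse name needs exactly four octets")
        return str(ipaddress.IPv4Address(".".join(octets)))
    if labels[-2:] == ["ip6", "arpa"]:
        nibbles = labels[:-2][::-1]
        if len(nibbles) != 32 or any(len(n) != 1 for n in nibbles):
            raise ValueError("IPv6 reverse name needs exactly 32 single-digit labels")
        hexdigits = "".join(nibbles)
        groups = [hexdigits[i:i + 4] for i in range(0, 32, 4)]
        return str(ipaddress.IPv6Address(":".join(groups)))
    raise ValueError("not a reverse-lookup name")

def delegation_chain(name):
    """Names from the root down, e.g. arpa, in-addr.arpa, 208.in-addr.arpa, ...
    Not every level is a zone cut; the text's example delegates at 208 and 152.80.208."""
    labels = name.rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1, -1, -1)]

if __name__ == "__main__":
    print(reverse_name("208.80.152.2"))             # 2.152.80.208.in-addr.arpa
    print(reverse_name("2001:db8::1"))
    print(delegation_chain("2.152.80.208.in-addr.arpa"))
```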
Protocol details
DNS primarily uses User Datagram Protocol (UDP) on port number 53 to serve requests. DNS queries
consist of a single UDP request from the client followed by a single UDP reply from the server. The
Transmission Control Protocol (TCP) is used when the response data size exceeds 512 bytes, or for tasks
such as zone transfers. Some operating systems, such as HP-UX, are known to have resolver
implementations that use TCP for all queries, even when UDP would suffice.
NAME is the fully qualified domain name of the node in the tree. On the wire, the name may be
shortened using label compression where ends of domain names mentioned earlier in the packet can be
substituted for the end of the current domain name.
TYPE is the record type. It indicates the format of the data and it gives a hint of its intended use. For
example, the A record is used to translate from a domain name to an IPv4 address, the NS record lists
which name servers can answer lookups on a DNS zone, and the MX record specifies the mail server
used to handle mail for a domain specified in an e-mail address (see also List of DNS record types).
RDATA is data of type-specific relevance, such as the IP address for address records, or the priority and
hostname for MX records. Well known record types may use label compression in the RDATA field, but
"unknown" record types must not (RFC 3597).
The CLASS of a record is set to IN (for Internet) for common DNS records involving Internet hostnames,
servers, or IP addresses. In addition, the classes Chaos (CH) and Hesiod (HS) exist. Each class is an
independent name space with potentially different delegations of DNS zones.
In addition to resource records defined in a zone file, the domain name system also defines several
request types that are used only in communication with other DNS nodes (on the wire), such as when
performing zone transfers (AXFR/IXFR) or for EDNS (OPT).
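The NAME, TYPE, CLASS and RDATA fields and the label-compression rule above, as an added example that is not from the notes: a small Python decoder for a DNS response whose names use compression pointers, including RDATA compression in a well-known type (NS). It also shows the check a parser needs so that a crafted message with a pointer loop cannot hang it. The response bytes are constructed here, not captured from the network.

```python
"""Decode a DNS message whose names use label compression (RFC 1035 pointers),
with guards against pointer loops and forward pointers.  Added example, not
from the original notes; the response below is constructed, not captured."""
import struct

A, NS, CNAME, PTR = 1, 2, 5, 12     # record TYPE codes used below

def encode_name(name):
    """Encode a name as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def decode_name(msg, offset, max_hops=16):
    """Return (name, offset after the name).  A 0xC0xx pointer continues the
    name at another offset; parsing resumes after the first pointer seen."""
    labels, hops, resume = [], 0, None
    while True:
        if offset >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if offset + 1 >= len(msg):
                raise ValueError("truncated pointer")
            target = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if resume is None:
                resume = offset + 2
            if target >= offset:                       # pointers must point backwards
                raise ValueError("forward compression pointer")
            hops += 1                                  # labels followed by a pointer back
            if hops > max_hops:                        # can still loop, so bound the hops
                raise ValueError("compression pointer loop")
            offset = target
            continue
        if length & 0xC0:
            raise ValueError("unsupported label type")
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (resume if resume is not None else offset)

def parse_message(msg):
    """Parse the header, question section and answer section."""
    ident, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        name, offset = decode_name(msg, offset)
        qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name, qtype, qclass))
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata, rdata_at = msg[offset:offset + rdlen], offset
        offset += rdlen
        if rtype == A and rdlen == 4:
            value = ".".join(str(b) for b in rdata)
        elif rtype in (NS, CNAME, PTR):                # well-known types may compress RDATA
            value, _ = decode_name(msg, rdata_at)
        else:                                          # unknown types: raw bytes only
            value = rdata.hex()
        answers.append((name, rtype, rclass, ttl, value))
    return {"id": ident, "flags": flags, "questions": questions, "answers": answers}

def build_sample_response():
    """Constructed reply: an A record for www.wikipedia.org plus an NS record whose
    owner name and RDATA both point back into the question name (offset 16)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)
    question = encode_name("www.wikipedia.org") + struct.pack("!HH", A, 1)
    a_rr = b"\xC0\x0C" + struct.pack("!HHIH", A, 1, 300, 4) + bytes([208, 80, 152, 2])
    ns_rdata = b"\x03ns0" + b"\xC0\x10"                 # "ns0" + pointer to "wikipedia.org"
    ns_rr = b"\xC0\x10" + struct.pack("!HHIH", NS, 1, 3600, len(ns_rdata)) + ns_rdata
    return header + question + a_rr + ns_rr

def looping_name_message():
    """Constructed malformed message: the name at offset 12 is 'abc' followed by
    a pointer back to offset 12, so a decoder without a hop limit never stops."""
    return b"\x00" * 12 + b"\x03abc\xC0\x0C"

if __name__ == "__main__":
    print(parse_message(build_sample_response()))
```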
IIS
Internet Information Services
Internet Information Services (IIS) formerly called Internet Information Server is a web server
application and set of feature extension modules created by Microsoft for use with Microsoft Windows.
It is the second most used web server behind Apache HTTP Server.
IIS is not turned on by default when Windows is installed, but it can be selected from the list of optional
features. It is available in all editions of Windows Vista and Windows 7, including Home Basic, but some
features are not supported on client versions of Windows.
Features
IIS 7 is built on a modular architecture. Modules, also called extensions, can be added or removed
individually so that only modules required for specific functionality have to be installed. IIS 7 includes
native modules as part of the full installation. These modules are individual features that the server uses
to process requests and include the following:
HTTP modules Used to perform tasks specific to HTTP in the request-processing pipeline, such as
responding to information and inquiries sent in client headers, returning HTTP errors, and redirecting
requests.
Security modules Used to perform tasks related to security in the request-processing pipeline, such as
specifying authentication schemes, performing URL authorization, and filtering requests.
Content modules Used to perform tasks related to content in the request-processing pipeline, such as
processing requests for static files, returning a default page when a client does not specify a resource in
a request, and listing the contents of a directory.
Compression modules Used to perform tasks related to compression in the request-processing
pipeline, such as compressing responses, applying Gzip compression transfer coding to responses, and
performing pre-compression of static content.
Caching modules Used to perform tasks related to caching in the request-processing pipeline, such as
storing processed information in memory on the server and using cached content in subsequent
requests for the same resource.
Logging and Diagnostics modules Used to perform tasks related to logging and diagnostics in the
request-processing pipeline, such as passing information and processing status to HTTP.sys for logging,
reporting events, and tracking requests currently executing in worker processes.
Performance Monitor
Using Performance Monitor
Performance Monitor is a simple yet powerful visualization tool for viewing performance data, both in
real time and from log files. With it, you can examine performance data in a graph, histogram, or report.
Membership in the local Performance Log Users group, or equivalent, is the minimum required to
complete this procedure.
To Open Performance Monitor
1. Click Start, then click Control Panel, then choose Administrative Tools.
2. Click Performance Monitor; a new window appears.
3. Click another view; a new window appears.
4. The administrator can now monitor the performance of the system.
Performance Logs and Alerts overview
With Performance Logs and Alerts you can collect performance data automatically from local or remote
computers. You can view logged counter data using System Monitor or export the data to spreadsheet
programs or databases for analysis and report generation. Performance Logs and Alerts offers the
following capabilities:
- Performance Logs and Alerts collects data in a comma-separated or tab-separated format for easy
import to spreadsheet programs. A binary log-file format is also provided for circular
logging or for logging instances such as threads or processes that might begin after the log starts
collecting data. (Circular logging is the process of continuously logging data to a single file,
overwriting previous data with new data.)
- You can also collect data in an SQL database format. This option defines the name of an existing
SQL database and log set within the database where the performance data will be read or
written. This file format is useful when collecting and analysing performance data at an
enterprise level rather than on a per-server basis.
Event Viewer
Definition:
In Windows XP, an event is any significant occurrence in the system or in a program that requires users
to be notified, or an entry added to a log. The Event Log Service records application, security, and
system events in Event Viewer. With the event logs in Event Viewer, you can obtain information about
your hardware, software, and system components, and monitor security events on a local or remote
computer. Event logs can help you identify and diagnose the source of current system problems, or help
you predict potential system problems.
Event Log Types
A Windows XP-based computer records events in the following three logs:
- Application log: the application log contains events logged by programs. For example, a
database program may record a file error in the application log.
- Security log: the security log records events such as valid and invalid logon attempts, as well as
events related to resource use, such as the creating, opening, or deleting of files.
- System log: the system log contains events logged by Windows XP system components.
Steps to View Event Logs
To open Event Viewer, follow these steps:
1. Click Start, and then click Control Panel. Click Performance and Maintenance, then click
Administrative Tools, and then double-click Computer Management. Or, open the MMC
containing the Event Viewer snap-in.
2. In the console tree, click Event Viewer. The Application, Security, and System logs are displayed in
the Event Viewer window.
3. In the details pane, double-click the event that you want to view. The Event Properties dialog box
containing header information and a description of the event is displayed.
To copy the details of the event, click the Copy button, then open a new document in the
program in which you want to paste the event (for example, Microsoft Word), and then click
Paste on the Edit menu.
To view the description of the previous or next event, click the UP ARROW or DOWN ARROW.
Event Header
The event header contains the following information about the event:
- Date: The date the event occurred.
- Time: The time the event occurred.
- User: The user name of the user that was logged on when the event occurred.
- Computer: The name of the computer where the event occurred.
- Event ID: An event number that identifies the event type. The Event ID can be used by product
support representatives to help understand what occurred in the system.
- Source: The source of the event. This can be the name of a program, a system component, or an
individual component of a large program.
- Type: The type of event. This can be one of the following five types: Error, Warning,
Information, Success Audit, or Failure Audit.
- Category: A classification of the event by the event source. This is primarily used in the security
log.
Event Types
The description of each event that is logged depends on the type of event. Each event in a log can be
classified into one of the following types:
- Information: An event that describes the successful operation of a task, such as an application,
driver, or service. For example, an Information event is logged when a network driver loads
successfully.
- Warning: An event that is not necessarily significant, however, may indicate the possible
occurrence of a future problem. For example, a Warning message is logged when disk space
starts to run low.
- Error: An event that describes a significant problem, such as the failure of a critical task. Error
events may involve data loss or loss of functionality. For example, an Error event is logged if a
service fails to load during startup.
- Success Audit (Security log): An event that describes the successful completion of an audited
security event. For example, a Success Audit event is logged when a user logs on to the computer.
- Failure Audit (Security log): An event that describes an audited security event that did not
complete successfully. For example, a Failure Audit may be logged when a user cannot access a
network drive.
DHCP
The Dynamic Host Configuration Protocol (DHCP) is a computer networking protocol used by hosts
(DHCP clients) to retrieve IP address assignments and other configuration information.
DHCP uses a client-server architecture. The client sends a broadcast request for
configuration information. The DHCP server receives the request and responds with configuration
information from its configuration database. In the absence of DHCP, all hosts on a network must be
manually configured individually - a time-consuming and often error-prone undertaking. DHCP is
popular with ISPs because it allows a host to obtain a temporary IP address.
Technical Overview
When a DHCP-configured client connects to a network, the DHCP client sends a
broadcast query requesting necessary information from a DHCP server. The DHCP server manages a pool
of IP addresses and information about client configuration parameters such as default gateway, domain
name, the name servers, other servers such as time servers, and so forth. On receiving a valid request,
the server assigns the computer an IP address, a lease (length of time the allocation is valid), and other
IP configuration parameters, such as the subnet mask and the default gateway. The query is typically
initiated immediately after booting, and must complete before the client can initiate IP-based
communication with other hosts.
Depending on implementation, the DHCP server may have three methods of allocating IP-addresses:
- dynamic allocation: A network administrator assigns a range of IP addresses to DHCP, and each
client computer on the LAN has its IP software configured to request an IP address from the
DHCP during network initialization. The request-and-grant process uses a lease concept with a
controllable time period, allowing the DHCP server to reclaim (and then reallocate) IP addresses
that are not renewed (dynamic re-use of IP addresses).
- automatic allocation: The DHCP server permanently assigns a free IP address to a requesting
client from the range defined by the administrator. This is like dynamic allocation, but the DHCP
server keeps a table of past IP address assignments, so that it can preferentially assign to a client
the same IP address that the client previously had.
- static allocation: The DHCP server allocates an IP address based on a table with MAC address/IP
address pairs, which are manually filled in (perhaps by a network administrator). Only
requesting clients with a MAC address listed in this table will be allocated an IP address.
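The three allocation methods and the lease mechanism above, as an added example that is not from the notes: a small Python model of a server's address pool in which unrenewed leases are reclaimed (dynamic), a returning client is offered the address it held before (automatic), and a MAC/IP table is consulted first (static). The class, its method names and the sample addresses are hypothetical.

```python
"""Toy model of a DHCP server's address pool showing the three allocation
methods.  Added example, not from the original notes; the class, its method
names and the sample addresses are hypothetical."""

class DhcpPool:
    def __init__(self, dynamic_range, lease_seconds, static=None, static_only=False):
        self.free = list(dynamic_range)      # addresses available for dynamic/automatic use
        self.lease_seconds = lease_seconds
        self.static = dict(static or {})     # MAC -> fixed address (kept outside the range)
        self.static_only = static_only       # True: serve only MACs in the static table
        self.leases = {}                     # MAC -> (address, expiry time)
        self.history = {}                    # MAC -> address last held (automatic allocation)

    def request(self, mac, now):
        """Handle a client request at time `now`; return the address or None."""
        self.reclaim_expired(now)
        if mac in self.static:               # static allocation from the MAC/IP table
            return self.static[mac]
        if self.static_only:
            return None                      # unknown MAC gets nothing in static-only mode
        if mac in self.leases:               # renewal: keep the current address
            address = self.leases[mac][0]
        else:
            address = self.pick(mac)
            if address is None:
                return None                  # pool exhausted
        self.leases[mac] = (address, now + self.lease_seconds)
        self.history[mac] = address
        return address

    def pick(self, mac):
        """Automatic allocation: prefer the address this MAC held last time."""
        previous = self.history.get(mac)
        if previous in self.free:
            self.free.remove(previous)
            return previous
        return self.free.pop(0) if self.free else None

    def reclaim_expired(self, now):
        """Dynamic allocation: leases that were not renewed go back to the pool."""
        for mac, (address, expiry) in list(self.leases.items()):
            if expiry <= now:
                del self.leases[mac]
                self.free.append(address)

def scenario():
    """Two-address pool, 100 s lease; returns the addresses handed out in order."""
    pool = DhcpPool(["10.0.0.10", "10.0.0.11"], 100,
                    static={"00:11:22:33:44:55": "10.0.0.50"})
    out = []
    out.append(pool.request("aa:aa:aa:aa:aa:01", 0))     # 10.0.0.10
    out.append(pool.request("aa:aa:aa:aa:aa:02", 0))     # 10.0.0.11
    out.append(pool.request("aa:aa:aa:aa:aa:03", 10))    # None: pool exhausted
    out.append(pool.request("aa:aa:aa:aa:aa:01", 50))    # 10.0.0.10 renewed until t=150
    out.append(pool.request("aa:aa:aa:aa:aa:03", 120))   # 10.0.0.11, reclaimed from 02
    out.append(pool.request("aa:aa:aa:aa:aa:02", 200))   # 10.0.0.10: its old .11 is taken
    out.append(pool.request("00:11:22:33:44:55", 200))   # 10.0.0.50 from the static table
    return out

if __name__ == "__main__":
    print(scenario())
```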
FTP
File Transfer Protocol (FTP) is a standard network protocol used to copy a file from one host to another
over a TCP-based network, such as the Internet. FTP is built on a client-server architecture and utilizes
separate control and data connections between the client and server. FTP users may authenticate
themselves using a clear-text sign-in protocol but can connect anonymously if the server is configured to
allow it.
History
The original specification for the File Transfer Protocol was written by Abhay Bhushan and published as
RFC 114 on 16 April 1971 and later replaced by RFC 765 (June 1980) and RFC 959 (October 1985), the
current specification. Several proposed standards amend RFC 959, for example RFC 2228 (June 1997)
proposes security extensions and RFC 2428 (September 1998) adds support for IPv6 and defines a new
type of passive mode.
Protocol overview
A client makes a TCP connection to the server's port 21. This connection, called the control connection,
remains open for the duration of the session, with a second connection, called the data connection,
opened by the server from its port 20 to a client port (specified in the negotiation dialog) as required to
transfer file data. The control connection is used for session administration (i.e., commands,
identification, passwords) exchanged between the client and server using a telnet-like protocol. For
example "RETR filename" would transfer the specified file from the server to the client. Due to this two-
port structure, FTP is considered an out-of-band protocol, as opposed to an in-band protocol such as HTTP.
The server responds on the control connection with three digit status codes in ASCII with an optional
text message, for example "200" (or "200 OK.") means that the last command was successful. The
numbers represent the code number and the optional text represents an explanation or
needed parameters.[1] A file transfer in progress over the data
connection can be aborted using an interrupt message sent over the control connection.
FTP can be run in active or passive mode, which determines how the data connection is established. In
active mode, the client sends the server the IP address and port number on which the client will listen,
and the server initiates the TCP connection. In situations where the client is behind a firewall and unable
to accept incoming TCP connections, passive mode may be used. In this mode the client sends a PASV
command to the server and receives an IP address and port number in return. The client uses these to
open the data connection to the server. Both modes were updated in September 1998 to add support
for IPv6. Other changes were made to passive mode at that time, making it extended passive mode.
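The control-connection replies and the active/passive negotiation described above, as an added example that is not from the notes: Python that parses single- and multi-line three-digit replies, extracts the data-connection address and port from a PASV (227) reply and the port from an extended-passive (229) reply, and builds the PORT argument for active mode. The PASV parser can refuse a data address that differs from the server the control connection is already talking to. All sample replies are constructed.

```python
"""Parse FTP control-connection replies and the PASV/EPSV data-connection
details; build the active-mode PORT argument.  Added example, not from the
original notes; all sample replies are constructed."""
import re

PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
EPSV_RE = re.compile(r"\(\|\|\|(\d{1,5})\|\)")

def parse_reply(raw):
    """Return (code, text) for a single- or multi-line reply.  A multi-line
    reply starts 'xyz-' and ends with a line starting 'xyz ' (same code)."""
    lines = raw.splitlines()
    head = lines[0] if lines else ""
    if len(head) < 4 or not head[:3].isdigit() or head[3] not in " -":
        raise ValueError(f"malformed reply: {head!r}")
    code = int(head[:3])
    if head[3] == " ":
        return code, head[4:]
    body = [head[4:]]
    for line in lines[1:]:
        if line.startswith(f"{code} "):             # terminating line
            body.append(line[4:])
            return code, "\n".join(body)
        body.append(line)
    raise ValueError("unterminated multi-line reply")

def reply_class(code):
    """The first digit tells the client what to do next."""
    return {1: "preliminary", 2: "success", 3: "intermediate",
            4: "transient failure", 5: "permanent failure"}[code // 100]

def parse_pasv(text, control_peer=None):
    """227 reply text -> (host, port): h1-h4 are address octets, port = p1*256 + p2.
    With control_peer given, a data address other than the server we are
    already talking to is rejected instead of connected to."""
    m = PASV_RE.search(text)
    if not m:
        raise ValueError("no (h1,h2,h3,h4,p1,p2) tuple in reply")
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range")
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise ValueError("port 0 is not usable")
    if control_peer is not None and host != control_peer:
        raise ValueError(f"PASV address {host} differs from control peer {control_peer}")
    return host, port

def parse_epsv(text):
    """229 reply (extended passive mode) -> port; the host is the control peer."""
    m = EPSV_RE.search(text)
    if not m or not 0 < int(m.group(1)) < 65536:
        raise ValueError("no (|||port|) in reply")
    return int(m.group(1))

def port_command(host, port):
    """Active mode: the command that tells the server where the client listens."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    return "PORT " + ",".join(host.split(".") + [str(port // 256), str(port % 256)])

if __name__ == "__main__":
    code, text = parse_reply("227 Entering Passive Mode (208,80,152,2,25,46)")
    print(code, reply_class(code), parse_pasv(text, control_peer="208.80.152.2"))
    print(port_command("192.0.2.10", 6446))
```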
ASCII mode: used for text. Data is converted, if needed, from the sending host's character
representation to "8-bit ASCII" before transmission, and (again, if necessary) to the receiving host's
character representation. As a consequence, this mode is inappropriate for files that contain data other
than plain text.
Image mode (commonly called Binary mode): the sending machine sends each file byte for byte, and
the recipient stores the bytestream as it receives it. (Image mode support has been recommended for all
implementations of FTP.)
EBCDIC mode: used for plain text between hosts using the EBCDIC character set. This mode is otherwise
like ASCII mode.
Local mode: allows two computers with identical setups to send data in a proprietary format without
the need to convert it to ASCII.
For text files, different format control and record structure options are provided. These features were
designed to facilitate files containing Telnet or ASA formatting.
Data transfer can be done in any of three modes:
Stream mode: Data is sent as a continuous stream, relieving FTP from doing any processing. Rather, all
processing is left up to TCP. No End-of-file indicator is needed, unless the data is divided into records.
Block mode: FTP breaks the data into several blocks (block header, byte count, and data field) and then
passes it on to TCP.
Compressed mode: Data is compressed using a single algorithm (usually Run-length encoding).
Security
FTP was not designed to be a secure protocol, especially by today's standards, and has many security
weaknesses:
- Bounce Attacks
- Spoof Attacks
- Brute Force Attacks
- Packet Capture (Sniffing)
- Username Protection
- Port Stealing
FTP was not designed to encrypt its traffic; all transmissions are in clear text, and user names,
passwords, commands and data can be easily read by anyone able to perform packet capture (sniffing)
on the network. This problem is common to many Internet Protocol specifications (such as SMTP,
Telnet, POP and IMAP) designed prior to the creation of encryption mechanisms such as TLS or SSL.[2] A
common solution to this problem is use of the "secure", TLS-protected versions of the insecure
protocols (e.g. FTPS for FTP, TelnetS for Telnet, etc.) or selection of a different, more secure protocol
that can handle the job, such as the SFTP/SCP tools included with most implementations of the Secure
Shell protocol.
Anonymous FTP
A host that provides an FTP service may additionally provide anonymous FTP access. Users typically log
into the service with an 'anonymous' account when prompted for user name. Although users are
commonly asked to send their email address in lieu of a password, no verification is actually performed
on the supplied data;[7] examples of anonymous FTP servers can be found here.
Remote FTP or FTPmail
Where FTP access is restricted, a remote FTP (or FTPmail) service can be used to circumvent the
problem. An e-mail containing the FTP commands to be performed is sent to a remote FTP server, which
is a mail server that parses the incoming e-mail, executes the FTP commands, and sends back an e-mail
with any downloaded files as an attachment. Obviously this is less flexible than an FTP client, as it is not
possible to view directories interactively or to modify commands, and there can also be problems with
large file attachments in the response not getting through mail servers. The service was used when
some users' only internet access was via email through gateways such as a BBS or online service. As
most internet users these days have ready access to FTP, this procedure is no longer in everyday use.
Web browser support
Most common web browsers can retrieve files hosted on FTP servers, although they may not support
protocol extensions such as FTPS.[8] When an FTP (rather than HTTP) URL is supplied, the accessible
contents of the remote server are presented in a manner similar to that used for other Web content. A
full-featured FTP client can be run within Firefox in the form of an extension called FireFTP.
FTP URL syntax takes the form:
ftp://[user[:password]@]host[:port]/url-path [9]
NAT and Firewall traversal
FTP normally transfers data by having the server connect back to the client, after the PORT command is
sent by the client. This is problematic for both NATs and firewalls, which do not allow connections from
the Internet towards internal hosts. For NATs, an additional complication is that the IP address and
port number in the PORT command refer to the internal host's IP address and port, rather
than the public IP address and port of the NAT.
There are two approaches to this problem. One is that the FTP client and FTP server use the PASV
command, which causes the data connection to be established from the FTP client to the server. This is
widely used by modern FTP clients. Another approach is for the NAT to alter the values of the PORT
command, using an application-level gateway for this purpose.
Secure FTP
There are several methods of securely transferring files that have been called "Secure FTP" at one point
or another.