Re: Anyone tried setting up a Linux TFTP Server for Cisco?

Thanks to everyone who replied.  I didn't mean to start a Linux versus
Microsoft controversy but that is okay.  I think they are valuable
discussions.  I did read in the Cisco literature that the Windows-based tftp
servers are limited to 16 MB and the Linux/Unix versions are not.  Since
flash images are fast approaching that size I thought I would start getting
prepared.  Whether or not that is actually true, I don't know.  Thanks, Alan,
your suggestions did the trick.

Thanks,

Brian
  -----Original Message-----

   From: Elijah Savage [mailto:[EMAIL PROTECTED]]
  Sent: Thursday, March 22, 2001 11:17 AM
  To: W. Alan Robertson; Brian Kimsey-Hickman; [EMAIL PROTECTED]
  Subject: RE: Anyone tried setting up a Linux TFTP Server for Cisco?


  I know it's off topic, but I hate such narrow-minded comments...
  > If you have ever installed any *ix system, you'd be darn well
  > aware that the thing is    w  i  d  e   open.  There is almost
  > no security there.  It has to be added and maintained.  Win32
  > systems are similar.  Very trusting and friendly until they are
  > properly taken care of.  Is *ix inherently more secure?  no way.


  No holy war here either. But I could not resist the reply to this comment.
Of course it depends on the administrator of the box, but it depends also
on how you install it. I have never installed a Linux box with ftp or telnet
by default (openssh). Because these boxes I set up are usually DNS or web
servers, you can install them so that they run in a chrooted environment,
which tends to be a tad bit more secure. This is one reason I like nix over
any win platform, because I can install what I want and how I want it, which
usually makes a nix box more secure than any win platform. So to me, as I
stated above, nix is more secure, but of course you have to know what you are
doing. You probably will say, well, this is not a base install. And my reply
is, well, if you do a custom install, which you can do right out of the box
without recompiling the kernel or anything fancy, nix will be more secure
than win32 platforms out of the box. I would like to see a custom install on
win32 instead of click here to continue.

  > I challenge anyone to make a valid, non-ideological based
  > comparison of a base Win32 and a base Linux install.  If Linux
  > were so damned secure in its current state, I wouldn't see IDS
  > logs filling up with folks scanning for obvious Linux vulns, now
  > would I?  Bottom dollar is, without proper administration, both
  > Win32 and *ix suck big time.  With proper care and feeding, they
  > can both become relatively secure.
  >

  You are seeing IDS logs filling up due to the fact that most script
kiddies out there are learning nix and what vulnerabilities are associated
with it. And from my years of experience and dealing with these individuals
it is more of a challenge for them, like a notch in their belt if they
compromise a nix box rather than a win32 platform. They will be readily
accepted by their peers if this is accomplished and shunned away for saying
hey I cracked an NT server. Due to the fact and the latest security survey (I
can't remember right off hand by whom) that show due to the recent influx of
MCSE certified individuals that lack experience on securing these boxes that
get broken into it's not a challenge to them any more. It showed there were a
very high number of individuals out there that did not even have the known
IIS patch applied. I am not knocking MCSE individuals here because I myself
am an MCSE+I; we all have to start somewhere. But there are more individuals
out there in the industry with NT boxes than there are with Unix boxes under
their control.
  If you ask me this is some of the reason why you see so many entries in
your log for nix vulnerabilities than you do for the win32 platform.




    -----Original Message-----
    From: W. Alan Robertson
    Sent: Thu 3/22/2001 10:23 AM
    To: Brian Kimsey-Hickman; [EMAIL PROTECTED]
    Cc:
    Subject: Re: Anyone tried setting up a Linux TFTP Server for Cisco?


    Rather than get into a Holy War about why Linux is better than Windows, I
    figured I'd just answer your question.

    in.tftpd doesn't constantly run like other processes, like an http
    server, as an example.

    in.tftpd is typically started as needed, and terminated when finished.
    The controlling process is inetd.  The configuration file for inetd can
    be found at '/etc/inetd.conf'.

    Edit that file...

    Scroll down to a line that reads like this (the exact line varies by
    Linux distribution):

    #tftp           dgram   udp     wait    nobody  /usr/sbin/tcpd /usr/sbin/in.tftpd /tftpboot

    The # means that this line is commented out.  If you remove the hash
    mark, leaving:

    tftp           dgram   udp     wait    nobody  /usr/sbin/tcpd /usr/sbin/in.tftpd /tftpboot

    you will have enabled the tftp service for the box.  The "/tftpboot"
    reference refers to the tftp service home directory, so make certain
    that it exists.  You can also move the location if you'd like.  Just
    specify a different path, and ensure that it exists.

    Finally, you need to restart the inetd process, so that it will be aware
    of the fact that you want it to manage tftp services.

    Do a 'ps ax | grep inetd'.  That will show something like:

    yavin:/etc# ps ax | grep inet
      252 ?        S      0:00 /usr/sbin/inetd
      369 ?        SW     0:00 [rinetd]
     7945 pts/1    S      0:00 grep inet
    yavin:/etc#

    To restart it, type this:  'kill -HUP [pid]'

    In my example, 252 is the pid (Process ID).

    I almost forgot...  One thing you also need to check is the directory
    permissions of /tftpboot...

    Make sure that the directory is World Readable, and World Writable.
    Tftp does no user authentication, so you have to give global read/write
    access to its directory.  Also, before sending a file up to the tftp
    server, you will need to 'touch filename'.  Generally, the service will
    allow you to overwrite a file that exists, but it will not allow you to
    create a wholly new file.  Silly, isn't it?

    Best of luck...

    Alan

    ----- Original Message -----
    From: "Brian Kimsey-Hickman" <[EMAIL PROTECTED]>
    To: <[EMAIL PROTECTED]>
    Sent: Thursday, March 22, 2001 8:17 AM
    Subject: Anyone tried setting up a Linux TFTP Server for Cisco?


    > I was wondering if anyone had tried to set up a Linux box as a TFTP
    > server for Cisco configurations and images.  I have tried in.tftp but
    > don't seem to be having a lot of luck.
    >
    > Thanks,
    >
    > Brian
    >
    > _________________________________
    > FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
    > Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
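
The setup steps from Alan's reply (enabled inetd.conf entry, service directory, pre-created upload file), as an added shell example that is not part of the original thread: it reads the enabled tftp entry and opens write access on one pre-created file at a time, then lists what an unauthenticated client could overwrite. The function names and the temporary demo paths are assumptions, and it assumes a tftpd that, as described in the thread, only overwrites files that already exist.

```shell
#!/bin/sh
# Added example: audit an inetd.conf-style file and a TFTP service directory.
# The demo uses temporary, constructed stand-ins for /etc/inetd.conf and
# /tftpboot so it can be run without touching a real system.

# Print the enabled (uncommented) tftp entry; fail if there is none.
tftp_entry() {
    awk '$1 == "tftp" && $2 == "dgram" { print; found = 1 }
         END { exit !found }' "$1"
}

# Field 5 is the account in.tftpd runs as; the last field is its directory.
tftp_user() { tftp_entry "$1" | awk '{ print $5; exit }'; }
tftp_root() { tftp_entry "$1" | awk '{ print $NF; exit }'; }

# Files any unauthenticated TFTP client could overwrite.
world_writable() {
    find "$1" -type f -perm -0002 | sort
}

# Pre-create one upload target ("touch filename") and open up only that file.
stage_upload() {
    case "$2" in
        */*|""|.*) echo "refusing name: $2" >&2; return 1 ;;
    esac
    touch "$1/$2" && chmod 666 "$1/$2"
}

# After the router has written its file, close it again.
seal_upload() { chmod 644 "$1/$2"; }

demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/tftpboot" && chmod 755 "$d/tftpboot"
    # Constructed sample: one disabled and one enabled entry.
    printf '%s\n' \
      '#tftp dgram udp wait nobody /usr/sbin/tcpd /usr/sbin/in.tftpd /other' \
      "tftp dgram udp wait nobody /usr/sbin/tcpd /usr/sbin/in.tftpd $d/tftpboot" \
      > "$d/inetd.conf"
    echo "image" > "$d/tftpboot/ios.bin"; chmod 644 "$d/tftpboot/ios.bin"
    root=$(tftp_root "$d/inetd.conf")
    echo "runs as: $(tftp_user "$d/inetd.conf"), root: $root"
    stage_upload "$root" router1-confg
    echo "writable now:"; world_writable "$root"
    seal_upload "$root" router1-confg
    echo "writable after seal: $(world_writable "$root" | wc -l)"
    rm -rf "$d"
}
demo
```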
