Detecting non-standard ftp usage (!= tcp 21) using IDSM2 5.0 & CN-MARS v3.4

Hello,
We recently installed our IDSMs and a MARS box to monitor our core traffic. I'm trying to set up a MARS "User Inspection Rule" to notify me when there is FTP traffic on a port other than port 21. Is there an easy way to do this?
I don't see any IPS sigs that will trigger on normal FTP events (e.g. open data connection success, STOR and RETR request, etc.). I'm sure someone out there has already set up something like this before? Any help is appreciated.
Ryan

Take a look at sig 3171 to get a feel for how a custom signature might look, then create your own. To be honest, I've not done a lot of custom sigs...but looking on every port for ftp-like behavior seems like it might put quite a burden on your sensor.
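The matching logic such a custom rule needs, as an added example (not a Cisco IPS signature or MARS rule, and not code from this thread): a session counts as FTP control traffic only when the server greets with a 220 reply and the client sends USER, which keeps SMTP (220 greeting, no USER) and POP3 (USER/PASS, but a "+OK" greeting) from matching. The segment tuples and addresses below are constructed sample data.

```python
import re
from collections import defaultdict

FTP_PORT = 21
REPLY_RE = re.compile(rb"^(\d{3})[ -]")  # FTP reply line: 3-digit code, then space or hyphen
FTP_VERBS = {"USER", "PASS", "RETR", "STOR", "PORT", "PASV", "LIST", "CWD", "TYPE", "QUIT"}

# Constructed sample segments (not captured traffic):
# (client_ip, client_port, server_ip, server_port, direction, payload)
SAMPLE_SEGMENTS = [
    # Ordinary FTP on tcp/21: FTP, but not what the rule is looking for.
    ("10.0.0.5", 40001, "192.0.2.10", 21, "s2c", b"220 FTP server ready\r\n"),
    ("10.0.0.5", 40001, "192.0.2.10", 21, "c2s", b"USER alice\r\n"),
    # FTP control channel on tcp/2021: should alert.
    ("10.0.0.7", 40002, "192.0.2.20", 2021, "s2c", b"220 Service ready\r\n"),
    ("10.0.0.7", 40002, "192.0.2.20", 2021, "c2s", b"USER bob\r\nPASS x\r\n"),
    ("10.0.0.7", 40002, "192.0.2.20", 2021, "s2c", b"230 Logged in\r\n"),
    ("10.0.0.7", 40002, "192.0.2.20", 2021, "c2s", b"stor backup.tgz\r\n"),
    # SMTP on tcp/2525: same 220 greeting, but no FTP login verb.
    ("10.0.0.8", 40003, "192.0.2.30", 2525, "s2c", b"220 mail.example ESMTP\r\n"),
    ("10.0.0.8", 40003, "192.0.2.30", 2525, "c2s", b"EHLO client.example\r\n"),
    # POP3 on tcp/8110: USER/PASS verbs, but the greeting is "+OK", not 220.
    ("10.0.0.9", 40004, "192.0.2.40", 8110, "s2c", b"+OK POP3 ready\r\n"),
    ("10.0.0.9", 40004, "192.0.2.40", 8110, "c2s", b"USER carol\r\nPASS y\r\n"),
]


def score_sessions(segments):
    """Collect per-session evidence: 220 greeting seen, FTP verbs seen."""
    sessions = defaultdict(lambda: {"greeting": False, "verbs": set()})
    for c_ip, c_port, s_ip, s_port, direction, payload in segments:
        state = sessions[(c_ip, c_port, s_ip, s_port)]
        for line in payload.split(b"\r\n"):
            if not line:
                continue
            if direction == "s2c":
                match = REPLY_RE.match(line)
                if match and match.group(1) == b"220":
                    state["greeting"] = True
            else:
                # FTP commands are case-insensitive, so normalise before matching.
                verb = line.split(b" ", 1)[0].upper().decode("ascii", "replace")
                if verb in FTP_VERBS:
                    state["verbs"].add(verb)
    return sessions


def nonstandard_ftp(segments):
    """Return one alert per FTP control session whose server port is not 21."""
    alerts = []
    for (c_ip, c_port, s_ip, s_port), state in score_sessions(segments).items():
        looks_like_ftp = state["greeting"] and "USER" in state["verbs"]
        if looks_like_ftp and s_port != FTP_PORT:
            alerts.append({
                "client": "{}:{}".format(c_ip, c_port),
                "server": "{}:{}".format(s_ip, s_port),
                "verbs": sorted(state["verbs"]),
            })
    return alerts


if __name__ == "__main__":
    for alert in nonstandard_ftp(SAMPLE_SEGMENTS):
        print("FTP on non-standard port:", alert)
```

Inspecting every TCP port for this pattern is the sensor load the reply warns about; limiting the inspection to the first few segments of each session keeps the cost bounded.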

Similar Messages

  • How can ftp service on non-standard port be load balanced using Cisco ACE.

    How can ftp service on non-standard port be load balanced using Cisco ACE? For example, ftp service required on tcp 2000 port.

    Hi Samarjit,
    You can do this by specifying the port number in the class map that you create. Please find the below-mentioned config guide, where you can specify the tcp/udp port, range of ports or even the wildcard to match the port.
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/administration/guide/mapolcy.html#wp1318826
    Regards
    Abijith

  • Connect to non standard ftp port

    Hi ,
    Is it possible for PI to connect to non standard ftp port to pick files using ftp adapter??
    How about non standard ftp servers?

    Hi Teja,
    > Is it possible for PI to connect to non standard ftp port to pick files using ftp adapter??
    According to my knowledge it is possible, you have to mention that port in the communication channel.
    > How about non standard ftp servers?
    Refer to the below links
    http://www.nsoftware.com/kb/tutorials/biztalkftpadapter.aspx
    http://wikis.sun.com/display/JavaCAPS/SunAdapterfor+Batch-FTP
    Regards
    Ramesh

  • Doing proper NAT to FTP connections on non-standard port

    Router 1712, IOS 12.3
    There is an article from Cisco, "Using Non-Standard FTP Port Numbers with NAT".
    http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094e76.shtml
    It explains how to enable NATting router to perform proper translation of NAT-sensitive protocols, in this case FTP.
    The article assumes that the FTP server in question is on the inside interface of the router.
    The configuration proposed by the article is as follows:
    interface Ethernet0
    ip address 10.1.1.2 255.255.255.0
    ip nat inside
    interface Serial0
    ip address 192.168.10.1 255.255.255.252
    ip nat outside
    ip nat service list 10 ftp tcp port 2021
    ip nat inside source static 10.1.1.1 20.20.20.1
    access-list 10 permit 10.1.1.1
    In my case, the FTP server in question is on the outside interface. The router is performing source NAT for outbound connections. An example of my config is below:
    interface Ethernet0
    ip address 12.34.56.1 255.255.255.0
    ip nat outside
    interface Vlan324
    ip address 10.1.1.2 255.255.255.0
    ip nat inside
    ip nat service list 10 ftp tcp port 2021
    ip nat inside source static 10.1.1.100 12.34.56.100
    access-list 10 permit 12.34.56.200
    With this configuration, Layer 3 NAT is working. I'm able to establish an FTP control channel and issue FTP commands. However, I think that the IP addresses inside FTP control channel are not translated properly (to 12.34.56.100). Therefore, the FTP data channel is not working.
    I tried to enable the following debug, however didn't see any entries related to FTP control channel translation:
    debug ip nat
    debug ip nat detailed
    debug ip snat
    debug ip snat detailed
    debug ip ftp
    debug ftpserver
    My question is:
    Is the "ip nat service list <acl> ftp tcp <port>" command supposed to work when the FTP server in question is on the outside interface of the translating router ?

    Hi,
    I see that this question was asked quite some time ago but I have come across the same issue, i.e. when the server is on the outside interface the IP in the "PORT" command from the client is not translated.
    Did you ever get a fix for it?
    Thanks
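The control-channel rewrite both posters expect, as an added example (not IOS code and not a description of how the router implements `ip nat service`): the client's PORT command carries its own address as text, so the translator has to parse it, substitute the translated address, and account for the changed payload length. The static mapping is the one from the post; the port value 5001 (fields 19,137) is a constructed sample.

```python
import re

# PORT h1,h2,h3,h4,p1,p2 where the data port is p1 * 256 + p2
PORT_RE = re.compile(
    r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$",
    re.IGNORECASE,
)

# Static translation from the post: 10.1.1.100 (inside) <-> 12.34.56.100 (outside)
NAT_TABLE = {"10.1.1.100": "12.34.56.100"}


def parse_port(command):
    """Return (ip, port) announced by an FTP PORT command line."""
    match = PORT_RE.match(command)
    if not match:
        raise ValueError("not a well-formed PORT command")
    fields = [int(value) for value in match.groups()]
    if any(field > 255 for field in fields):
        raise ValueError("PORT field out of range")
    ip = ".".join(str(field) for field in fields[:4])
    return ip, fields[4] * 256 + fields[5]


def build_port(ip, port):
    """Serialise (ip, port) back into a PORT command line."""
    return "PORT {},{},{}\r\n".format(ip.replace(".", ","), port >> 8, port & 0xFF)


def translate_port(command, nat_table):
    """Rewrite the embedded address if it has a translation.

    Returns (command, length_delta). A non-zero delta means the TCP payload
    changed size, so the translator must also offset sequence and
    acknowledgement numbers for the rest of the control connection.
    """
    ip, port = parse_port(command)
    translated = nat_table.get(ip)
    if translated is None:
        return command, 0
    rewritten = build_port(translated, port)
    return rewritten, len(rewritten) - len(command)


if __name__ == "__main__":
    original = "PORT 10,1,1,100,19,137\r\n"  # constructed client command
    print("client announces:", parse_port(original))
    rewritten, delta = translate_port(original, NAT_TABLE)
    print("after rewrite   :", parse_port(rewritten), "length delta", delta)
```

Without the rewrite, the server at 12.34.56.200 is told to open the data connection to 10.1.1.100, which matches the symptom in the post: the control channel works and the data channel does not.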

  • Copy ftp start -- can we use a nondefault port?

    I have a limited availability of server assets and IP addresses and would like to separate the folders for anonymous general ftp connections and those used for router maintenance. Can I use port 2121 for example: copy ftp://[email protected]:2121/startup.txt start I tried it and it always goes to the IIS FTP site that is running port 21.
    IOS version is c2800nm-adventerprisek9-mz.124-19.bin

    Many routers provide an ALG on port 21 to listen on FTP commands to sniff out the port that needs to be open for active mode to work. However, that only works on port 21 in most cases, so it doesn't work on non-standard ftp ports.
    You can set up your FTP server for passive mode FTP (you'll need to forward an additional range of ports to the computer running the FTP server, specify within IIS to use those forwarded ports, and tell IIS to use your WAN IP as the passive mode IP).

  • CSS 11501 ftp server setup problem using non-standard port

    Dear Expert,
    We would like to set up an FTP server over CSS where our member server uses non-standard ports to open both control and data channels (i.e. 6370 as ctrl and 6369 as data in this case), but it seems we can only get Passive mode FTP to work, not Active mode FTP, for data channel establishment from the server back to the client. Is there any professional advice that can help in this case? Here is our setup info FYI:
    #  sh ver
    Version:               sg0820501 (08.20.5.01)
    Flash (Locked):        08.10.1.06
    Flash (Operational):   08.20.5.01
    Type:                  PRIMARY
    Licensed Cmd Set(s):   Standard Feature Set
                           Secure Management
    CVDM Version:          cvdm-css-1.0_K9
    !*************** Global
    ftp data-channel-timeout 10
      ftp non-standard-ports
    !************************** SERVICE **************************
    service ftp_ftpgtw
      keepalive maxfailure 2
      keepalive frequency 15
      keepalive retryperiod 2
      keepalive type tcp
      ip address 192.168.52.170
      protocol tcp
      keepalive port 6370
      port 6370
      active
    # sh run group drfusegtwftp_grp 
    !*************************** GROUP ***************************
    group gtwftp_grp
      vip address 192.168.52.28
      add service ftp_ftpgtw
      active
      content ftp_gtwpkg-ftpgtw
        add service ftp_ftpgtw
        vip address 192.168.52.28
        port 21
        protocol tcp
        application ftp-control
        active

    Thanks for confirming first that no problem was found at the config level :P, which saves us a lot of time in isolating the problem at this level.
    What we can notice is that the data port connection seems to fail to open from the server back to the client. In our general understanding, the expected flow should be:
    TCP session A -- Client:1234 --> VIP:21 --> member svr:6370
    TCP session B -- Client: 5678 <--> VIP:20 <--> member Svr: 6379 [on demand generated between server/client]
    But we can only see session B fail to set up when the client side accesses the VIP site on the CSS, even when we try the most standard case as below:
    TCP session A -- Client:1234 --> VIP:21 --> member svr:21
    TCP session B -- Client: 5678 <--> VIP:20 <--> member Svr: 20
    We are still unable to make Active mode FTP access work either, hence we have no idea how the CSS handles FTP access when it involves services over multiple TCP ports.
    And from the CSS xlate view, the problem is that we can only see which NAT IP the CSS used to connect to the client, but there is no way to confirm which port the VIP uses outgoing to the client, nor whether it is dropped by the CSS or never set up from the VIP to the client side.

  • Using non-standard sshd port after 10.8 upgrade

    After spending hours tracking down this solution as a result of losing my ssh settings after the upgrade to Mountain Lion, I thought it might be useful to post the steps taken to restore the configuration I used with Snow Leopard.
    Changing the sshd default listening port
    Disclaimer: This tutorial is specific to Mountain Lion (OS X 10.8). I was able to accomplish this using Snow Leopard (OS X 10.6) in fewer steps, but upgrading required this more involved solution. 
    Steps:
    1.) You must first enable the root user account in order to change the relevant files. This can be done from the terminal, or by going to System Preferences --> Users & Groups. Once there, click on 'Login Options' at the bottom of the Current User list, and 'Join' where it says 'Network Account Server'.
    This will bring up a smaller window. Click on 'Open Directory Utility' at the bottom. You will be prompted for your admin password. Now go to the 'Edit' tab at the top of the screen and toggle down to 'Enable Root User'.  You will be prompted to enter your admin password twice.
    2.) Log out of your regular user account. At the log in screen you will now see an additional entry for 'other'. Click on that and log in with the username 'root' and your admin password. If you are inexperienced as a root-level user, be careful, as you can cause problems to your system that can be difficult to undo.
    Once in your root account, the first step is to create a new 'service definition' in the /etc/services file. Open the file with your text editor of choice and scroll to the current entry for the sshd listening port, which will look like this:
    ssh    22/udp    # SSH Remote Login Protocol
    ssh    22/tcp     # SSH Remote Login Protocol
    Overwrite the '22' with the port number you would like sshd to listen on:
    ssh    12345/udp   # SSH Remote Login Protocol
    ssh    12345/tcp    # SSH Remote Login Protocol
    *12345 being our hypothetical, non-standard port.
    It is important to note that the new port number will not take by simply adding a new uncommented line to the file (I tried), unless of course you comment the original ssh entries. Easiest way is just to overwrite what is there already. Save changes.
    3.) You now need to edit the ssh.plist file, which is located at /System/Library/LaunchDaemons/ssh.plist. A word to those familiar with Linux/BSD environments: changing the default port in the sshd_config file, which exists in OS X, does NOT change the listening port. Simply changing the default port, saving the config file, and restarting the server (the sensible way) won't work. The OS X sshd server (openssh) is configured to get launch instructions from the ssh.plist file, as opposed to sshd_config. If you are more interested in this aspect of OS X, read up on LaunchDaemons (e.g. launchd).
    Before altering the ssh.plist file, you should save a backup copy in case of mistakes, or if you need to revert back to it in the future. Name your backup file something like original.ssh.plist, etc.
    In the ssh.plist file, locate the SockServiceName entry and change it from the default:
    <key>SockServiceName</key>
    <string>ssh</string>
    To the following:
    <key>SockServiceName</key>
    <string>$alternate port number</string>
    In our example from above this value would be 12345.
    4.) Save your changes, and exit ssh.plist. You now need to move the backup file you created (original.ssh.plist) out of the System/Library/LaunchDaemons path.
    The updated sshd port will not take until you have only one ssh.plist file in the LaunchDaemons directory - this has to do with how launchd is configured to load files which is outside the scope of the current discussion.  (*If you've found a way around this, please share.) 
    5.) Restart the sshd server. Easiest way to accomplish this is going to System Preferences --> Sharing and clicking off 'Remote Login', then clicking back on it. 
    6.) Test the configuration by logging into the machine running the sshd server from another host using:
    ssh username@ipaddress -p 12345
    There are a few good tutorials out there that capture some of these steps, but many are dated and/or incomplete. If you are running a standard setup of OS X 10.8, this should work for you.
    Of course, don't be fooled into thinking that changing the default listening port from the ubiquitously-probed 22 equates to actual security. At best, it will cut down on the number of dubious connection attempts and probing.

    Hi all, above helped me change the sshd port number, thank you very much.
    Just upgraded to OS X 10.9.3 on my macbook pro.
    My findings were:
    Step 1(become a root user or sudo)
    Step 2 (/etc/services)
    This may not be required unless you want ssh to work without the "-p XXXX" option to connect to other ssh hosts.  I favor such as "ssh -p 2222 user@hostname" just to be sure I know what I am doing and also to leave ssh known port as its default "22".
    Step 3 (/System/Library/LaunchDaemons/ssh.plist)
    This is required if you want to change the sshd port number, I changed both "ssh" to "2222" in this file.
    Step 4 (launchctl)
    Below is a must as I understood:
    launchctl unload /System/Library/LaunchDaemons/ssh.plist
    launchctl load /System/Library/LaunchDaemons/ssh.plist
    it should be already working with the new port number.
    You can "ssh -p 2222 user@localhost" in the console terminal and see if it's working.
    Since I am no expert on Mac OS X, and it is a MacBook Pro that I am using, I also rebooted the system and the changes were reflected permanently.
    Thank you guys!

  • Cisco Secure ACS 5.6 Backup to FTP server listening on non-standard ports

    When defining a software repository from CLI or GUI, I have not been able to define the custom port that our FTP server is listening on.  Does ACS support the use of custom ports for FTP?

    Hi Anthony,
    I don't think it will support non-standard ports, as the options are only Disk, FTP, SFTP, TFTP and NFS.
    Regards,
    Chris

  • Using the CSM to setup a HTTPS session on non-standard ports?

    Hi Guys,
    One of our clients wants to set up an SSL connection on a non-standard SSL port, i.e. 4444 to begin with. Here the server handles the SSL encryption / decryption instead of the SSL module.
    I've found the following config to work well:
    serverfarm FARM-MOBS-4444
    nat server
    no nat client
    predictor leastconns
    failaction purge
    real 130.194.12.81 4444
    inservice
    real 130.194.12.84 4444
    inservice
    probe MOBS-4444
    sticky 108 netmask 255.255.255.255 timeout 60
    vserver VMOBS-PROD-4444
    virtual 130.194.11.51 tcp https
    serverfarm FARM-MOBS-4444
    sticky 60 group 108
    persistent rebalance
    inservice
    With the above setup the CSM redirects the SSL connections (received on 443) to port 4444 on the server and maintains this for the duration of the session.
    While the above setup works, is it possible to configure the VIP to use a HTTPS port other than 443 (which is default)? This would then allow for separate HTTPS paths to be setup on non-standard ports. I ask this since the client also wants to setup a HTTPS path on port 4443 as well.
    Any ideas would be useful.
    thanks
    Sheldon

    Hi Martin,
    Do you mean using the SSL module to perform the encryption / decryption? If so, I've tried this and it does work without an issue.
    I was just wondering if it were possible to have a VIP setup where the HTTPS port is not 443 but say 4443, where the encryption / decryption is done by the real servers themselves.
    thanks
    Sheldon

  • Cannot setup work email using SSL on non standard port

    All,
      I've been trying now for a few hours to set up a corporate email account.  I've tried via the Curve and via the BB internet service, but in both cases, since the service cannot detect the settings because a non standard port is in use, I cannot use the service and am considering returning the device to go with another easier to use device.  I love the hardware design but if I cannot set up my corporate email this is no good to me.  I'd appreciate any tips anyone has.
    Thanks,
      Frustrated.

    Your corporate email account is an Exchange server or what?
    You are on a personal BIS plan?

  • G5 Second Display using the GeForce FX 5200 - Non-Standard

    I have a Dual 1.8 GHz PowerPC G5 Macintosh.
    The display adapter installed is as follows:
    GeForce FX 5200:
    Chipset Model: GeForce FX 5200
    Type: Display
    Bus: AGP
    Slot: SLOT-1
    VRAM (Total): 64 MB
    Vendor: nVIDIA (0x10de)
    Device ID: 0x0321
    Revision ID: 0x00a2
    ROM Revision: 2060
    Displays:
    VX2235wm-3:
    Resolution: 1680 x 1050 @ 60 Hz
    Depth: 32-bit Color
    Core Image: Supported
    Main Display: Yes
    Mirror: Off
    Online: Yes
    Quartz Extreme: Supported
    Display:
    Status: No display connected
    I want to attach a second display to my machine, but the second plug on the card is a non-standard DVI-type connector. It looks like this:
    x x x x x x x x x x X X
    x x x x x x x x x x -----
    x x x x x x x x x x X X
    ...with 10 rows of 3 as opposed to 8.
    I have had trouble finding an adapter to use to convert this to VGA (which is what I need to connect my second monitor). I've searched the Apple Store online to no avail, as well as Google. Perhaps I've had no luck because I don't know the name of this part.
    Any help is much appreciated!
    ~Rob Blaze

    Hello! Does the port look like the one below? If so you'll need an adapter. Tom
    Actually, HERE is the page I was looking for that shows and describes all DVI connections.
    Apple ADC Connector
    [IMG]http://img300.imageshack.us/img300/9497/appleadcconnectorve2.jpg[/IMG]
    Message was edited by: Thomas Bryant

  • How To: Use FCPX to create iPhone Portrait Movies (and other non-standard formats)

    Goal: Use Final Cut Pro X 10.0.7 to produce a 640x1136 video (iPhone 5 Portrait). You can use these same steps to produce virtually any dimensions you want. My example is for the iPhone 5, in Portrait mode.
    This information is available in various places, but you have to really work to find it, so I thought I'd post a step-by-step guide here.
    By the way, you might think you could just create a FCPX Project with your desired dimensions, but you can't (at least with 10.0.7). Projects only support certain dimensions. But there are other ways, as the rest of this post describes:
    1) Create an initial movie with the desired dimensions, to serve as a template. We'll call it "Template.mov". The only thing that matters is the dimensions. It can be in any codec FCPX understands, and virtually any length.
    I'm using a 2 second video shot on my iPhone for the template. You could also create a blank image (.png, whatever) with the proper dimensions, copy and paste it into a new Quick Time Pro 7 window, and Export it using custom settings. There's lots of different ways to do this.
    2) Drop Template.mov into a FCPX event.
    3) Select Template.mov in the Event browser, and select File->Duplicate (or command-D). You probably could just edit "Template.mov", but it's a good idea to save it for reuse.
    3) Change the name of the copied video. I'm using "iPhone Video".
    4) Right-click "iPhone Video" and select "Open in Timeline".
    5) If you made the Template video from a still image, you may need to change the duration (ctrl+D). You don't have to make it very long, but it needs to be longer than 1 frame. A few seconds should be enough.
    6) Use this timeline like you'd use a project's timeline. Drop in new content, trim, transition, etc. There may be things you can't do in it, but I haven't found any yet. I'm guessing Chapters may not work, but I haven't tried them.
    7) Note that when you drop new content into the timeline, it may size funny. That's because the default setting for "Spatial Conform" is "Fit". Simply select the newly-dropped content, and in the Video settings inspector, scroll down to "Spatial Conform" and change it. You could use "Fill", which fills the frame vertically, or "None", which uses the source's original height. Then crop/transform/whatever to get what you want.
    8) When you're ready to render, select "iPhone Video" in the Event browser, then use the "Share" button. You want to use the "Export File" destination, which you may have to add. Pick your codec, and let 'er rip.
    9) When the rendering is done, you should have a video in your desired dimensions.
    That's all there is to it. Hope this helps someone.
    Dan
    PS: Don't ask why someone would want to create an iPod video using FCPX. The point is that you may need to create a video with non-standard  dimensions at some point in time, and this is how to do it.
    PPS: Most of this information came from http://library.creativecow.net/articles/payton_t/FCPX_Custom-Resolution-Timelines/video-tutorial. I just wrote it down, while I tried to do what the video suggested.

    Instructions for using QuickTime Pro 7 to create a template video with unusual dimensions.
    I suspect that anyone savvy enough to be using FCPX has probably already figured out how to do this, either using my technique or another, so there probably isn't a real need for me to post this. For that matter, I may be the only person who cares about this at all. However, while I was trying to learn how to do all of this, I would have really appreciated having all the information in one place, so here goes.
    If you want to create a video with unusual dimensions (like 640x1136) using my steps above, you'll need a "template" video first. Here's an easy way to create one, using any image editor, and QuickTime Pro 7.
    1) Open QuickTime Pro 7 (QTP for short).
    2) From the menu, select File->New Player. You'll get a window with just the bottom portion of the player, i.e. the playback controls.
    3) Using an image editor, create a still image in the desired dimensions. You can use any image editor. It doesn't matter what the image contains (although it will end up showing as a thumbnail in FCPX).
    4) Copy the image to the clipboard.
    5) Switch back to QTP, and paste the image into the new player. Don't worry that there isn't a video window showing - just paste it into the window that has only playback controls. As soon as you do, the video window appears.
    6) Advance to the end of the movie (the short, 1-frame movie), then hold down Command+V (paste) and keep holding it down to paste multiple images in. Watch the time advance. You could, if you want, just hold down Command+V until you get the length you want. But if you want a long video, there's an easier way:
    7) When you reach a few seconds (or whatever duration your patience allows), select all (Command+A) and copy (Command+C). Then hold down Command+V to keep pasting in the longer clips. Wait until you reach a longer duration, then repeat the process. So, for example, 1 second, then 10 seconds, then 1 minute, then 10 minutes, then 1 hour. Or whatever you want.
    8) Save the video however you want. I usually use File->Export with H.264, with Quality set to "Least". Just make sure you don't let it change the dimensions. If you resized the player window, depending on which "save" or "export" method you've chosen, it might default to the resized dimensions, so double check that to make sure.
    That's it. You now have a template video you can use with my previous post(s).
    Dan

  • Is it possible to load a non-standard image using some Java API?

    Hi,
    My "problem" is:
    1. I have an image called "mediterranean_sea.IMG" (non-standard image format)
    2. I need to process it (histogram, palette, etc).
    3. I'm wondering if it is possible to load this image and process it using some Java API.
    4. I've tried to do this using JAI but I think that this API only works with TIFF, PNG, JPEG, etc.
    Any idea?
    Thanks in advance,
    Roger

    Cross-post: http://forum.java.sun.com/thread.jsp?thread=468188&forum=31

  • How to use non-standard port for vnc?

    Our Windows users who use RDC to connect to their desktops from off-site come in on a non-standard port number. Part of our security setup.
    I'd like to do the same with Mac users who use screen sharing and vnc to connect remotely.
    How can I specify another port number at both ends to accomplish this?
    I can find nothing in the Network Utility app, or in the KB.
    Surely there's a short sequence of Terminal commands that will do this?

    I haven't tried this so don't know whether it will work. But I think it will. Presuming the target machine is a Mac, see if editing its /etc/services file will do it. Find the two lines that start with "vnc-server" and change the port number there. Launch Terminal.app as an administratively privileged user, sudo pico /etc/services, ^w to search for vnc-server, make the changes, ^x to exit, y to save and overwrite. Also, you will need to have screen sharing enabled in the target machine's System Preferences' Sharing, and the authorized users defined there, too. Reboot. Now, on the remote client, assuming it is also a Mac, the user would type ⌘k in the Finder (or mouse to Finder > Go > Connect to Server), and enter something like vnc://123.45.67.89:55900 where you substitute the actual IP address or host name for where I have entered 123.45.67.89, and where you substitute the actual alternate port number where I have entered 55900. Of course, in the clients' Screen Sharing's Preferences, they should choose to encrypt the entire session, not just the login. Like I said, I haven't tried this because I just tunnel my vnc stuff through ssh, but I'm thinking that this should work.

  • Http probe on non-standard tcp port 8021

    I've configured http probe on standard port 80 with no issue. I'm now trying http probe on non-standard tcp port 8021, confirmed with packet capture to confirm that the CSM is indeed probing, status code 403 is returned but the reals are showing "probe failed". Am I missing something? Thank you in advance.
    CSM v2.3(3)2
    probe 8021 http
    request method head
    interval 2
    retries 2
    failed 4
    port 8021
    serverfarm TEST
    nat server
    no nat client
    real 10.1.2.101
    inservice
    real 10.1.2.102
    inservice
    probe 8021
    vserver TEST
    virtual 10.1.2.100 tcp 8021
    serverfarm TEST
    replicate csrp connection
    persistent rebalance
    inservice
    VIP and real status:
    vserver type prot virtual vlan state conns
    Q_MAS_8021 SLB TCP 10.1.2.100/32:8021 ALL OUTOFSERVICE 0
    real server farm weight state conns/hits
    10.1.2.101 TEST 8 PROBE_FAILED 0
    10.1.2.102 TEST 8 PROBE_FAILED 0

    you need to specify what HTTP response code you expect.
    The command is :
    gdufour-cat6k-2(config-slb-probe-http)#expect status ?
    <0-999> expected status - minimum value in a range
    The default is to expect only 200.
    This is why your 403 is not accepted.
    Gilles.
