Chapter 4 - Advanced configuration

In-depth description of all IPS features, application oriented.

4.1 - Site personalities

4.1.1 - Access and security

4.1.2 - Service components

4.1.3 - User accounts

4.2 - Service components

4.2.1 - FTP component

4.2.2 - HTTP component

4.2.3 - POP3 component

4.2.4 - SMTP component

4.3 - Service responses

4.3.1 - Basic response messages

4.3.2 - Enhanced response messages

4.4 - RexxHooks


OLD DOCS BELOW:

Configuration files

All IPS configuration files are ASCII text files divided into sections; each section has a number of parameters. An example file could look like this:

[SECTION1]
Param1=Test
Param2=321

[SECTION2]
Param2=Some value
Param1=This good

Group configuration file

\cfg\ips.cfg

This is the main IPS configuration file. This file just has to exist.


\cfg\[cfggrp]\[cfggrp].cfg

For each sub-directory IPS finds below \cfg\ it assumes that the directory holds another configuration group. A configuration group is a way of defining several different user/group setups for sites with a multi-home setup. Each of these sub-directories must contain a group configuration file with the same name as the directory and the extension .cfg.

Group configuration files are made up of one [GLOBAL], one [ACCESS], one [SERVICES] and one or more service-specific sections.

[GLOBAL] section example:
[GLOBAL]
SiteDescription=Example IPS powered site
SiteAdminUser=Admin
SiteAdminMail=Admin@site.com
UserDirectory=.\cfg\main\users
StatDirectory=.\cfg\main\stats
HomeDirectoryRoot=\e\home
GroupsDefined=users
ServiceSections=TELNET FTP SMTP POP3

[GLOBAL] section parameters:

SiteDescription
    Informational text describing your site.
    Default: none

SiteAdminUser
    UserID for the main administrative user. Also known as root on UNIX systems.
    Default: none

SiteAdminMail
    E-mail address for the main administrative user.
    Default: none

UserDirectory
    Directory for the user files, relative to IPS-root or absolute. OS format.
    Default: none

StatDirectory
    Directory for the stat files, relative to IPS-root or absolute. OS format.
    Default: none

HomeDirectoryRoot
    Root directory for the users' home directories. UNIX format.
    Default: none

GroupsDefined
    A list of defined user groups.
    Default: none

ServiceSections
    A list of the service sections defined in this file.
    Default: none



[ACCESS] section example:
[ACCESS]
e:\pub\incoming\*;admin;users;777;011
e:\pub\*;admin;users;755;000
e:\;admin;users;111;000
;admin;users;711;000
*;admin;users;700;000


In the [ACCESS] section you list the accesses defined for your file systems. Access masks are OS-style path masks and may include the * and ? wildcards anywhere in the path. Note that the first matching mask is used.

This format is also used for the [ACCESS] section in the user files.

[ACCESS] section parameters (each access line has five fields separated by semicolons, in this order):

PathMask
    Mask which must match for this access line to apply.
    Example value: e:\pub\incoming\*

Owner
    UserID of the user given the owner rights of this access line, i.e. the owner of the items.
    Example value: admin

Group
    GroupID whose members are given the group rights of this access line.
    Example value: users

UnixAccess
    UNIX-style access number of three digits, one each for owner, group and other: the Owner is given the access of the first digit, users which are members of the Group are given the access of the second digit, and all other users are given the access of the third and last digit.
    Each digit is the sum of these accesses:
    1=Execute (or list) access
    2=Write access
    4=Read access
    Example value: 773

ExtendedAccess
    Special IPS additions to the standard UNIX accesses. Works the same way as above, with one digit each for owner, group and other.
    Available extended accesses:
    1=Limit delete
    Example value: 001
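To make the first-match rule and the digit decoding concrete, here is an added example (not part of IPS or its documentation) that parses the [ACCESS] section shown above and computes the effective UnixAccess and ExtendedAccess digit for a given user, group membership and path. It assumes case-insensitive mask matching and that a path matching no line gets no access; the text states neither.

```python
"""Evaluate an IPS [ACCESS] section: the first matching path mask wins."""
import fnmatch

# Constructed [ACCESS] section, copied from the example in the text.
ACCESS_SECTION = """\
[ACCESS]
e:\\pub\\incoming\\*;admin;users;777;011
e:\\pub\\*;admin;users;755;000
e:\\;admin;users;111;000
;admin;users;711;000
*;admin;users;700;000
"""

EXECUTE, WRITE, READ = 1, 2, 4   # UnixAccess digit bits from the table
LIMIT_DELETE = 1                 # ExtendedAccess digit bit from the table


def parse_access(text):
    """Return (mask, owner, group, unix, extended) tuples in file order."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("["):
            continue
        mask, owner, group, unix, ext = line.split(";")
        entries.append((mask, owner, group, unix, ext))
    return entries


def effective_access(entries, user, groups, path):
    """Return (unix_digit, extended_digit) for user on path.
    Assumptions: masks compare case-insensitively (OS/2 paths), and a path
    that matches no line gets no access at all (the text states neither)."""
    for mask, owner, group, unix, ext in entries:
        if not fnmatch.fnmatchcase(path.lower(), mask.lower()):
            continue
        column = 0 if user == owner else 1 if group in groups else 2
        return int(unix[column]), int(ext[column])
    return 0, 0


def can(entries, user, groups, path, bit):
    """True if the user's effective UnixAccess digit for path includes bit."""
    unix, _ = effective_access(entries, user, groups, path)
    return bool(unix & bit)


def delete_limited(entries, user, groups, path):
    """True if the ExtendedAccess digit sets 1=Limit delete for this user/path."""
    _, ext = effective_access(entries, user, groups, path)
    return bool(ext & LIMIT_DELETE)
```

Because the first matching line wins, the order of the lines decides the outcome: with the example section, a member of users gets 7 on e:\pub\incoming\x.zip but only 5 on e:\pub\readme.txt.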



Parameters common for all service-sections, example:
[service-section]
Protocol=
Address=
Port=
Host=
LogFile=
LogFlag=
DebugFlag=



Parameters common for all service-sections:

Host
    Host name this service should identify itself as.
    Default: none

Protocol
    Which protocol this service should run. Possible choices are:
    telnetd for shell login
    ftpd for File Transfer Protocol (RFC 959)
    smtpd for Simple Mail Transfer Protocol (RFC 821)
    pop3d for Post Office Protocol - Version 3 (RFC 1939)
    Default: none

Address
    Optional parameter selecting which IP address the service should listen on, for a multi-homed setup on a machine with several IP addresses. The address is given as four decimal numbers separated by dots only.
    Default: any IP address

Port
    Optional parameter used to run services on non-standard ports. Keep in mind that many firewalls may block users from accessing services on non-standard ports.
    Default: protocol dependent:
    ftpd 21
    telnetd 23
    smtpd 25
    pop3d 110

Timeout
    Time in seconds the connection can be inactive before it is closed.
    Default: none

LogFile
    Name of the file in which all activity on this service is logged. This file should always have the default extension of .log.
    Default: none

LogFlag
    Level of logging to perform. The levels are protocol dependent. Set the levels for those log entries you do not want.
    FTPd:
    1=PASS, USER
    2=APPE, DELE, RETR, RNFR, RNTO, STOR
    4=CDUP, CWD, LIST, NLST, XCUP, XCWD
    8=MKD, RMD, XMKD, XRMD
    16=MDTM, SIZE, TYPE
    32=PORT, REST
    64=PWD, SITE, SYST, XPWD
    ABOR, FEAT, HELP, MODE, NOOP, PASV, QUIT, REIN, STAT,
    SMTPd:
    1=HELO
    2=MAIL, RCPT
    4=DATA
    8=RSET
    POP3d:
    1=PASS, USER
    2=DELE, RETR
    4=LIST, STAT
    8=RSET
    QUIT
    Default: none

DebugFlag
    Level of debug logging to perform. This is added together from these levels:
    1=Incoming commands
    2=Outgoing command replies
    4=Long commands or replies
    8=Trace internals
    Level 8 should only be used if requested by support personnel.
    Default: none

ClientAddress
    List of IP or host masks to allow or deny access. The first matching mask will be used.
    One example: "127.* !*" will allow access from all IP addresses starting with 127. and deny all others.
    Default: none
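The same first-match mask list is used by ClientAddress here, by ForwardAddress in the SMTP section and by ClientAddress in the user files. The following added example (not IPS code) evaluates such a list and flags masks that can never be reached; it assumes that an empty setting means no filter, that masks are tried case-insensitively against the dotted IP and the caller-supplied host name, and that a client matching no mask is denied, none of which the text states.

```python
"""Evaluate an IPS ClientAddress / ForwardAddress mask list (added example)."""
import fnmatch


def parse_masks(setting):
    """Split a space-separated mask list into (deny, pattern) pairs; '!' prefix = deny."""
    masks = []
    for token in setting.split():
        deny = token.startswith("!")
        masks.append((deny, token[1:] if deny else token))
    return masks


def client_allowed(setting, ip, host=None):
    """True if the first mask matching the client is an allow mask.

    Assumptions the text does not state: an empty setting means no filter (allow);
    a mask is tried against the dotted IP and, if supplied, the host name,
    case-insensitively; a client matching no mask is denied."""
    masks = parse_masks(setting)
    if not masks:
        return True
    candidates = [ip.lower()] + ([host.lower()] if host else [])
    for deny, pattern in masks:
        if any(fnmatch.fnmatchcase(c, pattern.lower()) for c in candidates):
            return not deny
    return False


def unreachable_masks(setting):
    """Masks listed after a catch-all ('*' or '!*') can never be reached,
    because the first matching mask decides. Useful when reviewing a config."""
    masks = parse_masks(setting)
    for i, (_, pattern) in enumerate(masks):
        if pattern == "*":
            return [("!" if d else "") + p for d, p in masks[i + 1:]]
    return []
```

Note that "10.* !10.99.* *" still admits 10.99.1.1, because the earlier allow mask matches first; the deny mask has to come before the broader allow.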



FTP services

RootDirectory
    Basic root directory of FTPd. UNIX format.
    Default: none

MaxUserBandwidth
    Maximum retrieve bandwidth for each normal user session.
    Default: none

MaxAnonBandwidth
    Maximum retrieve bandwidth for each guest session.
    Default: none

TimeoutMax
    Maximum time-out allowed by the SITE IDLE command.
    Default: none

WelcomeFile
    Path of the initial welcome file. OS format.
    Default: none

HideIfNoAccess
    Hide files and directories which the user has no access to from directory listings.
    Default: none

MinFreeSpace
    Do not allow uploads on disks with less than xx MB free space.
    Default: none

DisableEA
    Disable EA access system. (1=disable)
    Default: 0

DisableDircount
    Disable display of subdirectory count. (1=disable)
    Default: 0

rxOnConnect
    Path of RexxHook called when a new user connects. The script should return 0 if the connection is OK, or a response if not.
    Default: none

RxOnCommand
    Path of RexxHook called when each command is received, before it is executed. The script should return 0 or a changed command line.
    Default: none

rxOnPass
    Path of RexxHook called when the password for a guest session is received. The script should return 0 if OK, or a response to reject the log-in.
    Default: none

rxOnRetr
    Path of RexxHook called before a file is sent to the user. The script should return 0 if the transfer is to proceed, and a response if it is rejected.
    Default: none

RxOnSite
    Path of RexxHook called before executing internal SITE commands. The script returns 0 to allow internal execution of the command, or rejects it by returning a response.
    Default: none

rxOnStor
    Path of RexxHook called before a file is received from the user. The script should return 0 if the transfer is to proceed, and a response if it is rejected.
    Default: none

rxOnUser
    Path of RexxHook called after a user name is received and a user file is found. The script should return 0 if the log-in is OK, or a response to reject it.
    Default: none

POP3 services

rxOnCommand
    Path of RexxHook called when each command is received, before it is executed. The script should return 0 or a changed command line.
    Default: none

rxOnConnect
    Path of RexxHook called when a new user connects. The script should return 0 if the connection is OK, or a response if not.
    Default: none

rxOnUser
    Path of RexxHook called after a user name is received and a user file is found. The script should return 0 if the log-in is OK, or a response to reject it.
    Default: none



SMTP services

ForwardAddress
    Like ClientAddress, but controls the hosts allowed to forward messages through this server.
    Default: none

ForwardToServer
    If set, all outgoing messages will be forwarded to this server. An IP address should be given, not a hostname.
    Default: none

QueueDirectory
    Directory messages are queued in.
    Default: none

LocalDomains
    List of domains which are handled by this server.
    Default: none

rxOnCommand
    Path of RexxHook called when each command is received, before it is executed. The script should return 0 or a changed command line.
    Default: none

rxOnConnect
    Path of RexxHook called when a new user connects. The script should return 0 if the connection is OK, or a response if not.
    Default: none

rxOnData
    Path of RexxHook called when a new message body has been received but before any delivery is done. Should always return 0. Access to the message file is allowed during this call.
    Default: none



TELNET services:

(No parameters are documented for this service.)


Language configuration files

The various language files are stored in the .\cfg\ directory. These files come standard with IPS and contain all the responses sent to a user/client during a session. The files are named ips<protocol> and may optionally have a language identifier as extension.

The files are similar, but have some differences between protocols.

.\cfg\ipsftp

This file has one section for each FTP command, with values for all responses to be given. The identifier of each value is the FTP response number plus one additional character: a lowercase character specifies a direct response, an uppercase character specifies a file path for a multi-line response. The files in the .\msg\ directory are referenced from the standard supplied ipsftp file. This file may change between releases without further notice (running a diff on every upgrade is a good idea).

System variables and FIBs may be used in responses. FTP clients may change the session language by issuing a SITE LANG command, which loads another ipsftp file.

.\cfg\ipspop3

Since POP3 is mainly used by automatic programs I see no need to document this.

.\cfg\ipssmtp

Since SMTP is mainly used by automatic programs I see no need to document this.



User files

Users are defined using a one-file-per-user-account approach. User files are by default placed in .\cfg\*\users\[userid], where * is the site personality (the default distribution only comes with one personality, named main).

The default users are admin, ftp, anonymous and user, each in its own file: .\cfg\main\users\admin, .\cfg\main\users\ftp, .\cfg\main\users\anonymous and .\cfg\main\users\user.

Passwords for the default users are adminpassword for admin and password for user. ftp and anonymous are both anonymous users, which take an e-mail address as password.

Parameters for the user files' [USER] section:

Username
    The name of the user, which must match the file name for the user account to work. Since file names on OS/2 and NT are not case sensitive, this is where the correct case matters.
    Default: none

Fullname
    The full name of the user.
    Default: none

Aliases
    A list of Username aliases. These work just like having multiple usernames.
    Default: none

Password
    The user's password, encrypted with the .\bin\pwd2 or .\bin\pwd32 utility. When making a new user you can put a - in front of a non-encrypted password, and it will be encrypted on the first login. If set to the exact text "<external>", special external authentication is expected.
    Default: none

ChangePassword
    Set to 1 if this account can change its password, else set to 0.
    Default: none

APOPSecret
    Unencrypted secret for APOP authentication on the POP3 service.
    Default: none

Anonymous
    Set to 1 if this is an anonymous user account, else set to 0.
    Default: none

Administrator
    Set to 1 if this is an administrative user account, else set to 0.
    Default: none

RootDirectory
    Set this if the user should have another virtual root. The virtual root for the user is the RootDirectory setting in the FTP section plus the setting here.
    Default: none

LoginDirectory
    Set this if you want to direct the user to a specific directory at login; it is relative to the virtual root of the user.
    Default: none

ClientAddress
    User address allow/deny filter.
    Default: *

MaxBandwidth
    Maximum retrieve bandwidth for each normal user session.
    Default: 0

MemberOfGroups
    List of the groups this user is a member of.
    Default: none
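Two of the rules above are easy to get wrong when user files are edited by hand: the Username value must equal the file name in the exact case, and a password entered with a leading - stays unencrypted until the first login. This added example (not part of IPS) parses a constructed user file for a hypothetical account Bob and reports both conditions; the section parser also keeps the bare [ACCESS] lines, which have no key=value form.

```python
"""Parse an IPS user file and check the [USER] rules from the table (added example)."""

# Constructed user file for a hypothetical account stored as .\cfg\main\users\Bob
USER_FILE_NAME = "Bob"
USER_FILE_TEXT = """\
[USER]
Username=bob
Password=-changeme
MemberOfGroups=users

[ACCESS]
e:\\home\\bob\\*;bob;users;700;000
"""


def parse_sections(text):
    """Return {SECTION: {key: value}}; lines without '=' go under "__lines__"."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].upper(), {"__lines__": []})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
        elif current is not None:          # e.g. the [ACCESS] lines
            current["__lines__"].append(line)
    return sections


def lint_user_file(file_name, text):
    """Findings for: Username must equal the file name in the exact case; a '-'
    password is stored unencrypted until first login; "<external>" auth."""
    user = parse_sections(text).get("USER", {})
    findings = []
    name = user.get("Username")
    if name is None:
        findings.append("Username missing")
    elif name != file_name:
        why = "case differs from" if name.lower() == file_name.lower() else "does not match"
        findings.append("Username %s file name; account will not work" % why)
    password = user.get("Password", "")
    if password.startswith("-"):
        findings.append("Password unencrypted until first login")
    elif password == "<external>":
        findings.append("external authentication expected")
    return findings
```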



User files [ACCESS] section:

User files also have an access section. It is read before the same section in the main.cfg file, and the format is the same as in main.cfg.

User files [STAT] section:

This section is read-only and contains some of the statistics from the stat files in the stats directory. The entries here are read-only and are put here for easy reading by add-on applications.