Operating System - HP-UX

Restricting network services to a group of users

Robin King_1
Regular Advisor

Restricting network services to a group of users

I posted a message a while back about this, but was looking specifically at ACLs. That didn't work, so I'll try a general shout for help...

I have an HP-UX 11.23 server, and for contractual reasons, I need to make sure that a small group of users are allowed access to the box (SSH), but once on the server, they can't 'leave' the server and use it to jump onto other nodes on the LAN.

I need to cater for all protocols, telnet, ftp, SSH etc.

Any suggestions would be greatly appreciated.
Warren_9
Honored Contributor

Re: Restricting network services to a group of users

hi,

How about changing the owner and permissions of telnet, ftp and ssh to group "x", not all "x"? Just like we usually do on "su".

Then configure the second group for those users who need to use telnet/ftp/ssh.

GOOD LUCK!!

RAC_1
Honored Contributor

Re: Restricting network services to a group of users

For telnet/ssh, this will work.

On all hosts where you do not want them to have access, put the following code in /etc/profile.

# Refuse the login on this host for the named user (hostname is a command, so use $(...))
if [ "${LOGNAME}" = "user_name" ]; then
    echo "No access here-$(hostname)"
    exit 1
fi

For ftp, put those users in /etc/ftpd/ftpusers file.
There is no substitute to HARDWORK
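The /etc/profile check above names a single user and a single host. The snippet below is an added example, not RAC_1's code, that generalizes it to a whole restricted group read from an /etc/group line, so the same fragment can be dropped onto every host and only the one host the group is allowed to log in to lets them through. The group name "nojump", the host name "bastion01" and the function name login_decision are hypothetical; the /etc/group line used in the demonstration is constructed.

```shell
#!/bin/sh
# Added example: decide at login time whether a user from a restricted group
# may stay on this host. Pure function of its arguments so it can be tested
# without touching the real /etc/group or hostname.
#
# login_decision USER GROUPLINE THISHOST ALLOWEDHOST
#   USER        - the login name (normally $LOGNAME)
#   GROUPLINE   - the /etc/group entry for the restricted group,
#                 "name:x:gid:member,member,..." (constructed in the demo)
#   THISHOST    - name of the host the login is happening on
#   ALLOWEDHOST - the only host the restricted group may log in to
# Prints "deny" when USER is a member of the group and THISHOST is not
# ALLOWEDHOST; prints "allow" otherwise (non-members are never blocked).
login_decision() {
    user=$1
    groupline=$2
    thishost=$3
    allowedhost=$4

    # Fourth colon-separated field is the comma-separated member list.
    members=$(printf '%s\n' "$groupline" | cut -d: -f4)

    # Wrap in commas so "bob" cannot match "bobby" or "abob".
    case ",$members," in
        *",$user,"*)
            if [ "$thishost" = "$allowedhost" ]; then
                echo allow
            else
                echo deny
            fi
            ;;
        *)
            echo allow
            ;;
    esac
}

# Demonstration with a constructed /etc/group line (hypothetical group "nojump").
demo() {
    grp='nojump:x:500:alice,bob'
    printf 'bob on dbserver:   %s\n' "$(login_decision bob "$grp" dbserver bastion01)"
    printf 'bob on bastion01:  %s\n' "$(login_decision bob "$grp" bastion01 bastion01)"
    printf 'root on dbserver:  %s\n' "$(login_decision root "$grp" dbserver bastion01)"
}

# How the function would be wired into /etc/profile on every host
# (kept as a comment here so sourcing this file does not end the shell):
#   if [ "$(login_decision "$LOGNAME" "$(grep '^nojump:' /etc/group)" \
#                          "$(hostname)" bastion01)" = deny ]; then
#       echo "No access here-$(hostname)"
#       exit 1
#   fi

demo
```

As with the original snippet, this only stops an interactive login that actually reaches a host carrying the check; it does nothing for hosts that are not UNIX or where /etc/profile is not deployed, which is exactly the limitation Robin raises in the next reply.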
Robin King_1
Regular Advisor

Re: Restricting network services to a group of users

Warren, the problem is tracking down every possible way to exit the box; that includes things like perl and obscure protocols I probably haven't even heard of. I have very strict security guys that I have to keep happy.

RAC, unfortunately that's not really possible; there are hundreds of servers on the LAN, very few of them UNIX.

What I'm trying on HP-UX can be achieved in seconds on Solaris, by changing the ACL for /dev/udp and /dev/tcp to deny rwx to the users' specific group. For some unknown reason it doesn't have the same effect on HP.
Ninad_1
Honored Contributor

Re: Restricting network services to a group of users

Guys,

I guess what Robin is asking is not restricting connection to the particular server, but once connected to this server, the user should not be able to telnet/ssh/ftp any other server from here.
Is that right Robin?

regards,
Ninad
Robin King_1
Regular Advisor

Re: Restricting network services to a group of users

Correct, Ninad.
Roland Piette
Regular Advisor

Re: Restricting network services to a group of users

Hi Robin,

I suggest looking at the man page for the inetd.conf file and also hosts.equiv.

I hope it will help you.

Roland