topic Re: Telnet and ftp in Operating System - HP-UX

Telnet and ftp

Angelo Mercieca — Sun, 22 Feb 2004 14:15:41 GMT

I would like to stop the use of telnet and ftp commands by all users except by root and specified users. Is this possible? If so, how do I go about doing it?
Thank you.

Re: Telnet and ftp

Pieter_5 — Sun, 22 Feb 2004 14:21:49 GMT

You can disable acces to ftp by placing a user in the file /etc/ftpd/ftpusers.

Re: Telnet and ftp

Bill Hassell — Sun, 22 Feb 2004 15:16:10 GMT

The easiest way is to remove their accounts. If the problem users use your system with tools like email, you can replace their shell /usr/bin/sh with /usr/bin/false. They can login but will immediately be disconnected.

Re: Telnet and ftp

Michael Tully — Sun, 22 Feb 2004 16:54:38 GMT

The easiest way would be to create a seperate /etc/passwd file for the duration of how long you wish to not allow the majority of users onto your system. Only other way is to have a list of the specified users and apply this list to /etc/profile. You can place some code in /etc/profile that reviews the list and evaluate whether these users can login or not. My suggestion is the first, by using a second /etc/passwd list.
This posting, may help with the code with /etc/profile should you like to make use of it.

Re: Telnet and ftp

Sridhar Bhaskarla — Mon, 23 Feb 2004 01:24:01 GMT

Hi,

I don't know if I understood your question correctly. If you are asking about the users that can 'telnet|ftp' *into* the system, then you already got the answer.

If you are asking about restricting the users to access 'telnet|ftp' on the system, then one way is to change the permissions on these executables. Create a group with users that need access to telnet and ftp. Change the permissions on these commands to allow only owner and the group to execute.

However, there are other ways by which users can simulate telnet and ftp and the above doesn't really stop the ones that want to use them.

A solid alternative is to create the users with restricted shell. For ex., create the user with the shell /usr/bin/rsh. Edit his/her profile and place PATH=/usr/restrict/bin. Make the owner as root. This way user can execute only the commmands in /usr/restrict/bin directory. You can link|copy the commands you want to there.

-Sri

Re: Telnet and ftp

T G Manikandan — Mon, 23 Feb 2004 01:55:48 GMT

you can stop telnet login of root by creating a file /etc/securetty.

Also add root user to /etc/ftpd/ftpusers

to deny ftp login as root.

Re: Telnet and ftp

Sridhar Bhaskarla — Mon, 23 Feb 2004 02:06:11 GMT

Hi (Again),

I forgot to caution about changing the permissions. Your swverify will report errors as the permissions got changed on these binaries. Also, they may get replaced by a patch. So, whenever you install patches, make sure to check the permissions.

There are softwares like eTrust Access control, powerbroker etc., that can be used to effectively shut down the permissions on what the user can|cannot do. But you have to play $$ for that.

-Sri

Re: Telnet and ftp

rmueller58 — Mon, 23 Feb 2004 09:18:02 GMT

You can selective enable/disable internetworking services from SAM.. with the following path (at least 11x)

Networking and Communication -->
System Access-->
Internet Services -->

From this path you can disable the services