topic Re: telnet in Operating System - HP-UX

telnet

amit singh_3 — Wed, 24 Mar 2004 06:03:22 GMT

How to block the user from accessing the
system through telnet.
how to restrict the user from using the telnet
utility?

Amit Singh

Re: telnet

Jean-Luc Oudart — Wed, 24 Mar 2004 06:08:56 GMT

If you know the user's IP@
change /var/adm/inetd.sec

man inetd.sec

Regards,
Jean-Luc

Re: telnet

Mark Grant — Wed, 24 Mar 2004 06:10:57 GMT

Or if it's to stop everyone using it, comment out the telnetd entery in /etc/inetd.conf and restart inetd.

Re: telnet

amit singh_3 — Wed, 24 Mar 2004 06:15:07 GMT

ur not getting me,
what I want to say is that...
I am having auser "ana" & "root" from the other servers. I want that they should not do the telnet to my servers.
What should i do ?

Amit Singh

Re: telnet

Naveej.K.A — Wed, 24 Mar 2004 06:15:24 GMT

why would like to stop telnet for a particular user?? Then what access you want to give the user other than telnet??

Is it a permanently or temporarily.
type:

> home direcotyr of user/logout

this will creat a file logout in user's home directory

and then put this entry in the .profile of the user's home directory.

if (test -f logout)
then exit 0
fi

to enable access to the user remove the file logout from the home directory of the user.

with best wishes.
naveej

Re: telnet

Mourad Derriche — Wed, 24 Mar 2004 06:15:35 GMT

As suggested, use /var/adm/inetd.sec to restrict inbound access.

Regarding limiting the use of the telnet application, it's another matter where you have the option to incorporate a set of different approaches. Each approach have some cons.

1) Completely remove telnet from the system.

2) Move the telnet binary to a directory which is only accessible by certain users.

3) Wrap the telnet binary in a script.

4) Setup a jailed shell, which doesnt include the binary.

No matter which approach you choose, you have to ensue that the user aint able to transfer data to the account, otherwise the user would be able to circumvent the restriction by uploading a binary with telnet capabilities.

Re: telnet

Naveej.K.A — Wed, 24 Mar 2004 06:30:54 GMT

In yoour case, as you know from where the user is going to telnet and with what user name the user is going to log in..

U can easily set up a script in the .profile of the home directory of the user or in the /etc/profile , which matches the IP address and the user name by executing whomai and who -u and hence denying access...

With best wishes
naveej

Re: telnet

amit singh_3 — Wed, 24 Mar 2004 06:42:11 GMT

In linux we are having the /etc/xinetd.d/telnet in which we can specify the uid's which are allowed to the system.
does HP-Ux is having that kind of functionality? thats what I want to know.

also if I want to block the root from the
other system for doing the telnet to my machine, I can edit the /etc/securetty file
in linux and remove the line "telnet" from that, but what to do in HP-Ux?

Amit Singh

Re: telnet

Jean-Luc Oudart — Wed, 24 Mar 2004 06:48:11 GMT

on HPUX

/etc/securetty
one line
console

so only root cannot telnet from a remote system. You will have to telnet as another user then su for root.

Regards,
Jean-Luc

Re: telnet

Shaikh Imran — Wed, 24 Mar 2004 06:48:54 GMT

Hi,
For telnet restrictions try from SAM
for denying root telnet access just create a file /etc/securetty and add "console" with the following command:
#cat "console" > /etc/securetty

Reg

Re: telnet

KapilRaj — Wed, 24 Mar 2004 06:51:41 GMT

Can think of installing "SSH" and disabling telnet I think ssh can have such controls though not tested

Regds,

Kaps

Re: telnet

amit singh_3 — Wed, 24 Mar 2004 07:14:43 GMT

hey jean I agree with U but what about the
normal user? if I want that the particular user should not do the telnet to my machine
then which file should I change?

Amit singh

Re: telnet

Shaikh Imran — Wed, 24 Mar 2004 07:23:19 GMT

The /etc/securetty file is for root only and normal users can login from any other pc but root can only login through console.
You can use a normal user login and use su to get the root login if required.

Reg

Re: telnet

Jean-Luc Oudart — Wed, 24 Mar 2004 07:42:18 GMT

If you have /etc/default/security setup

remove/rename this user home directory and amend the security file with :
ABORT_LOGIN_ON_MISSING_HOMEDIR=1
Therefore the user with no valid home directory will fail to login.

Jean-Luc
PS : I haven't tried myself, this is from documentation
check this link
http://www.interex.org/pubcontent/enterprise/jul01/09uxqa.html

Re: telnet

amit singh_3 — Thu, 25 Mar 2004 02:05:29 GMT

hey jean,

thanks for Ur help.
but would U tell me what will happen if I put the name of the user in /etc/nologin.
& do You have any document on these things.
I will be thankfull to U.

byeeeee

Amit Singh

Re: telnet

KapilRaj — Thu, 25 Mar 2004 02:16:30 GMT

a file /etc/nologin will reject all users except root from logging onto the node

I never tried inserting an userid out there

Kaps

Re: telnet

Suresh Patoria — Thu, 25 Mar 2004 02:28:10 GMT

Hi

Make the comment in /etc/services and /etc/inetd.conf file

Thanx

Re: telnet

Jean-Luc Oudart — Thu, 25 Mar 2004 04:36:54 GMT

Hi Amit,

as mentioned /etc/nologin is too extreme for what you are looking for.
In my previous post I mentioned another possibility (eventhough I have not tested it!).

Also, you should assign points to the forumers who contributed to your threads.

Regards,
Jean-Luc

Re: telnet

Robert-Jan Goossens — Thu, 25 Mar 2004 05:06:04 GMT

Hi Amit,

Block one user for telnet, but he can still use ftp ?

change his shell entry in the /etc/passwd file to /usr/bin/false.

Robert-Jan

Re: telnet

amit singh_3 — Thu, 25 Mar 2004 09:26:20 GMT

hey Robert,

If I am changing the shell entry in passwd file then how he will be getting the shell
whenever he is logging.
another thing is that if that user from the other server then?
I think this is not the permanent solution to this.

Amit Singh