topic Re: disable telnet and allow su in Operating System - HP-UX

disable telnet and allow su

Fernando Jose P de Souz — Mon, 24 Jan 2005 13:07:10 GMT

Hi,

i would like a help:

i want to deny access by telnet,
but i want to allow access by su, ftp and rlogin.

How can i proced this?

Wait

Fernando.

Re: disable telnet and allow su

Rick Garland — Mon, 24 Jan 2005 13:09:10 GMT

In the /etc/services file you can turn off the telnet protocol. Do an 'inetd -c' to have the config reread.

This will not affect the ftp and rlogin and su.

Re: disable telnet and allow su

Fernando Jose P de Souz — Mon, 24 Jan 2005 13:13:22 GMT

i forgot a topic:

i want to deny telnet just a one user.

Re: disable telnet and allow su

HGN — Mon, 24 Jan 2005 13:13:49 GMT

Hi

The file /etc/inetd.conf has the entry for telnet which can be commented out. You can re-read the inetd or you can do a kill -HUP on the inetd process. Only the commented process will be affected and others will still keep working.

Rgds

HGN

Re: disable telnet and allow su

Florian Heigl (new acc) — Mon, 24 Jan 2005 13:15:45 GMT

put a hash in front of the line starting telnet in /etc/inetd.conf like in the following
#telnet stream tcp nowait
root /usr/lbin/telnetd telnetd

possibly there's a second line for ipv6 starting with telnet6, but usually there isn't.

after saving the file, restart inetd with inetd -c

Re: disable telnet and allow su

Florian Heigl (new acc) — Mon, 24 Jan 2005 13:19:23 GMT

Fernado: Ah just read Your second post - on other unices I did this using /etc/hosts.allow and /etc/hosts.deny, but it appears they are not there on hp-ux.

the ugly way would be updating the users .profile (he MUST NOT own it after that change) to check for his terminal, if it's /dev/pty/*, an immediate logout must happen.

But I wouldn't call this a good solution :(

Re: disable telnet and allow su

Rick Garland — Mon, 24 Jan 2005 13:39:26 GMT

How about turning off the telnet protocol from the users PC/workstation?

If you remove the telnet from the user side then you won't need to do anything on the UNIX side.

Note this is only for 1 user. If you have multiple users the another solution is called for.

If you know the IP address of the user's location (and this does not change) then can do the hosts.deny and hosts.allow.

Other options are available as well.

Re: disable telnet and allow su

Bill Hassell — Mon, 24 Jan 2005 16:14:12 GMT

There is n way to turn off telnet in inetd.conf for one user. This must be done in /var/adm/inetd.sec (hosts.deny equivalent). In there, you put the IP address of the problem system. NOTE: you cannot deny a specific user for telnet because telnet does not authenticate anyone--there is no way to predict what a user will type at the keyboard for a login, so if the bad user keeps changing IP addresses (ie, DHCP), then it's fairly easy: just add a lockout in /etc/profile:

BADUSER=william
if [ $(id -un) = $BADUSER ]
then
exit
fi

This requires that the bad user has /usr/bin/sh as their login shell (which is the default). You can easily test this by logging in as the bad user and see that it immediately exits.