topic Re: Permit root login through one network (NIC) only in Operating System - HP-UX

Permit root login through one network (NIC) only

Philip Kernohan — Wed, 26 Jan 2005 14:39:16 GMT

I need a secure method of permitting root access when a login comes through one NIC card and not the other.

For example, if my NICs are:

10.26.100.10 and
231.62.100.231

is it possible to permit root access through the 10.X.X.X NIC and *NOT* through the 231.X.X.X NIC?

I know the easiest method is be secure with the root password but allowing access from only within a particular physical environment would make me feel more comfortable.

Any and all help appreciated.

PK

Re: Permit root login through one network (NIC) only

RAC_1 — Wed, 26 Jan 2005 14:42:19 GMT

Do not give that ip address to anyone!!
Else, I can think of ipfilter, tcp wrappers

Anil

Re: Permit root login through one network (NIC) only

Ken Penland_1 — Wed, 26 Jan 2005 14:43:09 GMT

I asked a similar question in the past, and was pointed to ipfilter:

http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=B9901AA

Re: Permit root login through one network (NIC) only

Kevin Wright — Wed, 26 Jan 2005 14:52:50 GMT

Run an sshd daemon that just listens on that specific interface and set PermitRootlogin to yes.

Re: Permit root login through one network (NIC) only

Philip Kernohan — Wed, 26 Jan 2005 15:13:33 GMT

The IP addresses are for example only, they're not actually mine.

I'll check out the suggestions and assigns points shortly.

PK

Re: Permit root login through one network (NIC) only

Biswajit Tripathy — Wed, 26 Jan 2005 20:50:28 GMT

Ken / Anil,

No, you can't use IPFilter.

IPFilter can only allow/deny access based on IP
address / port #, but it does not have any control
over the user name. For ex, you allow/deny telnet
from 10.26.100.10, you have to allow/deny ALL
users from that machine.

- Biswajit

Re: Permit root login through one network (NIC) only

Steven E. Protter — Wed, 26 Jan 2005 23:19:59 GMT

If you are having problems with your root password being locked from the 231 network, I have a daemon I developed called monbad that effeictively stops the script kiddies.

You can probably put some code into your /etc/profile that can pick up where the login came from and reject the user. But that will only work for users that have the password.

IPFilter is designed to block ports and protocols, not individual users.

Let me know if you meed monbad and I'll post it somewhere. It is designed for secureshell logins but can easily be upgraded to handle telnet.

Letting root log on with telnet is a bad idea because the password goes through the network in clear text.

SEP

Re: Permit root login through one network (NIC) only

Philip Kernohan — Thu, 27 Jan 2005 01:50:10 GMT

SEP,

I'd be interested in monbad if you can share it?

The method I've heard of before used /etc/profile and a query of where that person was logging in from with probably 'who -a'(?) but I'm concerned this is easy to break (ctrl-\ perhaps?).

I reviewed IPFilter and found that it has no control over specific users as implied by the name.

More to research ...

PK