prevent telnet

kacou — Fri, 06 Jun 2008 09:16:52 GMT

How can i prevent telnet for a specify user or account?

help me please

Re: prevent telnet

Asif Sharif — Fri, 06 Jun 2008 09:20:01 GMT

Hi Kacou,

See the below thread.

http://forums11.itrc.hp.com/service/forums/questionanswer.do?threadId=92298

Regards,
Asif Sharif

Re: prevent telnet

Jeeshan — Fri, 06 Jun 2008 09:34:34 GMT

Here is your answer

http://forums11.itrc.hp.com/service/forums/questionanswer.do?threadId=828012

Re: prevent telnet

kacou — Fri, 06 Jun 2008 10:59:44 GMT

i use the code below but the user with id 116 can not log using 'su'? why
--------------------------
uid=$(id -u)
if [[ ${uid} -eq "116" ]]
then
echo "This account is not allowed to login
directly"
exit 1
fi

Re: prevent telnet

Avinash20 — Fri, 06 Jun 2008 13:48:35 GMT

Since a user name is not known until the user tries to login, you need to restrict / permit using code in the system /etc/profile . You cannot restrict by user with /var/adm/inetd.sec, TCP Wrappers, nor IPFilter. Here are some suggestions to follow:
FIRST, determine if the user logged in via telnet. There are several methods to do this. Here are two to consider:
1. Examine the user tty to determine if it is a telnet device /dev/pts/t*
Click here to see an Example:
if [ `tty | cut -c 1-10` = "/dev/pts/t" ] ;
then
...Code to determine if user is denied or permitted;
See the next section of this document.
Security tip: use "logger" to log access attempt
by denied users.

fi
2. Examine the user login process list checking for telnetd to determine if the user is connected via telnet.
Click here to see how to check for telnetd:
if [ `ps | grep -q telnetd` ] ;
then
...Code to determine if user is denied or permitted;
See the next section of this document.
Security tip: use "logger" to log access attempt
by denied users.
fi

SECOND, detect if the user is denied / permitted access via telnet. There are many methods available. Here are 3 possibilities to consider for denying access:
1. Examine the user login name and test programmatically with user names hard-coded in /etc/profile. This is useful when only a very small number of users is to be permitted or denied. To see a code example to deny telnet by user name "testhack" go to ftp://ftp.hp.com/pub/enterprise/programming_code/c00843266_CodeExample_Denying_testhack.txt.
Click here to see a code example to deny access by user name:
if [ "$LOGNAME" = "testhack" ] ;
then
logger "telnet attempt by $LOGNAME not permitted"
exit
fi

2. Examine the user login name and test by reading an access/deny list from a flat file. Since the user has to be able to read the file it is not very secure. Make the permissions 444 and owner root/sys . You could create a database of some kind to be more secure. This is useful if you have a large number of users and more than a small number should be permitted or denied. The disadvantage is that the shell could be interrupted by the user before the check is complete, and the execution time could be lengthy causing long login times.
For an example to deny access to users in the /etc/.deny_telnet file, go to ftp://ftp.hp.com/pub/enterprise/programming_code/c00843266_CodeExample_Denying_Access.txt.
Click here to see a code example to deny access to users in the deny telnet file:
cat /etc/.deny_telnet | while read name
do
if [ "$LOGNAME" = $name ] ;
then
logger "telnet attempt by $LOGNAME not permitted"
exit
fi
done

3. Use a unique secondary group ID or IDs to identify the permitted or denied telnet users. In the example in /etc/group, testhack is in the group of users not permitted to telnet.
To see the example go to ftp://ftp.hp.com/pub/enterprise/programming_code/c00843266_Users_Not_Permitted.txt.
Click here to see an Example of Users Not Permitted Access:
users::20:root
notelnet::7777:testhack,sam,joe,jane,michelle
notelnet2::7778:jim,bill,sue

Code snippet to detect if effective user ID is member of group denied telnet access:

if [`id -Gr | grep -q -E '7777|7778'` ] ;
then
logger "telnet attempt by $LOGNAME not permitted"
exit
fi

NOTE: Whatever method is used, please try to be as flexible as possible, and consider ease of maintenance and administration.

Re: prevent telnet

Laurent Menase — Mon, 09 Jun 2008 05:44:38 GMT

SAFeR product with Fine Grain Privilege + RBAC

topic Re: prevent telnet in Operating System - HP-UX

prevent telnet

Re: prevent telnet

Re: prevent telnet

Re: prevent telnet

Re: prevent telnet

Re: prevent telnet