https://community.hpe.com/t5/operating-system-hp-ux/telnet-security/m-p/5006696#M425693 Hi,<BR /><BR />If you are unable to use ACLs, you could create a telnet wrapper script.<BR /><BR />#!/usr/bin/sh<BR />TELNET=/obfuscated/path/to/telnet<BR />DENIED_USER=user1<BR />[[ "$(whoami)" = "${DENIED_USER}" ]] &amp;&amp; echo "telnet denied" || ${TELNET}<BR />exit<BR /><BR />Move the telnet binary to an obscure directory that's not listed in ${PATH}. Save the script as /usr/bin/telnet.<BR /><BR />PCS Wed, 04 Oct 2006 07:14:56 GMT spex 2006-10-04T07:14:56Z https://community.hpe.com/t5/operating-system-hp-ux/telnet-security/m-p/5006694#M425691 Hi <BR /><BR /> for security reason,how can I deny a certain user telnet from a host to all other hosts?modify only can do in this host,any idea? Wed, 04 Oct 2006 04:06:40 GMT https://community.hpe.com/t5/operating-system-hp-ux/telnet-security/m-p/5006694#M425691 Ming.Dynasty 2006-10-04T04:06:40Z https://community.hpe.com/t5/operating-system-hp-ux/telnet-security/m-p/5006695#M425692 Hi,<BR />the only way I know of and I have never used it in a real environment, is to create an ACL for the telnet command:<BR /><BR />setacl -m user:fred:--- /usr/bin/telnet<BR /><BR />This will give the user fred a message of "Permissions denied" when he issues the telnet command. Wed, 04 Oct 2006 04:30:10 GMT https://community.hpe.com/t5/operating-system-hp-ux/telnet-security/m-p/5006695#M425692 Peter Godron 2006-10-04T04:30:10Z https://community.hpe.com/t5/operating-system-hp-ux/telnet-security/m-p/5006696#M425693 Hi,<BR /><BR />If you are unable to use ACLs, you could create a telnet wrapper script.<BR /><BR />#!/usr/bin/sh<BR />TELNET=/obfuscated/path/to/telnet<BR />DENIED_USER=user1<BR />[[ "$(whoami)" = "${DENIED_USER}" ]] &amp;&amp; echo "telnet denied" || ${TELNET}<BR />exit<BR /><BR />Move the telnet binary to an obscure directory that's not listed in ${PATH}. Save the script as /usr/bin/telnet.<BR /><BR />PCS Wed, 04 Oct 2006 07:14:56 GMT https://community.hpe.com/t5/operating-system-hp-ux/telnet-security/m-p/5006696#M425693 spex 2006-10-04T07:14:56Z https://community.hpe.com/t5/operating-system-hp-ux/telnet-security/m-p/5006697#M425694 Thanks for reply<BR /><BR />but if the user ftp in a new telnet program,all modify will not work. anyway it works for rookies well. lol Wed, 04 Oct 2006 21:31:09 GMT https://community.hpe.com/t5/operating-system-hp-ux/telnet-security/m-p/5006697#M425694 Ming.Dynasty 2006-10-04T21:31:09Z https://community.hpe.com/t5/operating-system-hp-ux/telnet-security/m-p/5006698#M425695 I don't think that limiting access to the client will be enough, since the user can easily install their own client, or compile their own locally.<BR /><BR />I think you're only option is to use something like a restricted-shell for that user with a very carefully-crafted white-list of commands. <BR /><BR />That said... I think your requirement may be going about it the wrong way. In general, the best security solutions rely on the resource to protect itself (in your case the hosts that you don't want the user to access). Going the other way around is asking for trouble... as one simple example illuminates... <BR /><BR />Say you do a bunch of work to restrict telnet... the user plugs a laptop into a port on your network... and accesses the servers... <BR /><BR />I'd think carefully about the threat you're trying to protect against, before investing in what could turn out to be a brittle solution.<BR /><BR />Hope that helps,<BR />-Robert Thu, 05 Oct 2006 10:42:33 GMT https://community.hpe.com/t5/operating-system-hp-ux/telnet-security/m-p/5006698#M425695 Robert Fritz 2006-10-05T10:42:33Z https://community.hpe.com/t5/operating-system-hp-ux/telnet-security/m-p/5006699#M425696 Sorted out<BR /><BR />thanks all Thu, 05 Oct 2006 20:22:48 GMT https://community.hpe.com/t5/operating-system-hp-ux/telnet-security/m-p/5006699#M425696 Ming.Dynasty 2006-10-05T20:22:48Z