topic Re: Block users from a particular IP in Operating System - HP-UX

Block users from a particular IP

Shahul — Wed, 02 Jul 2008 10:48:05 GMT

Hi,

I have a strange requirement, I would like to block some users coming to Unix server directly from their laptop. The server and their laptop are in same DNS. I have IP filter to block IPs, I can't block all laptop Ips as there are many. Is there any way I can mention that users should only come from a prticular IP and block all the rest? I know we can use staticroute for this, it's again we need to maintain the routes list.

TIA
Shahul

Re: Block users from a particular IP

Steven E. Protter — Wed, 02 Jul 2008 11:36:04 GMT

Shalom Shahul,

You might be able to do it with tcpwrappers if its coming in with a particular protocol.

You certainly will be able to block the traffic with the ipfilter firewall.

TCP Wrappers is available only from http://software.hp.com

ipfilter is available from the above website and your Core OS or Application CD/DVD.

Well TCP may be there do, I'm not going to check, but these are the tools.

SEP

Re: Block users from a particular IP

Hein van den Heuvel — Wed, 02 Jul 2008 15:01:21 GMT

So you have an unknown, and changing, number of sources which should be blocked.
And you have a know host which should be allowed for certain users.

I would suggest a login script which checks the 'who -um' output for those users and make sure an allowed hostname is reported.

Example output:

$ who -um
hein pts/tc Jul 2 11:39 . 29267 pool-71-168-yy-xx.cncdnh.east.verizon.net

hth,
Hein.

Re: Block users from a particular IP

Tim Nelson — Wed, 02 Jul 2008 15:22:39 GMT

"users" or "IP" addresses ?? This makes a difference.

If "users" then you can only block using some type of scripted shell function. e.g. if $LOGNAME = "BOB" then echo Sorry Bob, goodbye....

If "IP" then any one of the tcpwrapper, inetd.conf or IPSec solutions would work ( pick one ).

Re: Block users from a particular IP

john korterman — Wed, 02 Jul 2008 16:06:48 GMT

Hi Shahul,

I remember using /var/adm/inetd.sec for making restrictions on specific protocols; If you have not already tried, take a look at the man pages for "inetd.sec".

regards,
John K.

Re: Block users from a particular IP

Bill Hassell — Wed, 02 Jul 2008 17:09:41 GMT

This is not a strange requirement but it is almost impossible to do at the networking level. The reason is that a "user" has no meaning on the network. A "user" is defined when a connection is made and authentication programs are run (such as login and passwd). So you'll need to block the bad users after they have authenticated themselves, namely, in /etc/profile (and all the profiles for different shells that may be used on your system such as bash, csh, tcsh, etc).

At the top of the primary profile (ksh, POSIX sh, bash use /etc/profile), you lockout all interrupts that can bypass the profile tests. Then determine the IP address and username for this particular login and compare the result to a valid user+IP list. If not found on the list, exit.

To get the user's name and hostname/IPaddr, use:

who -muR | awk '{print $1,$NF}' | read USER HOSTIP
IPADDR=$(getip $HOSTIP)
echo "user=$USER, IP=$IPADDR"

Re: Block users from a particular IP

Shahul — Thu, 10 Jul 2008 13:50:34 GMT

Thanks to everyone.

I am going to script it, I think that is the best way. I will be doing something like this,

If $User = && $SourceIP !=
then
Kick them out
fi.

So that the user can come via only one IP address, that satisfy my requirement.

Rgds
Shahul

Re: Block users from a particular IP

Shahul — Thu, 10 Jul 2008 13:50:56 GMT

Closed