topic Re: inetd.sec: Why user still able to TELNET in Operating System - HP-UX

inetd.sec: Why user still able to TELNET

Shukor — Mon, 17 Jan 2011 10:02:49 GMT

Hi experts,

I want to deny user access (telnet) from this IP range 23.148.* to 11.11 server. I've edited inetd.sec but user still able to telnet. Please find details below.

OS: HP-UX B.11.11
inetd.sec line: telnet deny 23.148.*

# who -Hu |grep 23.148
tracking pts/tPd Jan 17 16:25 1:34 11209 23.148.2.28
gnstrack pts/t2e Jan 17 13:07 0:28 12651 23.148.2.26
gnstrack pts/tUf Jan 17 17:31 0:03 26447 23.148.2.17
gnstrack pts/tch Jan 17 13:19 0:26 18937 23.148.2.26
gnstrack pts/t5j Jan 17 16:54 . 27832 23.148.2.16

# last -R |grep 23.148 |more
gnstrack pts/tQn 23.148.2.27 Mon Jan 17 17:54 still logged in
gnstrack pts/ttw 23.148.2.26 Mon Jan 17 17:49 still logged in
gnstrack pts/tUf 23.148.2.17 Mon Jan 17 17:31 still logged in
gnstrack pts/tRq 23.148.2.19 Mon Jan 17 17:28 still logged in
gnstrack pts/trO 23.148.2.18 Mon Jan 17 17:23 still logged in

Kindly advise. Thanks in advance. :)

Re: inetd.sec: Why user still able to TELNET

nijokj — Mon, 17 Jan 2011 10:37:52 GMT

Customize the /var/adm/inetd.sec file to selectively allow or deny telnet access to various hosts on the network.

Telnet deny 23.148.*.*

After editing this file issue
inetd -c command

try these and let me know if you facing any issue.

Re: inetd.sec: Why user still able to TELNET

Manix — Mon, 17 Jan 2011 10:40:21 GMT

Have you run "inetd -c"

Customize the /var/adm/inetd.sec file to selectively allow or deny telnet access to various hosts on the network.

Telnet deny 128.1.*.* 128.2.1-8.* host1 host2 host3 host4

After editing this file issue
inetd -c command
Continually monitor the syslog and /var/adm/btmp file for failed telnet login attemps.

Re: inetd.sec: Why user still able to TELNET

Jose Mosquera — Mon, 17 Jan 2011 10:44:08 GMT

Hi,

First try with specific full IP numbers to discard incorrect wildcards use.

Is doesnt work please review your last inetd commulative patch level, may neeeds update:
#swlist -l product | grep -i inet:
PHNE_xxxx - 1.0 inetd(1M) cumulative patch

Rgds.

Re: inetd.sec: Why user still able to TELNET

Shukor — Tue, 18 Jan 2011 00:56:36 GMT

Hi nijokj, Manix & Jose,

Good to see your response. I did as suggested (inetd -c after edit inetd -sec) but user still can access this morning.

# date
Tue Jan 18 08:39:23 MAL 2011
# who -Hu |grep 23.148 |more
gnstrack pts/tj Jan 18 07:32 1:01 12449 23.148.2.17
gnstrack pts/tI Jan 18 08:08 0:02 14411 23.148.2.19
gnstrack pts/t7b Jan 18 07:08 0:08 7789 23.148.2.19
gnstrack pts/tMc Jan 18 07:20 0:06 24491 23.148.2.17
gnstrack pts/tOc Jan 18 07:11 0:30 12739 23.148.43.173
gnstrack pts/tVc Jan 18 07:12 0:55 13654 23.148.2.29
gnstrack pts/tZc Jan 18 08:03 0:09 5488 23.148.2.18
gnstrack pts/tBd Jan 18 06:30 0:03 10151 23.148.2.18
gnstrack pts/t3d Jan 18 07:19 0:03 23213 23.148.2.29
gnstrack pts/t4d Jan 18 06:52 0:37 11414 23.148.2.19
gnstrack pts/t6d Jan 18 07:43 0:01 27730 23.148.2.27
gnstrack pts/tue Jan 18 07:21 0:18 26359 23.148.2.17
gnstrack pts/tGe Jan 18 08:07 0:24 12275 23.148.2.26
gnstrack pts/tHe Jan 18 08:07 0:15 12366 23.148.2.26
gnstrack pts/tWf Jan 18 06:35 0:08 17015 23.148.2.16
tracking pts/t7f Jan 18 08:09 . 15010 23.148.7.51

# swlist -l product | grep -i inet
PHNE_35017 1.0 inetd(1M) cumulative patch

Any other suggestion gentlements?

Thanks.
:(

Re: inetd.sec: Why user still able to TELNET

Mohammad Sanaullah — Tue, 18 Jan 2011 01:47:54 GMT

Hi
to disable telnet completely comment following line in /etc/inetd.conf

telnet stream tcp nowait root usr/lbin/telnetd telnetd

and after that restart the inetd service using inetd -c.

and for restrictive use of Telnet, follow:
inetd.sec line: telnet deny *
Restart inetd service by inetd -c.

Sana

Re: inetd.sec: Why user still able to TELNET

Shukor — Tue, 18 Jan 2011 03:34:10 GMT

Mohammad,

We don't want to completely disable the telnet service but to restrict access for certain user those coming from the abovesaid IP Address range. Anyway thanks!

Re: inetd.sec: Why user still able to TELNET

Shibin_2 — Tue, 18 Jan 2011 03:48:37 GMT

Your patch is outdated. Please apply the latest one PHNE_36202.

Re: inetd.sec: Why user still able to TELNET

nijokj — Tue, 18 Jan 2011 06:40:03 GMT

Hi,

Did you checked in your inetd.sec file telnet allow is existing or not.
If exists system will ignore the telnet deny.

Note:-
allow|deny determines whether the list of remote hosts in the next
field is allowed or denied access to the specified service. Multiple
allow|deny lines for each service is unsupported. If there are
multiple allow|deny lines for a particular service, all but the last
line are ignored.

Re: inetd.sec: Why user still able to TELNET

Shukor — Tue, 18 Jan 2011 08:30:15 GMT

Hi Shibin,

I don't see any symptoms of the mentioned patch that related to this telnet issue. Please advise further on patching.

Hi nijokj,

The same IP Address is not exist in allow portion.

Re: inetd.sec: Why user still able to TELNET

Jose Mosquera — Tue, 18 Jan 2011 08:54:42 GMT

Hi Shukor,

Have you made the single and full IP address test? Does Works?

In any case I've observe that PHNE_35017 have been superseded by PHNE_36202 resolving a lot of critical failures. Please check on:
http://www11.itrc.hp.com/service/patch/patchDetail.do?patchid=PHNE_36202&sel={hpux:11.11,}&BC=main|search|

As you will see the new patch do not have patch dependencies.

Rgds.

Re: inetd.sec: Why user still able to TELNET

nijokj — Tue, 18 Jan 2011 09:27:58 GMT

Hi,
In case allow is there system will allow only those IP to telnet to this system, remaining IPs denid by dÃ¨faut, Can you post your inetd.conf whole entries.

Re: inetd.sec: Why user still able to TELNET

ManojK_1 — Tue, 18 Jan 2011 09:54:29 GMT

Hi Shukur,

Can you please confirm that all these logins are through telnet.

Kill the logins from segment 23.148.2.0 and append the following entry in
/var/adm/inetd.sec and verify.

telnet deny 23.148.2.1-254

Manoj K

Re: inetd.sec: Why user still able to TELNET

Shukor — Tue, 18 Jan 2011 10:05:51 GMT

Hi,

I've removed all entry for telnet allow because too many and getting user to test again. Locally tested and it's worked (specified IP Address). Will update and assign point once Korea's user responded.

Re: inetd.sec: Why user still able to TELNET

Shukor — Wed, 19 Jan 2011 01:18:16 GMT

SOLUTION: Remove "telnet allow" portion and retain only "telnet deny" (telnet deny 23.148) in inetd.sec.

From the solution above, maybe I could say..don't put "telnet allow" and "telnet deny" together in inet.sec file.

Thanks everyone!! :)

Shukor