topic Re: Login with valid client IP to HP-UX11i in Operating System - HP-UX

Login with valid client IP to HP-UX11i

Bernd Dittmar — Wed, 17 Mar 2004 07:20:39 GMT

Hello all,
i want to check, if a user comes from a valid client after login.
In .profile: check if client ip <> 192.168.x.x
then exit
Anny ideas ?

Regards Bernd

Re: Login with valid client IP to HP-UX11i

Mobeen_1 — Wed, 17 Mar 2004 07:32:01 GMT

Bernd,
Could you please elaborate a little more on what you are trying to achieve?

Are you trying to limit the users logging into your server based on a pattern of client ip addresses like 192.168.x.x

rgds
Mobeen

Re: Login with valid client IP to HP-UX11i

Bernd Dittmar — Wed, 17 Mar 2004 07:40:46 GMT

Hello Mobeen,

i want to check, if the user "ABC" is not telnet 'ing from the clients ip (e.g)
192.168.1.35, then exit in .profile.

I don't want to block a range of IP's.

Is there a system variable for the client IP ?

Regards Bernd

Re: Login with valid client IP to HP-UX11i

Mark Grant — Wed, 17 Mar 2004 08:01:11 GMT

You will need a table of valid IP addresses and then have something like this in the .profile

grep `who -R am i | cut -c39-` > /dev/null || {
echo "Invalid ip address"
exit
}

Look at the output of who -R to see where this is going.

Re: Login with valid client IP to HP-UX11i

Dietmar Konermann — Wed, 17 Mar 2004 08:27:08 GMT

Some recycled code from another script I hacked some years ago...

who -Rm | read line
FROM=${line##*$}; FROM=${FROM%%$*}
if [[ $FROM != [0-9]*.[0-9]*.[0-9]*.[0-9]* ]]; then
FROM=$(nslookup $FROM | grep Address | tail -1 | awk -F '[^0-9.]+' '{print $2}')
fi

if [[ "$FROM" != [0-9]*.[0-9]*.[0-9]*.[0-9]* ]]; then
echo "Unknown Source IP."
exit
fi

if [[ "$FROM" = 192.168.1.35 ]]; then
echo "Forbidden Source IP $FROM."
exit
fi

Best regards...
Dietmar.

Re: Login with valid client IP to HP-UX11i

Dietmar Konermann — Wed, 17 Mar 2004 08:57:43 GMT

Oops... I forgot another straight-forward and more bullet-proof approach.

Don't use .profile... use /var/adm/inetd.sec inestead:

telnet deny 192.168.1.35
ftp deny 192.168.1.35
shell deny 192.168.1.35
login deny 192.168.1.35

Best regards...
Dietmar.

Re: Login with valid client IP to HP-UX11i

Bernd Dittmar — Wed, 17 Mar 2004 09:11:54 GMT

Hello Dietmar,

it's o.k. in .profile !

I'll do the following:

..........
if [["$FROM" <> 192.168.1.116]]; then
echo "Wrong client / User combination"
exit
fi

Regards Bernd

Re: Login with valid client IP to HP-UX11i

Patrick Wallek — Wed, 17 Mar 2004 09:23:24 GMT

I have to agree with Dietmar here. Using /var/adm/inetd.sec will be MUCH MUCH easier and much less work thatn worrying with the users .profile. You can add multiple entries, or entire networks to inetd.sec and all you have to do after a change is an 'inetd -c' and you are done.

Re: Login with valid client IP to HP-UX11i

A. Clay Stephenson — Wed, 17 Mar 2004 10:47:23 GMT

inetd.sec is by far the better choice because it would be trivially easy for a user to change his own .profile (or at least remove it even if owned by root).

Re: Login with valid client IP to HP-UX11i

Bernd Dittmar — Fri, 19 Mar 2004 02:40:06 GMT

Hello Dietmar,
i've coded the following. But everytime the script does the "else" statement with tis message.

checkip_dittbern[16]: [[192.168.1.36: not found.
------------------------------------------
who -Rm | read line
FROM=${line##*$}; FROM=${FROM%%$*}
echo "$FROM"

sleep 2

if [[ $FROM != [0-9]*.[0-9]*.[0-9]*.[0-9]* ]]; then
FROM=$(nslookup $FROM | grep Adress | tail -1 | awk -F '[^0-9.]+''{print $2}')
fi

#if [["$FROM" = 192.168.1.116 ]]; then
if "$FROM" = 192.168.1.36
then
echo "Right IP $FROM"
sleep 2
exec ba6.1

else
echo "Wrong IP $FROM"
exit

fi
------------------------------------------

Re: Login with valid client IP to HP-UX11i

John Carr_2 — Fri, 19 Mar 2004 03:02:45 GMT

if [[ $FROM = "192.168.1.36" ]] ; then

you really should use inetd.sec this is what it is designed to do.

John.