https://community.hpe.com/t5/operating-system-hp-ux/telnet-and-ssh/m-p/2775752#M753897 Leaving the telnet port open is never a good idea, remember that 80% of attacks originate from within your organisation, and IP addresses are very simple to spoof.<BR />Modify all but your admin accounts so that users login times are limited to normal business hours, then limit any administrative access as much as possible. <BR />You can use GSP and Secure Web Console as backdoors if the machine goes belly-up, and perhaps put these behind a firewall, or onto a VLAN.<BR /><BR />As far as SSH is concerned set it up so that users have to login as themselves then su to privelidged accounts, especially when relying on keys. The main problem with keys is that they are stored on your pc which is less secure than the Unix system, and that there is nothing to force users to protect them with adequate challenge-phrases, or to periodically renew phrases.<BR /><BR />I hope this helps. Wed, 31 Jul 2002 04:30:51 GMT Andrew Cowan 2002-07-31T04:30:51Z https://community.hpe.com/t5/operating-system-hp-ux/telnet-and-ssh/m-p/2775746#M753891 I have installed ssh 3.4 onto my machine without problems. Generated all my keys and works OK from the clients.<BR />Does anyone know the best way to tie down rlogin and telnet so that users can only use ssh.<BR /><BR />Thanks in advance. Tue, 30 Jul 2002 15:10:44 GMT https://community.hpe.com/t5/operating-system-hp-ux/telnet-and-ssh/m-p/2775746#M753891 Peter Hakesley_2 2002-07-30T15:10:44Z https://community.hpe.com/t5/operating-system-hp-ux/telnet-and-ssh/m-p/2775747#M753892 Hello,<BR /><BR />You can use /var/adm/inet.sec as a starter and put in <BR /><BR />telnet deny *<BR />login deny *<BR /><BR />Hope this helps<BR /><BR />Chris Tue, 30 Jul 2002 15:15:11 GMT https://community.hpe.com/t5/operating-system-hp-ux/telnet-and-ssh/m-p/2775747#M753892 Christopher McCray_1 2002-07-30T15:15:11Z https://community.hpe.com/t5/operating-system-hp-ux/telnet-and-ssh/m-p/2775748#M753893 Hello again,<BR /><BR />sorry, omit the * and you'll be fine.<BR /><BR />Chris Tue, 30 Jul 2002 15:16:37 GMT https://community.hpe.com/t5/operating-system-hp-ux/telnet-and-ssh/m-p/2775748#M753893 Christopher McCray_1 2002-07-30T15:16:37Z https://community.hpe.com/t5/operating-system-hp-ux/telnet-and-ssh/m-p/2775749#M753894 The best way is to remove them from /etc/inetd.conf, and then restart inetd. Then you can make sure they aren't running by doing a netstat -an and making sure port 23 isn't listening.<BR /><BR />Otherwise, inetd.sec is a great option if you want to allow yourself (admins) access only.<BR /><BR />And if you want things really secure, search these forums for Bastion Host and follow the process there.<BR /><BR />Cheers!<BR />James Tue, 30 Jul 2002 15:18:55 GMT https://community.hpe.com/t5/operating-system-hp-ux/telnet-and-ssh/m-p/2775749#M753894 James Beamish-White 2002-07-30T15:18:55Z https://community.hpe.com/t5/operating-system-hp-ux/telnet-and-ssh/m-p/2775750#M753895 <BR />Remove the telnet and rlogin binaries and replace them with symbolic links to ssh<BR />That will stop them!<BR /> Tue, 30 Jul 2002 15:21:23 GMT https://community.hpe.com/t5/operating-system-hp-ux/telnet-and-ssh/m-p/2775750#M753895 Stefan Farrelly 2002-07-30T15:21:23Z https://community.hpe.com/t5/operating-system-hp-ux/telnet-and-ssh/m-p/2775751#M753896 Another thought,<BR /><BR />You may want to put in a couple of ip addresses that can use telnet, just as a failsafe in case ssh goes hokey:<BR /><BR />telnet allow 1.2.3.4<BR /><BR />or<BR /><BR />telnet allow 1.2.3.4-6<BR /><BR />as an example<BR /><BR />You never know!!!!<BR /><BR />Chris Tue, 30 Jul 2002 15:23:11 GMT https://community.hpe.com/t5/operating-system-hp-ux/telnet-and-ssh/m-p/2775751#M753896 Christopher McCray_1 2002-07-30T15:23:11Z https://community.hpe.com/t5/operating-system-hp-ux/telnet-and-ssh/m-p/2775752#M753897 Leaving the telnet port open is never a good idea, remember that 80% of attacks originate from within your organisation, and IP addresses are very simple to spoof.<BR />Modify all but your admin accounts so that users login times are limited to normal business hours, then limit any administrative access as much as possible. <BR />You can use GSP and Secure Web Console as backdoors if the machine goes belly-up, and perhaps put these behind a firewall, or onto a VLAN.<BR /><BR />As far as SSH is concerned set it up so that users have to login as themselves then su to privelidged accounts, especially when relying on keys. The main problem with keys is that they are stored on your pc which is less secure than the Unix system, and that there is nothing to force users to protect them with adequate challenge-phrases, or to periodically renew phrases.<BR /><BR />I hope this helps. Wed, 31 Jul 2002 04:30:51 GMT https://community.hpe.com/t5/operating-system-hp-ux/telnet-and-ssh/m-p/2775752#M753897 Andrew Cowan 2002-07-31T04:30:51Z https://community.hpe.com/t5/operating-system-hp-ux/telnet-and-ssh/m-p/2775753#M753898 I think the best way to do this would be to stop inetd from starting them. To do this take the entries from the inetd.conf and then run inetd -c to reconfigure the daemon. You should also remove them from the services file.<BR /><BR />An important task to do after that is to create a process that will check the file to ensure that it is not opened again without your knowledge. Either a sys admin, malicious user, or an installation of a product may open it up so you should check it on a regular basis.<BR /><BR />Another thing to consider is removing ftp and all the other r commands as well. Wed, 31 Jul 2002 11:52:37 GMT https://community.hpe.com/t5/operating-system-hp-ux/telnet-and-ssh/m-p/2775753#M753898 Daimian Woznick 2002-07-31T11:52:37Z