<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Securing Telnet/Ftp commands in Linux in Operating System - Linux</title>
    <link>https://community.hpe.com/t5/operating-system-linux/securing-telnet-ftp-commands-in-linux/m-p/2618055#M892</link>
    <description>Hi,&lt;BR /&gt;&lt;BR /&gt;I have a Red Hat Linux box which is serving as a server in our office network. I want to protect commands such as ftp and telnet from normal users so that they can only be executed by the root user. That is, I don't want any normal user who logs into this system to be able to telnet or ftp from this Linux box to other systems in the same network. At the same time, I need ftp and telnet servers running on this Linux box. Simply put, I don't want the ftp and telnet clients to be usable from this Linux box by normal users.&lt;BR /&gt;&lt;BR /&gt;Moreover, I don't want to use chmod 700 for these commands, since there is a possibility that users can copy these commands from other Linux systems to this one and start using the ftp and telnet clients, since the Linux box is running ftp and telnet servers.&lt;BR /&gt;&lt;BR /&gt;If anyone can help me with this I will be really grateful. Thanks in advance.&lt;BR /&gt;&lt;BR /&gt;Gopinath</description>
    <pubDate>Wed, 21 Nov 2001 05:18:52 GMT</pubDate>
    <dc:creator>Gopinath B</dc:creator>
    <dc:date>2001-11-21T05:18:52Z</dc:date>
    <item>
      <title>Securing Telnet/Ftp commands in Linux</title>
      <link>https://community.hpe.com/t5/operating-system-linux/securing-telnet-ftp-commands-in-linux/m-p/2618055#M892</link>
      <description>Hi,&lt;BR /&gt;&lt;BR /&gt;I have a Red Hat Linux box which is serving as a server in our office network. I want to protect commands such as ftp and telnet from normal users so that they can only be executed by the root user. That is, I don't want any normal user who logs into this system to be able to telnet or ftp from this Linux box to other systems in the same network. At the same time, I need ftp and telnet servers running on this Linux box. Simply put, I don't want the ftp and telnet clients to be usable from this Linux box by normal users.&lt;BR /&gt;&lt;BR /&gt;Moreover, I don't want to use chmod 700 for these commands, since there is a possibility that users can copy these commands from other Linux systems to this one and start using the ftp and telnet clients, since the Linux box is running ftp and telnet servers.&lt;BR /&gt;&lt;BR /&gt;If anyone can help me with this I will be really grateful. Thanks in advance.&lt;BR /&gt;&lt;BR /&gt;Gopinath</description>
      <pubDate>Wed, 21 Nov 2001 05:18:52 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-linux/securing-telnet-ftp-commands-in-linux/m-p/2618055#M892</guid>
      <dc:creator>Gopinath B</dc:creator>
      <dc:date>2001-11-21T05:18:52Z</dc:date>
    </item>
    <item>
      <title>Re: Securing Telnet/Ftp commands in Linux</title>
      <link>https://community.hpe.com/t5/operating-system-linux/securing-telnet-ftp-commands-in-linux/m-p/2618056#M893</link>
      <description>Take a look at sudo, that is probably included with RH (&lt;A href="http://www.courtesan.com/sudo/" target="_blank"&gt;http://www.courtesan.com/sudo/&lt;/A&gt;). It can limit what users can do and where. We use it here to limit the group of people that are able to update our DNS servers' data.&lt;BR /&gt;&lt;BR /&gt;TIA&lt;BR /&gt;&lt;BR /&gt;Paulo Fessel</description>
      <pubDate>Wed, 21 Nov 2001 11:13:08 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-linux/securing-telnet-ftp-commands-in-linux/m-p/2618056#M893</guid>
      <dc:creator>Paulo A G Fessel</dc:creator>
      <dc:date>2001-11-21T11:13:08Z</dc:date>
    </item>
    <item>
      <title>Re: Securing Telnet/Ftp commands in Linux</title>
      <link>https://community.hpe.com/t5/operating-system-linux/securing-telnet-ftp-commands-in-linux/m-p/2618057#M894</link>
      <description>I don't think you have many options if you still want to allow root to ftp/telnet.  There are options for preventing any ftp/telnets from your server such as the firewall software or possibly TCP/wrapper.  There are also options you could use to prevent users from running telnet/ftp commands such as the one you mentioned or even use sudo or a wrapper script.  But none of these solve the issue of a user putting his own ftp/telnet command in his home directory and using that instead.  However, if you lock down incoming ftp's then it will be more difficult for them to do so.</description>
      <pubDate>Wed, 21 Nov 2001 13:36:05 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-linux/securing-telnet-ftp-commands-in-linux/m-p/2618057#M894</guid>
      <dc:creator>Bernie Vande Griend</dc:creator>
      <dc:date>2001-11-21T13:36:05Z</dc:date>
    </item>
    <item>
      <title>Re: Securing Telnet/Ftp commands in Linux</title>
      <link>https://community.hpe.com/t5/operating-system-linux/securing-telnet-ftp-commands-in-linux/m-p/2618058#M895</link>
      <description>Hello,&lt;BR /&gt;&lt;BR /&gt;It's fairly easy if you want to block ALL outgoing telnet and ftp. You just need to add some rules to your iptables. However, blocking connections on a 'per user' basis would be difficult.&lt;BR /&gt;&lt;BR /&gt;You can try the 'owner' iptables module. This module allows you to block outgoing packets generated by a specific user. I've personally never used it but it may be worth a try in your case.&lt;BR /&gt;&lt;BR /&gt;Regards,&lt;BR /&gt;Paga&lt;BR /&gt;</description>
      <pubDate>Wed, 21 Nov 2001 16:01:37 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-linux/securing-telnet-ftp-commands-in-linux/m-p/2618058#M895</guid>
      <dc:creator>Marco Paganini</dc:creator>
      <dc:date>2001-11-21T16:01:37Z</dc:date>
    </item>
    <item>
      <title>Re: Securing Telnet/Ftp commands in Linux</title>
      <link>https://community.hpe.com/t5/operating-system-linux/securing-telnet-ftp-commands-in-linux/m-p/2618059#M896</link>
      <description>Hello again,&lt;BR /&gt;&lt;BR /&gt;I've done some tests here. These iptables rules should work for you:&lt;BR /&gt;&lt;BR /&gt;iptables -A OUTPUT -p tcp --dport telnet -m state --state ESTABLISHED,RELATED -j ACCEPT&lt;BR /&gt;&lt;BR /&gt;iptables -A OUTPUT -p tcp --dport ftp -m owner --uid-owner 0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT&lt;BR /&gt;&lt;BR /&gt;iptables -A OUTPUT -p tcp --dport ftp -m state --state NEW,ESTABLISHED,RELATED -j REJECT&lt;BR /&gt;iptables -A OUTPUT -p tcp --dport ftp -m state --state NEW,ESTABLISHED,RELATED -j REJECT&lt;BR /&gt;&lt;BR /&gt;&lt;BR /&gt;These rules should allow incoming telnet/ftp connections from any user and block outgoing connections to telnet and ftp that do not come from user root. I believe that kills your problem.&lt;BR /&gt;&lt;BR /&gt;Note: If you see an error on Red Hat when you run iptables, try to remove the 'ipchains' module (I'm supposing here you have kernel 2.4). You can remove the ipchains module with:&lt;BR /&gt;&lt;BR /&gt;rmmod ipchains&lt;BR /&gt;&lt;BR /&gt;And try the commands above again. If that works, you may consider removing ipchains permanently from your system and using iptables only.&lt;BR /&gt;&lt;BR /&gt;Regards,&lt;BR /&gt;Paga&lt;BR /&gt;</description>
      <pubDate>Wed, 21 Nov 2001 16:25:56 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-linux/securing-telnet-ftp-commands-in-linux/m-p/2618059#M896</guid>
      <dc:creator>Marco Paganini</dc:creator>
      <dc:date>2001-11-21T16:25:56Z</dc:date>
    </item>
    <item>
      <title>Re: Securing Telnet/Ftp commands in Linux</title>
      <link>https://community.hpe.com/t5/operating-system-linux/securing-telnet-ftp-commands-in-linux/m-p/2618060#M897</link>
      <description>Hello again and again. :)&lt;BR /&gt;&lt;BR /&gt;Oh boy... The cut &amp;amp; paste operation mangled my script. Please disregard the script in the message above. Use the one attached to this message.&lt;BR /&gt;&lt;BR /&gt;Regards,&lt;BR /&gt;Paga&lt;BR /&gt;</description>
      <pubDate>Wed, 21 Nov 2001 16:33:30 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-linux/securing-telnet-ftp-commands-in-linux/m-p/2618060#M897</guid>
      <dc:creator>Marco Paganini</dc:creator>
      <dc:date>2001-11-21T16:33:30Z</dc:date>
    </item>
  </channel>
</rss>

