HP-UX - General

Re: Questions about telnet and ftp.

 
SOLVED
Go to solution
fg_1
Trusted Contributor

Questions about telnet and ftp.

Hello all

The question I have is a 2 part one. First, we have several FTP specific accounts which only have access to their home directory and we had a situation where those accounts have the ability to use TELNET, I would like to see if there is a way to prevent TELNET usage by certain account logins and users.

Second, What methods would you folks use to secure FTP and TELNET (NOT COMPLETELY WIPE IT OUT) on 11.00 systems.

Thanks again.

fg.
9 REPLIES 9
Chris Wilshaw
Honored Contributor
Solution

Re: Questions about telnet and ftp.

For the second part, give the users a shell of /usr/bin/false

(make sure that this, and any other shell you want are added to the file /etc/shells)

Alternatively, you can edit the .profile/.cshrc file for the users so that it just contains

exit 0

Personally, if I want users just to have FTP access, I use both of the above (just to make absolutely certain).
U.SivaKumar_2
Honored Contributor

Re: Questions about telnet and ftp.

Hi,

create a user named ftponly with required home directory But the login shell as /bin/false.

Edit /etc/shells file and put this
/bin/false.

Now the user ftponly can only use FTP but he cannot login to the server through telnet.

To secure FTP and Telnet a well kown method is to use Kerberos authentication. Almost all FTP servers and telnet daemons have kerberos support and you will have to use kerberized FTP and telnet clients to access kerberos services.

Other option is to use secure shell ssh for login and sftp server , a component of ssh
with sftp client for securing ftp.

regards,

U.SivaKumar

Innovations are made when conventions are broken
Christian Gebhardt
Honored Contributor

Re: Questions about telnet and ftp.

Hi

To second question:

On our productiv systems we have disabled all telnet/ftp connections and only allow access via ssh/sftp.


On systems for development we have installed an tcpwrapper to allow several connecttions via telnet/ftp

Chris
Christian Gebhardt
Honored Contributor

Re: Questions about telnet and ftp.

Rainer von Bongartz
Honored Contributor

Re: Questions about telnet and ftp.




1) Don't give them users a shell
put /bin/false in their passwd entry

2) Install SSH from software.hp.com


Regards
Rainer
He's a real UNIX Man, sitting in his UNIX LAN making all his UNIX plans for nobody ...
F. X. de Montgolfier
Valued Contributor

Re: Questions about telnet and ftp.

Hi,

1. concerning better security for ftp and telnet:

I think that you may want to look at the inetd.sec feature of HP-UX:

http://docs.hp.com/hpux/onlinedocs/B2355-90682/B2355-90682.html

This feature enables you to allow/deny any internet service based on IP addresses (or subnets). Typically, if you want to allow telnet only from the subnet 10.20.40, you'd put:

telnet allow 10.20.40.*

in the /var/adm/inetd.sec.


2. For restricting the telnet environment of your users, you may want to look at rsh or rksh, which are the standard resticted shells for HP-UX. Typically, you won't be able to cd using rsh, for instance.

3. If you want to completely deny telnet access to a user, you should use /usr/bin/false as the login shell of that user.

Hope this helps,

FiX
Dave La Mar
Honored Contributor

Re: Questions about telnet and ftp.

fg -
I can respond to the ftp portion as I had the same situation in the past.

I used the following to set up a particular user as well as
DOC NR0801KBRC00007714

http://support2.itrc.hp.com/service/cki/search.do?searchString=A5651654&mode=id&submit=Search&searchCrit=allwords&docType=Security&docType=Patch&docType=EngineerNotes&docType=BugReports&docType=Hardware&docType=ReferenceMaterials&docType=ThirdParty

I think you will find what you need here as well.

Best of luck.

dl
"I'm not dumb. I just have a command of thoroughly useless information."
fg_1
Trusted Contributor

Re: Questions about telnet and ftp.

Thanks for everyone's assistance, there were numerous responses with information that helped in solving this issue.

Thanks again to all, enjoy the points.

fg.
Steven E. Protter
Exalted Contributor

Re: Questions about telnet and ftp.

I'd actually replace ftp and telnet. Both send passwords back and forth clear text.

They are actually VERY EASY to replace.

Its called secure shell
https://payment.ecommerce.hp.com/cgi-bin/swdepot_parser.cgi/cgi/try.pl?productNumber=T1471AA&date=

You can actually set yourself up so that root user on your HP-UX without passwords between machines.

Attached is a cookbook.

To actually secure ftp and telnet, get chroot() into the user profile. That way they can't touch parts of the system other than their own home directory.

The Bastille tool, does this as sort of an expert question and answer tool, like how you do your taxes.

Here is a link....
https://payment.ecommerce.hp.com/cgi-bin/swdepot_parser.cgi/cgi/try.pl?productNumber=B6849AA&date=

Good Luck,

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com