
disable ftp and telnet

 
yunardi
Frequent Advisor

disable ftp and telnet

Hi all,

I want to completely disable the telnet and ftp commands on my HP-UX (11.11) server.

I have commented ftp and telnet line in /etc/inetd.conf and run inetd -c
It's working fine, other system can't telnet and ftp to my server.

But the problem is that I can still ftp and telnet from my server to outside systems. How do I disable telnet and ftp so other users will not use them?

Please don't tell me to remove the telnet and ftp commands :D
Kenan Erdey
Honored Contributor

Re: disable ftp and telnet

Hi,

Why do you want to disable telnet and ftp to the outside?
Computers have lots of memory but no imagination
yunardi
Frequent Advisor

Re: disable ftp and telnet

Hi Kenan,

Thanks for your response.

Actually my server is used for a data warehouse; files come in and out very intensively.

I want to do an offline backup of all mountpoints, so I need to stop ftp to make sure there are no files coming from other systems.

But I realize it's still possible for a user to get files from another system using ftp from my server.

Btw I have also disabled sftp from outside, but I can still sftp to other systems from my server. I want to disable that too.

Thanks,
Kenan Erdey
Honored Contributor

Re: disable ftp and telnet

Hi,

What software do you use for the data warehouse? Is the information stored as files? It should be Oracle, etc., I think. It's enough to shut down Oracle during the backup process.
Computers have lots of memory but no imagination
Manix
Honored Contributor

Re: disable ftp and telnet

You may try with /etc/services and comment out ftp & telnet.

Thanks
Manix
HP-UX been always lovable - Mani Kalra
Matti_Kurkela
Honored Contributor
Solution

Re: disable ftp and telnet

Create a group and add to it the users that are allowed to use telnet and ftp. Then modify the permissions of the telnet and ftp binaries so that only members of that group can run them.

For example:
groupadd telftp
usermod -G telftp yunardi #(or use sam)

chgrp telftp /usr/bin/ftp /usr/bin/telnet
chmod o-rx /usr/bin/ftp /usr/bin/telnet

NOTE: if you install patches or run "swverify -F", the default permissions will be restored to /usr/bin/ftp and /usr/bin/telnet, so you'll have to re-apply the chgrp and chmod commands afterwards.


To stop your users from making changes while offline backup is running, you might want to completely prevent non-root logins for the time of the backup.

Make sure /etc/default/security has NOLOGIN=1, then create file /etc/nologin before starting the backup and remove it after the backup is complete. While the file exists, no non-root logins will be accepted.

The contents of the /etc/nologin file will be displayed to the user attempting to log in, so you might want to write something like "Logins disabled because of offline backup. The backup is estimated to be complete at HH:MM".

After creating the nologin file, kick out the existing sessions of the other users, and you can be certain no user can interfere with your backup.

Of course, if your system runs an application that runs file transfers based on its own internal scheduling system, you must stop the application or do something else to stop its scheduling system from triggering. If you have allowed your users to create cron or at jobs, stopping the cron daemon would be a possible brute-force method to prevent them from running.

MK
MK
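
The NOTE in the answer above says patches and "swverify -F" put the default permissions back, so the chgrp/chmod step needs a repeatable check. The script below is an added example, not part of the original post: it detects that drift and re-applies the restriction. The function names are hypothetical; the group telftp and the binary paths are the ones used in the post.

```shell
#!/bin/sh
# Added example: detect and repair permission drift on the outbound client binaries.
# Function names are hypothetical; group and paths follow the post above.

# Return 0 if FILE belongs to GROUP and "other" has neither read nor execute.
# Uses ls -ld parsing so it needs nothing beyond standard POSIX tools.
is_restricted() {   # usage: is_restricted GROUP FILE
    grp=$1; file=$2
    info=$(ls -ld "$file") || return 2
    mode=$(printf '%s\n' "$info" | awk '{ print $1 }')
    file_grp=$(printf '%s\n' "$info" | awk '{ print $4 }')
    [ "$file_grp" = "$grp" ] || return 1
    # Characters 8-10 of the mode string are the "other" permission triplet.
    case $(printf '%s' "$mode" | cut -c8-10) in
        r??|??x|??t) return 1 ;;
    esac
    return 0
}

# Re-apply chgrp/chmod only where drift is found; non-zero if a repair failed.
restrict() {        # usage: restrict GROUP FILE...
    grp_wanted=$1; shift
    rc=0
    for f in "$@"; do
        if is_restricted "$grp_wanted" "$f"; then
            echo "ok     $f"
        else
            echo "drift  $f (re-applying)"
            chgrp "$grp_wanted" "$f" && chmod o-rx "$f" || rc=1
        fi
    done
    return $rc
}

# Run as root after every patch install or "swverify -F":
#   restrict telftp /usr/bin/ftp /usr/bin/telnet
```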
yunardi
Frequent Advisor

Re: disable ftp and telnet

@kenan, the database is already stopped. But if the ftp traffic from other systems is still running, our filesystem will be full because the files aren't loaded into the database.
(the traffic is more than 100GB/day uploaded into 30TB of database)

@matti, This seems like a good idea, I'll try to do this.
Kapil Jha
Honored Contributor

Re: disable ftp and telnet

For security reasons ftp and telnet should be disabled on all the servers.

Do you want to disable telnet and ftp completely from your server to outside servers? Then why not remove the telnet and ftp commands? [BAD solution]

But it actually depends on the telnetd daemon running on the remote server; it has nothing to do with your server.

Or you can use sudo and don users to use telnet and ftp command.

BR,
Kapil+



I am in this small bowl, I wane see the real world......
Emil Velez
Honored Contributor

Re: disable ftp and telnet

See if you have Bastille on the system.

The Bastille product is meant as a general purpose security management tool. It will ask you a series of questions and then implement the security policy around the questions.

You can undo the changes with 1 command and redo the changes. The good thing is if you have multiple systems you can then move a config file over to another system and it will be locked down the same as the first.