
how to block ftp from HPUX to linux server ??

chindi
Respected Contributor

how to block ftp from HPUX to linux server ??

Hi guys,
I would like to block ftp from an hpux server 11i v2 to a linux server.


Details of hpux server....:
===========================



RX4640
11i v2
8 gb RAM..

root #/ >cat /var/adm/inetd.sec
# @(#)B11.23_LRinetd.sec $Revision: 1.10.214.1 $ $Date: 96/10/08 13:20:06 $
#
#
# The lines in the file contain a service name, permission field and
# the Internet addresses or names of the hosts and/or networks
# allowed to use that service in the local machine.
# The form for each entry in this file is:
#
#
#
# For example:
#
# login allow 10.3-5 192.34.56.5 ahost anetwork
#
# The above entry allows the following hosts to attempt to access your system
# using rlogin:
# hosts in subnets 3 through 5 in network 10,
# the host with Internet Address of 192.34.56.5,
# the host by the name of "ahost",
# all the hosts in the network "anetwork"
#
# mountd deny 192.23.4.3
#
# The mountd entry denies host 192.23.4.3 access to the NFS rpc.mountd
# server.
#
# Hosts and network names must be official names, not aliases.
# See the inetd.sec(4) manual page for more information.



ftp deny 10.1.4.202





Details of linux server :
========================




[root@intmailserver vsftpd]# uname -a
Linux intmailserver 2.6.9-1.667smp #1 SMP Tue Nov 2 14:59:52 EST 2004 i686 i686 i386 GNU/Linux


[root@intmailserver vsftpd]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
DROP all -- 10.1.4.211 anywhere
DROP all -- anywhere 10.1.4.211

Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT ipv6-crypt-- anywhere anywhere
ACCEPT ipv6-auth-- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:5353
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:telnet
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:5901
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:5902
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:5903
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

19 REPLIES
Suraj K Sankari
Honored Contributor

Re: how to block ftp from HPUX to linux server ??

Hi,

Do you want to stop ftp from the HP side or the Linux side?
If you want to stop it from your HP side, then stop the ftpd daemon:
edit the file /etc/inetd.conf
put # on the ftp line
save the file
restart the net
inetd -c

Suraj
chindi
Respected Contributor

Re: how to block ftp from HPUX to linux server ??

Hi Suraj,

I need to block ftp from hpux server 10.1.4.a
to linux server 10.1.4.b ONLY,

and not the whole ftp daemon...
Wim Rombauts
Honored Contributor

Re: how to block ftp from HPUX to linux server ??

Basically, you have two options:
1) Go to your Linux machine and filter FTP traffic from your HP-UX machine there, but I am not familiar enough with Linux to tell you how to do that.
2) On your HP-UX box, since you have HP-UX 11.23, you could activate IPFilter and block outgoing FTP traffic to the IP address of the Linux box.
chindi
Respected Contributor

Re: how to block ftp from HPUX to linux server ??

Hi,
Any other option than IP Filter?
Because for that I need to reboot that server, which is not possible right now...




FaizirizaL
Frequent Advisor

Re: how to block ftp from HPUX to linux server ??

I think you should try this out. Hope it can help. Thanks.

- Install TCP Wrappers. Follow these steps :

a) Install TCP Wrappers
- ftp TCP-WRAPPERS_11.11.depot to /tmp
- cd /tmp
- swinstall -s /tmp/TCP-WRAPPERS_11.11.depot TCP-WRAPPERS

b) Action after install TCP Wrappers
- Create a simple /etc/hosts.allow file :
(required to get list of ip address which allowed to access the server)


echo 'ALL: , , .... '\ > /etc/hosts.allow
chown root:sys /etc/hosts.allow
chmod go-w,a-xs /etc/hosts.allow

Note: Example for the first command: echo 'ALL: 10.0.3.61 '\ > /etc/hosts.allow
These IP addresses are for the PCs which can have access to the server



- Create /etc/hosts.deny :

echo 'ALL: ALL'> /etc/hosts.deny
chown root:sys /etc/hosts.deny
chmod go-w,a-xs /etc/hosts.deny


Modify inetd.conf

> open the file /etc/inetd.conf using Reflection X
> remark with "#" the lines which have telnet and ftp
> add these lines to the file

telnet stream tcp nowait root /usr/lbin/tcpd /usr/lbin/telnetd telnetd
ftp stream tcp nowait root /usr/lbin/tcpd /usr/lbin/ftpd -l


chindi
Respected Contributor

Re: how to block ftp from HPUX to linux server ??

Hi FaizirizaL,
I have installed tcp wrapper...

but after that, what is the syntax for the hosts.allow and hosts.deny?


Moreover, because tcp wrapper is getting installed in /usr/local/bin/tcpd,

what entry should I make in /etc/inetd.conf?



FaizirizaL
Frequent Advisor

Re: how to block ftp from HPUX to linux server ??


Hi chindi,

For hosts.allow, you should put "ALL:ALL;" and for the hosts.deny, you should put "ALL:ip_linux_server;"

For the inetd.conf, find and remark the line of ftp and replace with this line,


ftp stream tcp nowait root /usr/lbin/tcpd /usr/lbin/ftpd -l
Johnson Punniyalingam
Honored Contributor

Re: how to block ftp from HPUX to linux server ??

>>>so what entry should i make in /etc/inetd.conf ????<<

No need to make changes in /etc/inetd.conf; this refers to allow & deny of services like ftp, telnet, ssh, rlogin, etc.

So it looks OK to me, /var/adm/inetd.sec will accomplish your purpose.


Thx,
Johnson
Problems are common to all, but attitude makes the difference
chindi
Respected Contributor

Re: how to block ftp from HPUX to linux server ??

Hi,

Johnson,

I want to block ftp from my hpux server to linux server.
When I make an entry in /var/adm/inetd.sec
ftp deny 10.1.4.b ( linux ip )

I'm not able to ftp from linux to ftp... whereas I want no ftp from hpux to linux server.


Dennis Handly
Acclaimed Contributor

Re: how to block ftp from HPUX to linux server ??

>I want to block ftp from my hp-ux server to linux server.

Both directions and also no matter which is the client?

chindi
Respected Contributor

Re: how to block ftp from HPUX to linux server ??

Hi Dennis,

I didn't get you...
Below is my /var/adm/inetd.sec file...

root #/ >ll /var/adm/inetd.sec
-r--r--r-- 1 root sys 1003 Dec 24 10:30 /var/adm/inetd.sec


root #/ >cat /var/adm/inetd.sec
# @(#)B11.23_LRinetd.sec $Revision: 1.10.214.1 $ $Date: 96/10/08 13:20:06 $
#
#
# The lines in the file contain a service name, permission field and
# the Internet addresses or names of the hosts and/or networks
# allowed to use that service in the local machine.
# The form for each entry in this file is:
#
#
#
# For example:
#
# login allow 10.3-5 192.34.56.5 ahost anetwork
#
# The above entry allows the following hosts to attempt to access your system
# using rlogin:
# hosts in subnets 3 through 5 in network 10,
# the host with Internet Address of 192.34.56.5,
# the host by the name of "ahost",
# all the hosts in the network "anetwork"
#
# mountd deny 192.23.4.3
#
# The mountd entry denies host 192.23.4.3 access to the NFS rpc.mountd
# server.
#
# Hosts and network names must be official names, not aliases.
# See the inetd.sec(4) manual page for more information.



ftp deny 10.1.4.202
chindi
Respected Contributor

Re: how to block ftp from HPUX to linux server ??

Hi FaizirizaL,

I tried your options, but I'm still able to ftp
from my hpux server to linux server.



Dennis Handly
Acclaimed Contributor

Re: how to block ftp from HPUX to linux server ??

>I didn't get you.

I was asking whether you cared what direction the ftp was being used, which was host and which was client.

>below is my /var/adm/inetd.sec file
>ftp deny 10.1.4.202

This only disallows ftp clients ON 10.1.4.202 from going to your HP-UX machine.
chindi
Respected Contributor

Re: how to block ftp from HPUX to linux server ??

Hi Dennis,
It was not the requirement initially,
but now suddenly there is an urge to block ftp from my HPUX server to linux server.


So now how do I go ahead, Dennis?
Johnson Punniyalingam
Honored Contributor
Solution

Re: how to block ftp from HPUX to linux server ??

Hi Chindi,

In the linux Server
===================

Example:-
Assume:
server1 IP is 192.168.0.1
server2 IP is 192.168.100.1

Deny ftp from server 2 to server 1
===================================

# iptables -A INPUT -s 192.168.100.1 -d 192.168.0.1 -p tcp -m tcp --dport 21 -j DROP

Thx,
Johnson
Problems are common to all, but attitude makes the difference
chindi
Respected Contributor

Re: how to block ftp from HPUX to linux server ??

Hi Johnson,
many many thanks to you...

It is working like a charm...


Points given :)
chindi
Respected Contributor

Re: how to block ftp from HPUX to linux server ??

Hi Johnson,


Oops, it's not working... there was load on my hpux server so I thought that it's working, because the ftp prompt took a long time to come.


Attached herewith is my linux firewall rule:

[root@intmailserver ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
DROP all -- 10.1.4.211 anywhere
DROP all -- anywhere 10.1.4.211
DROP tcp -- 10.1.4.211 intmailserver tcp dpt:ftp

Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT ipv6-crypt-- anywhere anywhere
ACCEPT ipv6-auth-- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:5353
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:telnet
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:5901
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:5902
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:5903
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
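
Added example (not part of any post in this thread): a small shell model of first-match rule evaluation over a constructed subset of the listing above, showing why a DROP appended after the jump to RH-Firewall-1-INPUT is never reached while the same rule at position 1 is. The pipe-separated rule format and the function names verdict and filter_input are made up for this illustration; ports 21 and 22 stand for the listing's ftp and ssh.

```shell
#!/bin/sh
# Constructed model of the listing above, one rule per line:
#   chain|source|proto|dport|target   ("any"/"all" are wildcards)
# A target that is not ACCEPT/DROP/REJECT is a jump into that chain.
# Left out: the RELATED,ESTABLISHED rule and the first "ACCEPT all", assumed
# to be loopback-only (plain `iptables -L` hides interfaces; add -v to see).
SUBCHAIN='RH-Firewall-1-INPUT|any|icmp|any|ACCEPT
RH-Firewall-1-INPUT|any|tcp|21|ACCEPT
RH-Firewall-1-INPUT|any|tcp|22|ACCEPT
RH-Firewall-1-INPUT|any|all|any|REJECT'

# As in the listing: the DROP was appended (-A), so it sits after the jump.
RULES_APPENDED="INPUT|any|all|any|RH-Firewall-1-INPUT
INPUT|10.1.4.211|tcp|21|DROP
$SUBCHAIN"

# Same rule at position 1, where this command would put it:
#   iptables -I INPUT 1 -s 10.1.4.211 -p tcp --dport 21 -j DROP
RULES_INSERTED="INPUT|10.1.4.211|tcp|21|DROP
INPUT|any|all|any|RH-Firewall-1-INPUT
$SUBCHAIN"

# verdict RULES CHAIN SRC PROTO DPORT: print the first terminating target,
# or nothing if the chain is exhausted without a match.
verdict() {
    echo "$1" | while IFS='|' read -r chain src proto dport target; do
        [ "$chain" = "$2" ] || continue
        [ "$src" = any ] || [ "$src" = "$3" ] || continue
        [ "$proto" = all ] || [ "$proto" = "$4" ] || continue
        [ "$dport" = any ] || [ "$dport" = "$5" ] || continue
        case $target in
            ACCEPT|DROP|REJECT) echo "$target"; break ;;
            *)  # Jump: runs in a subshell, so our loop variables survive.
                sub=$(verdict "$1" "$target" "$3" "$4" "$5")
                if [ -n "$sub" ]; then echo "$sub"; break; fi ;;
        esac
    done
}

# filter_input RULES SRC PROTO DPORT: verdict for a NEW inbound connection.
filter_input() {
    v=$(verdict "$1" INPUT "$2" "$3" "$4")
    echo "${v:-ACCEPT}"    # nothing matched: INPUT policy is ACCEPT
}

filter_input "$RULES_APPENDED" 10.1.4.211 tcp 21   # DROP is never reached
filter_input "$RULES_INSERTED" 10.1.4.211 tcp 21   # DROP is the first match
```

On the real host, `iptables -L INPUT -n -v --line-numbers` shows each rule's position and packet counters, so a rule that never matches shows up with a zero counter.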
Johnson Punniyalingam
Honored Contributor

Re: how to block ftp from HPUX to linux server ??

Oops.. that hurts!!

>>it's working..because ftp prompt took a long time to come<<

Have you tried ftp login?
(I mean, have you tried to log in to the linux server from HPUX?)


Or you could use /etc/hosts.deny
and get the stats from the system log file

(Example: like tcp wrappers)
Problems are common to all, but attitude makes the difference
chindi
Respected Contributor

Re: how to block ftp from HPUX to linux server ??

Hi Johnson,

I am able to do ftp even after doing that setting...


and I have also tried /etc/hosts.deny and /etc/hosts.allow with tcp-wrappers, but I'm not sure about my configuration...