Operating System - HP-UX

Re: Block users from a particular IP

Shahul
Esteemed Contributor

Block users from a particular IP

Hi,

I have a strange requirement, I would like to block some users coming to Unix server directly from their laptop. The server and their laptop are in same DNS. I have IP filter to block IPs, I can't block all laptop IPs as there are many. Is there any way I can mention that users should only come from a particular IP and block all the rest? I know we can use staticroute for this, it's again we need to maintain the routes list.

TIA
Shahul
7 REPLIES 7
Steven E. Protter
Exalted Contributor

Re: Block users from a particular IP

Shalom Shahul,

You might be able to do it with tcpwrappers if it's coming in with a particular protocol.

You certainly will be able to block the traffic with the ipfilter firewall.

TCP Wrappers is available only from http://software.hp.com

ipfilter is available from the above website and your Core OS or Application CD/DVD.

Well TCP may be there too, I'm not going to check, but these are the tools.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Hein van den Heuvel
Honored Contributor

Re: Block users from a particular IP

So you have an unknown, and changing, number of sources which should be blocked.
And you have a known host which should be allowed for certain users.

I would suggest a login script which checks the 'who -um' output for those users and make sure an allowed hostname is reported.

Example output:

$ who -um
hein pts/tc Jul 2 11:39 . 29267 pool-71-168-yy-xx.cncdnh.east.verizon.net

hth,
Hein.
Tim Nelson
Honored Contributor

Re: Block users from a particular IP

"users" or "IP" addresses ?? This makes a difference.

If "users" then you can only block using some type of scripted shell function. e.g. if $LOGNAME = "BOB" then echo Sorry Bob, goodbye....

If "IP" then any one of the tcpwrapper, inetd.conf or IPSec solutions would work ( pick one ).

john korterman
Honored Contributor

Re: Block users from a particular IP

Hi Shahul,

I remember using /var/adm/inetd.sec for making restrictions on specific protocols; If you have not already tried, take a look at the man pages for "inetd.sec".

regards,
John K.
it would be nice if you always got a second chance
Bill Hassell
Honored Contributor
Solution

Re: Block users from a particular IP

This is not a strange requirement but it is almost impossible to do at the networking level. The reason is that a "user" has no meaning on the network. A "user" is defined when a connection is made and authentication programs are run (such as login and passwd). So you'll need to block the bad users after they have authenticated themselves, namely, in /etc/profile (and all the profiles for different shells that may be used on your system such as bash, csh, tcsh, etc).

At the top of the primary profile (ksh, POSIX sh, bash use /etc/profile), you lock out all interrupts that can bypass the profile tests. Then determine the IP address and username for this particular login and compare the result to a valid user+IP list. If not found on the list, exit.

To get the user's name and hostname/IPaddr, use:

who -muR | awk '{print $1,$NF}' | read USER HOSTIP
IPADDR=$(getip $HOSTIP)
echo "user=$USER, IP=$IPADDR"


Bill Hassell, sysadmin
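
A sketch of the /etc/profile check described in the answer above, added here as an example and not code from the thread. The allow-list format, the sample users and addresses, and the names check_login, enforce_login_source and write_sample_list are assumptions; a user with no entry in the list is treated as unrestricted.

```shell
#!/bin/sh
# Added example. Assumed allow-list format: "user ip" per line, "#" comments.

# check_login USER IP FILE -> returns 0 to allow the login, 1 to deny it.
check_login() {
    [ -r "$3" ] || return 1          # fail closed if the list is unreadable
    awk -v u="$1" -v ip="$2" '
        NF == 0 || $1 ~ /^#/ { next }                    # blanks and comments
        $1 == u { restricted = 1; if ($2 == ip) ok = 1 } # user has an entry
        END { exit (restricted && !ok) }                 # listed, wrong source
    ' "$3"
}

# Wiring for the top of /etc/profile on HP-UX (defined here, not called).
# The who/getip lines are the ones from the post; "| read" keeps its variables
# in ksh and the HP-UX POSIX shell, but not in bash.
enforce_login_source() {
    trap "" 1 2 3                    # ignore HUP, INT, QUIT during the check
    who -muR | awk '{print $1,$NF}' | read USER HOSTIP
    IPADDR=$(getip "$HOSTIP")
    if ! check_login "$USER" "$IPADDR" "$1"; then
        echo "Login for $USER from $IPADDR is not permitted."
        exit 1
    fi
    trap - 1 2 3                     # restore default signal handling
}

# Constructed sample data (documentation address range).
write_sample_list() {
    cat > "$1" <<'EOF'
# user      allowed source IP
dbadmin     192.0.2.10
appuser     192.0.2.10
appuser     192.0.2.11
EOF
}

# Demo: the first login is allowed, the second denied, the third unrestricted.
LIST=$(mktemp) && write_sample_list "$LIST"
for t in "dbadmin 192.0.2.10" "dbadmin 192.0.2.77" "hein 192.0.2.77"; do
    set -- $t
    if check_login "$1" "$2" "$LIST"; then echo "$1 from $2: allow"
    else echo "$1 from $2: deny"; fi
done
rm -f "$LIST"
```

Keep the list file writable only by root; as the answer notes, the same check has to go into the startup file of every other shell in use (csh, tcsh), or a restricted user can avoid it by logging in with one of those.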
Shahul
Esteemed Contributor

Re: Block users from a particular IP

Thanks to everyone.

I am going to script it, I think that is the best way. I will be doing something like this,

If $User = && $SourceIP !=
then
Kick them out
fi.

So that the user can come via only one IP address, that satisfies my requirement.

Rgds
Shahul
Shahul
Esteemed Contributor

Re: Block users from a particular IP

Closed