Operating System - HP-UX

Re: disable direct access/login via telnet/ftp

 
monster00
Advisor

disable direct access/login via telnet/ftp


Hi

I'm doing hardening of the HP-UX server. How can I disable the telnet/ftp via direct login?
6 REPLIES
Steven Schweda
Honored Contributor

Re: disable direct access/login via telnet/ftp

Suraj K Sankari
Honored Contributor

Re: disable direct access/login via telnet/ftp

Hi,

FTP disabled
This means ftp should not be running. Comment out ftp line in /etc/inetd.conf and run "inetd -c"
Test by trying to ftp to the host.

TELNET disabled
This means telnet should not be running. Comment out telnet line in /etc/inetd.conf and run "inetd -c"
Test by trying to telnet to the host.

Suraj
monster00
Advisor

Re: disable direct access/login via telnet/ftp

Hi. Yes, I can disable the ftp/telnet through the inetd.conf, but I can't access it ...

I don't want to access it directly. It's like I want to login to another server A, then from server A I can now telnet from server B (hardened server).
Steven Schweda
Honored Contributor

Re: disable direct access/login via telnet/ftp

So you want any user on server A to be able
to get Telnet and FTP access to server B, but
only users on server A?

If you want some Telnet and FTP access to
server B, then you normally can't disable
the daemons in inetd.conf.

Forget about this idea of "direct". Server B
can't tell how a user got to server A. A
user on server A is a user on server A, even
if they Telnetted through five other systems
before reaching server A.

> [...] the hpux server [...]

"uname -a"? There is more than one version
of HP-UX, and they don't share all features.
For example, 11i v3 (11.31) offers
"bastille", but I don't see it for 11i v1
(11.11), although the v3 "man" page suggests
that it's available there, too.

http://docs.hp.com/en/B2355-60130/bastille.1M.html
S. Ney
Trusted Contributor

Re: disable direct access/login via telnet/ftp

Edit your inetd.conf file to use tcp wrappers. Locate the ftp entry and edit the line to:
ftp stream tcp nowait root /usr/lbin/tcpd /usr/lbin/ftpd -l

Locate the telnet entry and edit the line to:
telnet stream tcp nowait root /usr/lbin/tcpd /usr/lbin/telnetd telnetd

Create /etc/hosts.allow and /etc/hosts.deny files. You can now specify what services can come from what hosts. I've attached a doc on tcp wrappers for you. Or do a man on hosts_access and tcpd for more information.
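An added example, not part of the post above: a hosts.allow/hosts.deny pair that lets only server A reach telnetd and ftpd on server B, with a simplified model of the hosts_access lookup order to check the outcome. The address 192.0.2.10 for server A and the scratch directory are assumptions; the files are written there, not to /etc, and the matcher handles only literal daemon names, literal addresses and ALL.

```shell
#!/bin/sh
# Constructed sample rules; 192.0.2.10 stands in for server A (assumption).
RULES_DIR="${TMPDIR:-/tmp}/tcpd-demo.$$"
mkdir -p "$RULES_DIR"

# hosts.allow is consulted first: only server A may reach telnetd and ftpd.
cat > "$RULES_DIR/hosts.allow" <<'EOF'
telnetd, ftpd: 192.0.2.10
EOF

# hosts.deny is consulted second: anything not allowed above is refused.
cat > "$RULES_DIR/hosts.deny" <<'EOF'
ALL: ALL
EOF

# matches FILE DAEMON CLIENT: exit 0 if any "daemons: clients" rule matches.
matches() {
    awk -F: -v d="$2" -v c="$3" '
        /^[ \t]*(#|$)/ { next }          # skip comments and blank lines
        {
            dm = 0; cm = 0
            n = split($1, ds, /[ \t,]+/)
            for (i = 1; i <= n; i++) if (ds[i] == d || ds[i] == "ALL") dm = 1
            n = split($2, cs, /[ \t,]+/)
            for (i = 1; i <= n; i++) if (cs[i] == c || cs[i] == "ALL") cm = 1
            if (dm && cm) { found = 1; exit }
        }
        END { exit (found ? 0 : 1) }' "$1"
}

# access DAEMON CLIENT: prints "allow" or "deny" in the hosts_access order:
# match in hosts.allow => allow; else match in hosts.deny => deny; else allow.
access() {
    if matches "$RULES_DIR/hosts.allow" "$1" "$2"; then echo allow
    elif matches "$RULES_DIR/hosts.deny" "$1" "$2"; then echo deny
    else echo allow
    fi
}

access telnetd 192.0.2.10     # server A
access ftpd    192.0.2.10     # server A
access telnetd 198.51.100.7   # any other host
```

Without the `ALL: ALL` line in hosts.deny the last case falls through to the default and is allowed, which is why the deny file matters. As noted earlier in the thread, server B sees only the connecting host, so this restricts by source address, not by how the user reached server A.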
Torsten.
Acclaimed Contributor

Re: disable direct access/login via telnet/ftp

See

http://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=B6849AA

Product #: B6849AA
Version: B.03.00.31; B02.01.03
Software specification: HP-UX 11i v1 and later (Bastille B.3.0.31)
HP-UX 11.00 (Bastille B.02.01.03)


Hope this helps!
Regards
Torsten.

__________________________________________________
There are only 10 types of people in the world -
those who understand binary, and those who don't.

__________________________________________________
No support by private messages. Please ask the forum!
