Operating System - HP-UX

disable telnet and allow su

 
Fernando Jose P de Souz
Regular Advisor

disable telnet and allow su

Hi,

I would like some help:

I want to deny access by telnet,
but I want to allow access by su, ftp and rlogin.

How can I proceed with this?

Wait

Fernando.
7 REPLIES
Rick Garland
Honored Contributor

Re: disable telnet and allow su

In the /etc/services file you can turn off the telnet protocol. Do an 'inetd -c' to have the config reread.

This will not affect the ftp and rlogin and su.

Fernando Jose P de Souz
Regular Advisor

Re: disable telnet and allow su

I forgot a topic:

I want to deny telnet for just one user.

HGN
Honored Contributor

Re: disable telnet and allow su

Hi

The file /etc/inetd.conf has the entry for telnet which can be commented out. You can re-read the inetd or you can do a kill -HUP on the inetd process. Only the commented process will be affected and others will still keep working.

Rgds

HGN
Florian Heigl (new acc)
Honored Contributor

Re: disable telnet and allow su

Put a hash in front of the line starting with telnet in /etc/inetd.conf, like in the following:
#telnet stream tcp nowait root /usr/lbin/telnetd telnetd

possibly there's a second line for ipv6 starting with telnet6, but usually there isn't.

after saving the file, restart inetd with inetd -c
yesterday I stood at the edge. Today I'm one step ahead.
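
Added example, not part of the original posts: the inetd.conf edit described in the two replies above as a repeatable shell function, run here against a constructed sample file rather than the live /etc/inetd.conf. The function names and the ftp and login sample lines are assumptions made for the illustration; on the real system the edit is followed by inetd -c as the posts say.

```shell
#!/bin/sh
# Added example: operates on a throwaway copy, never on the live file.

# Write a constructed sample in inetd.conf layout
# (service, socket type, protocol, wait flag, user, server, arguments).
make_sample() {
    cat > "$1" <<'EOF'
# constructed sample, not taken from a real system
ftp     stream tcp nowait root /usr/lbin/ftpd    ftpd -l
telnet  stream tcp nowait root /usr/lbin/telnetd telnetd
login   stream tcp nowait root /usr/lbin/rlogind rlogind
EOF
}

# Print how many active (uncommented) entries file $1 has for service $2.
active_count() {
    awk -v svc="$2" '$1 == svc { n++ } END { print n + 0 }' "$1"
}

# Comment out every active line in file $1 whose first field is exactly $2.
# The previous state is kept in "$1.bak". Already commented lines start
# with "#", so they never match and the edit can be repeated safely.
disable_service() {
    conf=$1
    svc=$2
    cp "$conf" "$conf.bak" || return 1
    awk -v svc="$svc" '$1 == svc { print "#" $0; next } { print }' \
        "$conf.bak" > "$conf"
}

# Disable telnet (and telnet6, if such a line exists) on the sample and
# report what is still enabled: ftp and rlogin must be left untouched.
demo() {
    f=${TMPDIR:-/tmp}/inetd.conf.sample.$$
    make_sample "$f"
    for s in telnet telnet6; do
        disable_service "$f" "$s" || return 1
    done
    echo "telnet=$(active_count "$f" telnet) ftp=$(active_count "$f" ftp) login=$(active_count "$f" login)"
    rm -f "$f" "$f.bak"
}

demo
```

Matching on the exact first field rather than on a line prefix keeps services whose names merely begin with "telnet" from being disabled by accident, and the before and after counts give a quick check that only the intended entry changed.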
Florian Heigl (new acc)
Honored Contributor

Re: disable telnet and allow su

Fernando: Ah, just read your second post - on other unices I did this using /etc/hosts.allow and /etc/hosts.deny, but it appears they are not there on hp-ux.

The ugly way would be updating the user's .profile (he MUST NOT own it after that change) to check for his terminal; if it's /dev/pty/*, an immediate logout must happen.

But I wouldn't call this a good solution :(
yesterday I stood at the edge. Today I'm one step ahead.
Rick Garland
Honored Contributor

Re: disable telnet and allow su

How about turning off the telnet protocol from the user's PC/workstation?

If you remove the telnet from the user side then you won't need to do anything on the UNIX side.

Note this is only for 1 user. If you have multiple users then another solution is called for.

If you know the IP address of the user's location (and this does not change) then you can do the hosts.deny and hosts.allow.

Other options are available as well.

Bill Hassell
Honored Contributor

Re: disable telnet and allow su

There is no way to turn off telnet in inetd.conf for one user. This must be done in /var/adm/inetd.sec (hosts.deny equivalent). In there, you put the IP address of the problem system. NOTE: you cannot deny a specific user for telnet because telnet does not authenticate anyone--there is no way to predict what a user will type at the keyboard for a login, so if the bad user keeps changing IP addresses (i.e., DHCP), then it's fairly easy: just add a lockout in /etc/profile:

# Lockout in /etc/profile: end the login shell when the user name matches.
BADUSER=william
if [ "$(id -un)" = "$BADUSER" ]
then
    exit
fi

This requires that the bad user has /usr/bin/sh as their login shell (which is the default). You can easily test this by logging in as the bad user and see that it immediately exits.


Bill Hassell, sysadmin