Operating System - HP-UX

Disallow any login to the system

 
Nisar Ahmad
Regular Advisor

I am supposed to install patches on our production system. What could be the best approach so that no one can log in to the system, as I can't be in single user mode?

Thanks

Nisar
federico_3
Honored Contributor

Re: Disallow any login to the system

If you are in single user mode nobody can connect to the system because the network processes are down.


Federico
Herve BRANGIER
Respected Contributor

Re: Disallow any login to the system

Hi

ftp, login, rlogin,... and a lot of daemons are
launched by inetd. So I think you can stop
inetd : /sbin/init.d/inetd stop.
Or you can modify /var/adm/inetd.sec.

If you want to disallow other services you can
stop them...

HTH

Hervé

Sridhar Bhaskarla
Honored Contributor

Re: Disallow any login to the system

You can do one thing.

cp /var/adm/inetd.sec /var/adm/inetd.sec.old
Edit your /var/adm/inetd.sec and
add these lines

telnet deny #For telnet
telnet allow your_system_IP SW-DEPOT-IP
login deny #For rlogin

ftp deny

Restart inetd by inetd -c

Now people cannot ftp or login to your box

Once you are done, restore the previous inetd.sec and restart inetd.

The other way is a little bit dangerous.

Save /etc/passwd as /etc/passwd.old. Edit /etc/passwd and delete all the entries other than the default ones. Edit a file called /etc/banner that says "This system is under maintenance .. Your account is temporarily disabled" and modify the inetd.conf file to
replace telnetd with telnetd -b /etc/banner. Restart the inetd.

Once you are done with the installation, put the password file back. One drawback is that it will unnecessarily register bad attempts in the system.

There are a lot of ways.

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
Marcin Wicinski
Trusted Contributor

Re: Disallow any login to the system

Hi,

I suppose that you cannot install patches in single user mode because of special installation instruction suggestions. A very simple way to reject any logins is to check the username in /.profile and if it is not root then exit.

Later,
Marcin Wicinski
Dayanand Naik
Frequent Advisor

Re: Disallow any login to the system

Hi Nisar,

It depends on what kind of patch you are going to install, but it's not required for you to go into single user mode; you can stop the inetd services, which contain rlogin, login, ftp and other network services.

Issue this command to stop/start inetd services:

/sbin/init.d/inetd stop

After you finish patching your system issue

/sbin/init.d/inetd start command

Hope this helps.

Regards
Dayanand Naik
Alex_17
Frequent Advisor

Re: Disallow any login to the system

Another way:

1) Copy your /etc/passwd to /etc/passwd.old
2) Write * in password field for every user
3) Install patches
4) Remove /etc/passwd
5) Rename old /etc/passwd

It's not very original but it may work.

ALex.
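
Alex_17's five steps as a script, added here as an example and not part of any poster's reply. The function names are made up for illustration, the file path is passed as an argument so it can be tried on a copy first, and leaving root unlocked is an assumption (the post says every user).

```shell
#!/bin/sh
# Added example: lock and later restore accounts in a passwd-format file.
# lock_accounts and restore_accounts are hypothetical helper names.

lock_accounts() {
    file="$1"
    backup="$file.old"
    tmp="$file.tmp.$$"
    # Without a root entry, locking would leave nobody able to log in.
    if ! grep -q '^root:' "$file"; then
        echo "no root entry in $file, refusing" >&2
        return 1
    fi
    # A second run must not overwrite the good copy with a locked one.
    if [ -e "$backup" ]; then
        echo "$backup already exists, refusing" >&2
        return 1
    fi
    cp -p "$file" "$backup" || return 1
    # Put * in the password field of every 7-field entry except root.
    # Other lines (such as a bare "+" NIS entry) pass through untouched.
    if ! awk -F: 'BEGIN { OFS = ":" }
         NF == 7 && $1 != "root" { $2 = "*" }
         { print }' "$backup" > "$tmp"; then
        rm -f "$tmp" "$backup"
        return 1
    fi
    # Overwrite in place so owner and mode of the live file stay the same.
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

restore_accounts() {
    file="$1"
    backup="$file.old"
    if [ ! -f "$backup" ]; then
        echo "no backup at $backup" >&2
        return 1
    fi
    # Steps 4 and 5 of the post done as a single rename.
    mv -f "$backup" "$file"
}
```

Call lock_accounts with the file path before patching and restore_accounts with the same path afterwards.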
linuxfan
Honored Contributor

Re: Disallow any login to the system

Hi Nisar,

Here is a very simple way

touch /etc/nologin

Modify your /etc/profile with

if [ -f /etc/nologin ] && [ "${LOGNAME}" != "root" ]
then
    echo "System is not available right now"
    exit 1
fi

This way you don't need to modify anything else on your system; after installing the patches, just remove the /etc/nologin file.

-HTH
Ramesh
They think they know but don't. At least I know I don't know - Socrates
Ravi_8
Honored Contributor

Re: Disallow any login to the system

Hi,
System patches such as kernel and network patches need a system reboot when they are applied; application patches such as PHCO* can be applied in multiuser mode with no need to reboot the machine. Your case of disallowing users to log in and applying patches in single user mode is unnecessary.
never give up