Operating System - HP-UX
Laurie A. Krumrey
Regular Advisor

How to prevent Telnet'ing Out from a Server - Want to telnet in

Hi All,

I want to be able to telnet into my K100 HPUX 11.0 but I don't want anyone to be able to telnet out to my other HP Servers.

I'm setting up a play Unix box for folks who want to learn Unix but I don't want them getting too smart and telnetting or ftp'ing into my production boxes from this play box. I know they would have to have an account on the production boxes but I'm just thinking like an auditor.

Do I comment telnet out of the /etc/services?
But wouldn't that prevent anyone from telnet'ing into the server?

I need to think about Security even on the play box because it's on our network.

Any thoughts..
Laurie
Happiness is a choice
Santosh Nair_1
Honored Contributor
Solution

Re: How to prevent Telnet'ing Out from a Server - Want to telnet in

I don't believe there is anything that you can do to prevent someone from telnetting out of your machine...other than taking the execute permissions off the telnet (and ftp) executables. But a smart user could just copy the executable into their home directory and change the permissions back. A better way to handle this would be to put the machine behind a firewall and filter out all outgoing telnet/ftps.

Hope this helps.

-Santosh
Life is what's happening while you're busy making other plans
James R. Ferguson
Acclaimed Contributor

Re: How to prevent Telnet'ing Out from a Server - Want to telnet in

Hi Laurie:

I'd suggest you set up the '/var/adm/inetd.sec' security file. Have a look by:

# man 4 inetd.sec

These man pages contain a good explanation.

Regards!

...JRF...
harry d brown jr
Honored Contributor

Re: How to prevent Telnet'ing Out from a Server - Want to telnet in

Change the permissions on /usr/bin/telnet to 500, so only root can telnet off the machine! Telnet'ers into your box do not use telnet, they use telnetd!

chmod 500 /usr/bin/telnet

live free or die
harry
Live Free or Die
Sanjay_6
Honored Contributor

Re: How to prevent Telnet'ing Out from a Server - Want to telnet in

Hi Laurie,

Don't see any way to prevent telnet out of a box until you withdraw the execute permission to that file for everyone other than root. The other way would be to put an entry on all your production servers denying telnet from your test server which does not seem like a recommended option.

Hope this helps.

Regds
John Bolene
Honored Contributor

Re: How to prevent Telnet'ing Out from a Server - Want to telnet in

Even if you changed the permissions on telnet or changed its name so they could not use it, an enterprising person would just ftp a version from another machine.

You could make it harder and disable DNS resolution, they would have to look up the IP's.

I do like JRF's answer on the '/var/adm/inetd.sec' security file.
It is always a good day when you are launching rockets! http://tripolioklahoma.org, Mostly Missiles http://mostlymissiles.com
Darrell Allen
Honored Contributor

Re: How to prevent Telnet'ing Out from a Server - Want to telnet in

Hi Laurie,

As others say, you can change the perms to at most 550 with owner bin:bin. And as Santosh says, smart users will just copy telnet from /usr/bin to their directory (or somewhere else like /tmp) and change perms to execute it there.

You could try making /usr/bin/telnet a wrapper script that verified who the user was before allowing access. Smart users could read the script and still copy the executable.

You could move telnet to a directory that is only in root's path and that only has perms for root to access it. That may be your best option.

Then again, smart users can just copy telnet from another system (same OS level) and run it from there.

If they're that smart they may need a job as an SA.

Darrell
"What, Me Worry?" - Alfred E. Neuman (Mad Magazine)
Roger Baptiste
Honored Contributor

Re: How to prevent Telnet'ing Out from a Server - Want to telnet in

hi,

It's a bit tricky, since you are saying that you want to login to production boxes from this Playbox, but do not want others to do the same.

You have two options:
Tweaking at the production boxes end through inetd.sec
-- BUT---::
Using inetd.sec's allow/deny options on the production boxes will block all logins from the playstation (including yours). Also, you would need to do the inetd.sec setting on all the production boxes where you want to deny users access.

Other option is to tweak at the Playbox end:
-- here you can simply remove the telnet binary or put a wrapper over telnet binary, say a script which checks for user id and if it is not your id, it simply exits with a warning. Something like:

#!/bin/sh
# wrapper installed as /usr/bin/telnet: anyone but the owner gets a warning and exits
if [ "$LOGNAME" != "laurie" ]
then
    echo "You are warned"
    exit 1
else
    # otherwise run the real client, moved out of /usr/bin (placeholder path)
    exec /path/to/real/telnet "$@"
fi

But any intrepid user can easily hack this or simply copy the telnet binary into his home directory and use it.

Another option would be to put this playstation on a different subnet; or simply remove it from the network!

If i was paranoid, i would keep the system standalone and plug out the lan connection!

-raj
Take it easy.
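Since inetd.sec has to go on every production box, and an allow line shuts the play box out for everyone (Laurie included), it helps to evaluate an entry before installing it. The following is an added example, not code from the thread or from HP: a toy evaluator that assumes the "<service> allow|deny <host>..." format and allow/deny semantics described in inetd.sec(4), understands only exact IPv4 addresses and '*' octet wildcards, and uses constructed addresses.

```shell
#!/bin/sh
# Added example, not from the thread: a toy evaluator for HP-UX inetd.sec
# rules. Assumed format per inetd.sec(4): "<service> allow|deny <host>...",
# '#' comments, exact IPv4 addresses or '*' octets. Assumed semantics: no
# entry => all allowed; allow => only listed hosts; deny => all but listed
# hosts; a repeated service => last entry wins here.
set -f   # '*' host patterns must not glob against the working directory

SAMPLE_FILE=${TMPDIR:-/tmp}/inetd.sec.sample

# write_sample -> constructed inetd.sec for one production box
write_sample() {
  cat > "$SAMPLE_FILE" <<'EOF'
# constructed: 10.1.1.7 = admin workstation, 10.1.2.* = play-box subnet
telnet allow 10.1.1.7
ftp    deny  10.1.2.*
EOF
}

# host_match PATTERN ADDR -> true when each octet is equal or PATTERN has '*'
host_match() {
  oldifs=$IFS; IFS=.
  set -- $1 $2; IFS=$oldifs     # $1..$4 = pattern octets, $5..$8 = address
  [ "$1" = '*' ] || [ "$1" = "$5" ] || return 1
  [ "$2" = '*' ] || [ "$2" = "$6" ] || return 1
  [ "$3" = '*' ] || [ "$3" = "$7" ] || return 1
  [ "$4" = '*' ] || [ "$4" = "$8" ] || return 1
}

# inetd_sec_decision FILE SERVICE ADDR -> prints "allow" or "deny"
inetd_sec_decision() {
  decision=allow
  while read -r svc mode hosts; do
    case $svc in ''|\#*) continue ;; esac     # blank and comment lines
    [ "$svc" = "$2" ] || continue
    listed=no
    for h in $hosts; do
      if host_match "$h" "$3"; then listed=yes; break; fi
    done
    if [ "$mode" = allow ]; then expect=yes; else expect=no; fi
    if [ "$listed" = "$expect" ]; then decision=allow; else decision=deny; fi
  done < "$1"
  echo "$decision"
}

write_sample
for a in 10.1.1.7 10.1.2.50; do   # admin workstation, then the play box itself
  echo "telnet from $a: $(inetd_sec_decision "$SAMPLE_FILE" telnet "$a")"
  echo "ftp from $a: $(inetd_sec_decision "$SAMPLE_FILE" ftp "$a")"
done
```

Run it and the play box (10.1.2.50) is denied telnet by the allow line and ftp by the deny line, while a service with no entry, such as login, stays open to it.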
Marco Paganini
Respected Contributor

Re: How to prevent Telnet'ing Out from a Server - Want to telnet in

Hello Laurie,

You can just change the permissions of your "telnet" program to "500" or something like that (only root can execute it). However, that does create a FALSE sense of security, since people can just ftp a telnet program from another place and run it.

If you want to proceed like that, make sure users cannot copy any files in by denying access to ftp, rcp, scp, tftp and any other possible means (you can set all those clients to chmod 500 just like telnet).

It would be better if you installed a firewall between this machine and your production machines, though.

Regards,
Paga
Keeping alive, until I die.
Deshpande Prashant
Honored Contributor

Re: How to prevent Telnet'ing Out from a Server - Want to telnet in

Hi
I would go with extra security using inetd.sec, if a firewall is not an option.

Thanks.
Prashant.
Take it as it comes.

Re: How to prevent Telnet'ing Out from a Server - Want to telnet in

Nice try guys!!!

More than likely one of the users is a member of ITRC forums. Otherwise sooner or later they will find out why they can't telnet.

Please do not award points for this!!

Ish
If your keyboard is locked, call a locksmith, not HP!
Mary Ann Lipa
Valued Contributor

Re: How to prevent Telnet'ing Out from a Server - Want to telnet in

firewall is definitely an option...
otherwise change /usr/bin/telnet's permission to 500 so only root can execute telnet

d_b
Which is worse, smoking or picking your nose in a public place?
Deepak Extross
Honored Contributor

Re: How to prevent Telnet'ing Out from a Server - Want to telnet in

Guys,
Removing execute permission or writing a wrapper isn't going to work...it'll be just a few days before someone hacks around it.
It could be a nice way to test the ingenuity of your users, though. Donno about your folks, but I'd expect to see:
1. copies of the telnet exe in home directories and /tmp
2. telnet exes renamed with innocuous sounding names, say a.out to evade detection by 'ps'.
3. scripts/exes which invoke telnet.
4. aliases mapping 'telnet' to innocent commands.
My wicked mind could ramble on, but I guess I've made the point.

p.s. yeah, my sysadmin hates me
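A defender's audit for the evasions Deepak lists, as an added example that is not from the thread: it matches copies of the telnet client by cksum and size rather than by name (so a renamed a.out still shows up) and greps for files that run telnet as a command. User names, paths and file contents are constructed, and it runs against a throwaway tree under $TMPDIR instead of the real /home and /tmp.

```shell
#!/bin/sh
# Added example, not from the thread: a defender-side audit for the evasions
# listed above. It finds copies of the telnet client under home dirs and /tmp
# (renamed copies included, matched by cksum and size rather than name) and
# files that invoke telnet. Uses only cksum, find, awk and grep.

# sig FILE -> "crc size" from cksum(1); a renamed copy keeps the same pair
sig() { cksum "$1" | awk '{ print $1, $2 }'; }

# find_copies REF DIR... -> paths of regular files under DIR... whose
# cksum/size equal REF's (REF itself is skipped), one per line
find_copies() {
  ref=$1; refsig=$(sig "$1"); shift
  find "$@" -type f 2>/dev/null | while read -r f; do
    if [ "$f" != "$ref" ] && [ "$(sig "$f")" = "$refsig" ]; then echo "$f"; fi
  done
}

# find_invokers DIR... -> files under DIR... that run telnet as a command
# (line start or after ; | & or whitespace, then whitespace or end of line)
find_invokers() {
  find "$@" -type f 2>/dev/null | while read -r f; do
    if grep -q -E '(^|[;|&[:space:]])telnet([[:space:]]|$)' "$f" 2>/dev/null; then
      echo "$f"
    fi
  done
}

# setup_demo -> builds a constructed play-box tree under $TMPDIR, prints its path
setup_demo() {
  d=${TMPDIR:-/tmp}/playbox.$$
  mkdir -p "$d/usr/bin" "$d/home/alice" "$d/home/bob/.hidden" "$d/tmp"
  printf 'ELF-fake-telnet-client\n' > "$d/usr/bin/telnet"   # stand-in binary
  printf 'ELF-fake-ftp-client\n' > "$d/usr/bin/ftp"         # different content
  cp "$d/usr/bin/telnet" "$d/home/alice/a.out"              # renamed copy (item 2)
  cp "$d/usr/bin/telnet" "$d/tmp/.x"                        # hidden copy in /tmp (item 1)
  printf '#!/bin/sh\ntelnet prod01\n' > "$d/home/bob/.hidden/go"   # script (item 3)
  printf 'echo hello\n' > "$d/home/bob/notes"               # harmless file
  echo "$d"
}

d=$(setup_demo)
echo "copies of the telnet client:"; find_copies "$d/usr/bin/telnet" "$d/home" "$d/tmp"
echo "files invoking telnet:"; find_invokers "$d/home" "$d/tmp"
rm -rf "$d"
```

On a real box the same functions run as find_copies /usr/bin/telnet /home /tmp; expect the real binary's own strings to trip find_invokers on every copy find_copies already reported.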