HPE Community
Operating System - HP-UX
1824052 Members
3571 Online
109667 Solutions
New Discussion юеВ

Login with valid client IP to HP-UX11i

 
Bernd Dittmar
Advisor

тАО03-16-2004 11:20 PM

тАО03-16-2004 11:20 PM

Login with valid client IP to HP-UX11i

Hello all,
i want to check, if a user comes from a valid client after login.
In .profile: check if client ip <> 192.168.x.x
then exit
Anny ideas ?

Regards Bernd
BaaN IV on HP-UX
0 Kudos
Reply
10 REPLIES 10
Mobeen_1
Esteemed Contributor

тАО03-16-2004 11:32 PM

тАО03-16-2004 11:32 PM

Re: Login with valid client IP to HP-UX11i

Bernd,
Could you please elaborate a little more on what you are trying to achieve?

Are you trying to limit the users logging into your server based on a pattern of client ip addresses like 192.168.x.x

rgds
Mobeen
0 Kudos
Reply
Bernd Dittmar
Advisor

тАО03-16-2004 11:40 PM

тАО03-16-2004 11:40 PM

Re: Login with valid client IP to HP-UX11i

Hello Mobeen,

i want to check, if the user "ABC" is not telnet 'ing from the clients ip (e.g)
192.168.1.35, then exit in .profile.

I don't want to block a range of IP's.

Is there a system variable for the client IP ?

Regards Bernd
BaaN IV on HP-UX
0 Kudos
Reply
Mark Grant
Honored Contributor

тАО03-17-2004 12:01 AM

тАО03-17-2004 12:01 AM

Re: Login with valid client IP to HP-UX11i

You will need a table of valid IP addresses and then have something like this in the .profile

grep `who -R am i | cut -c39-` > /dev/null || {
echo "Invalid ip address"
exit
}

Look at the output of who -R to see where this is going.
Never preceed any demonstration with anything more predictive than "watch this"
0 Kudos
Reply
Dietmar Konermann
Honored Contributor

тАО03-17-2004 12:27 AM

тАО03-17-2004 12:27 AM

Re: Login with valid client IP to HP-UX11i

Some recycled code from another script I hacked some years ago...

who -Rm | read line
FROM=${line##*\(}; FROM=${FROM%%\)*}
if [[ $FROM != [0-9]*.[0-9]*.[0-9]*.[0-9]* ]]; then
FROM=$(nslookup $FROM | grep Address | tail -1 | awk -F '[^0-9.]+' '{print $2}')
fi

if [[ "$FROM" != [0-9]*.[0-9]*.[0-9]*.[0-9]* ]]; then
echo "Unknown Source IP."
exit
fi

if [[ "$FROM" = 192.168.1.35 ]]; then
echo "Forbidden Source IP $FROM."
exit
fi

Best regards...
Dietmar.
"Logic is the beginning of wisdom; not the end." -- Spock (Star Trek VI: The Undiscovered Country)
0 Kudos
Reply
Dietmar Konermann
Honored Contributor

тАО03-17-2004 12:57 AM

тАО03-17-2004 12:57 AM

Re: Login with valid client IP to HP-UX11i

Oops... I forgot another straight-forward and more bullet-proof approach.

Don't use .profile... use /var/adm/inetd.sec inestead:

telnet deny 192.168.1.35
ftp deny 192.168.1.35
shell deny 192.168.1.35
login deny 192.168.1.35

Best regards...
Dietmar.
"Logic is the beginning of wisdom; not the end." -- Spock (Star Trek VI: The Undiscovered Country)
0 Kudos
Reply
Bernd Dittmar
Advisor

тАО03-17-2004 01:11 AM

тАО03-17-2004 01:11 AM

Re: Login with valid client IP to HP-UX11i

Hello Dietmar,

it's o.k. in .profile !

I'll do the following:

..........
if [["$FROM" <> 192.168.1.116]]; then
echo "Wrong client / User combination"
exit
fi

Regards Bernd
BaaN IV on HP-UX
0 Kudos
Reply
Patrick Wallek
Honored Contributor

тАО03-17-2004 01:23 AM

тАО03-17-2004 01:23 AM

Re: Login with valid client IP to HP-UX11i

I have to agree with Dietmar here. Using /var/adm/inetd.sec will be MUCH MUCH easier and much less work thatn worrying with the users .profile. You can add multiple entries, or entire networks to inetd.sec and all you have to do after a change is an 'inetd -c' and you are done.
0 Kudos
Reply
A. Clay Stephenson
Acclaimed Contributor

тАО03-17-2004 02:47 AM

тАО03-17-2004 02:47 AM

Re: Login with valid client IP to HP-UX11i

inetd.sec is by far the better choice because it would be trivially easy for a user to change his own .profile (or at least remove it even if owned by root).
If it ain't broke, I can fix that.
0 Kudos
Reply
Bernd Dittmar
Advisor

тАО03-18-2004 06:40 PM

тАО03-18-2004 06:40 PM

Re: Login with valid client IP to HP-UX11i

Hello Dietmar,
i've coded the following. But everytime the script does the "else" statement with tis message.

checkip_dittbern[16]: [[192.168.1.36: not found.
------------------------------------------
who -Rm | read line
FROM=${line##*\(}; FROM=${FROM%%\)*}
echo "$FROM"

sleep 2

if [[ $FROM != [0-9]*.[0-9]*.[0-9]*.[0-9]* ]]; then
FROM=$(nslookup $FROM | grep Adress | tail -1 | awk -F '[^0-9.]+''{print $2}')
fi


#if [["$FROM" = 192.168.1.116 ]]; then
if "$FROM" = 192.168.1.36
then
echo "Right IP $FROM"
sleep 2
exec ba6.1

else
echo "Wrong IP $FROM"
exit

fi
------------------------------------------
BaaN IV on HP-UX
0 Kudos
Reply
John Carr_2
Honored Contributor

тАО03-18-2004 07:02 PM

тАО03-18-2004 07:02 PM

Re: Login with valid client IP to HP-UX11i


if [[ $FROM = "192.168.1.36" ]] ; then

you really should use inetd.sec this is what it is designed to do.

John.
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.