Operating System - HP-UX

Login with valid client IP to HP-UX11i

 
Bernd Dittmar
Advisor

Login with valid client IP to HP-UX11i

Hello all,
I want to check whether a user comes from a valid client after login.
In .profile: check if client IP <> 192.168.x.x,
then exit.
Any ideas?

Regards Bernd
BaaN IV on HP-UX
Mobeen_1
Esteemed Contributor

Re: Login with valid client IP to HP-UX11i

Bernd,
Could you please elaborate a little more on what you are trying to achieve?

Are you trying to limit the users logging into your server based on a pattern of client IP addresses like 192.168.x.x?

rgds
Mobeen
Bernd Dittmar
Advisor

Re: Login with valid client IP to HP-UX11i

Hello Mobeen,

I want to check if the user "ABC" is not telnet'ing from the client's IP (e.g.
192.168.1.35), then exit in .profile.

I don't want to block a range of IPs.

Is there a system variable for the client IP ?

Regards Bernd
BaaN IV on HP-UX
Mark Grant
Honored Contributor

Re: Login with valid client IP to HP-UX11i

You will need a table of valid IP addresses and then have something like this in the .profile

# /etc/valid_ips is a placeholder name for the table of valid addresses (one per line);
# -x matches whole lines, so 192.168.1.3 does not match an entry 192.168.1.36
grep -x "`who -R am i | cut -c39-`" /etc/valid_ips > /dev/null || {
echo "Invalid ip address"
exit
}

Look at the output of who -R to see where this is going.
Never precede any demonstration with anything more predictive than "watch this"
Dietmar Konermann
Honored Contributor

Re: Login with valid client IP to HP-UX11i

Some recycled code from another script I hacked some years ago...

who -Rm | read line
FROM=${line##*\(}; FROM=${FROM%%\)*}
if [[ $FROM != [0-9]*.[0-9]*.[0-9]*.[0-9]* ]]; then
FROM=$(nslookup $FROM | grep Address | tail -1 | awk -F '[^0-9.]+' '{print $2}')
fi

if [[ "$FROM" != [0-9]*.[0-9]*.[0-9]*.[0-9]* ]]; then
echo "Unknown Source IP."
exit
fi

if [[ "$FROM" = 192.168.1.35 ]]; then
echo "Forbidden Source IP $FROM."
exit
fi

Best regards...
Dietmar.
"Logic is the beginning of wisdom; not the end." -- Spock (Star Trek VI: The Undiscovered Country)
Dietmar Konermann
Honored Contributor

Re: Login with valid client IP to HP-UX11i

Oops... I forgot another straight-forward and more bullet-proof approach.

Don't use .profile... use /var/adm/inetd.sec instead:

telnet deny 192.168.1.35
ftp deny 192.168.1.35
shell deny 192.168.1.35
login deny 192.168.1.35

Best regards...
Dietmar.
"Logic is the beginning of wisdom; not the end." -- Spock (Star Trek VI: The Undiscovered Country)
Bernd Dittmar
Advisor

Re: Login with valid client IP to HP-UX11i

Hello Dietmar,

it's OK in .profile!

I'll do the following:

..........
if [["$FROM" <> 192.168.1.116]]; then
echo "Wrong client / User combination"
exit
fi

Regards Bernd
BaaN IV on HP-UX
Patrick Wallek
Honored Contributor

Re: Login with valid client IP to HP-UX11i

I have to agree with Dietmar here. Using /var/adm/inetd.sec will be MUCH MUCH easier and much less work than worrying with the users' .profile. You can add multiple entries, or entire networks, to inetd.sec, and all you have to do after a change is an 'inetd -c' and you are done.
A. Clay Stephenson
Acclaimed Contributor

Re: Login with valid client IP to HP-UX11i

inetd.sec is by far the better choice because it would be trivially easy for a user to change his own .profile (or at least remove it even if owned by root).
If it ain't broke, I can fix that.
Bernd Dittmar
Advisor

Re: Login with valid client IP to HP-UX11i

Hello Dietmar,
I've coded the following. But every time the script goes to the "else" statement with this message.

checkip_dittbern[16]: [[192.168.1.36: not found.
------------------------------------------
who -Rm | read line
FROM=${line##*\(}; FROM=${FROM%%\)*}
echo "$FROM"

sleep 2

if [[ $FROM != [0-9]*.[0-9]*.[0-9]*.[0-9]* ]]; then
FROM=$(nslookup $FROM | grep Address | tail -1 | awk -F '[^0-9.]+' '{print $2}')
fi


#if [["$FROM" = 192.168.1.116 ]]; then
if "$FROM" = 192.168.1.36
then
echo "Right IP $FROM"
sleep 2
exec ba6.1

else
echo "Wrong IP $FROM"
exit

fi
------------------------------------------
BaaN IV on HP-UX
John Carr_2
Honored Contributor

Re: Login with valid client IP to HP-UX11i


if [[ $FROM = "192.168.1.36" ]] ; then

You really should use inetd.sec; this is what it is designed to do.

John.
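Putting the .profile variants from this thread together, here is an added example (not code from any of the posters) written for a POSIX shell so that it runs under HP-UX sh-posix as well as ksh: it extracts the origin shown in parentheses by who -Rm, insists on a dotted quad (the nslookup fallback is left out), and matches user and address against an allow-list with a whole-line fixed-string grep, avoiding the [[ spacing and <> problems seen above. The allow-list file name /etc/login_sources and the sample who -Rm line are constructed for the example; as the later replies say, this only complements inetd.sec, since a user can edit his own .profile.

```shell
# Added example: per-user source-IP check for .profile in POSIX sh.
# Assumption: /etc/login_sources (hypothetical file) holds "user ip" lines.

# Print the origin shown in parentheses at the end of a "who -Rm" line,
# or nothing if the line has no "(...)" part (local login).
who_origin() {
    line=$1
    case "$line" in
        *\(*\)*) from=${line##*\(}; echo "${from%%\)*}" ;;
        *) echo "" ;;
    esac
}

# Succeed only for a dotted quad: four numeric fields, each 0-255.
is_dotted_quad() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Exit 0 if "$user" may log in from "$ip" according to the allow-list file.
# -F -x: literal whole-line match, so 192.168.1.3 never matches 192.168.1.36.
allowed_from() {
    user=$1; ip=$2; listfile=$3
    is_dotted_quad "$ip" || return 1
    grep -F -x "$user $ip" "$listfile" > /dev/null 2>&1
}

# Constructed sample data so the example runs stand-alone.
SAMPLE_WHO='abc        pts/1        Mar  3 09:14   .   (192.168.1.36)'
SAMPLE_LIST=/tmp/login_sources.$$
printf '%s\n' 'abc 192.168.1.36' 'xyz 192.168.1.116' > "$SAMPLE_LIST"

# In .profile the equivalent would be:
#   FROM=$(who_origin "$(who -Rm)")
#   allowed_from "$LOGNAME" "$FROM" /etc/login_sources || { echo "Wrong IP $FROM"; exit; }
check_sample() {
    from=$(who_origin "$SAMPLE_WHO")
    allowed_from "$1" "$from" "$SAMPLE_LIST"
}
```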