Operating System - HP-UX

Permit root login through one network (NIC) only

 
Philip Kernohan
Advisor

Permit root login through one network (NIC) only

I need a secure method of permitting root access when a login comes through one NIC card and not the other.

For example, if my NICs are:

10.26.100.10 and
231.62.100.231

is it possible to permit root access through the 10.X.X.X NIC and *NOT* through the 231.X.X.X NIC?

I know the easiest method is to be secure with the root password, but allowing access from only within a particular physical environment would make me feel more comfortable.

Any and all help appreciated.

PK
It's nice to be important but it's more important to be nice
7 REPLIES
RAC_1
Honored Contributor

Re: Permit root login through one network (NIC) only

Do not give that IP address to anyone!!
Else, I can think of ipfilter, tcp wrappers.

Anil
There is no substitute to HARDWORK
Ken Penland_1
Trusted Contributor

Re: Permit root login through one network (NIC) only

I asked a similar question in the past, and was pointed to ipfilter:

http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=B9901AA
Kevin Wright
Honored Contributor

Re: Permit root login through one network (NIC) only

Run an sshd daemon that just listens on that specific interface and set PermitRootLogin to yes.
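Kevin's suggestion in concrete form, as an added example that is not from the thread: two sshd instances, each bound to exactly one address with ListenAddress, and only the one on the internal NIC allowing root. The config file paths under /opt/ssh/etc and the daemon path /opt/ssh/sbin/sshd are assumed HP-UX Secure Shell locations; the two addresses are the example ones from the question.

```sshd_config
# /opt/ssh/etc/sshd_config  (assumed path)
# Main daemon: bound only to the externally reachable NIC, root refused.
ListenAddress 231.62.100.231:22
Protocol 2
PermitRootLogin no

# /opt/ssh/etc/sshd_config.internal  (assumed name)
# Second daemon: bound only to the internal NIC, root permitted.
# Separate PidFile so the two instances do not overwrite each other's pid.
ListenAddress 10.26.100.10:22
Protocol 2
PermitRootLogin yes
PidFile /var/run/sshd_internal.pid
```

The second instance is started with its own config file, for example `/opt/ssh/sbin/sshd -f /opt/ssh/etc/sshd_config.internal`, and `netstat -an | grep '\.22 '` should then show one listener per address rather than a wildcard `*.22`. Because each daemon binds a specific address, a connection arriving on the 231.x NIC can never reach the root-permitting instance, which is what makes this stronger than any check done after login. Later OpenSSH releases can express the same policy in a single config with `PermitRootLogin no` globally and a `Match LocalAddress 10.26.100.10` block containing `PermitRootLogin yes`, but the two-daemon form works on any version.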
Philip Kernohan
Advisor

Re: Permit root login through one network (NIC) only

The IP addresses are for example only, they're not actually mine.

I'll check out the suggestions and assign points shortly.

PK
It's nice to be important but it's more important to be nice
Biswajit Tripathy
Honored Contributor

Re: Permit root login through one network (NIC) only

Ken / Anil,

No, you can't use IPFilter.

IPFilter can only allow/deny access based on IP address / port #, but it does not have any control over the user name. For example, if you allow/deny telnet from 10.26.100.10, you have to allow/deny ALL users from that machine.

- Biswajit
:-)
Steven E. Protter
Exalted Contributor

Re: Permit root login through one network (NIC) only

If you are having problems with your root password being locked from the 231 network, I have a daemon I developed called monbad that effectively stops the script kiddies.

You can probably put some code into your /etc/profile that can pick up where the login came from and reject the user. But that will only work for users that have the password.

IPFilter is designed to block ports and protocols, not individual users.

Let me know if you need monbad and I'll post it somewhere. It is designed for secureshell logins but can easily be upgraded to handle telnet.

Letting root log on with telnet is a bad idea because the password goes through the network in clear text.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Philip Kernohan
Advisor

Re: Permit root login through one network (NIC) only

SEP,

I'd be interested in monbad if you can share it?

The method I've heard of before used /etc/profile and a query of where that person was logging in from with probably 'who -a'(?) but I'm concerned this is easy to break (ctrl-\ perhaps?).

I reviewed IPFilter and found that it has no control over specific users as implied by the name.

More to research ...

PK
It's nice to be important but it's more important to be nice
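The /etc/profile approach SEP describes and PK asks about, written out as an added example that is not from the thread or from monbad. Rather than parsing `who -a` output, it reads the SSH_CONNECTION variable that OpenSSH (and so HP-UX Secure Shell) exports to the session, whose third field is the address of the local interface that accepted the connection, i.e. the NIC the login came through. The addresses are the example ones from the question, the client addresses in the comments are constructed, and the function names are hypothetical.

```sh
#!/usr/bin/sh
# Added example for /etc/profile: refuse interactive root sessions that did
# not arrive on the internal NIC (10.26.100.10, from the question).
# Written for the POSIX shell that reads /etc/profile on HP-UX.

# Decide for one login.  $1 = login name, $2 = value of SSH_CONNECTION,
# which OpenSSH sets to "client_ip client_port server_ip server_port".
# Prints "allow" or "deny".  Only root is restricted; everyone else passes.
root_login_decision() {
    user=$1
    conn=$2
    if [ "$user" != root ]; then
        echo allow
        return 0
    fi
    # Split the four fields; $3 becomes the local address the session came in on.
    # An empty or malformed value (no SSH_CONNECTION at all) falls through to deny.
    set -- $conn
    local_ip=$3
    case $local_ip in
        10.26.100.10) echo allow ;;   # arrived via the internal NIC
        *)            echo deny  ;;   # 231.62.100.231, console, or unknown
    esac
}

# The part /etc/profile calls.  Keyboard interrupts are ignored for the
# duration of the check so ctrl-c / ctrl-\ / ctrl-z (PK's concern) cannot
# abort the profile before the exit is reached.
enforce_root_nic_policy() {
    trap '' INT QUIT TSTP
    if [ "$(id -un)" = root ] && \
       [ "$(root_login_decision root "$SSH_CONNECTION")" = deny ]; then
        echo "root logins are permitted only via the internal interface" >&2
        exit 1
    fi
    trap - INT QUIT TSTP
}

# In /etc/profile, after sourcing the above (hypothetical file name):
#   . /etc/root_nic_policy.sh
#   enforce_root_nic_policy
# Constructed inputs for reference:
#   root_login_decision root '10.26.100.5 51234 10.26.100.10 22'     -> allow
#   root_login_decision root '198.51.100.7 40000 231.62.100.231 22'  -> deny
```

Treat this as a convenience check, not the control: /etc/profile only runs for login shells, so `ssh host command`, scp and sftp sessions never execute it, and a user who already has the root password could change root's shell. The sshd-bound-to-one-interface setup Kevin described is the enforcement point; a profile check like this just gives a clear message on top of it.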