
prevent telnet

 
SOLVED
kacou
Regular Advisor

prevent telnet

How can I prevent telnet for a specific user or account?

help me please
5 REPLIES
Asif Sharif
Honored Contributor

Re: prevent telnet

Hi Kacou,

See the below thread.

http://forums11.itrc.hp.com/service/forums/questionanswer.do?threadId=92298

Regards,
Asif Sharif
Jeeshan
Honored Contributor

Re: prevent telnet

kacou
Regular Advisor

Re: prevent telnet

I use the code below but the user with id 116 cannot log in using 'su'. Why?
--------------------------
# placed in /etc/profile: refuse a login shell to the account with uid 116
uid=$(id -u)
if [[ ${uid} -eq "116" ]]
then
    echo "This account is not allowed to login directly"
    exit 1
fi
Avinash20
Honored Contributor
Solution

Re: prevent telnet

Since a user name is not known until the user tries to login, you need to restrict / permit using code in the system /etc/profile . You cannot restrict by user with /var/adm/inetd.sec, TCP Wrappers, nor IPFilter. Here are some suggestions to follow:
FIRST, determine if the user logged in via telnet. There are several methods to do this. Here are two to consider:
1. Examine the user tty to determine if it is a telnet device /dev/pts/t*
Example:
if [ "`tty | cut -c 1-10`" = "/dev/pts/t" ] ;
then
    # ...code to determine if user is denied or permitted;
    # see the next section of this document.
    # Security tip: use "logger" to log access attempts
    # by denied users.
    :
fi
2. Examine the user login process list checking for telnetd to determine if the user is connected via telnet.
How to check for telnetd:
# grep -q prints nothing, so test its exit status directly
# rather than wrapping it in [ ... ]
if ps | grep -q telnetd ;
then
    # ...code to determine if user is denied or permitted;
    # see the next section of this document.
    # Security tip: use "logger" to log access attempts
    # by denied users.
    :
fi

SECOND, detect if the user is denied / permitted access via telnet. There are many methods available. Here are 3 possibilities to consider for denying access:
1. Examine the user login name and test programmatically with user names hard-coded in /etc/profile. This is useful when only a very small number of users is to be permitted or denied. To see a code example to deny telnet by user name "testhack" go to ftp://ftp.hp.com/pub/enterprise/programming_code/c00843266_CodeExample_Denying_testhack.txt.
Code example to deny access by user name:
if [ "$LOGNAME" = "testhack" ] ;
then
    logger "telnet attempt by $LOGNAME not permitted"
    exit
fi

2. Examine the user login name and test by reading an access/deny list from a flat file. Since the user has to be able to read the file it is not very secure. Make the permissions 444 and owner root/sys . You could create a database of some kind to be more secure. This is useful if you have a large number of users and more than a small number should be permitted or denied. The disadvantage is that the shell could be interrupted by the user before the check is complete, and the execution time could be lengthy causing long login times.
For an example to deny access to users in the /etc/.deny_telnet file, go to ftp://ftp.hp.com/pub/enterprise/programming_code/c00843266_CodeExample_Denying_Access.txt.
Code example to deny access to users in the deny telnet file:
# read the file by redirection so that "exit" runs in the login shell
# itself and not in a pipeline subshell
while read name
do
    if [ "$LOGNAME" = "$name" ] ;
    then
        logger "telnet attempt by $LOGNAME not permitted"
        exit
    fi
done < /etc/.deny_telnet

3. Use a unique secondary group ID or IDs to identify the permitted or denied telnet users. In the example in /etc/group, testhack is in the group of users not permitted to telnet.
To see the example go to ftp://ftp.hp.com/pub/enterprise/programming_code/c00843266_Users_Not_Permitted.txt.
Example of users not permitted access (/etc/group entries):
users::20:root
notelnet::7777:testhack,sam,joe,jane,michelle
notelnet2::7778:jim,bill,sue

Code snippet to detect if effective user ID is member of group denied telnet access:

# test the exit status of grep -q (it prints nothing), and match whole
# GIDs in the space-separated "id -Gr" output so 17777 is not taken for 7777
if id -Gr | grep -q -E '(^| )(7777|7778)( |$)' ;
then
    logger "telnet attempt by $LOGNAME not permitted"
    exit
fi

NOTE: Whatever method is used, please try to be as flexible as possible, and consider ease of maintenance and administration.
"Light travels faster than sound. That's why some people appear bright until you hear them speak."
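As an added example (not code from this thread, and not HP's), the pieces of the accepted answer are put together below into one POSIX sh script: the /dev/pts/t* tty test for detecting a telnet session, the one-name-per-line deny file, and the denied secondary groups 7777/7778. Each check is a function that takes its input as arguments, so the logic can be exercised on constructed values without a real telnet login; the function names, the "telnet_gate" logger tag and the temporary deny file are assumptions made here. The group check compares whole GIDs rather than substrings, and the deny file is read by redirection rather than through "cat | while", so a later "exit" would run in the login shell itself.

```shell
#!/bin/sh
# Added example: a self-contained version of the /etc/profile telnet gate
# described in the accepted answer. Function names are assumptions.

# Does the tty name look like an HP-UX telnet pseudo-terminal (/dev/pts/t*)?
is_telnet_tty() {
    case "$1" in
        /dev/pts/t*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Is user $1 listed, one name per line, in the deny file $2?
# The file is read by redirection so the loop runs in the current shell.
user_in_deny_file() {
    _user=$1
    _file=$2
    [ -r "$_file" ] || return 1
    while read -r _name; do
        [ "$_name" = "$_user" ] && return 0
    done < "$_file"
    return 1
}

# Is any GID in the space-separated list $1 (as printed by "id -Gr")
# one of the denied GIDs in the space-separated list $2?
# Whole-number comparison: GID 17777 must not be mistaken for 7777.
in_denied_group() {
    for _gid in $1; do
        for _denied in $2; do
            [ "$_gid" = "$_denied" ] && return 0
        done
    done
    return 1
}

# Combined decision: returns 0 (deny) when the session arrived over telnet
# and the user is denied by either method, 1 (permit) otherwise.
# Arguments: user, tty, gid list, deny file, denied gid list.
telnet_denied() {
    _u=$1; _t=$2; _g=$3; _f=$4; _d=$5
    is_telnet_tty "$_t" || return 1
    if user_in_deny_file "$_u" "$_f" || in_denied_group "$_g" "$_d"; then
        return 0
    fi
    return 1
}

# Constructed deny list written to a temporary file for the demo run.
DEMO_DENY_FILE=${TMPDIR:-/tmp}/deny_telnet.$$
printf '%s\n' testhack sam joe > "$DEMO_DENY_FILE"
DENIED_GIDS="7777 7778"

# Demo using the current session's real values. In /etc/profile the deny
# branch would log with logger and then "exit", as in the thread's snippets.
if telnet_denied "${LOGNAME:-$(id -un)}" "$(tty 2>/dev/null)" "$(id -Gr)" \
                 "$DEMO_DENY_FILE" "$DENIED_GIDS"; then
    logger -t telnet_gate "telnet attempt by ${LOGNAME:-?} not permitted"
    echo "denied"
else
    echo "permitted"
fi
rm -f "$DEMO_DENY_FILE"
```

To use it as the answer intends, source the functions from /etc/profile and replace the demo branch with the logger call followed by exit; keeping the checks as functions makes it easy to extend the deny file or add a GID without touching the detection logic.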
Laurent Menase
Honored Contributor

Re: prevent telnet

SAFeR product with Fine Grain Privilege + RBAC