Operating System - HP-UX

Re: preventing telnet in for all users except root and user1, user2

rana786
Regular Advisor

preventing telnet in for all users except root and user1, user2

Hi all,

I need to enhance system security, and that is why I am going to prevent all users except root, user1 and user2 from telnetting into the system from anywhere, any PC. How can I do that?

Rgds,
Rana
Walker_dhk
Arunvijai_4
Honored Contributor

Re: preventing telnet in for all users except root and user1, user2

Hi Rana,

Do you have access to the /etc/passwd file? If yes, you can change every user's shell to "/bin/false" except root, user1 and user2.

-Arun

"A ship in the harbor is safe, but that is not what ships are built for"
RAC_1
Honored Contributor

Re: preventing telnet in for all users except root and user1, user2

The following code in /etc/profile will do it.

# deny the login unless LOGNAME is one of the three allowed accounts
if [ "${LOGNAME}" != "root" -a "${LOGNAME}" != "user1" -a "${LOGNAME}" != "user2" ]; then
    echo "No direct telnet allowed"
    exit
fi

There is no substitute to HARDWORK
Muthukumar_5
Honored Contributor

Re: preventing telnet in for all users except root and user1, user2

You want to block telnet access from any other machine to the HP-UX machine for everyone other than root, user1 and user2.

You can do it with /etc/profile scripting as,

if [[ "${LOGNAME}" = "root" || "${LOGNAME}" = "user1" || "${LOGNAME}" = "user2" ]]
then
    # is this session coming in through telnet?
    ps | grep -q 'telnet'
    if [[ $? -eq 0 ]]
    then
        echo "Telnet access to user ${LOGNAME} is denied. Contact @ information"
        sleep 2
    fi
fi

--
Muthu
Easy to suggest when don't know about the problem!
Jean-Yves Picard
Trusted Contributor

Re: preventing telnet in for all users except root and user1, user2

Hello,

directly an answer:
put a filter in /etc/profile (supposing your users have a login shell)
like

if tty -s
then
    cmd=exit
    # $LOGNAME is the name set by login(1); one line per allowed user
    if [ "$LOGNAME" = root ] ; then cmd=true ; fi
    if [ "$LOGNAME" = user1 ] ; then cmd=true ; fi
    # ...

fi
$cmd

(tty -s will run the filter only on terminal sessions)

not directly an answer:
but if you are concerned about security, you shouldn't use telnet in the first place.
at least use ssh.
using ssh, you can control which users can access the system through public/private keys.

Jean-Yves
Devender Khatana
Honored Contributor

Re: preventing telnet in for all users except root and user1, user2

Hi Rana,

Do not adopt the first response; it will not allow your users to log in by any means, not only telnet. Even rlogin, ssh and console login will not work for all other users.

HTH,
Devender
Impossible itself mentions "I m possible"
Muthukumar_5
Honored Contributor

Re: preventing telnet in for all users except root and user1, user2

RAC,

I think we have to check for a telnet login with ps | grep 'telnet' to exclude other service logins like ssh and rlogin.

Rana,

You can as well use TCP wrappers for user-based control.

Note: /etc/profile is used to control terminal-based logins, not GUI-based ones. For GUI-based logins you have to turn on dtprofile so that it looks up the /etc/profile file too.

--
Muthu
Easy to suggest when don't know about the problem!
Arunvijai_4
Honored Contributor

Re: preventing telnet in for all users except root and user1, user2

Some threads on a similar problem:

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=543133
http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=469590

-Arun
"A ship in the harbor is safe, but that is not what ships are built for"
Arunvijai_4
Honored Contributor

Re: preventing telnet in for all users except root and user1, user2

Also, you can use security hardening tools such as Bastille or TCP Wrappers to do this.

http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=TCPWRAP
http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=B6849AA

-Arun
"A ship in the harbor is safe, but that is not what ships are built for"
Muthukumar_5
Honored Contributor

Re: preventing telnet in for all users except root and user1, user2

Put an exit code in my previous script as,

if [[ "${LOGNAME}" = "root" || "${LOGNAME}" = "user1" || "${LOGNAME}" = "user2" ]]
then
    # is this session coming in through telnet?
    ps | grep -q 'telnet'
    if [[ $? -eq 0 ]]
    then
        echo "Telnet access to user ${LOGNAME} is denied. Contact @ information"
        sleep 2
        exit 1
    fi
fi


That is important. After lunch, everything is working in 0 kms.

--
Muthu
Easy to suggest when don't know about the problem!
Muthukumar_5
Honored Contributor

Re: preventing telnet in for all users except root and user1, user2

Sorry again. Very bad. Just use this,

# deny only when LOGNAME is none of the allowed accounts (all three tests must hold)
if [[ "${LOGNAME}" != "root" && "${LOGNAME}" != "user1" && "${LOGNAME}" != "user2" ]]
then
    # is this session coming in through telnet?
    ps | grep -q 'telnet'
    if [[ $? -eq 0 ]]
    then
        echo "Telnet access to user ${LOGNAME} is denied. Contact @ information"
        sleep 2
        exit 1
    fi
fi

Forgot to do the negative check. :(

--
Muthu
Easy to suggest when don't know about the problem!
rana786
Regular Advisor

Re: preventing telnet in for all users except root and user1, user2

Hi all,

Thanks. Since it is a security concern, if I want to use ssh instead of telnet with strong security like previously specified, then what else would I need?

Rgds,
Mostafa
Walker_dhk
Arunvijai_4
Honored Contributor

Re: preventing telnet in for all users except root and user1, user2

Hi Rana,

You need to install and configure Secure Shell, which can be downloaded from,

http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=T1471AA

And, put the code snippet from Muthukumar in /etc/profile,

------

# deny only when LOGNAME is none of the allowed accounts (all three tests must hold)
if [[ "${LOGNAME}" != "root" && "${LOGNAME}" != "user1" && "${LOGNAME}" != "user2" ]]
then
    # is this session coming in through telnet?
    ps | grep -q 'telnet'
    if [[ $? -eq 0 ]]
    then
        echo "Telnet access to user ${LOGNAME} is denied. Contact @ information"
        sleep 2
        exit 1
    fi
fi
---

-Arun
"A ship in the harbor is safe, but that is not what ships are built for"
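Jean-Yves's point above (let ssh decide which users get in) and this install step fit together: once Secure Shell is in place, the allow-list belongs in sshd_config rather than in /etc/profile, because /etc/profile is only read by an interactive login shell, so a session that runs a single command over ssh (or an scp transfer) never executes the profile guard at all, while sshd's AllowUsers directive is enforced before any shell starts. The script below is an added example written for this thread, not HP's or the forum's own code. It assumes an OpenSSH-based sshd (HP-UX Secure Shell is one) that honours AllowUsers, and it takes the config path as a parameter so it can be tried on a scratch copy before touching the live file.

```shell
#!/bin/sh
# Added example (not from the thread): keep the remote-login allow-list in
# sshd_config. Assumes an OpenSSH-based sshd that honours "AllowUsers".

# Replace every AllowUsers line in the file named by $1 (active or commented
# out) with one line listing the users given as $2...; the file is rewritten
# through a temporary copy so an interrupted run never leaves it half-written.
set_allow_users() {
    file=$1; shift
    tmp="$file.new.$$"
    grep -v '^[[:space:]]*#*[[:space:]]*AllowUsers[[:space:]]' "$file" > "$tmp" || true
    echo "AllowUsers $*" >> "$tmp"
    mv "$tmp" "$file"
}

# Print the user names on the AllowUsers line of $1, one per line.
allowed_users() {
    awk '$1 == "AllowUsers" { for (i = 2; i <= NF; i++) print $i }' "$1"
}

# Return 0 if user $2 appears literally on the AllowUsers line of $1, else 1.
# (sshd also accepts user@host and wildcard patterns; this check covers the
# plain-name form the thread asks about.)
ssh_user_allowed() {
    for u in $(allowed_users "$1"); do
        [ "$u" = "$2" ] && return 0
    done
    return 1
}

# Constructed sample sshd_config for the demonstration (not a real file).
SAMPLE_SSHD_CONFIG='Port 22
Protocol 2
#AllowUsers olduser
PermitRootLogin yes
PasswordAuthentication yes'

# Stand-alone demonstration on a scratch copy of the sample.
demo_file="${TMPDIR:-/tmp}/sshd_config.example.$$"
printf '%s\n' "$SAMPLE_SSHD_CONFIG" > "$demo_file"
set_allow_users "$demo_file" root user1 user2
grep '^AllowUsers' "$demo_file"                        # AllowUsers root user1 user2
ssh_user_allowed "$demo_file" user1 && echo "user1: accepted by sshd"
ssh_user_allowed "$demo_file" user9 || echo "user9: refused by sshd"
rm -f "$demo_file"
```

To apply it for real, run set_allow_users against the live sshd_config, check the result with `sshd -t` (OpenSSH's configuration test mode), and restart sshd through its init script; the /etc/profile snippet can then stay as a belt-and-braces message for telnet sessions while telnet is being retired.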
Muthukumar_5
Honored Contributor
Solution

Re: preventing telnet in for all users except root and user1, user2

Change this,

ps | grep -q 'telnet'

to

ps | grep -q 'ssh'

For rlogin denial,

ps | grep -q 'rlogind'

in that script.

If you want to block telnet, ssh then,

ps | grep -Eq 'telnet|ssh'

--
Muthu
Easy to suggest when don't know about the problem!
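The accepted answer above relies on two separate decisions: is this account on the allow-list, and did the session arrive through one of the remote login daemons (telnet, ssh, rlogin)? The script below is an added example for this thread, not the poster's code, that splits the /etc/profile guard into those two functions and reads the process listing from standard input, so the deny/allow decision can be checked against constructed `ps` output without a live telnetd or sshd. It assumes a POSIX sh/ksh, LOGNAME set by login(1), the user names from the thread, and that the daemons show up in a plain `ps` listing under the names telnetd, sshd and rlogind as the last column of each line.

```shell
#!/bin/sh
# Added example (not from the thread): the accepted answer's /etc/profile
# guard as testable functions. Names root/user1/user2 and the daemon names
# telnetd/sshd/rlogind are assumptions carried over from the discussion.

# Accounts that may log in remotely; everyone else is denied.
ALLOWED_USERS="root user1 user2"

# Return 0 if $1 is on the allow-list, 1 otherwise.
is_allowed_user() {
    for u in $ALLOWED_USERS; do
        [ "$1" = "$u" ] && return 0
    done
    return 1
}

# Return 0 if the process listing on stdin contains a login daemon matching
# the egrep alternation in $1 (e.g. 'telnetd|sshd|rlogind'). The name must be
# the whole last column, so 'ssh' in the pattern cannot match 'ssh-agent'.
session_via() {
    grep -Eq '[[:space:]]('"$1"')$'
}

# Print "deny" or "allow" for user $1, judging the session against the daemon
# pattern $2 with the process listing read from stdin.
login_decision() {
    if is_allowed_user "$1"; then
        echo allow
    elif session_via "$2"; then
        echo deny
    else
        echo allow          # console or other non-remote session
    fi
}

# The fragment that would go into /etc/profile once the functions above are
# defined there; tty -s keeps it to interactive sessions as Jean-Yves noted:
#   if tty -s && [ "$(ps | login_decision "$LOGNAME" 'telnetd|sshd|rlogind')" = deny ]
#   then
#       echo "Remote login for ${LOGNAME} is denied. Contact the administrator."
#       sleep 2
#       exit 1
#   fi

# Constructed process listings in the plain `ps` layout (not captured output).
PS_TELNET='  PID TTY      TIME COMMAND
 1234 pts/0    0:00 telnetd
 1240 pts/0    0:00 sh
 1251 pts/0    0:00 ps'
PS_CONSOLE='  PID TTY      TIME COMMAND
  980 console  0:00 sh
  991 console  0:00 ps'

# Stand-alone demonstration: prints deny, allow, allow.
printf '%s\n' "$PS_TELNET"  | login_decision user9 'telnetd|sshd|rlogind'
printf '%s\n' "$PS_TELNET"  | login_decision user1 'telnetd|sshd|rlogind'
printf '%s\n' "$PS_CONSOLE" | login_decision user9 'telnetd|sshd|rlogind'
```

Keeping the pattern in one place makes the telnet-only, ssh-only and telnet-plus-ssh variants from the accepted answer a one-word change, and the allow-list test is the negated check Muthukumar corrected in his "sorry again" post, written so it cannot be mis-joined with `||`.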
rana786
Regular Advisor

Re: preventing telnet in for all users except root and user1, user2

It's ok.
Walker_dhk