
Restrict users to IP address

 
SOLVED
Glynn Aherne_1
Advisor

Restrict users to IP address


Hi all,

I was wondering if it is possible to restrict a user from telnetting to an HP-UX server from two IP addresses.

I've been looking at tcp wrappers and IPfilter\IPSec but to no avail.

I know a script can be written and added to the login process but this is a last resort.

Thanks in advance,

G.
6 REPLIES 6
Jeff Schussele
Honored Contributor
Solution

Re: Restrict users to IP address

Hi Glynn,

Well, the standard inetd.sec can only go down to hostname or IP granularity.
BUT tcp-wrappers *can* go down to user level.
You would set up the hosts.deny like:

telnetd : username@111.222.111.222 username@111.222.111.223

HTH,
Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
RAC_1
Honored Contributor

Re: Restrict users to IP address

In /var/adm/inetd.sec put the following entries.

telnet deny "ip1"
telnet deny "ip2"

OR hosts.deny, if you have tcp wrappers.

telnet : user@ip1, user@ip2

Anil
There is no substitute to HARDWORK
Glynn Aherne_1
Advisor

Re: Restrict users to IP address

Jeff,

That doesn't seem to work.

Are there some configuration changes required for the username lookup to work?

G.
Robert True
Frequent Advisor

Re: Restrict users to IP address

Restart the daemon?
Jeff Schussele
Honored Contributor

Re: Restrict users to IP address

Hi (again) Glynn,

Few things:

1) Run tcpdchk to verify the tcp-wrapper install & config

2) Make sure that inetd.conf is calling tcpd instead of telnetd - like

telnet stream tcp nowait root /opt/tcpwrapper/bin/tcpd telnetd

Of course use whatever is the actual path for your tcpd binary

3) If you've edited inetd.conf run inetd -c

4) Try nslookup those IPs & use the hostname instead of the IP

HTH,
Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
Glynn Aherne_1
Advisor

Re: Restrict users to IP address

Jeff,

I got it to work but it doesn't solve my problem.

A bit of background.

The connection I'm trying to make is from a wintel PC using a telnet session to a HP-UX server.

What was required to get it to work was an "ident service" running on the PC so it could send the username (the username that was used to log onto the PC) to the HP server for verification.

Once the username and IP address are verified a telnet session is granted to the PC from the server.

Here's the problem,

Once the telnet session is granted I can attempt to log in to the server with any username, not the username verified in the hosts.allow file.

Is it possible to use the login service with TCP wrappers?

In other words, once the username and password have been entered and the return key pressed, is it possible then to check the username and IP address with TCP wrappers or by other means?

Thanks,

G.
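
The login-time script mentioned in the first post, sketched as an added example that is not code from any poster in this thread: it checks the account that actually logged in against a per-user deny list, rather than the ident name sent by the client. The deny-file format, the path /etc/login.deny and the use of `who -mR` to obtain the source are assumptions made for this example.

```shell
# Added example, not from the thread. Deny-file format (constructed here,
# modelled on the hosts.deny entry above): "user source [source ...]" per line,
# '#' starts a comment. Sources are compared as exact strings, so list the
# form your system reports (IP address or hostname).

# login_source_check USER SOURCE DENY_FILE
#   exit status: 0 = allowed, 1 = denied, 2 = deny file unreadable
# The body runs in a subshell so 'set -f' and the variables do not leak
# into the login shell that sources this file.
login_source_check() (
    user=$1 src=$2 deny_file=$3
    set -f                      # no globbing while splitting the source list
    [ -r "$deny_file" ] || exit 2
    # '|| [ -n ... ]' also handles a last line without a trailing newline
    while read -r entry_user sources || [ -n "$entry_user" ]; do
        case $entry_user in ''|'#'*) continue ;; esac
        [ "$entry_user" = "$user" ] || continue
        for s in $sources; do
            if [ "$s" = "$src" ]; then
                exit 1          # this user is denied from this source
            fi
        done
    done < "$deny_file"
    exit 0
)

# Possible wiring in /etc/profile (assumptions: `who -mR` reports the remote
# host in parentheses on your system; /etc/login.deny is a hypothetical path):
#   trap '' 1 2 3
#   src=$(who -mR | sed -n 's/.*(\(.*\)).*/\1/p')
#   login_source_check "$(logname)" "$src" /etc/login.deny
#   [ $? -eq 1 ] && { echo "Login not permitted from $src"; exit 1; }
#   trap 1 2 3
```

Because this runs after authentication it sees the real login name, but it only covers sessions whose shell sources /etc/profile.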