HPE Community
Operating System - HP-UX
1836387 Members
3212 Online
110100 Solutions
New Discussion

Restrict users to IP address

 
SOLVED
Go to solution
Glynn Aherne_1
Advisor

‎05-06-2004 03:47 AM

‎05-06-2004 03:47 AM

Restrict users to IP address


Hi all,

I was wondering if it is possible to restrict a user from telnetting to a HP-UX server from two IP address.

I've been looking at tcp wrappers and IPfilter\IPSec but to no avail.

I know a script can be written and added to the login process but this is a last resort.

Thanks in advance,

G.
0 Kudos
Reply
6 REPLIES 6
Jeff Schussele
Honored Contributor

‎05-06-2004 03:51 AM

‎05-06-2004 03:51 AM

Solution

Re: Restrict users to IP address

Hi Glynn,

Well, the standard inetd.sec can only go down to hostname or IP granularity.
BUT tcp-wrappers *can* go down to user level.
You would set up the hosts.deny like:

telnetd : username@111.222.111.222 username@111.222.111.223

HTH,
Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
Reply
RAC_1
Honored Contributor

‎05-06-2004 03:56 AM

‎05-06-2004 03:56 AM

Re: Restrict users to IP address

in /var/adm/inetd.sec put following entries.

telnet deny "ip1"
telnet deny "ip2"

OR hosts.deny, if you have tcp wrappers.

telnet : user@ip1, user@ip2

Anil
There is no substitute to HARDWORK
Reply
Glynn Aherne_1
Advisor

‎05-06-2004 10:45 PM

‎05-06-2004 10:45 PM

Re: Restrict users to IP address

Jeff,

That doesn't seem to work.

Is there some configuration changes required for the username lookup to work ?

G.
0 Kudos
Reply
Robert True
Frequent Advisor

‎05-07-2004 12:34 AM

‎05-07-2004 12:34 AM

Re: Restrict users to IP address

Restart the daemon?
0 Kudos
Reply
Jeff Schussele
Honored Contributor

‎05-07-2004 01:53 AM

‎05-07-2004 01:53 AM

Re: Restrict users to IP address

Hi (again) Glynn,

Few things:

1) Run tcpdchk to verify the tcp-wrapper install & config

2) Make sure that inetd.conf is calling tcpd instead of telnetd - like

telnet stream tcp nowait root /opt/tcpwrapper/bin/tcpd telnetd

Of course use whatever is the actual path for your tcpd binary

3) If you've edited inetd.conf run inetd -c

4) Try nslookup those IPs & use the hostname instead of the IP

HTH,
Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
0 Kudos
Reply
Glynn Aherne_1
Advisor

‎05-07-2004 02:09 AM

‎05-07-2004 02:09 AM

Re: Restrict users to IP address

Jeff,

I got it to work but it doesn't solve my problem.

A bit of background.

The connection I'm trying to make is from a wintel PC using a telnet session to a HP-UX server.

What was required to get it to work was a "ident service" running on the PC so it could send the username (username that was used to log onto PC)to the HP server for verifcation.

Once the username and IP address are verified a telnet session is granted to the PC from the server.

Here's the problem,

Once the telnet session is granted I can attempt to login onto the server with any username, not the username verified in the hosts.allow file.

Is is possible to use the login service with TCP wrappers.

In other words once the username and password have been enter and the return key press, is it possible then to check the username and IP address with TCP-wrappers or by other means.

Thanks,

G.

0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.