Operating System - HP-UX

Restricting Rlogin and Telnet access

 
SOLVED
Debbie Downing_2
Regular Advisor

Restricting Rlogin and Telnet access

Hi Guys

Can anyone advise what would be the easiest way to restrict users other than root and a selected amount of users using rlogin and telnet.

Kind Regards

Debbie
Robert-Jan Goossens
Honored Contributor
Solution

Re: Restricting Rlogin and Telnet access

Hi Debbie,

Check this faq.

http://www.interex.org/pubcontent/enterprise/jul01/09uxqa.html

I need more access and security features on my system but can't go to a Trusted System. What can I do to control login features?

HTH,
Robert-Jan
Joseph Loo
Honored Contributor

Re: Restricting Rlogin and Telnet access

hi,

to restrict telnet: use tcpwrappers or just add an exit 0 to the user's shell.

to restrict rlogin: use .rhosts and hosts.equiv file

or another method, if the users are associated with their workstations, you may deny access in /var/adm/inetd.sec


regards.
what you do not see does not mean you should not believe
Muthukumar_5
Honored Contributor

Re: Restricting Rlogin and Telnet access

You can use the /etc/profile file to deny login to specified users. You can use .rhosts or /etc/hosts.equiv or the /etc/profile file.

For example, to deny telnet-based login:

if [[ $USER = "denyuser" ]]
then
    # Look for a telnetd process in this session's process list
    ps | grep 'telnetd'
    if [[ $? -eq 0 ]]
    then
        echo "Access denied to denyuser"
        sleep 2
        exit 1    # end the login shell; without this the login continues
    fi
fi

You have to use an array to handle the user list and check it by index.

You cannot use the /var/adm/inetd.sec file for this because it controls access based on IP / hostname.
Easy to suggest when don't know about the problem!
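
The /etc/profile approach from the post above, generalized to an allow-list of users, as an added example that is not part of the original thread. The file path /etc/remote_login.allow and the function names are assumptions, as is the premise that the login shell's parent process is telnetd or rlogind. /etc/profile is read only by Bourne-family login shells, so csh users and non-interactive remote commands are not covered by this check.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: /etc/remote_login.allow,
# user_in_allowlist, is_cleartext_service, login_decision.

ALLOW_FILE=${ALLOW_FILE:-/etc/remote_login.allow}  # assumed: one user name per line

# Return 0 if user $1 may log in: root always, others only if listed in file $2.
# A missing or unreadable list fails closed (everyone but root is refused).
user_in_allowlist() {
    ual_user=$1
    [ "$ual_user" = root ] && return 0
    [ -r "$2" ] || return 1
    # "|| [ -n ... ]" also processes a last line that has no trailing newline
    while read -r ual_name ual_rest || [ -n "$ual_name" ]; do
        case $ual_name in ''|'#'*) continue ;; esac   # skip blanks and comments
        [ "$ual_name" = "$ual_user" ] && return 0
    done < "$2"
    return 1
}

# Return 0 if the parent command name $1 is telnetd or rlogind (path optional).
is_cleartext_service() {
    case ${1##*/} in
        telnetd|rlogind) return 0 ;;
        *) return 1 ;;
    esac
}

# Print "allow" or "deny" for user $1, parent command $2, allow-list file $3.
# Sessions that did not arrive through telnetd/rlogind are never blocked here.
login_decision() {
    if is_cleartext_service "$2" && ! user_in_allowlist "$1" "$3"; then
        echo deny
    else
        echo allow
    fi
}

# Use from /etc/profile (HP-UX ps accepts -o only when UNIX95 is set):
#   parent=$(UNIX95= ps -p "$PPID" -o comm=)
#   if [ "$(login_decision "$LOGNAME" "$parent" "$ALLOW_FILE")" = deny ]; then
#       echo "Access denied for $LOGNAME over telnet/rlogin"; sleep 2; exit 1
#   fi
```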
Deepak Kulkarni
Regular Advisor

Re: Restricting Rlogin and Telnet access

Hi Debbie,


Create two groups. To these groups add the users to whom you want to give rlogin & telnet access. For example:

vi /etc/group

...
...
...
telgrp::600:root,debbie,joseph,deepak,muthu
rloggrp::601:root,debbie,joseph,deepak,muthu
-r-sr-xr-- 1 rloggrp bin 36864 Nov 14 2000 /usr/bin/rlogin
-r-xr-xr-- 1 telgrp bin 106496 Nov 14 2000 /usr/bin/telnet


Give execute permission for this group only.





Cheers
Deepak
Nguyen Anh Tien
Honored Contributor

Re: Restricting Rlogin and Telnet access

Tip: You can find available solutions on the ITRC forum by searching with the keyword "Telnet access"

For quick reference:
If you want to deny by IP, use /var/adm/inetd.sec
login deny 10.0.0.7 # block IP 10.0.0.7 from access via rlogin
telnet deny 10.0.0.7 # block IP 10.0.0.7 from access via Telnet

If you want to deny by user ID, you must download TCP Wrapper and install it.
Refer to these links (search by keyword TCP Wrapper)
http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=53458
http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=798601
http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=373226
HTH
HP is simple
Debbie Downing_2
Regular Advisor

Re: Restricting Rlogin and Telnet access

Thanks everyone for your help, there are a few options here that I am interested in trying.

Much appreciated.

Regards

Debbie
sreejith_4
Frequent Advisor

Re: Restricting Rlogin and Telnet access

Also adding /var/adm/inetd.sec, which will be useful in your case.

Sreejith M
Robert Fritz
Regular Advisor

Re: Restricting Rlogin and Telnet access

A slightly different capability: Bastille can restrict root access to the tty (effectively telnet and bsd-r-services), along with a bunch of other security settings:
https://payment.ecommerce.hp.com/portal/swdepot/try.do?productNumber=B6849AA

I'm curious why you're restricting non-root from just telnet and rlogin. Normally, one restricts root-telnets to avoid cleartext root logins (and exposing the password) vs. non-root accounts. If your system is not for general login, then I'd expect you'd also want to restrict other account access as well, like ftp, ssh, and the other r-services, for example. If the latter is the case, there are some other settings you may consider.

-Robert

"Those Who Would Sacrifice Liberty for Security Deserve Neither." - Benjamin Franklin