Operating System - HP-UX

Re: Restricting Rlogin and telnet access

Debbie Downing_2
Regular Advisor

Restricting Rlogin and telnet access

Hi Guys

I need to restrict rlogin and telnet access on unix 11.i for users other than root and selected other users. What would be the easiest way to do this.

Thanks for your help
Kind Regards

Debbie
Muthukumar_5
Honored Contributor

Re: Restricting Rlogin and telnet access

You can easily do it with /etc/profile scripting.

--- /etc/profile ---

# Only root and the selected users (here: debbie) may arrive via telnet/rlogin.
# The test needs &&: a user who is neither root nor debbie is checked,
# root and debbie are let straight through.
if [[ $LOGNAME != "root" && $LOGNAME != "debbie" ]]
then
    # ps with no options lists the processes on this terminal; a telnet or
    # rlogin process there means the session came in over the network
    ps | grep -qE 'telnet|rlogin'

    if [[ $? -eq 0 ]]
    then
        echo "Telnet or Rlogin with $LOGNAME user is denied"
        sleep 2
        exit 1
    fi
fi

hth.

Easy to suggest when don't know about the problem!
Vibhor Kumar Agarwal
Esteemed Contributor

Re: Restricting Rlogin and telnet access

Just write "exit" at the end of .profile of those users whom you don't want to telnet/rlogin.
Vibhor Kumar Agarwal
Muthukumar_5
Honored Contributor

Re: Restricting Rlogin and telnet access

Vibhor,

It is needed to give access to ssh based login, right? If you put exit there, there will be no login at all for the user.

hth.
Easy to suggest when don't know about the problem!
Pradeep_3
Frequent Advisor

Re: Restricting Rlogin and telnet access

Try /usr/bin/false as the shell in the /etc/passwd file for the particular user name. For this, the /etc/shells file must exist.
Biswajit Tripathy
Honored Contributor

Re: Restricting Rlogin and telnet access

Debbie,

Having "exit" in the .profile or having /bin/false as the shell in the /etc/passwd file will lock out the user even if (s)he is trying to login without using rlogin/telnet. I'm sure you don't want that.

You should consider using ssh instead of telnet or rlogin. ssh provides not only a secure connection, but also a way to lock out individual users (see manpages for ssh/sshd).

- Biswajit


:-)
Jack C. Mahaffey
Super Advisor

Re: Restricting Rlogin and telnet access

I've implemented telnet restriction access by creating a file named /etc/telnet.allow that only contains the logins that are allowed telnet access along with some scripting in /etc/profile.


Here's the script portion in /etc/profile:

----------------------------------------
#
# Configure telnet access - root can always telnet to the server
#
if [ -f /etc/telnet.allow ] ; then
    user_id=${LOGNAME}
    # Count telnetd processes visible for this session; non-zero means the
    # login arrived via telnet. The [t] trick keeps grep from matching itself.
    telnetused=`/usr/bin/ps -f | grep "[t]elnetd" | grep -v "grep" | wc -l`
    # Whole-line match against the allow list (an empty file allows nobody)
    if [ -s /etc/telnet.allow ] ; then
        userallowcount=`grep "^$user_id$" /etc/telnet.allow | wc -l`
    else
        userallowcount=0
    fi
    if [ $telnetused -gt 0 -a $userallowcount -eq 0 -a "Xroot" != "X${LOGNAME}" ] ; then
        DATEE=`/usr/bin/date +%Y%m%d`
        TIMEE=`/usr/bin/date +%H%M%S`
        NDNAME=`/usr/bin/uname -n`
        BASENM=`/usr/bin/basename $0`
        #if [ -f /etc/ALIASNAME ] ; then
        # ALIASNAME=`cat /etc/ALIASNAME`
        #fi

        echo "ERMS1311: Error - Telnet access is not allowed... Terminating"

        # Record the denial in syslog as well as in the local log file below
        if [ -f /usr/bin/logger ] ; then
            /usr/bin/logger -t "login" "ERMS1311: Error - Telnet access for ${LOGNAME} is not allowed... Terminating..."
        fi
        echo "ERMS1001: Error - YOU DO NOT HAVE TELNET ACCESS TO THIS SERVER"
        echo "SESSION TERMINATING IN 10 SECONDS"
        echo "${DATEE} : ${TIMEE} : ${NDNAME} : ${user_id} : ERMS1311 Telnet access not allowed" >> /var/adm/log/security/telnet_deny.log
        sleep 10
        exit 99
    fi
fi

-----------------------------------

Failures are logged to a log file in addition to being logged to syslog.log via logger.

User is temporarily given an error message for ten seconds prior to exiting the current telnet session.

Jim Krol
Advisor

Re: Restricting Rlogin and telnet access

You might want to investigate PAM. I use it to require dbas to log in as their own ID. Read the man page on pam. I believe its purpose is to do this type of thing, whereas /etc/profile is not.

JK
Greg OBarr
Regular Advisor

Re: Restricting Rlogin and telnet access

Are you sure you really want to allow telnet access directly to root? That is not advisable. It's easy to write a script to continuously try telnetting in as root and try different passwords until they get in. Best practice is to disallow root login except at the console by creating the file /etc/securetty and putting the word "console" in that file. You can still use remsh as root, but you can't telnet into the system as root. If you need to get in as root from a system that isn't in the /.rhosts file, you telnet in using your user ID, then use "su -" to become root.

For what it's worth, that's my .02

-greg
Biswajit Tripathy
Honored Contributor

Re: Restricting Rlogin and telnet access

Debbie,
Two comments about modifying /etc/profile to block telnet/rlogin.

1) This trick will work only if the user login shell is sh or ksh. If the user you blocked using this trick "innocently" asks you (or the sysadmin) to change the login shell to "csh", you may not immediately realize that you (or the sysadmin) just granted access to that user!!

2) In /etc/profile, if you are using a statement like "sleep 10" without taking enough care after printing a "telnet/rlogin access denied" message, a user can use Ctrl+| (i.e. hit the | key while pressing Ctrl) and interrupt execution of /etc/profile before the "exit" statement is executed and smoothly log into the system!!

My suggestion: disable telnet/rlogin altogether and ask the users to use ssl. Another possible (but not foolproof) solution would be to create an account for each user on only one machine (so that you can associate each user with one and only one IP address). Then use the IPFilter system firewall to block the telnet/rlogin connection requests from IP addresses you want to deny connection.

- Biswajit
:-)
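A testable version of the /etc/profile gate that Jack's allow-list script and Biswajit's two cautions above describe, added here as an example and not code from any poster in this thread. It assumes an allow-list file /etc/telnet.allow with one login per line (as in Jack's post) and leaves the telnetd/rlogind detection to the caller; csh users would need the same gate in /etc/csh.login, which /etc/profile never reaches.

```shell
#!/bin/sh
# Added example (not from any post in the thread). The decision is a pure
# function so the policy can be unit-tested away from a real login.
#   $1 login name
#   $2 allow-list file, one login per line (assumed: /etc/telnet.allow)
#   $3 "remote" when the session came in via telnetd/rlogind, else "local"
# Returns 0 = allow, 1 = deny.
telnet_login_allowed() {
    # Console and ssh sessions are never blocked here; that is the
    # over-blocking that "exit" in .profile or a /bin/false shell causes.
    [ "$3" = "remote" ] || return 0
    # root is always allowed through, matching Jack's script.
    [ "$1" = "root" ] && return 0
    # A missing or empty allow list admits nobody else.
    [ -s "$2" ] || return 1
    # Whole-line, fixed-string match so "bob" does not also admit "bobby".
    grep -qxF "$1" "$2"
}

# Deny path for /etc/profile. Ignoring INT, QUIT and TSTP while the message
# is shown closes the Ctrl+| (SIGQUIT) window Biswajit described: the user
# cannot interrupt the script before "exit" runs.
deny_and_exit() {
    trap '' INT QUIT TSTP
    echo "Telnet/rlogin access for $1 is not allowed. Session terminating."
    [ -x /usr/bin/logger ] && /usr/bin/logger -t login "telnet/rlogin denied for $1"
    sleep 5
    exit 99
}

# How the two pieces would be wired into /etc/profile, using Jack's
# ps-based detection of telnetd and extending it to rlogind:
#   via=local
#   /usr/bin/ps -f | grep -Eq '[t]elnetd|[r]logind' && via=remote
#   telnet_login_allowed "$LOGNAME" /etc/telnet.allow "$via" || deny_and_exit "$LOGNAME"
```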
Jack C. Mahaffey
Super Advisor

Re: Restricting Rlogin and telnet access

ctrl+| does not interrupt the telnet session on my hosts. Neither does ctrl+c, ctrl+] or other combinations.
Jack C. Mahaffey
Super Advisor

Re: Restricting Rlogin and telnet access

If my understanding of this post is correct, the question was how to restrict specific logins, not to disable rlogin and telnet altogether.
Greg OBarr
Regular Advisor

Re: Restricting Rlogin and telnet access

You can also, as I believe someone else suggested, grant telnet (and other services too for that matter) to only specific hostnames or IP addresses. If the users you want to let in are always coming in from specific systems (i.e. their PC or workstation at their desk), you can edit the file /var/adm/inetd.sec and allow telnet and other services only to those hosts.

Example: This is one of my inetd.sec files:

login allow cadb03a cadb02a
shell allow cadb03a cadb02a
telnet allow cadb03a cadb02a l141972
exec allow cadb03a cadb02a
nfsd allow cadb03a cadb02a
finger deny
who deny
uucp deny

Telnet is denied from any system other than those mentioned in the "telnet allow" line. "Finger" is disabled for all hosts, as is "who" and "uucp".

-greg