07-04-2005 09:55 PM
Restricting Rlogin and telnet access
I need to restrict rlogin and telnet access on unix 11.i for users other than root and selected other users. What would be the easiest way to do this?
Thanks for your help
Kind Regards
Debbie
07-04-2005 09:58 PM
Re: Restricting Rlogin and telnet access
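--- /etc/profile ---
# Deny telnet/rlogin sessions for everyone except root and debbie.
# Both comparisons must hold (&&); with || the test is true for every user.
if [[ $LOGNAME != "root" && $LOGNAME != "debbie" ]]
then
  # Look for a telnet or rlogin process in this session's process list
  ps | grep -qE 'telnet|rlogin'
  if [[ $? -eq 0 ]]
  then
    echo "Telnet or Rlogin with $LOGNAME user is denied"
    sleep 2
    exit 1
  fi
fi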
hth.
07-04-2005 10:47 PM
Re: Restricting Rlogin and telnet access
07-04-2005 11:41 PM
Re: Restricting Rlogin and telnet access
It is needed to give access to ssh-based login, right? If you give exit, no login will be there for the user.
hth.
07-06-2005 12:04 AM
Re: Restricting Rlogin and telnet access
07-06-2005 12:31 AM
Re: Restricting Rlogin and telnet access
Having "exit" in the .profile or having
/bin/false as the shell in /etc/passwd file
will lock out the user even if (s)he is trying
to login without using rlogin/telnet. I'm
sure you don't want that.
You should consider using ssh instead of
telnet or rlogin. ssh provides not only
secure connection, but also a way to lock out
individual users (see manpages for ssh/sshd).
- Biswajit
07-06-2005 01:51 AM
Re: Restricting Rlogin and telnet access
Here's the script portion in /etc/profile:
----------------------------------------
#
# Configure telnet access - root can always telnet to the server
#
if [ -f /etc/telnet.allow ] ; then
  user_id=${LOGNAME}
  telnetused=`/usr/bin/ps -f | grep "[t]elnetd" | grep -v "grep" | wc -l`
  if [ -s /etc/telnet.allow ] ; then
    userallowcount=`grep "^$user_id$" /etc/telnet.allow | wc -l`
  else
    userallowcount=0
  fi
  if [ $telnetused -gt 0 -a $userallowcount -eq 0 -a "Xroot" != "X${LOGNAME}" ] ; then
    DATEE=`/usr/bin/date +%Y%m%d`
    TIMEE=`/usr/bin/date +%H%M%S`
    NDNAME=`/usr/bin/uname -n`
    BASENM=`/usr/bin/basename $0`
    #if [ -f /etc/ALIASNAME ] ; then
    # ALIASNAME=`cat /etc/ALIASNAME`
    #fi
    echo "ERMS1311: Error - Telnet access is not allowed... Terminating"
    if [ -f /usr/bin/logger ] ; then
      /usr/bin/logger -t "login" "ERMS1311: Error - Telnet access for ${LOGNAME} is not allowed... Terminating..."
    fi
    echo "ERMS1001: Error - YOU DO NOT HAVE TELNET ACCESS TO THIS SERVER"
    echo "SESSION TERMINATING IN 10 SECONDS"
    echo "${DATEE} : ${TIMEE} : ${NDNAME} : ${user_id} : ERMS1311 Telnet access not allowed" >> /var/adm/log/security/telnet_deny.log
    sleep 10
    exit 99
  fi
fi
-----------------------------------
Failures are logged to a log file in addition to being logged to syslog.log via logger.
User is temporarily given an error message for ten seconds prior to exiting the current telnet session.
07-06-2005 02:06 AM
Re: Restricting Rlogin and telnet access
JK
07-06-2005 04:16 AM
Re: Restricting Rlogin and telnet access
For what it's worth, that's my .02
-greg
07-06-2005 04:09 PM
Re: Restricting Rlogin and telnet access
Two comments about modifying /etc/profile to
block telnet/rlogin.
1) This trick will work only if the user
login shell is sh or ksh. If the user you
blocked using this trick "innocently" asks
you (or the sysadmin) to change the login
shell to "csh", you may not immediately
realize that you (or sysadmin) just granted
access to that user!!
2) In /etc/profile, if you are using a
statement like "sleep 10" without taking
enough care after printing a "telnet/rlogin
access denied" message, a user can use Ctrl+|
(i.e. hit | key while pressing Ctrl) and
interrupt execution of /etc/profile before
"exit" statement is executed and smoothly
login into the system!!
My suggestion: disable telnet/rlogin
altogether and ask the users to use ssl.
Another possible (but not foolproof) solution
would be to create account for each user
in only one machine (so that you can
associate each user with one and only one IP
address). Then use IPFilter system firewall
to block the telnet/rlogin connection request
from IP addresses you want to deny
connection.
- Biswajit
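The two caveats in the post above apply to any /etc/profile gate. The following is an added sketch, not code from any poster in this thread, of an allow-list check that matches login names exactly and is meant to run with HUP, INT and QUIT ignored. The function names, the sample allow file and the sample ps output are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from any post in this thread. Helper names are hypothetical.
# Covers sh/ksh logins only: csh does not read /etc/profile.

# user_is_allowed USER ALLOW_FILE: exit 0 if USER may use telnet/rlogin.
user_is_allowed() {
    [ "$1" = "root" ] && return 0      # root is always allowed, as in the thread
    [ -s "$2" ] || return 1            # missing or empty list: deny everyone else
    # -F fixed string, -x whole line: "deb" or "d.bbie" never matches "debbie"
    grep -F -x -q -e "$1" "$2"
}

# session_is_cleartext PS_OUTPUT: exit 0 if telnetd or rlogind appears as a command.
session_is_cleartext() {
    printf '%s\n' "$1" | grep -E -q '(^|[ /])(telnetd|rlogind)( |$)'
}

# gate USER ALLOW_FILE PS_OUTPUT: prints "deny" or "allow".
gate() {
    if session_is_cleartext "$3" && ! user_is_allowed "$1" "$2"; then
        echo deny
    else
        echo allow
    fi
}

# Call-site sketch for /etc/profile. Signals are ignored before the check and
# stay ignored through the message and sleep, so a keypress cannot skip the exit:
#   trap '' 1 2 3                      # HUP, INT, QUIT
#   if [ "$(gate "$LOGNAME" /etc/telnet.allow "$(ps -f)")" = deny ]; then
#       echo "Telnet or rlogin access denied"; sleep 10; exit 99
#   fi
#   trap - 1 2 3                       # restore defaults for the session

# Constructed sample data (not from a real system)
SAMPLE_ALLOW=${TMPDIR:-/tmp}/telnet.allow.$$
printf 'debbie\n' > "$SAMPLE_ALLOW"
SAMPLE_PS='root  2211  1021  0 09:55:01 ?  0:00 telnetd -b /etc/issue
debbie 2212 2211 0 09:55:03 pts/1 0:00 -sh'
```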
07-07-2005 01:33 AM
Re: Restricting Rlogin and telnet access
07-07-2005 01:35 AM
Re: Restricting Rlogin and telnet access
07-07-2005 01:58 AM
Re: Restricting Rlogin and telnet access
Example: This is one of my inetd.sec files:
login allow cadb03a cadb02a
shell allow cadb03a cadb02a
telnet allow cadb03a cadb02a l141972
exec allow cadb03a cadb02a
nfsd allow cadb03a cadb02a
finger deny
who deny
uucp deny
Telnet is denied from any system other than those mentioned in the "telnet allow" line. "Finger" is disabled for all hosts, as is "who" and "uucp".
-greg
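An added example, not part of the post above: a simplified evaluator for inetd.sec entries like these, reporting whether a host may reach a service and which services have no entry at all. It assumes exact host names only, that an unlisted service is open to all hosts, that the last entry for a service wins, and, following the post's reading, that a bare deny blocks every host.

```shell
#!/bin/sh
# Added example, not from the post. Simplified model of inetd.sec matching:
# exact host names only (no wildcards, address ranges or network names).

# inetd_sec_decision SERVICE HOST FILE: prints "allow" or "deny".
inetd_sec_decision() {
    awk -v svc="$1" -v host="$2" '
        /^[ \t]*#/ || NF == 0 { next }          # skip comments and blank lines
        $1 == svc {                             # assumption: last entry for a service wins
            seen = 1; mode = $2; listed = 0; empty = (NF < 3)
            for (i = 3; i <= NF; i++) if ($i == host) listed = 1
        }
        END {
            if (!seen)                print "allow"   # assumption: unlisted service is open
            else if (mode == "allow") print (listed ? "allow" : "deny")
            else if (mode == "deny")  print ((listed || empty) ? "deny" : "allow")
            else                      print "allow"   # assumption: no allow/deny keyword
        }' "$3"
}

# open_services FILE SERVICE...: prints each named service with no entry in FILE,
# i.e. services this model treats as reachable from any host.
open_services() {
    os_file=$1; shift
    for os_svc in "$@"; do
        awk -v svc="$os_svc" '$1 == svc { f = 1 } END { exit !f }' "$os_file" \
            || echo "$os_svc"
    done
}

# The inetd.sec lines from the post above, written to a scratch file
SAMPLE_SEC=${TMPDIR:-/tmp}/inetd.sec.$$
cat > "$SAMPLE_SEC" <<'EOF'
login allow cadb03a cadb02a
shell allow cadb03a cadb02a
telnet allow cadb03a cadb02a l141972
exec allow cadb03a cadb02a
nfsd allow cadb03a cadb02a
finger deny
who deny
uucp deny
EOF
```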