
Script to block any unauthorised user to login in a server..

 
chindi
Respected Contributor

I am looking to write a script which will block/allow any user from getting in to my server even though he has the password...

I have a list of specific IPs from where I need to enable my production access and block from the rest...

I know it can be done through IP filter, but downtime is the concern... and my network team is not that confident to do it on a network level...

root #/ >uname -a
HP-UX cedgedr3 B.11.23 U ia64 2366811051 unlimited-user license
Shibin_2
Honored Contributor

Re: Script to block any unauthorised user to login in a server..

If you have a list of specific IPs, you can enable access in your /var/adm/inetd.sec file.

If they use telnet, you need to define it there;
if they use ssh, define it there.

So, you can block specific IP ranges from accessing your server, instead of writing a script to prevent users.
Regards
Shibin
chindi
Respected Contributor

Re: Script to block any unauthorised user to login in a server..

Hi Shibin,

You mean an entry in /var/adm/inetd.sec will do it ??

For example:

ssh allow 10.1.5.26
ssh deny 10.1.5.29

It's not working for me, Shibin.
Matti_Kurkela
Honored Contributor

Re: Script to block any unauthorised user to login in a server..

/var/adm/inetd.sec only works for those services that are configured to use inetd, i.e. the services defined in /etc/inetd.conf.

Although SSH *can* be configured to run with inetd, that is *not* the default configuration for it. Normally sshd runs as a stand-alone daemon, so /var/adm/inetd.sec has no effect on it. Instead, you can configure access restrictions in the sshd configuration file (if you're using HP-UX Secure Shell, the configuration file is at /opt/ssh/etc/sshd_config). See "man sshd_config" for the available options and further instructions.

MK
chindi
Respected Contributor

Re: Script to block any unauthorised user to login in a server..

Hi Shibin ,

I have also tried

SSH - edit sshd_config and add:
DenyUsers user1, user2 ...

But how do I deny all and then allow some specific IPs only?
chindi
Respected Contributor

Re: Script to block any unauthorised user to login in a server..

Hi Matti ,

I was trying something like below:

VALID_IP="10.1.5.26 10.1.5.32"
for MYIP in $VALID_IP
do
MYIP=`who -TH |grep $USER |awk '{ print $NF}'|grep -v "COMMENTS" |uniq|xargs`
if [ "$MYIP" != "$VALID_IP" ];
then
echo Sorry, you are not authorized to access this server
sleep 8
exit
fi
done

After this in /etc/profile I'm still able to log in from the 10.1.5.29 IP, whose IP I have not mentioned in my valid IPs list.
Viktor Balogh
Honored Contributor

Re: Script to block any unauthorised user to login in a server..

hi,

Then you need to define the allowed users with "AllowUsers". Only the users specified here will get access to the system per ssh. To be sure, comment out the DenyUsers directive; I'm not sure what the effect is if both are set.
****
Unix operates with beer.
Steven Schweda
Honored Contributor

Re: Script to block any unauthorised user to login in a server..

> I was trying something like below:
> [...]

(thread deleted)

 

Some of the complaints and suggestions there
may still be valid here.

chindi
Respected Contributor

Re: Script to block any unauthorised user to login in a server..

Hi guys,

I think I have got the answer.

unhashed
HostbasedAuthAllowUsers
HostbasedAuthDenyUsers from sshd_config file..

Created /etc/hosts.deny with an entry of ALL:ALL
Created /etc/hosts.allow with entries for the authorised IPs only.



start stop secureshell ..did it....
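
The allow-then-deny evaluation behind the hosts.allow / hosts.deny setup in the post above, as an added example that is not part of the original thread and not TCP Wrappers' own code: a simplified shell model of the hosts_access(5) order, showing that the allow list restricts nothing unless hosts.deny also carries ALL:ALL. The daemon name sshd and the function names are assumptions; the addresses are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example: simplified model of the hosts_access(5) decision order.
# Supports exact addresses, the ALL wildcard and "10.1.5." style prefixes only.

# match_list LIST VALUE: succeed if VALUE matches any pattern in LIST.
match_list() {
    value=$2
    for pat in $(printf '%s' "$1" | tr ',' ' '); do   # blanks or commas separate patterns
        case $pat in
            ALL) return 0 ;;
            *.)  case $value in "$pat"*) return 0 ;; esac ;;   # trailing dot = prefix
            *)   [ "$pat" = "$value" ] && return 0 ;;
        esac
    done
    return 1
}

# rules_match RULES DAEMON CLIENT: succeed if any "daemons : clients" line matches.
rules_match() {
    while IFS=: read -r daemons clients _rest; do
        case $daemons in ''|'#'*) continue ;; esac     # skip blank and comment lines
        if match_list "$daemons" "$2" && match_list "$clients" "$3"; then
            return 0
        fi
    done <<EOF
$1
EOF
    return 1
}

# decide ALLOW_RULES DENY_RULES DAEMON CLIENT: print "granted" or "denied".
decide() {
    if rules_match "$1" "$3" "$4"; then echo granted     # 1. hosts.allow match
    elif rules_match "$2" "$3" "$4"; then echo denied    # 2. hosts.deny match
    else echo granted                                    # 3. no match anywhere
    fi
}

# Constructed sample rules; "sshd" as the daemon name is an assumption.
ALLOW='sshd: 10.1.5.26, 10.1.5.32'
DENY='ALL: ALL'

for ip in 10.1.5.26 10.1.5.32 10.1.5.29; do
    echo "$ip  allow+deny: $(decide "$ALLOW" "$DENY" sshd "$ip")  allow only: $(decide "$ALLOW" '' sshd "$ip")"
done
```

On a host with TCP Wrappers 7.6 installed, the bundled tcpdmatch utility predicts the decision for a given daemon and client against the real files.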
Michael Steele_2
Honored Contributor
Solution

Re: Script to block any unauthorised user to login in a server..

You want 'tcp wrappers' which will block ssh before ssh can make a connection. And ssh will have to make a connection in order for the above solutions to work.

TCP wrappers works in a similar way to the above inetd.sec filter; it is more complicated to administer, but it covers exactly what you want it to do.

http://h30499.www3.hp.com/t5/System-Administration/TCP-wrapper-confign-to-limit-access-by-ip-s/m-p/4228858#M328350


http://h30499.www3.hp.com/t5/Security/TCP-Wrapper-installation-procedure-for-HPUX-11/m-p/2991495#M6034


http://h30499.www3.hp.com/t5/General/TCP-Wrappers-7-6-and-HP-UX-11-1/m-p/3166491#M86591

 

http://hpux.connect.org.uk/hppd/hpux/Networking/Admin/tcp_wrappers-7.6/

Support Fatherhood - Stop Family Law
chindi
Respected Contributor

Re: Script to block any unauthorised user to login in a server..

Thanks Michael ...
Will try with that too...
chindi
Respected Contributor

Re: Script to block any unauthorised user to login in a server..

Tcp-wrapper is the way to go.