HPE Community
Operating System - HP-UX
1833723 Members
3535 Online
110063 Solutions
New Discussion

Script to block any unauthorised user to login in a server..

 
SOLVED
Go to solution
chindi
Respected Contributor

‎04-19-2011 10:27 PM

‎04-19-2011 10:27 PM

Script to block any unauthorised user to login in a server..

I am looking to write a script which will block/allow any user from gettng in to my server even though he has d password...

I have list of specific ip's from where i need to enable my prodcn access and block from the rest...

I know it can be done through ip filter , but downtime is the concern...and my network team is not that confident to do it on a network level...

root #/ >uname -a
HP-UX cedgedr3 B.11.23 U ia64 2366811051 unlimited-user license
0 Kudos
11 REPLIES 11
Shibin_2
Honored Contributor

‎04-19-2011 10:57 PM

‎04-19-2011 10:57 PM

Re: Script to block any unauthorised user to login in a server..

If you have list of specific IP's you can enable access in your /var/adm/inetd.sec file.

If they use telnet, you need to define there
if they use ssh, define it there.

So, you can block specific IP ranges to access your server, instead of writing script to prevent users.
Regards
Shibin
0 Kudos
chindi
Respected Contributor

‎04-19-2011 11:17 PM

‎04-19-2011 11:17 PM

Re: Script to block any unauthorised user to login in a server..

Hi Shibin,

You mean an entry in /var/adm/inetd.sec will do it ??

for ex :

ssh allow 10.1.5.26
ssh deny 10.1.5.29

its not working for me....shibin ..
0 Kudos
Matti_Kurkela
Honored Contributor

‎04-19-2011 11:18 PM

‎04-19-2011 11:18 PM

Re: Script to block any unauthorised user to login in a server..

/var/adm/inetd.sec only works for those services that are configured to use inetd, i.e. the services defined in /etc/inetd.conf.

Although SSH *can* be configured to run with inetd, that is *not* the default configuration for it. Normally sshd runs as a stand-alone daemon, so /var/adm/inetd.sec has no effect to it. Instead, you can configure access restrictions in sshd configuration file (if you're using HP-UX Secure Shell, the configuration file is at /opt/ssh/etc/sshd_config). See "man sshd_config" for the available options and further instructions.

MK
MK
0 Kudos
chindi
Respected Contributor

‎04-19-2011 11:26 PM

‎04-19-2011 11:26 PM

Re: Script to block any unauthorised user to login in a server..

Hi Shibin ,

i have also tried

SSH - edit sshd_config and add:
DenyUsers user1, user2 ...

but how do i deny all and then allow some specific ..ip's only...
0 Kudos
chindi
Respected Contributor

‎04-19-2011 11:36 PM

‎04-19-2011 11:36 PM

Re: Script to block any unauthorised user to login in a server..

Hi Matti ,

i was trying smthg like below;

VALID_IP="10.1.5.26 10.1.5.32"
for MYIP in $VALID_IP
do
MYIP=`who -TH |grep $USER |awk '{ print $NF}'|grep -v "COMMENTS" |uniq|xargs`
if [ "$MYIP" != "$VALID_IP" ];
then
echo Sorry, you are not authorized to access this server
sleep 8
exit
fi
done

after this in /etc/profile m still able to login from 10.1.5.29 IP...whose ip i have nt mentioned in my valip ip's list..
0 Kudos
Viktor Balogh
Honored Contributor

‎04-19-2011 11:40 PM

‎04-19-2011 11:40 PM

Re: Script to block any unauthorised user to login in a server..

hi,

then you need to define the allowed users with "AllowUsers". Only the users specified here will get access to the system per ssh. To be sure comment the DenyUsers directive, I'm not sure what's the effect if both are set.
****
Unix operates with beer.
0 Kudos
Steven Schweda
Honored Contributor

‎04-20-2011 12:00 AM - last edited on ‎08-02-2011 01:11 PM by

‎04-20-2011 12:00 AM - last edited on ‎08-02-2011 01:11 PM by

Re: Script to block any unauthorised user to login in a server..

> i was trying smthg like below;
> [...]

(thread deleted)

 

Some of the complaints and suggestions there
may still be valid here.

0 Kudos
chindi
Respected Contributor

‎04-20-2011 12:03 AM

‎04-20-2011 12:03 AM

Re: Script to block any unauthorised user to login in a server..

Hi guys,

I think i have got the answer.

unhashed
HostbasedAuthAllowUsers
HostbasedAuthDenyUsers from sshd_config file..

created /etc/hosts.deny with entry of ALL:ALL
created /etc/hosts.allow with entry of authorised ip's only.



start stop secureshell ..did it....
0 Kudos
Michael Steele_2
Honored Contributor

‎04-20-2011 09:23 AM - last edited on ‎08-02-2011 01:13 PM by

‎04-20-2011 09:23 AM - last edited on ‎08-02-2011 01:13 PM by

Solution

Re: Script to block any unauthorised user to login in a server..

You want 'tcp wrappers' which will block ssh before ssh can make a connection. And ssh will have to make a connection in order for the above solutions to work.

tcp wrappers works in a similar way that the above inetd.sec filter works, but it is more complicated to administer but covers exactly what you want it to do.

http://h30499.www3.hp.com/t5/System-Administration/TCP-wrapper-confign-to-limit-access-by-ip-s/m-p/4228858#M328350


http://h30499.www3.hp.com/t5/Security/TCP-Wrapper-installation-procedure-for-HPUX-11/m-p/2991495#M6034


http://h30499.www3.hp.com/t5/General/TCP-Wrappers-7-6-and-HP-UX-11-1/m-p/3166491#M86591

 

http://hpux.connect.org.uk/hppd/hpux/Networking/Admin/tcp_wrappers-7.6/

Support Fatherhood - Stop Family Law
0 Kudos
chindi
Respected Contributor

‎04-26-2011 04:38 AM

‎04-26-2011 04:38 AM

Re: Script to block any unauthorised user to login in a server..

Thanks Michael ...
Will try with that too...
0 Kudos
chindi
Respected Contributor

‎04-26-2011 04:39 AM

‎04-26-2011 04:39 AM

Re: Script to block any unauthorised user to login in a server..

Tcp-wrapper is the way to go.
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.