

telnet and ssh

I have installed ssh 3.4 onto my machine without problems. Generated all my keys and it works OK from the clients.
Does anyone know the best way to tie down rlogin and telnet so that users can only use ssh?

Thanks in advance.
The light at the end of tunnel has been switched off until further notice!
7 REPLIES 7
Christopher McCray_1
Honored Contributor

Re: telnet and ssh

Hello,

You can use /var/adm/inet.sec as a starter and put in

telnet deny *
login deny *

Hope this helps

Chris
It wasn't me!!!!
Christopher McCray_1
Honored Contributor

Re: telnet and ssh

Hello again,

Sorry, omit the * and you'll be fine.

Chris
It wasn't me!!!!
James Beamish-White
Trusted Contributor

Re: telnet and ssh

The best way is to remove them from /etc/inetd.conf, and then restart inetd. Then you can make sure they aren't running by doing a netstat -an and making sure port 23 isn't listening.

Otherwise, inetd.sec is a great option if you want to allow yourself (admins) access only.

And if you want things really secure, search these forums for Bastion Host and follow the process there.

Cheers!
James
GARDENOFEDEN> create light
Stefan Farrelly
Honored Contributor

Re: telnet and ssh


Remove the telnet and rlogin binaries and replace them with symbolic links to ssh
That will stop them!
I'm from Palmerston North, New Zealand, but somehow ended up in London...
Christopher McCray_1
Honored Contributor

Re: telnet and ssh

Another thought,

You may want to put in a couple of ip addresses that can use telnet, just as a failsafe in case ssh goes hokey:

telnet allow 1.2.3.4

or

telnet allow 1.2.3.4-6

as an example

You never know!!!!

Chris
It wasn't me!!!!
Andrew Cowan
Honored Contributor

Re: telnet and ssh

Leaving the telnet port open is never a good idea; remember that 80% of attacks originate from within your organisation, and IP addresses are very simple to spoof.
Modify all but your admin accounts so that users' login times are limited to normal business hours, then limit any administrative access as much as possible.
You can use GSP and Secure Web Console as backdoors if the machine goes belly-up, and perhaps put these behind a firewall, or onto a VLAN.

As far as SSH is concerned, set it up so that users have to log in as themselves then su to privileged accounts, especially when relying on keys. The main problem with keys is that they are stored on your PC, which is less secure than the Unix system, and that there is nothing to force users to protect them with adequate challenge-phrases, or to periodically renew phrases.

I hope this helps.
Daimian Woznick
Trusted Contributor

Re: telnet and ssh

I think the best way to do this would be to stop inetd from starting them. To do this take the entries from the inetd.conf and then run inetd -c to reconfigure the daemon. You should also remove them from the services file.

An important task to do after that is to create a process that will check the file to ensure that it is not opened again without your knowledge. Either a sys admin, malicious user, or an installation of a product may open it up so you should check it on a regular basis.

Another thing to consider is removing ftp and all the other r commands as well.
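
Added example (not part of the thread and not any poster's code): one way to build the recurring check suggested above, flagging watched services that have an active entry in inetd.conf again and testing netstat -an output for a listener on port 23. The function names, the watched-service list and the sample entries are assumptions made for illustration.

```shell
#!/bin/sh
# Services that should stay disabled once ssh is the only login path
# (assumed list; adjust to local policy).
WATCHED="telnet login shell exec ftp"

# Print each watched service that has an active (uncommented) entry.
enabled_services() {
    awk -v watched="$WATCHED" '
        BEGIN { n = split(watched, w, " "); for (i = 1; i <= n; i++) want[w[i]] = 1 }
        /^[ \t]*#/ { next }                    # commented-out entry
        NF == 0    { next }                    # blank line
        ($1 in want) && !seen[$1]++ { print $1 }
    ' "$1"
}

# Return 0 when the file is clean, 1 (with a report on stderr) otherwise.
audit_inetd_conf() {
    found=$(enabled_services "$1")
    [ -z "$found" ] && return 0
    echo "WARNING: re-enabled in $1:" $found >&2
    return 1
}

# Read `netstat -an` output on stdin; succeed if anything listens on port 23.
telnet_listening() {
    awk '$NF == "LISTEN" && $4 ~ /[.:]23$/ { found = 1 } END { exit !found }'
}

# Constructed sample file: telnet was commented out, then added back.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample entries, HP-UX style
ftp     stream tcp nowait root /usr/lbin/ftpd    ftpd -l
#telnet stream tcp nowait root /usr/lbin/telnetd telnetd
telnet  stream tcp nowait root /usr/lbin/telnetd telnetd
# login stream tcp nowait root /usr/lbin/rlogind rlogind
#shell  stream tcp nowait root /usr/lbin/remshd  remshd
daytime stream tcp nowait root internal
EOF
}

# Demo on the constructed data; on a real host pass /etc/inetd.conf instead.
sample=$(mktemp)
write_sample "$sample"
audit_inetd_conf "$sample" || echo "action needed: disable the entries and reconfigure inetd"
rm -f "$sample"
```

Run from cron, the non-zero return of audit_inetd_conf can drive a mail or log alert; pipe the output of netstat -an into telnet_listening to confirm nothing is bound to port 23.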