
telnet deny

 
Chang_6
Regular Advisor

telnet deny

Hi,
Could someone tell me what the syntax for "telnet deny" in /var/adm/inetd.sec is?

Is it just "telnet deny"? If so, what does it stand for?

Please suggest. Thanks
25 REPLIES
Philip Chase
Occasional Contributor

Re: telnet deny

That is your inetd security file; that syntax tells the system to refuse telnet calls.

Try "man inetd.sec" for more info.
Robert-Jan Goossens
Honored Contributor

Re: telnet deny

Hi,

Add the following lines to /var/adm/inetd.sec:

telnet deny

Execute the 'inetd -c' command to re-initialize the inet daemon.

Regards,
Robert-Jan
Patrick Wallek
Honored Contributor
Solution

Re: telnet deny

You must specify a host name or ip address or a portion of an ip address within inetd.sec.

telnet deny 1.2.3.4 5.6.7.8 hosta hostb

The above would deny telnet access from machines with ip addresses of 1.2.3.4 and 5.6.7.8 and hosts named hosta and hostb.

As said the inetd.sec man page has good information and the inetd.sec file is documented very well itself.
Chang_6
Regular Advisor

Re: telnet deny

Hi,

If all the machines should be denied access, is it just plain "telnet deny" or "telnet deny *"?
Suresh Pai
Advisor

Re: telnet deny

Another way of disabling telnet entirely is to comment it out in the inetd.conf file, and reinitialize the inetd service.
Sanjay_6
Honored Contributor

Re: telnet deny

Hi,

In such a situation, you can deny the telnet service by commenting out the telnet entry in the /etc/inetd.conf file and making inetd reread the conf file.

Hope this helps.

Regds
Chang_6
Regular Advisor

Re: telnet deny

Hi,

Commenting out that line has been done too.

However, I would like to know if it is just

"telnet deny" or "telnet deny *"?

Thanks!
Jeff_Traigle
Honored Contributor

Re: telnet deny

The examples in inetd.sec show no * to specify all hosts, but either way should work, I would think.
--
Jeff Traigle
Jeff_Traigle
Honored Contributor

Re: telnet deny

That should have said inetd.sec(4)... read the man page.
--
Jeff Traigle
Sanjay_6
Honored Contributor

Re: telnet deny

Hi,

The syntax could be

telnet deny

or

telnet deny *

either one works.

Hope this helps.

Regds
Chang_6
Regular Advisor

Re: telnet deny

Hi,

When telnet and ftp are disabled, should tftp be disabled? I know tftp stands for file transfer protocol .. especially in a webserver env where ftp is disabled?


Please suggest
Jeff_Traigle
Honored Contributor

Re: telnet deny

TFTP (Trivial File Transfer Protocol) should usually be disabled on any server. Just like any other service, if you don't have a legitimate need for it on the system, it shouldn't be running. The only time you really need TFTP enabled is to serve binaries to diskless devices that can't use NFS or other means of retrieving their boot image.
--
Jeff Traigle
Chang_6
Regular Advisor

Re: telnet deny

Hi,

Thanks for the reply. Should I put "tftp deny" just like "telnet deny" in /var/adm/inetd.sec? Also, the following appears in /etc/inetd.conf

# Before uncommenting the "tftp" entry below, please make sure
# that you have a "tftp" user in /etc/passwd. If you don't
# have one, please consult the tftpd(1M) manual entry for
#tftp dgram udp wait root /usr/lbin/tftpd tftpd


I don't have a tftp user in /etc/passwd.

Any ideas?
Chang_6
Regular Advisor

Re: telnet deny

Hi,

Another question: what is the quick way to find whether the system has a "legitimate need" for it? How do I find out if the system is already depending on it?

Muthukumar_5
Honored Contributor

Re: telnet deny

If your tftp service in the /etc/inetd.conf file is commented out, then there is no need to worry about blocking the tftp service in the inetd.sec file.

It is not ready to service requests there. If you want to start the service and use it, then create a user for tftp as described in the tftpd man page.

For example:
tftp:*:510:101:tftp server:/home/tftpdir:/usr/bin/false

If you don't want that service, then don't worry about the inetd.sec file.
Easy to suggest when don't know about the problem!
Tom Danzig
Honored Contributor

Re: telnet deny

Keep in mind that tftp is needed on Ignite network recovery servers. If you are not using network recovery, you should not have problems disabling it.
Muthukumar_5
Honored Contributor

Re: telnet deny

We can find out whether the service (tftp) is currently being used with the lsof tool. It is good to know whether a particular service is running or not. Service information is given in the /etc/services file.
tftp 69/udp # Trivial File Transfer Protocol

See
http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=650197
for lsof there
Easy to suggest when don't know about the problem!
Sanjay_6
Honored Contributor

Re: telnet deny

Hi,

There is no sure way of knowing whether a service is required or not on the system. The only way to verify whether a service is needed or not is to shut down / disable the service and see if someone complains. You can also try putting a tcp wrapper around the service, which will over a period tell you who has been using the service. You can download tcp wrapper from this location,

http://hpux.cs.utah.edu/hppd/hpux/Networking/Admin/tcp_wrappers-7.6/

Hope this helps.

Regds
Chang_6
Regular Advisor

Re: telnet deny

Hi, Thanks for the responses. tftp is listed in /etc/services as "tftp 69/udp"

However, lsof command doesn't work here. I am thinking to leave it commented and not worry about inetd.sec. However, is there any other way to check if it is currently active or supposed to be active?
Muthukumar_5
Honored Contributor

Re: telnet deny

Yes, with the netstat command:

netstat -na | grep -w '69'
or
netstat -na | grep '69'

If it shows as LISTEN there, then it is running.

Otherwise we can find out about the service startup from the syslog file.

grep tftp /var/adm/syslog/syslog.log

If there are some entries there, then it was started.

We can see the current usage with ps:

ps -ef | grep -v grep | grep tftpd
Easy to suggest when don't know about the problem!
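
A stricter version of the netstat check above, as an added example that is not part of the reply: it compares only the port component of the local address and ignores the state column, since UDP sockets such as tftp never show LISTEN. The sample output is constructed and a BSD-style column layout (local address in field 4) is assumed; `port_bound`, `sample_netstat` and `loose_matches` are names made up for this example.

```sh
#!/bin/sh
# Succeeds if netstat -an output on stdin shows protocol $1 bound to local
# port $2. UDP sockets carry no LISTEN state, so the state column is ignored.
port_bound() {
    awk -v proto="$1" -v port="$2" '
        index($1, proto) == 1 {              # matches udp, udp4, udp6, ...
            n = split($4, part, /[.:]/)      # field 4 is the local address
            if (part[n] == port) found = 1   # compare the port component only
        }
        END { exit !found }
    '
}

# Constructed sample in a BSD-style netstat layout (assumed, not from the thread).
sample_netstat() {
    cat <<'EOF'
tcp        0      0  *.6969            *.*                LISTEN
tcp        0      0  10.0.0.5.23       10.0.0.69.1169     ESTABLISHED
udp        0      0  *.69              *.*
EOF
}

# Number of lines a plain "grep 69" matches in the same output.
loose_matches() { sample_netstat | grep -c '69'; }

if sample_netstat | port_bound udp 69; then echo "udp/69 is bound"; fi
if ! sample_netstat | port_bound tcp 69; then echo "tcp/69 is not bound"; fi
echo "plain grep 69 matched $(loose_matches) lines"
```

On a live system the input would come from `netstat -an | port_bound udp 69`.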
Chang_6
Regular Advisor

Re: telnet deny

Hi,

netstat -na | grep listen didn't show any tftp entry. Similarly, netstat -na | grep 69. However, on the webservers, tftp is enabled.

Syslog has:
Dec 11 12:43:30 do34ty inetd[683]: tftp/udp: Added service, server /usr/lbin/t

/etc/inetd.conf has tftp entry:

tftp dgram udp wait root /usr/lbin/tftpd tftpd\

The system is a webserver. Please confirm if this has to be removed.

Why is tftp enabled here? Could you tell what could be the possible reason?

Also, please suggest if there are any things that I need to care for (other than tftp, ftp, telnet)

Many thanks for all the help so far.
Sanjay_6
Honored Contributor

Re: telnet deny

Hi,

tftp is a service which is not used except by ignite servers. If this is not an ignite server you can comment out tftp in /etc/inetd.conf or deny access to tftp using the inetd.sec file.

You can also look into the Bastille software available from hp software site.

http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=B6849AA

Take a look at this thread too,

http://docs.hp.com/cgi-bin/fsearch/framedisplay?top=/hpux/onlinedocs/5187-2216/5187-2216_top.html&con=/hpux/onlinedocs/5187-2216/00/01/113-con.html&toc=/hpux/onlinedocs/5187-2216/00/01/113-toc.html&searchterms=bastille&queryid=20040921-122040

Hope this helps.

regds
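
The two controls discussed in this thread, the service entry in /etc/inetd.conf and the allow/deny line in /var/adm/inetd.sec, can be reviewed together. The script below is an added example, not part of any poster's reply: the sample files are constructed, `/example/bootdir` is a placeholder, and reporting the last matching inetd.sec line is a choice made for the example.

```sh
#!/bin/sh
# Print the service name of every active (uncommented) inetd.conf entry.
# A line ending in "\" continues on the next line, as the tftp entry does.
enabled_services() {
    awk '
        cont { cont = ($0 ~ /\\[ \t]*$/); next }   # rest of a continued entry
        /^[ \t]*#/ || NF == 0 { next }             # comment or blank line
        { print $1; cont = ($0 ~ /\\[ \t]*$/) }
    ' "$1"
}

# Print the allow/deny line for service $2 in file $1, or "none".
# If several lines match, the last one is reported (a choice made here).
sec_rule() {
    awk -v svc="$2" '
        /^[ \t]*#/ { next }
        $1 == svc && ($2 == "allow" || $2 == "deny") { $1 = $1; rule = $0 }
        END { print (rule == "" ? "none" : rule) }
    ' "$1"
}

# usage: audit <inetd.conf> <inetd.sec> <service>...
audit() {
    conf=$1; sec=$2; shift 2
    active=$(enabled_services "$conf")
    for svc in "$@"; do
        state=disabled
        for a in $active; do if [ "$a" = "$svc" ]; then state=enabled; fi; done
        printf '%s: %s in inetd.conf; inetd.sec rule: %s\n' \
            "$svc" "$state" "$(sec_rule "$sec" "$svc")"
    done
}

# Constructed sample files, modelled on the entries quoted in the thread.
make_sample() {
    cat > "$1/inetd.conf" <<'EOF'
#telnet stream tcp nowait root /usr/lbin/telnetd telnetd
ftp    stream tcp nowait root /usr/lbin/ftpd    ftpd -l
tftp   dgram  udp wait   root /usr/lbin/tftpd   tftpd\
        /example/bootdir
EOF
    printf '%s\n' '# service allow|deny hosts' \
        'telnet deny 1.2.3.4 5.6.7.8 hosta hostb' > "$1/inetd.sec"
}

dir=$(mktemp -d) && make_sample "$dir"
audit "$dir/inetd.conf" "$dir/inetd.sec" telnet ftp tftp
rm -rf "$dir"
```

A service reported as enabled with rule "none" is the case worth reviewing first.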

Chang_6
Regular Advisor

Re: telnet deny

Hi

Thanks, could you please tell what "ignite servers" are? Ours is 11.00.

Also, any other things that I have to check on a machine or web server?

I've already looked into telnet, ftp, tftp.