Operating System - HP-UX
Fred Martin_1
Valued Contributor

telnet from other networks, how to monitor / restrict?

I'm trying to find a way to restrict, or at least monitor, who logs into our box via telnet from the internet.

The command 'last -R' is difficult because it returns the name and not the address of the originating host. Since hostnames inside the network change and don't follow a pattern, it's difficult to awk/grep my way through a list, to pull out the "non-local" hostnames.

If I can find a way to pick a non-local host out of a 'who' or 'last' command, I could monitor them. And, the next step, via /etc/profile I could then restrict logins to certain users from non-local hosts - which would be better still.

Any good ideas on how to accomplish this? I really want only certain accounts, i.e. outside sales staff and certain tech support staff, to have telnet access from the internet.
fmartin@applicatorssales.com
Joseph C. Denman
Honored Contributor

Re: telnet from other networks, how to monitor / restrict?

Restrict access by using the /var/adm/inetd.sec file

man inetd

You could also install tcpwrapper.

...jcd...
If I had only read the instructions first??
A. Clay Stephenson
Acclaimed Contributor
Solution

Re: telnet from other networks, how to monitor / restrict?

Hi Fred:

You are a brave soul allowing telnet access from the internet. You really, really need a firewall with authentication, but at least a start is to enable logging with inetd -l. This is going to generate a lot of data. You could then monitor syslog for telnet connections.

You can also look at /etc/wtmp using fwtmp.


Clay
If it ain't broke, I can fix that.
James R. Ferguson
Acclaimed Contributor

Re: telnet from other networks, how to monitor / restrict?

Hi Fred:

In addition to leveraging 'who -mR' in a user's $HOME/.profile or in /etc/profile, you can allow and/or deny telnet by IP address or hostname in /var/adm/inetd.sec. See 'man 4 inetd.sec' for more details.

You can toggle logging of connection attempts (successful and failed) into /var/adm/syslog/syslog.log with:

# /usr/sbin/inetd -l

Regards!

...JRF...
Fred Martin_1
Valued Contributor

Re: telnet from other networks, how to monitor / restrict?

The problem with inetd.sec is that it restricts hosts; I want to restrict users. And, since these users also log in locally, I need a method of knowing that their hostname is not local before restricting them.

For example, I could put this logic into /etc/profile:

if hostname not local and user not on list, log him out now.

I guess my only problem is answering the question "is this host local?", as I describe in my first post.

Commands I am familiar with return hostnames, not IP addresses, which I find hard to work with since they change and follow no pattern.
fmartin@applicatorssales.com
Fred Martin_1
Valued Contributor

Re: telnet from other networks, how to monitor / restrict?

Sorry, I wrote my last entry before reading the two that preceded it.

I agree there is some risk in allowing the access - I do have a firewall box (Livingston Portmaster), and I will look into whether or not I can control access there, but I only want to control telnet, not HTTP packets etc.

The firewall is restricting stuff just fine as far as ports go, i.e. users can ftp out, but not in.
fmartin@applicatorssales.com
A. Clay Stephenson
Acclaimed Contributor

Re: telnet from other networks, how to monitor / restrict?

Hi Fred:

If you want ip addresses and you know the hostname you can use the getip command.

e.g. getip "frodo" will print 10.1.1.45 to stdout
or getip `hostname` will print the current hostname's ip address to stdout.

If it ain't broke, I can fix that.
Fred Martin_1
Valued Contributor

Re: telnet from other networks, how to monitor / restrict?

getip, well there's a new one for me. I was toying with using nslookup, then grep/awk my way to the ip address, but that is more direct.

So, I'm leaning toward this in /etc/profile:

myhost=`who -um|awk '{print $NF}'`
myaddr=`getip $myhost`
locnet="192.10.10."

Then, some logic to decide if $myaddr is on my own network, by comparing the first part of $myaddr with $locnet.

If it is -not-, look up the $LOGNAME in an access list to decide if the user can come in.

Is this really way out there, or too much of a hack?
fmartin@applicatorssales.com
A. Clay Stephenson
Acclaimed Contributor

Re: telnet from other networks, how to monitor / restrict?

Hi Fred,

Yes, you're on the right track, and getip is for some reason a little-known command. I would still look into the firewall doing user validation.
Most will allow you to configure services on a per-user basis, e.g. anyone can use http but not everyone has access to ftp or telnet.
If it ain't broke, I can fix that.
Fred Martin_1
Valued Contributor

Re: telnet from other networks, how to monitor / restrict?

Yes I'm thinking that would be better.

Already I am not liking what I have done in /etc/profile. For one thing, even users that you 'su -' to need to be on the access list, since 'su -' also executes /etc/profile. So I log in as myself, then su to root, and get denied because root is not on the access list. (Actually root can only log in on the console anyway, but you see what is happening.)

So it works OK but is a bit messy.

One nice thing, I have the script create a log file and send me email on denials. Remember, invalid passwords don't get this far; only a valid login/password that runs /etc/profile, but that is not on my access list gets denied.

So for those interested it works but I'm not sure that I like it.
fmartin@applicatorssales.com
Ralf Hildebrandt
Valued Contributor

Re: telnet from other networks, how to monitor / restrict?

http://www.securityportal.com/cover/coverstory20000814.html
Postfix/BIND/Security/IDS/Scanner, you name it...
Fred Martin_1
Valued Contributor

Re: telnet from other networks, how to monitor / restrict?

As an aside, I was going to have the script check an "access list" to see if the user was allowed remote access. Instead I decided to create a group in /etc/group, and the script checks to see if the user is a member.

None of this addresses the inherent security issues with telnet, but otherwise keeps users logging in from outside the network to a select few; they must have an account and know the password, and it must be an account in a special access group.
fmartin@applicatorssales.com
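Putting together the /etc/profile sketch from earlier in the thread (local-network prefix check, then a per-user lookup) and the /etc/group membership test described in this post, here is an added example of the gate written as testable shell functions. It is not Fred's script; it assumes the 192.10.10. prefix he posted, a hypothetical access group named "remote", and that the caller passes in the user, tty, originating address and /etc/group text instead of calling who(1) and getip(1) directly, so the decision logic runs on constructed input.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: local prefix as Fred
# posted; access group "remote" is a hypothetical name; the caller supplies
# user/tty/address/group text so no who(1) or getip(1) call is needed.
LOCNET="192.10.10."
REMOTE_GROUP="remote"

# is_local ADDR: true when ADDR is on the local network (prefix match).
is_local() {
    case "$1" in
        "$LOCNET"*) return 0 ;;
        *)          return 1 ;;
    esac
}

# in_group USER GROUP GROUPTEXT: true when USER is a listed member of GROUP.
# Shell builtins only, so it still works when /usr is not mounted.
in_group() {
    while IFS=: read -r gname _pw _gid members; do
        [ "$gname" = "$2" ] || continue
        case ",$members," in
            *",$1,"*) return 0 ;;
        esac
    done <<EOF
$3
EOF
    return 1
}

# login_allowed USER TTY ADDR GROUPTEXT: print the reason, return 0 (allow)
# or 1 (deny). Console sessions skip the lookup entirely, which avoids the
# single-user-mode lockout reported later in the thread; a failed address
# lookup is denied explicitly instead of being mistaken for a remote host.
login_allowed() {
    user=$1 tty=$2 addr=$3 grouptext=$4
    if [ "$tty" = "console" ]; then echo "allow: console"; return 0; fi
    if [ -z "$addr" ]; then echo "deny: cannot determine origin"; return 1; fi
    if is_local "$addr"; then echo "allow: local $addr"; return 0; fi
    if in_group "$user" "$REMOTE_GROUP" "$grouptext"; then
        echo "allow: $user in $REMOTE_GROUP from $addr"; return 0
    fi
    echo "deny: $user not in $REMOTE_GROUP from $addr"; return 1
}

# Constructed /etc/group excerpt for a stand-alone run.
GROUPS_SAMPLE='users::20:fred,jane
remote::205:jane,sales1'

login_allowed jane ttyp1 203.0.113.7 "$GROUPS_SAMPLE"   # allow (in group)
login_allowed fred ttyp2 203.0.113.7 "$GROUPS_SAMPLE"   # deny (not in group)
login_allowed fred ttyp3 192.10.10.5 "$GROUPS_SAMPLE"   # allow (local)
```

In /etc/profile the arguments would come from the real session (user from $LOGNAME, tty and host from 'who -mR', address from getip, group text from /etc/group), with a deny followed by the log/mail step and 'exit'.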
Bill Thorsteinson
Honored Contributor

Re: telnet from other networks, how to monitor / restrict?

Look into ssh as a replacement for telnet outside the
local network. If price is an issue there are some
decent public domain clients available like Teraterm.
Fred Martin_1
Valued Contributor

Re: telnet from other networks, how to monitor / restrict?

After all this, I've discovered something really ugly about modifying /etc/profile ... if you use utilities in the script like 'getip' or 'sed' then you'll be in trouble when you boot to single-user mode. These programs are not available at boot time in single-user mode and the /etc/profile script will prevent you from logging in.
fmartin@applicatorssales.com
Pete Randall
Outstanding Contributor

Re: telnet from other networks, how to monitor / restrict?

Fred,

I don't believe that's correct - when you go to single user mode you'll just see a lot of "not found" errors generated from /etc/profile. You still get logged in, though.

Pete
Fred Martin_1
Valued Contributor

Re: telnet from other networks, how to monitor / restrict?

That might be true normally - but remember the purpose of the script was to deny access unless conditions were met - so if the stuff like 'getip' fails, then (in this case) it won't let you log in :)
fmartin@applicatorssales.com
Pete Randall
Outstanding Contributor

Re: telnet from other networks, how to monitor / restrict?

Fred,

Actually I just tried putting a sed statement on the end of my /etc/profile on my C160 11i playpen and booted into single-user mode. I didn't see a single error. It doesn't look like it's sourcing /etc/profile at all!?

for what it's worth,
Pete
Thomas D. Harrison
Frequent Advisor

Re: telnet from other networks, how to monitor / restrict?

Fred,

I know this is an old post but...

I have a getmac script (short but useful) that can only return the MAC Address for our local ip addresses.

The script uses: arp ipaddr

Since the arp cache is only used for local hosts, it might do the trick.

Imbibo ergo sum.