
Securing Telnet/Ftp commands in Linux

Gopinath B
Occasional Contributor


Hi ,

I have a Red Hat Linux box which is serving as a server in our office network. What I want is to protect commands such as ftp and telnet from normal users so that they can only be executed by the root user. That is, I don't want any normal user who logs into this system to be able to telnet or ftp from this Linux box to other systems in the same network. At the same time, I need the ftp and telnet servers running on this Linux box. Simply put, I don't want the ftp and telnet clients to be usable from this Linux box by normal users.

Moreover, I don't want to use chmod 700 for these commands, since there is a possibility that users can copy these commands from other Linux systems to this one and start using the ftp and telnet clients, since the Linux box is running ftp and telnet servers.

If anyone can help me on this I will be really grateful. Thanks in advance.

Gopinath
Paulo A G Fessel
Trusted Contributor

Re: Securing Telnet/Ftp commands in Linux

Take a look at sudo, which is probably included with RH (http://www.courtesan.com/sudo/). It can limit what users can do and where. We use it here to limit the group of people that are able to update our DNS servers' data.

TIA

Paulo Fessel
L'employé propose, le boss dispose.
Bernie Vande Griend
Respected Contributor

Re: Securing Telnet/Ftp commands in Linux

I don't think you have many options if you still want to allow root to ftp/telnet. There are options for preventing any ftp/telnet from your server, such as the firewall software or possibly TCP wrappers. There are also options you could use to prevent users from running the telnet/ftp commands, such as the one you mentioned, or even sudo or a wrapper script. But none of these solve the issue of a user putting his own ftp/telnet command in his home directory and using that instead. However, if you lock down incoming ftp, then it will be more difficult for them to do so.
Ye who thinks he has a lot to say, probably shouldn't.
Marco Paganini
Respected Contributor

Re: Securing Telnet/Ftp commands in Linux

Hello,

It's fairly easy if you want to block ALL outgoing telnet and ftp. You just need to add some rules to your iptables. However, blocking connections on a 'per user' basis would be difficult.

You can try the 'owner' iptables module. This module allows you to block outgoing packets generated by a specific user. I've personally never used it but it may be worth a try in your case.

Regards,
Paga
Keeping alive, until I die.
Marco Paganini
Respected Contributor

Re: Securing Telnet/Ftp commands in Linux

Hello again,

I've done some tests here. These iptables rules should work for you:

# telnet: let replies flow, allow root to open new sessions, reject everyone else
iptables -A OUTPUT -p tcp --dport telnet -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp --dport telnet -m owner --uid-owner 0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp --dport telnet -m state --state NEW,ESTABLISHED,RELATED -j REJECT

# ftp: same pattern, root (uid 0) is the only local user allowed to connect out
iptables -A OUTPUT -p tcp --dport ftp -m owner --uid-owner 0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp --dport ftp -m state --state NEW,ESTABLISHED,RELATED -j REJECT


These rules should allow incoming telnet/ftp connections from any user and block outgoing connections to telnet and ftp that do not come from user root. I believe that kills your problem.

Note: If you see an error on Red Hat when you run iptables, try removing the 'ipchains' module (I'm assuming here you have kernel 2.4). You can remove the ipchains module with:

rmmod ipchains

And try the commands above again. If that works, you may consider removing ipchains permanently from your system and using iptables only.

Regards,
Paga
Keeping alive, until I die.
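The per-user egress filter from the reply above, written as an idempotent script (an added example, not the script Marco posted or attached). Assumptions not from the thread: the rules go in a dedicated chain called CLIENT_EGRESS so they can be flushed separately, and the iptables binary supports -C (rule check); set IPTABLES to something else to review the commands without applying them.

```shell
#!/bin/sh
# Added example: block outgoing telnet/ftp for every local user except root
# using the iptables 'owner' match, as described in the thread. The chain
# name, the -C check and the dry-run rendering are assumptions, not the page's.

CHAIN="${CHAIN:-CLIENT_EGRESS}"   # assumed chain name, not from the thread
ALLOWED_UID="${ALLOWED_UID:-0}"   # root, as in the original rules
IPTABLES="${IPTABLES:-iptables}"

# Print the three rules for one destination port, one per line, in the order
# they must be inserted: replies first, then the root exception, then the
# catch-all REJECT. Order matters because iptables stops at the first match.
rules_for_port() {
    port="$1"
    printf '%s\n' \
        "-p tcp --dport $port -m state --state ESTABLISHED,RELATED -j ACCEPT" \
        "-p tcp --dport $port -m owner --uid-owner $ALLOWED_UID -m state --state NEW -j ACCEPT" \
        "-p tcp --dport $port -m state --state NEW -j REJECT --reject-with tcp-reset"
}

# Render the full command list for the given ports without running anything,
# so the rule set can be read or diffed before it touches the firewall.
render_rules() {
    echo "$IPTABLES -N $CHAIN 2>/dev/null || true"
    echo "$IPTABLES -C OUTPUT -j $CHAIN 2>/dev/null || $IPTABLES -A OUTPUT -j $CHAIN"
    for port in "$@"; do
        rules_for_port "$port" | while IFS= read -r rule; do
            # -C succeeds if the rule already exists, so re-running adds nothing twice
            echo "$IPTABLES -C $CHAIN $rule 2>/dev/null || $IPTABLES -A $CHAIN $rule"
        done
    done
}

# Number of rules generated for one port; 3 if rendering worked.
count_port_rules() { rules_for_port "$1" | wc -l | tr -d ' '; }

# Execute the rendered commands; needs root and a real iptables on the box.
apply_rules() { render_rules "$@" | sh -e; }

if [ "${1:-}" = "--apply" ]; then
    apply_rules telnet ftp
fi
```

The owner match only sees packets generated on this box, which is exactly the requirement here; a client pointed at a non-standard destination port is outside these rules, as is the FTP data channel, so lock down what the servers accept as well, as the earlier reply suggests.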
Marco Paganini
Respected Contributor

Re: Securing Telnet/Ftp commands in Linux

Hello again and again. :)

Oh boy... The cut & paste operation mangled my script. Please disregard the script in the message above. Use the one attached to this message.

Regards,
Paga
Keeping alive, until I die.