Solved

Restrict Telnet Access

Posted on 1997-07-23
2,437 Views
Last Modified: 2013-12-27
I am trying to restrict telnet to certain users.  Running Solaris 2.5.1.  How do you do this?  I have tried the following and it did not seem to work.

>add an entry in /etc/group for telnet users called telnet:
>telnet::30:larry,curly,moe
>chgrp telnet /bin/telnet
>chmod 550 /bin/telnet

Thanks,
0
Question by:1stomni
12 Comments
 

Expert Comment

by:vkg063097
ID: 2006585
One way is to comment out the telnet service line in /etc/services.
That way nobody can telnet to your machine unless they
specify the port number (23) on the telnet command line:
      telnet host_name 23

Another way is to play around with the .telnetrc file; for more info see
man telnetrc

vinay

0
 
LVL 2

Expert Comment

by:pxh
ID: 2006586
What do you mean, "it did not seem to work"? Can everybody still use telnet, or nobody anymore?

Your method looks perfectly alright to me, by the way.

Peter

0
 
LVL 5

Expert Comment

by:n0thing
ID: 2006587
Hi,

   There isn't really a way to restrict outbound telnet on
your system. The group scheme you use would work, though; however,
it's very easy to copy the telnet binary from another Solaris
system and run it after you restrict the access. The only way
I could see is to force your users into a "restricted environment"
using a restricted shell. For more information on how
to set up a restricted shell please check

http://www.saberspace.com/howto/rsh/

   A restricted shell allows you to choose which commands your users may execute.

Good luck,
Minh Lai
0

Author Comment

by:1stomni
ID: 2006588
I will explain a little better.

I am trying to prevent certain users from accessing my web server via
telnet.  We offer virtual hosting and do not want to allow telnet access
to everyone we host.

When I change the shell in the passwd file to /bin/false it stops telnet
access but the user can no longer get their e-mail. Sendmail doesn't
seem to be able to find the user.

I have tried changing the group of /bin/telnet with no luck.  I even
changed the permissions for /bin/telnet to 000 and telnet still works
for all users that have a shell specified in the passwd file.  Shouldn't
this disable telnet completely?

My main goals are:
1) Create user accounts that are e-mail only. No telnet, no ftp, no access except to get their mail.
2) Create user accounts that are FTP only.  No telnet and no e-mail.

Any help would be appreciated.

Thanks,
0
 

Expert Comment

by:sdwix
ID: 2006589
For your email-only account, start a popper service and disable the telnet service in inetd.conf or the /etc/services file.  The pop service can be downloaded from Qualcomm.

For no mail, you need to fiddle with the aliases file.  Alias the user name to /dev/null possibly.

Two other alternatives are to

1) get an HP box.  They have a security feature in the inetd daemon that allows user restrictions on all the services, including telnet and ftp.

2) Check out the inetd daemon from the Washington University ftp site.  It's the large software repository in, I believe, St. Louis. It's supposed to have improved security features.

Regards,
SDW

0
 

Author Comment

by:1stomni
ID: 2006590
I don't want to disable telnet altogether.

I have solved the FTP issue only with ncftpd ftp software.

Like I said earlier, I can disable it by just setting the shell to /bin/false. But when I do this it disables the user from getting his e-mail.  I feel it has something to do with the /etc/shells file.  I have the shell /bin/false in the shells file but it doesn't seem to help.  I'm thinking that it has to do with sendmail looking for a valid shell.

Any ideas?
0
 

Author Comment

by:1stomni
ID: 2006591
Adjusted points to 250
0
 

Expert Comment

by:psmith
ID: 2006592
I may be stating the obvious, but are you sure you are setting permissions on the correct telnet executable (is there more than one on the system)?
0
 
LVL 1

Expert Comment

by:sherwood
ID: 2006593
If you want to restrict telnet as telnet, then turn off port 23
in /etc/services.  This would still allow telnet connections to
the mail server.

If you want to restrict telnet to certain users, then get
tcpwrappers.  This package allows you to restrict access by
port and IP address.  E.g. you can allow telnets from
certain hosts.

If you want to allow restricted actions, look at some form
of restricted shell.


0
 

Author Comment

by:1stomni
ID: 2006594
Response to sherwood:

1) I don't want to restrict telnet completely.  Some hosting accounts have access. So turning off the port for telnet is not an option.  However I am going to change the port number.

2) If I understand TCPwrappers, I would have to know the IP address of users that I want to allow in.  This does not work either because most of my customers use dial-up accounts with their ISPs and the IPs are dynamic.

Doesn't anyone have a server that has e-mail accounts only on a Solaris server?  How do I shut the shell off and still allow users to retrieve their mail?
0
 

Expert Comment

by:rjalex
ID: 2006595
Would hosts.allow (inetd.sec in the case of HP-UX) work for your purposes?  It only secures down to the incoming system name, but it's possible that this would work if there is a one-to-one incoming system/user ratio.
0
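The hosts.allow / hosts.deny control that sherwood and rjalex mention decides per connecting host, not per user, which is why dynamic dial-up addresses defeat it for 1stomni's purpose. Its lookup order also has a caveat worth checking before relying on it: tcpd consults hosts.allow first, then hosts.deny, and grants access when neither file matches, so a hosts.deny without an `ALL: ALL` line leaves every wrapped service open to unlisted hosts. The sh script below is an added example, not code from this thread or from the tcp_wrappers package; it re-implements that documented decision order over constructed rule text so a rule set can be dry-run before deployment. The daemon names, hostnames and rule lines are all constructed, and only the simple patterns shown (ALL, an exact hostname, a leading-dot domain suffix, a trailing-dot address prefix) are supported; net/mask forms, EXCEPT and shell commands are not.

```sh
#!/bin/sh
# tcpd_dryrun: added example, not from the thread or from tcp_wrappers.
# Re-implements tcpd's documented access decision over constructed
# hosts.allow / hosts.deny text so a rule set can be checked before use:
#   1. hosts.allow is searched first; the first matching (daemon, client) line grants.
#   2. hosts.deny is searched next; the first matching line denies.
#   3. If neither file matches, access is GRANTED (tcpd's default).
# Supported client patterns: ALL, exact hostname, ".domain" suffix, "1.2.3." prefix.

# Constructed sample rule files (daemon names are Solaris-style in.* names).
HOSTS_ALLOW='# hosts.allow: who may reach which wrapped service
in.telnetd : office.example.com .trusted.example.com
in.ftpd    : ALL
'
HOSTS_DENY='# hosts.deny: everything not granted above is refused
ALL : ALL
'

# tcpd_pattern_match PATTERN ITEM -> 0 if ITEM matches one tcpd-style pattern
tcpd_pattern_match() {
    case "$1" in
        ALL) return 0 ;;
        .*)  case "$2" in *"$1") return 0 ;; esac ;;   # domain suffix
        *.)  case "$2" in "$1"*) return 0 ;; esac ;;   # address prefix
        *)   [ "$1" = "$2" ] && return 0 ;;            # exact name
    esac
    return 1
}

# tcpd_list_match LIST ITEM -> 0 if any comma/space separated pattern matches
tcpd_list_match() {
    for tcpd_pat in $(printf '%s' "$1" | tr ',' ' '); do
        tcpd_pattern_match "$tcpd_pat" "$2" && return 0
    done
    return 1
}

# tcpd_file_match RULETEXT DAEMON CLIENT -> 0 if some non-comment line matches.
# The rule text is fed through a here-document so the loop runs in the
# current shell and "return" works in every POSIX sh.
tcpd_file_match() {
    while IFS= read -r tcpd_line; do
        case "$tcpd_line" in ''|\#*) continue ;; esac
        if tcpd_list_match "${tcpd_line%%:*}" "$2" &&
           tcpd_list_match "${tcpd_line#*:}" "$3"; then
            return 0
        fi
    done <<EOF
$1
EOF
    return 1
}

# tcpd_decision DAEMON CLIENT -> prints allow or deny following tcpd's order
tcpd_decision() {
    if tcpd_file_match "$HOSTS_ALLOW" "$1" "$2"; then
        echo allow
    elif tcpd_file_match "$HOSTS_DENY" "$1" "$2"; then
        echo deny
    else
        echo allow            # nothing matched: tcpd permits by default
    fi
}

# Dry-run table over the constructed rules.
tcpd_demo() {
    for pair in \
        in.telnetd/office.example.com \
        in.telnetd/pc7.trusted.example.com \
        in.telnetd/dialup42.isp.example.net \
        in.ftpd/dialup42.isp.example.net \
        in.fingerd/office.example.com; do
        printf '%-12s %-30s %s\n' "${pair%/*}" "${pair#*/}" \
            "$(tcpd_decision "${pair%/*}" "${pair#*/}")"
    done
}

tcpd_demo
```

Emptying HOSTS_DENY and re-running tcpd_decision for in.fingerd shows the footgun: with no deny rule the unlisted service comes back `allow`. Run the real rules through tcpdmatch(8) as well before trusting them; this script only models the subset of syntax it documents.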
 

Accepted Solution

by: sdwix (earned 250 total points)
ID: 2006596
Have you tried writing a shell script that throws the user into elm or pine or the email reader of your choice and using the script name as the shell variable in /etc/passwd? After the user exits the mail package, just include the logoff command.
0
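A sketch of the script-as-login-shell approach sdwix describes (which is also the "restricted environment" idea n0thing raised earlier), written here as an added example; it is not code from the thread. The script name `mailonly`, its install path and the mail reader path are assumptions. The points a practitioner has to get right are in the code: refuse to do anything when handed a command (`-c ...`, as rsh-style invocations pass) or a non-terminal stdin, ignore the keyboard signals that would otherwise drop the user to a prompt, and end the login the moment the reader exits. The reader itself must be configured without shell-escape or pipe-to-command features, or the restriction is only cosmetic, and the script has to be listed in /etc/shells for services that consult it.

```sh
#!/bin/sh
# mailonly: captive login shell for mail-only accounts (added example, not
# from the thread). Install it, e.g. as /usr/local/bin/mailonly (assumed
# path), list it in /etc/shells, and set it as the login shell in /etc/passwd.

# Mail reader to run; the path is an assumption, adjust for the system.
MAILONLY_READER=${MAILONLY_READER:-/usr/bin/pine}

# mailonly_check_args ARGS... -> 0 only for a plain interactive login.
# login(1) starts the shell with no arguments; remote-command style
# invocations pass "-c command", which a captive shell must never honour.
mailonly_check_args() {
    [ $# -eq 0 ]
}

# mailonly_passwd_entry USER UID GID HOME SHELL -> the /etc/passwd line for a
# mail-only account (the password field is left for passwd(1) to fill in).
mailonly_passwd_entry() {
    printf '%s:x:%s:%s:mail-only account:%s:%s\n' "$1" "$2" "$3" "$4" "$5"
}

mailonly_main() {
    if ! mailonly_check_args "$@"; then
        echo "mailonly: this account may only read mail" >&2
        exit 1
    fi
    # A session without a terminal on stdin is not a telnet login.
    if [ ! -t 0 ]; then
        exit 1
    fi
    # Ignore interrupt, quit and suspend so ^C, ^\ or ^Z cannot stop the
    # reader and leave the user at a prompt.
    trap '' INT QUIT TSTP
    # Minimal environment: nothing else on the PATH to wander into.
    PATH=/usr/bin
    export PATH
    cd "${HOME:-/}" || exit 1
    "$MAILONLY_READER"
    # Whatever happened inside the reader, the login ends here.
    exit 0
}

# Run only when invoked as the login shell (login(1) prefixes argv[0] with
# '-') or by name; a file that merely sources these functions is left alone.
case "$0" in
    -*|*mailonly) mailonly_main "$@" ;;
esac
```

Because the reader is the whole session, its own configuration is part of the control: disable any feature that runs an external command or opens a subshell, and test the account over telnet by pressing the interrupt and suspend keys inside the reader and by trying a remote command against it before handing it to customers.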
