Restrict Telnet Access

Posted on 1997-07-23
Last Modified: 2013-12-27
I am trying to restrict telnet to certain users.  Running Solaris 2.5.1.  How do you do this?  I have tried the following and it did not seem to work.

>add an entry in /etc/group for telnet users called telnet:
>telnet::30:larry,curly,moe
>chgrp telnet /bin/telnet
>chmod 550 /bin/telnet

Thanks,
Question by:1stomni
12 Comments
 

Expert Comment

by:vkg063097
ID: 2006585
One way is to comment out the telnet service line in /etc/services.
That way nobody can telnet to your machine unless they
specify the port number (23) on the telnet command line.
      telnet host_name 23

The other way is to play around with the .telnetrc file; for more info see
man telnetrc

vinay

 
LVL 2

Expert Comment

by:pxh
ID: 2006586
What do you mean, "it did not seem to work" ? Can everybody still use telnet or nobody anymore?

Your method looks perfectly alright to me, by the way.

Peter

 
LVL 5

Expert Comment

by:n0thing
ID: 2006587
Hi,

   There isn't really a way to restrict outbound telnet on
your system. The group scheme you use would work, though; however,
it's very easy to copy the telnet binary from another Solaris
system and run it after you restrict the access. The only way
I could see is to force your users into a "restricted environment"
using a restricted shell. For more information on how
to set up a restricted shell please check

http://www.saberspace.com/howto/rsh/

   A restricted shell allows you to choose what commands your users may execute.

Good luck,
Minh Lai

 

Author Comment

by:1stomni
ID: 2006588
I will explain a little better.

I am trying to prevent certain users from accessing my web server via
telnet.  We offer virtual hosting and do not want to allow telnet access
to everyone we host.

When I change the shell in the passwd file to /bin/false it stops telnet
access but the user can no longer get their e-mail. Sendmail doesn't
seem to be able to find the user.

I have tried changing the group of /bin/telnet with no luck.  I even
changed the permissions for /bin/telnet to 000 and telnet still works
for all users that have a shell specified in the passwd file.  Shouldn't
this disable telnet completely?

My main goals are:
1) Create user accounts that are e-mail only. No telnet, no ftp, not access except to get their mail.
2) Create user accounts that are FTP only.  No telnet and no e-mail.

Any help would be appreciated.

Thanks,
 

Expert Comment

by:sdwix
ID: 2006589
For your email-only account, start a popper service and disable the telnet service in the inetd.conf or /etc/services file.  The pop service can be downloaded from Qualcomm.

For no mail, you need to fiddle with the aliases file.  Alias the user name to /dev/null possibly.

Two other alternatives are to

1) Get an HP box.  They have a security feature in the inetd daemon that allows user restrictions on all the services, including telnet and ftp.

2) Check out the inetd daemon from the Washington University ftp site.  It's the large software repository in, I believe, St. Louis. It's supposed to have improved security features.

Regards,
SDW

 

Author Comment

by:1stomni
ID: 2006590
I don't want to disable telnet altogether.

I have solved the FTP issue only with ncftpd ftp software.

Like I said earlier I can disable it by just setting the shell to /bin/false. But when I do this it disables the user from getting his e-mail.  I feel it has something to do with the /etc/shells file.  I have the shell /bin/false in the shells file but it doesn't seem to help.  I'm thinking that it has to do with sendmail looking for a valid shell.

Any ideas?
 

Author Comment

by:1stomni
ID: 2006591
Adjusted points to 250
 

Expert Comment

by:psmith
ID: 2006592
I may be stating the obvious, but are you sure you are setting permissions on the correct telnet executable (is there more than one on the system)?
 
LVL 1

Expert Comment

by:sherwood
ID: 2006593
If you want to restrict telnet as telnet, then turn off port 23
in /etc/services.  This would still allow telnet connections to
the mail server.

If you want to restrict telnet to certain users, then get
tcpwrappers.  This package allows you to restrict access by
port and IP address.  E.g. you can allow telnets from
certain hosts.

If you want to allow restricted actions, look at some form
of restricted shell.


 

Author Comment

by:1stomni
ID: 2006594
Response to sherwood:

1) I don't want to restrict telnet completely.  Some hosting accounts have access. So turning off the port for telnet is not an option.  However I am going to change the port number.

2) If I understand TCP wrappers, I would have to know the IP address of users that I want to allow in.  This does not work either because most of my customers use dial-up accounts with their ISPs and the IPs are dynamic.

Doesn't anyone have a server that has e-mail accounts only on a Solaris server?  How do I shut the shell off and still allow users to retrieve their mail?
 

Expert Comment

by:rjalex
ID: 2006595
Would hosts.allow (inetd.sec in the case of HP-UX) work for your purposes?  It only secures down to the incoming system name, but it's possible that this would work if there is a one-to-one incoming system/user ratio.
 

Accepted Solution

by:
sdwix earned 500 total points
ID: 2006596
Have you tried writing a shell script that throws the user into elm or pine or the email reader of your choice and using the script name as the shell variable in /etc/passwd? After the user exits the mail package, just include the logoff command.
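The accepted approach (a script installed as the login shell that runs the mail reader and then ends the session), which is also the "restricted environment" n0thing describes, worked out as an added example; this is not code from the thread. It assumes the reader is pine at /usr/bin/pine (override with MAIL_READER), that the script is installed as /usr/local/bin/mailshell and listed in /etc/shells before being set in /etc/passwd, and that the reader itself is configured with no shell escape.

```sh
#!/bin/sh
# mailshell: a mail-only login shell (added example, not from the thread).
# Assumptions: pine at /usr/bin/pine, installed as /usr/local/bin/mailshell,
# listed in /etc/shells, then set as the user's shell in /etc/passwd.
MAIL_READER=${MAIL_READER:-/usr/bin/pine}

# A login shell is started with no arguments (or a lone "-"). Anything
# else, notably "-c command", is an attempt to run an arbitrary command
# through the shell; refusing it is what makes this a restriction at all.
mailshell_allowed() {
    [ $# -eq 0 ] || { [ $# -eq 1 ] && [ "$1" = "-" ]; }
}

# Run the mail reader with a minimal environment, then end the session.
# Returns 1 (without running anything) when the invocation is refused.
mailshell_main() {
    if ! mailshell_allowed "$@"; then
        echo "mailshell: only interactive mail access is permitted" >&2
        return 1
    fi
    PATH=/usr/bin:/bin; export PATH    # fixed PATH, nothing user-writable
    umask 077
    cd "${HOME:-/}" || cd /
    "$MAIL_READER"                     # reader must have shell escapes disabled
    return 0                           # the session ends when the reader exits
}

# Only act as a shell when invoked under the installed name, so the
# functions above can be sourced and checked without starting a reader.
case "$0" in
    *mailshell) mailshell_main "$@"; exit $? ;;
esac
```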
