Restrict Telnet Access

I am trying to restrict telnet to certain users.  Running Solaris 2.5.1.  How do you do this?  I have tried the following and it did not seem to work.

>add an entry in /etc/group for telnet users called telnet:
>telnet::30:larry,curly,moe
>chgrp telnet /bin/telnet
>chmod 550 /bin/telnet

Thanks,
1stomni asked:

vkg063097 commented:
One way is to comment out the telnet service line in /etc/services.
That way nobody can telnet to your machine unless you
specify the port number (23) on the telnet command line:
      telnet host_name 23

The other way is to play around with the .telnetrc file; for more info see
man telnetrc

vinay

0
pxh commented:
What do you mean, "it did not seem to work" ? Can everybody still use telnet or nobody anymore?

Your method looks perfectly alright to me, by the way.

Peter

0
n0thing commented:
Hi,

   There isn't really a way to restrict outbound telnet on
your system. The group scheme you use would work, though; however,
it's very easy to copy the telnet binary from another Solaris
system and run it after you restrict the access. The only way
I could see is to force your users into a "restricted environment" using a restricted shell. For more information on how
to set up a restricted shell please check

http://www.saberspace.com/howto/rsh/

   With a restricted shell, it allows you to choose what commands your users may execute.

Good luck,
Minh Lai
0

1stomni (author) commented:
I will explain a little better.

I am trying to prevent certain users from accessing my web server via
telnet.  We offer virtual hosting and do not want to allow telnet access
to everyone we host.

When I change the shell in the passwd file to /bin/false it stops telnet
access but the user can no longer get their e-mail. Sendmail doesn't
seem to be able to find the user.

I have tried changing the group of /bin/telnet with no luck.  I even
changed the permissions for /bin/telnet to 000 and telnet still works
for all users that have a shell specified in the passwd file.  Shouldn't
this disable telnet completely?

My main goals are:
1) Create user accounts that are e-mail only. No telnet, no ftp, no access except to get their mail.
2) Create user accounts that are FTP only.  No telnet and no e-mail.

Any help would be appreciated.

Thanks,
0
sdwix commented:
For your email-only account, start a popper service and disable the telnet service in the inetd.conf or /etc/services file.  The pop service can be downloaded from Qualcomm.  

For no mail, you need to fiddle with the aliases file.  Alias the user name to /dev/null, possibly.  

Two other alternatives are to

1) get an HP box.  They have a security feature in the inetd daemon that allows user restrictions on all the services, including telnet and ftp.

2) Check out the inetd daemon from the Washington University ftp site.  It's the large software repository in, I believe, St. Louis. It's supposed to have improved security features.

Regards,
SDW

0
1stomni (author) commented:
I don't want to disable telnet altogether.

I have solved the FTP issue only with the ncftpd FTP software.

Like I said earlier, I can disable it by just setting the shell to /bin/false, but when I do this it prevents the user from getting his e-mail.  I feel it has something to do with the /etc/shells file.  I have the shell /bin/false in the shells file but it doesn't seem to help.  I'm thinking that it has to do with sendmail looking for a valid shell.

Any ideas?
0
1stomni (author) commented:
Adjusted points to 250
0
psmith commented:
I may be stating the obvious, but are you sure you are setting permissions on the correct telnet executable, (is there more than one on the system)?
0
sherwood commented:
If you want to restrict telnet as telnet, then turn off port 23
in /etc/services.  This would still allow telnet connections to
the mail server.

If you want to restrict telnet to certain users, then get
tcpwrappers.  This package allows you to restrict access by
port and ip address.  E.g. you can allow telnets from
certain hosts.

If you want to allow restricted actions, look at some form
of restricted shell.


0
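Added example (editor's, not from any poster in this thread) for the restricted shell that n0thing recommends above and sherwood mentions: a setup script for a hosting user whose login shell in /etc/passwd is the Solaris restricted shell /usr/lib/rsh (the restricted Bourne shell, not the remote-shell client /usr/bin/rsh). rsh refuses cd, assignments to PATH, command names containing a slash, and output redirection, so the user can run only the names placed in $HOME/bin, and only as long as .profile and $HOME itself are out of the user's reach. The home path, the user name and the command list are assumptions; it is meant to run as root on the real host.

```shell
#!/bin/sh
# Added example, not from the thread: prepare a home directory for a hosting
# user whose login shell in /etc/passwd is set to the Solaris restricted shell
# /usr/lib/rsh (the restricted Bourne shell, not the remote-shell client
# /usr/bin/rsh). rsh refuses cd, assignments to PATH, command names that
# contain '/' and output redirection, so the only commands the user can run
# are the names placed in $HOME/bin, provided .profile and $HOME itself are
# out of the user's reach. Paths, user name and command list are assumptions;
# run it as root on the real host.

# restrict_home HOMEDIR USER CMD...
restrict_home() {
    home=$1; user=$2; shift 2
    mkdir -p "$home/bin" "$home/work"
    for cmd; do
        # link each allowed command under its bare name: rsh users can only
        # type names found on PATH, never a path with a slash in it
        ln -sf "$cmd" "$home/bin/${cmd##*/}"
    done
    cat >"$home/.profile" <<'EOF'
# Owned by root and read-only for the user: if the user could edit this
# file, PATH would be theirs again and the restriction would be gone.
PATH=$HOME/bin
SHELL=/usr/lib/rsh
export PATH SHELL
EOF
    chmod 644 "$home/.profile"
    # the user owns only work/: a user-owned $HOME would let them unlink
    # .profile and replace it, so root ownership of .profile alone is not enough
    chmod 755 "$home"
    chown root "$home" "$home/.profile" 2>/dev/null ||
        echo "warning: not root, $home and .profile remain user-writable" >&2
    chown "$user" "$home/work" 2>/dev/null || :
}

# restricted_home_ok HOMEDIR -> 0 when .profile and HOMEDIR/bin exist and
# neither HOMEDIR nor .profile is group- or world-writable (ownership is
# something to confirm by hand with ls -ld on the host).
restricted_home_ok() {
    home=$1
    [ -f "$home/.profile" ] && [ -d "$home/bin" ] || return 1
    loose=$(find "$home" "$home/.profile" -prune \( -perm -020 -o -perm -002 \) -print)
    if [ -z "$loose" ]; then return 0; fi
    return 1
}
```

Two caveats a practitioner would check before relying on this: any permitted command with a shell escape (vi, or the `!` command in mailx) reopens a full shell, and the check above only covers permission bits, so confirm with `ls -ld` that root owns both the home directory and .profile.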
1stomni (author) commented:
Response to sherwood:

1) I don't want to restrict telnet completely.  Some hosting accounts have access. So turning off the port for telnet is not an option.  However I am going to change the port number.

2) If I understand TCPwrappers, I would have to know the IP address of users that I want to allow in.  This does not work either because most of my customers use dial-up accounts with their ISPs and the IPs are dynamic.

Doesn't anyone have a server that has e-mail accounts only on a Solaris server?  How do I shut the shell off and still allow users to retrieve their mail?
0
rjalex commented:
would hosts.allow (inetd.sec in case of HPUX) work for your purposes?  it only secures down to incoming system name, but it's possible that this would work if there is a one to one incoming system/user ratio.
0
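Added example (editor's, not from sherwood or rjalex) for the tcp_wrappers / hosts.allow route both of them suggest: a hosts.allow and hosts.deny pair that confines in.telnetd to one network and one fixed host, plus a small sh model of the order in which tcpd reads those files. The tcpd path /usr/local/sbin/tcpd and all addresses are assumptions; the evaluator is a teaching model that understands only the ALL, exact-address, trailing-dot prefix and net/mask forms, not tcpd itself. Note that it decides on the client host, which is exactly why it cannot tell one dial-up user from another.

```shell
#!/bin/sh
# Added example (not from the thread): restrict in.telnetd by client address
# with tcp_wrappers, and a small sh model of how tcpd reads the two files.
# tcpd's path (/usr/local/sbin/tcpd) and the addresses are assumptions.
#
# In /etc/inetd.conf the daemon is started through tcpd instead of directly
# (then send inetd a HUP so it rereads the file):
#   telnet  stream  tcp  nowait  root  /usr/local/sbin/tcpd  in.telnetd

WRAP=${TMPDIR:-/tmp}/wrap.$$
mkdir -p "$WRAP"

# Constructed policy. tcpd grants access on the first match in hosts.allow,
# otherwise denies on a match in hosts.deny, otherwise grants. The ALL: ALL
# deny line turns that default around for every wrapped daemon.
cat >"$WRAP/hosts.allow" <<'EOF'
in.telnetd: 10.0.0.0/255.255.255.0, 192.0.2.10
in.ftpd: ALL
EOF
cat >"$WRAP/hosts.deny" <<'EOF'
ALL: ALL
EOF

# ip_to_int A.B.C.D -> the address as one integer
ip_to_int() {
    set -- $(echo "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# client_matches PATTERN ADDR -> 0 if PATTERN covers ADDR.
# Handles the forms used above: ALL, net/mask, "10.0." style prefix, exact.
client_matches() {
    pat=$1; addr=$2
    case $pat in
        ALL) return 0 ;;
        */*)
            net=${pat%/*}; mask=${pat#*/}
            if [ $(( $(ip_to_int "$addr") & $(ip_to_int "$mask") )) -eq \
                 $(( $(ip_to_int "$net")  & $(ip_to_int "$mask") )) ]; then
                return 0
            fi
            return 1 ;;
        *.)
            case $addr in "$pat"*) return 0 ;; esac
            return 1 ;;
        *)
            if [ "$pat" = "$addr" ]; then return 0; fi
            return 1 ;;
    esac
}

# file_matches FILE DAEMON ADDR -> 0 if a "daemon_list : client_list" line
# in FILE matches both. Comment lines and an optional third field are skipped.
file_matches() {
    file=$1; daemon=$2; addr=$3
    while IFS= read -r line; do
        case $line in ''|\#*) continue ;; esac
        dlist=${line%%:*}
        rest=${line#*:}; clist=${rest%%:*}
        dhit=no
        for d in $(echo "$dlist" | tr , ' '); do
            if [ "$d" = ALL ] || [ "$d" = "$daemon" ]; then dhit=yes; fi
        done
        [ "$dhit" = yes ] || continue
        for c in $(echo "$clist" | tr , ' '); do
            if client_matches "$c" "$addr"; then return 0; fi
        done
    done <"$file"
    return 1
}

# tcpd_decision DAEMON ADDR -> prints allow or deny
tcpd_decision() {
    if file_matches "$WRAP/hosts.allow" "$1" "$2"; then echo allow
    elif file_matches "$WRAP/hosts.deny" "$1" "$2"; then echo deny
    else echo allow
    fi
}
```

Run `tcpd_decision in.telnetd 10.0.1.5` and the model answers deny, because the address falls outside 10.0.0.0/255.255.255.0 and the deny file catches everything else; the same client asking for in.ftpd is allowed. Without the ALL: ALL line in hosts.deny, every daemon not named in hosts.allow would be open, which is the mistake most often found in a first tcp_wrappers setup.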
sdwix commented:
Have you tried writing a shell script that throws the user into elm or pine or the email reader of your choice and using the script name as the shell variable in /etc/passwd? After the user exits the mail package, just include the logoff command.
0
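Added example (editor's, not sdwix's or the author's code) for the "mail reader as login shell" idea just above, together with the /etc/shells question the author raised earlier: the text of such a wrapper, and an audit function that reports what each account in a passwd file can still do. The passwd and shells data are constructed; /usr/local/bin/mailsh and /usr/bin/mailx are assumed paths. Two facts the classification rests on: login(1) simply runs whatever shell the passwd entry names, while in.ftpd refuses any user whose shell is not listed in /etc/shells. Whether local mail delivery on this release also consults /etc/shells is the author's open question and is not assumed here; confirm it on the host before deploying the wrapper.

```shell
#!/bin/sh
# Added example (not from the thread): the "mail reader as login shell" idea
# from the comment above, plus an audit of what each account in a passwd file
# can still do. Constructed passwd/shells data; /usr/local/bin/mailsh and
# /usr/bin/mailx are assumed paths.

WORK=${TMPDIR:-/tmp}/acct.$$
mkdir -p "$WORK"

# Constructed /etc/passwd excerpt: one shell account, one mail-only account,
# one ftp-only account (/bin/false, as the author did) and one whose shell
# is not listed in /etc/shells.
cat >"$WORK/passwd" <<'EOF'
larry:x:1001:30:Hosting shell account:/export/home/larry:/bin/sh
curly:x:1002:30:Mail-only account:/export/home/curly:/usr/local/bin/mailsh
moe:x:1003:30:FTP-only account:/export/home/moe:/bin/false
shemp:x:1004:30:Unlisted shell:/export/home/shemp:/usr/local/bin/zsh
EOF
# Constructed /etc/shells. /bin/false is listed so in.ftpd accepts moe;
# mailsh is deliberately NOT listed so in.ftpd refuses curly.
cat >"$WORK/shells" <<'EOF'
/bin/sh
/bin/csh
/bin/ksh
/bin/false
EOF

# Text of the wrapper installed as /usr/local/bin/mailsh (root-owned, 755).
# exec replaces the shell, so leaving the mailer ends the session; the trap
# keeps ^C or a hangup from dropping the user at a prompt before exec runs.
# mailx runs its "!" shell escapes through $SHELL (an assumption to verify
# against your mailx), so SHELL is pointed at /bin/false first.
mailsh_text() {
cat <<'EOF'
#!/bin/sh
trap '' 1 2 3 15
umask 077
PATH=/usr/bin; export PATH
SHELL=/bin/false; export SHELL
cd "${HOME:-/}" || exit 1
exec /usr/bin/mailx
EOF
}

# login_shell USER PASSWDFILE -> prints the shell field, fails if no such user
login_shell() {
    awk -F: -v u="$1" '$1 == u { print $7; found = 1 } END { exit !found }' "$2"
}

# account_class USER PASSWDFILE SHELLSFILE
#   login        shell listed in /etc/shells: telnet and ftp both work
#   mail-only    wrapper shell: telnet lands in the mailer, ftp refused (unlisted)
#   ftp-only     /bin/false listed in /etc/shells: ftp works, telnet exits at once
#   locked       /bin/false not listed: neither works
#   telnet-only  real shell not in /etc/shells: login(1) does not check the
#                list, so telnet still works, but in.ftpd refuses the account
account_class() {
    shl=$(login_shell "$1" "$2") || { echo unknown; return 0; }
    listed=no
    if grep -Fx "$shl" "$3" >/dev/null 2>&1; then listed=yes; fi
    case "$shl:$listed" in
        /usr/local/bin/mailsh:*) echo mail-only ;;
        /bin/false:yes)          echo ftp-only ;;
        /bin/false:no)           echo locked ;;
        *:yes)                   echo login ;;
        *)                       echo telnet-only ;;
    esac
}
```

Running `account_class` over every name in the real passwd file is the quickest way to see which "disabled" accounts are still telnet-only rather than locked: a shell that merely is not in /etc/shells stops FTP, not interactive login.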
