Solved

Restrict Telnet Access

Posted on 1997-07-23
2,429 Views
Last Modified: 2013-12-27
I am trying to restrict telnet to certain users.  Running Solaris 2.5.1.  How do you do this?  I have tried the following and it did not seem to work.

>add an entry in /etc/group for telnet users called telnet:
>telnet::30:larry,curly,moe
>chgrp telnet /bin/telnet
>chmod 550 /bin/telnet

Thanks,
Question by:1stomni
12 Comments

Expert Comment

by:vkg063097
One way is to comment out the telnet service line in /etc/services.
That way nobody can telnet to your machine unless they
specify the port number (23) on the telnet command line:
      telnet host_name 23

Another way is to play around with the .telnetrc file; for more info see
man telnetrc

vinay

LVL 2

Expert Comment

by:pxh
What do you mean, "it did not seem to work" ? Can everybody still use telnet or nobody anymore?

Your method looks perfectly alright to me, by the way.

Peter

LVL 5

Expert Comment

by:n0thing
Hi,

   There isn't really a way to restrict outbound telnet on
your system. The group scheme you use would work though; however,
it's very easy to copy the telnet binary from another Solaris
system and run it after you restrict the access. The only way
I could see is to force your users into a "restricted environment" using a restricted shell. For more information on how
to set up a restricted shell please check

http://www.saberspace.com/howto/rsh/

   A restricted shell allows you to choose what commands your users may execute.

Good luck,
Minh Lai

Author Comment

by:1stomni
I will explain a little better.

I am trying to prevent certain users from accessing my web server via
telnet.  We offer virtual hosting and do not want to allow telnet access
to everyone we host.

When I change the shell in the passwd file to /bin/false it stops telnet
access but the user can no longer get their e-mail. Sendmail doesn't
seem to be able to find the user.

I have tried changing the group of /bin/telnet with no luck.  I even
changed the permissions for /bin/telnet to 000 and telnet still works
for all users that have a shell specified in the passwd file.  Shouldn't
this disable telnet completely?

My main goals are:
1) Create user accounts that are e-mail only. No telnet, no ftp, no access except to get their mail.
2) Create user accounts that are FTP only.  No telnet and no e-mail.

Any help would be appreciated.

Thanks,

Expert Comment

by:sdwix
For your email-only account, start a popper service and disable the telnet service in the inetd.conf or /etc/services file.  The pop service can be downloaded from Qualcomm.

For no mail, you need to fiddle with the aliases file.  Alias the user name to /dev/null possibly.

Two other alternatives are to

1) Get an HP box.  They have a security feature in the inetd daemon that allows user restrictions on all the services, including telnet and ftp.

2) Check out the inetd daemon from the Washington University FTP site.  It's the large software repository in, I believe, St. Louis.  It's supposed to have improved security features.

Regards,
SDW


Author Comment

by:1stomni
I don't want to disable telnet altogether.

I have solved the FTP issue only with ncftpd ftp software.

Like I said earlier I can disable it by just setting the shell to /bin/false. But when I do this it disables the user from getting his e-mail.  I feel it has something to do with the /etc/shells file.  I have the shell /bin/false in the shells file but it doesn't seem to help.  I'm thinking that it has to do with sendmail looking for a valid shell.

Any ideas?

Author Comment

by:1stomni
Adjusted points to 250

Expert Comment

by:psmith
I may be stating the obvious, but are you sure you are setting permissions on the correct telnet executable, (is there more than one on the system)?
LVL 1

Expert Comment

by:sherwood
If you want to restrict telnet as telnet, then turn off port 23
in /etc/services.  This would still allow telnet connections to
the mail server.

If you want to restrict telnet to certain users, then get
tcpwrappers.  This package allows you to restrict access by
port and IP address.  E.g. you can allow telnets from
certain hosts.

If you want to allow restricted actions, look at some form
of restricted shell.


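An added example (not code from the thread) that follows up on psmith's question about which telnet executable is involved and on sherwood's tcpwrappers suggestion. On Solaris 2.x an incoming telnet session is accepted by inetd on port 23, which then spawns in.telnetd; /bin/telnet is only the outbound client, so changing its mode or group cannot block inbound logins. The line that matters is the telnet entry in /etc/inetd.conf, and tcpwrappers works by putting tcpd in front of in.telnetd on that line so that /etc/hosts.allow and /etc/hosts.deny apply. The functions below read an inetd.conf and report which of the three states it is in. The tcpd path /usr/local/sbin/tcpd and the sample lines in the demo are assumptions, constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the thread: inspect how inbound telnet is really
# served. inetd listens on port 23 and spawns in.telnetd, so chmod/chgrp on
# /bin/telnet (the outbound client) does not affect incoming logins.

# Print the program inetd runs for the telnet service (field 6 of the active
# telnet line), or nothing if the service is commented out or absent.
# Usage: telnet_server_prog /etc/inetd.conf
telnet_server_prog() {
    awk '$1 == "telnet" && $2 == "stream" && $3 == "tcp" { print $6; exit }' "$1"
}

# Returns 0 if the telnet service is disabled in the given inetd.conf, 1 otherwise.
telnet_is_disabled() {
    [ -z "$(telnet_server_prog "$1")" ]
}

# Returns 0 if telnet goes through tcpd, so hosts.allow/hosts.deny apply to it
# (sherwood's tcpwrappers suggestion), 1 otherwise.
telnet_is_wrapped() {
    case "$(telnet_server_prog "$1")" in
        */tcpd) return 0 ;;
        *)      return 1 ;;
    esac
}

# Human-readable report for one inetd.conf. The wrapped line printed for
# comparison assumes tcpd is installed as /usr/local/sbin/tcpd. After editing
# inetd.conf, send inetd a HUP (find its pid with "ps -e | grep inetd") so it
# rereads the file.
telnet_report() {
    conf=${1:-/etc/inetd.conf}
    if telnet_is_disabled "$conf"; then
        echo "telnet: disabled in $conf"
    elif telnet_is_wrapped "$conf"; then
        echo "telnet: served by $(telnet_server_prog "$conf"); hosts.allow/hosts.deny apply"
    else
        echo "telnet: served directly by $(telnet_server_prog "$conf"); no tcpd in the path"
        echo "  wrapped form: telnet stream tcp nowait root /usr/local/sbin/tcpd in.telnetd"
    fi
}

# Stand-alone demo on constructed sample lines (the stock Solaris 2.5.1 entry,
# then a tcpd-wrapped one). Real use: telnet_report /etc/inetd.conf
demo() {
    tmp=${TMPDIR:-/tmp}/inetd.sample.$$
    printf 'telnet\tstream\ttcp\tnowait\troot\t/usr/sbin/in.telnetd\tin.telnetd\n' > "$tmp"
    telnet_report "$tmp"
    printf 'telnet\tstream\ttcp\tnowait\troot\t/usr/local/sbin/tcpd\tin.telnetd\n' > "$tmp"
    telnet_report "$tmp"
    rm -f "$tmp"
}

case "${1:-}" in
    demo) demo ;;
esac
```

Run it as `sh inetd-check.sh demo` to see both outcomes on the constructed lines, or source it and call `telnet_report /etc/inetd.conf` on the live file. Note that, as 1stomni points out later in the thread, tcpd restricts by source host rather than by user, so for dial-up customers with dynamic addresses it cannot express "these users may telnet, those may not"; the login-shell approach in the accepted answer is what does that.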

Author Comment

by:1stomni
Response to sherwood:

1) I don't want to restrict telnet completely.  Some hosting accounts have access. So turning off the port for telnet is not an option.  However I am going to change the port number.

2) If I understand TCPwrappers, I would have to know the IP address of users that I want to allow in.  This does not work either because most of my customers use dial-up accounts with their ISPs and the IPs are dynamic.

Doesn't anyone have a server that has e-mail accounts only on a Solaris server?  How do I shut the shell off and still allow users to retrieve their mail?

Expert Comment

by:rjalex
would hosts.allow (inetd.sec in case of HPUX) work for your purposes?  it only secures down to incoming system name, but it's possible that this would work if there is a one to one incoming system/user ratio.

Accepted Solution

by: sdwix (earned 250 total points)
Have you tried writing a shell script that throws the user into elm or pine or the email reader of your choice and using the script name as the shell variable in /etc/passwd? After the user exits the mail package, just include the logoff command.

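A concrete form of the accepted answer, as an added example that is not part of the thread: a small script installed as the login shell of an e-mail-only account. It refuses any invocation that carries arguments (a login shell is started by login with none, whereas rsh-style access starts it as "shell -c command"), runs the mailer in the user's home directory, and exits, which ends the telnet session because the script is the login shell. The mailer path /usr/local/bin/pine, the MAILSHELL_MAILER override variable and the install path /usr/local/bin/mailshell are assumptions.

```shell
#!/bin/sh
# mailshell: a login shell for e-mail-only accounts, along the lines of the
# accepted answer above. Added example, not code from the thread.
# Assumptions: the mailer is /usr/local/bin/pine (override with the
# MAILSHELL_MAILER environment variable) and this script is installed as
# /usr/local/bin/mailshell and named as the user's shell in /etc/passwd.
# Deliberately NOT listed in /etc/shells: in.ftpd only admits users whose
# shell is listed there, so leaving it out also closes FTP for these accounts.

PATH=/usr/bin:/bin; export PATH
umask 077

# login starts a login shell with no arguments; rsh/rexec-style access starts
# it as "shell -c command". Accept only an argument-free invocation.
mailshell_check_args() {
    [ $# -eq 0 ]
}

# Run the mailer in the user's home directory, then return so the session
# ends. Returns 0 for a normal session, 1 when the invocation is refused.
mailshell_run() {
    if ! mailshell_check_args "$@"; then
        echo "mailshell: command execution is not permitted on this account" >&2
        return 1
    fi
    mailer=${MAILSHELL_MAILER:-/usr/local/bin/pine}
    cd "${HOME:-/}" || return 1
    "$mailer"
    return 0
}

# Act only when invoked as the login shell (argv[0] is "-mailshell" or ends in
# /mailshell); a script that merely sources this file gets the functions only.
case "$0" in
    -mailshell|*/mailshell|mailshell) mailshell_run "$@"; exit $? ;;
esac
```

Two caveats a practitioner will want: the mailer itself must be configured with its shell-escape feature turned off (elm and pine both have one), otherwise the wrapper only relocates the shell prompt; and because the wrapper is a real, executable program rather than /bin/false, it is what the telnet login runs, so the /etc/shells question that 1stomni raises for /bin/false does not arise for the login path.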