Solved

Restrict Telnet Access

Posted on 1997-07-23
12
2,450 Views
Last Modified: 2013-12-27
I am trying to restrict telnet to certain users.  Running Solaris 2.5.1.  How do you do this?  I have tried the following and it did not seem to work.

>add an entry in /etc/group for telnet users called telnet:
>telnet::30:larry,curly,moe
>chgrp telnet /bin/telnet
>chmod 550 /bin/telnet

Thanks,
0
Comment
Question by:1stomni
12 Comments
 

Expert Comment

by:vkg063097
ID: 2006585
One way is to comment out the telnet service line in /etc/services.
That way nobody can telnet to your machine unless they
specify the port number (23) on the telnet command line:
      telnet host_name 23

Another way is to play around with the .telnetrc file; for more info see
man telnetrc

vinay

0
 
LVL 2

Expert Comment

by:pxh
ID: 2006586
What do you mean, "it did not seem to work" ? Can everybody still use telnet or nobody anymore?

Your method looks perfectly alright to me, by the way.

Peter

0
 
LVL 5

Expert Comment

by:n0thing
ID: 2006587
Hi,

   There isn't really a way to restrict outbound telnet on
your system. The group scheme you use would work, though; however,
it's very easy to copy the telnet binary from another Solaris
system and run it after you restrict the access. The only way
I could see is to force your users into a "restricted environment" using a restricted shell. For more information on how
to set up a restricted shell please check

http://www.saberspace.com/howto/rsh/

   With a restricted shell, you can choose what commands your users may execute.

Good luck,
Minh Lai
0

Author Comment

by:1stomni
ID: 2006588
I will explain a little better.

I am trying to prevent certain users from accessing my web server via
telnet.  We offer virtual hosting and do not want to allow telnet access
to everyone we host.

When I change the shell in the passwd file to /bin/false it stops telnet
access but the user can no longer get their e-mail. Sendmail doesn't
seem to be able to find the user.

I have tried changing the group of /bin/telnet with no luck.  I even
changed the permissions for /bin/telnet to 000 and telnet still works
for all users that have a shell specified in the passwd file.  Shouldn't
this disable telnet completely?

My main goals are:
1) Create user accounts that are e-mail only. No telnet, no ftp, no access except to get their mail.
2) Create user accounts that are FTP only.  No telnet and no e-mail.

Any help would be appreciated.

Thanks,
0
 

Expert Comment

by:sdwix
ID: 2006589
For your email account only, start a popper service and disable the telnet service in the inetd.conf or /etc/services file.  The pop service can be downloaded from qualcomm.  

For no mail, you need to fiddle with the aliases file.  Alias the user name to /dev/null, possibly.

Two other alternatives are to

1) Get an HP box.  They have a security feature in the inetd daemon that allows user restrictions on all the services, including telnet and ftp.

2) Check out the inetd daemon from the Washington University ftp site.  It's the large software repository in, I believe, St. Louis. It's supposed to have improved security features.

Regards,
SDW

0
 

Author Comment

by:1stomni
ID: 2006590
I don't want to disable telnet altogether.

I have solved the FTP issue only with ncftpd ftp software.

Like I said earlier I can disable it by just setting the shell to /bin/false. But when I do this it disables the user from getting his e-mail.  I feel it has something to do with the /etc/shells file.  I have the shell /bin/false in the shells file but it doesn't seem to help.  I'm thinking that it has to do with sendmail looking for a valid shell.

Any ideas?
0
 

Author Comment

by:1stomni
ID: 2006591
Adjusted points to 250
0
 

Expert Comment

by:psmith
ID: 2006592
I may be stating the obvious, but are you sure you are setting permissions on the correct telnet executable (is there more than one on the system)?
0
 
LVL 1

Expert Comment

by:sherwood
ID: 2006593
If you want to restrict telnet as telnet, then turn off port 23
in /etc/services.  This would still allow telnet connections to
the mail server.

If you want to restrict telnet to certain users, then get
tcpwrappers.  This package allows you to restrict access by
port and IP address.  E.g. you can allow telnets from
certain hosts.

If you want to allow restricted actions, look at some form
of restricted shell.


0
 

Author Comment

by:1stomni
ID: 2006594
Response to sherwood:

1) I don't want to restrict telnet completely.  Some hosting accounts have access. So turning off the port for telnet is not an option.  However I am going to change the port number.

2) If I understand TCPwrappers, I would have to know the IP address of users that I want to allow in.  This does not work either because most of my customers use dial-up accounts with their ISPs and the IPs are dynamic.

Doesn't anyone have a server that has e-mail accounts only on a Solaris server?  How do I shut the shell off and still allow users to retrieve their mail?
0
 

Expert Comment

by:rjalex
ID: 2006595
Would hosts.allow (inetd.sec in the case of HP-UX) work for your purposes?  It only secures down to the incoming system name, but it's possible that this would work if there is a one-to-one incoming system/user ratio.
0
 

Accepted Solution

by:
sdwix earned 250 total points
ID: 2006596
Have you tried writing a shell script that throws the user into elm or pine or the email reader of your choice and using the script name as the shell variable in /etc/passwd? After the user exits the mail package, just include the logoff command.
0
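The mail-only login shell sdwix describes, as an added example that is not part of the thread: a captive /bin/sh script that drops the user straight into the mailer and logs out, refusing the "-c command" form and the interrupt keys that would otherwise hand the user a prompt. The install path /usr/local/bin/mailsh and the pine path are assumptions.

```shell
#!/bin/sh
# Captive login shell for mail-only accounts. Install it as, say,
# /usr/local/bin/mailsh (assumed path), list that path in /etc/shells so
# daemons that validate login shells accept it, and put it in the shell
# field of the user's /etc/passwd entry. MAILER is the reader the user
# lands in (assumed path; pine or elm as suggested in the thread).
MAILER="${MAILER:-/usr/local/bin/pine}"

# A login shell may be handed "-c command" by rsh-style access; a captive
# shell must not honour that, or the account is a normal shell after all.
# Returns 0 only when no arguments at all were passed.
captive_args_ok() {
    [ "$#" -eq 0 ]
}

# Fixed, minimal environment so the mailer cannot be steered into a
# subshell through inherited variables.
captive_env() {
    PATH=/usr/bin:/bin
    SHELL=/bin/false
    unset IFS ENV BASH_ENV
    export PATH SHELL
}

captive_main() {
    if ! captive_args_ok "$@"; then
        echo "mail-only account: command execution is not permitted" >&2
        exit 1
    fi
    trap '' INT QUIT TSTP HUP      # ^C, ^\ and ^Z must not drop to a prompt
    captive_env
    "$MAILER"
    exit 0                         # never fall through to an interactive shell
}

# login(1) starts a login shell with argv[0] prefixed by "-"; only then do
# we act. With arguments but no "-" (rsh-style), refuse as well. Run by
# hand with no arguments, the file only defines the functions above.
case "$0" in
    -*) captive_main "$@" ;;
    *)  [ "$#" -eq 0 ] || captive_main "$@" ;;
esac
```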