restricting Telnet out from Solaris 8

Posted on 2004-08-23
Last Modified: 2013-12-27
  Although I am a Solaris admin, I sometimes get stuck on something, especially if the answer is easy. I try to make it too complicated.-:) Here's the problem. I appreciate any help.
1. Sun box named:  sunmain, running ssh   (All boxes on one private IP subnet, half of a class C)
2. Programmers must access sunmain through a VPN connection from another Firewall Server pointed to this box.
3. Programmers have been allowed to Telnet and FTP to other boxes with few restrictions because of this being a development platform. This is a complex system and the programmers are writing in Java and have embedded some process in their framework such that I can't always see what they are doing. syslog is sometimes mysteriously stopped especially over the weekend. No one has root access except for me.
4. Other SUN boxes that they Telnet to face network elements on a live network.
5. I need to restrict telnet and ftp access out of sunmain to only 3 other SUN boxes out of 14 and restrict telnet/ftp access from those 3 boxes to only between the 3 and back to sunmain.
6. I must also find a way to prevent them from connecting to network elements once they are in one of the 3 boxes and I need to restrict them to only the sunmain and the 3 other boxes. Network elements are on another IP range than this private one.
7. Would there be a way to restrict by IPs?
8. I don't think that I am going to be able to restrict them as tightly as I would wish. They are pretty good hackers. I have caught them doing things before that they should not do.
9. The critical part is keeping them from trying to connect to network elements in another IP range. Each element has its own IP address.
10. I also have to let them install simulation software that will replace the function of connecting to network elements.
11. Oracle is also running on 3 of the boxes.

Question by:SteveDallas

Accepted Solution

Nukfror earned 300 total points
ID: 11875496
Welcome to the real world of Admins vs. Smart Users :)

The answer to your questions is a stateful firewall.

Since you didn't really lay out the design of the network in detail, I'll talk to the case of modifying sunmain and nothing else.  In the end, a total solution between all the boxes you reference would be the best, but more information would be needed for that.

You could install a firewall solution on sunmain.   Be that either Sun's firewall, SunScreen, (which I don't particularly care for) or IPFilter (which I very much care for).  Using either firewall, you can restrict out bound traffic in several ways including IP, Subnet, port, etc etc etc.  IPFilter is very easy to setup and maintain.  The only issue I've seen with IPFilter is patches that update the kernel and/or IP stack.  I sometimes had to recompile and reinstall IPFilter after kernel and/or IP stack patches.

If you have root access on the other machines (and the right to update them), you could take this firewall concept to all the machines and setup a rule set on all of them that meets all (or most) of your requirements.

You can get information on IPFilter at
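As an added illustration of the IPFilter approach above (this is not from Nukfror's post or from the IPFilter project), the script below generates and loads a rule set for sunmain that does what the question asks: the network-element range is blocked for every protocol, telnet and ftp are allowed only to the three development boxes, telnet/ftp to anything else is dropped and logged, and all other outbound traffic is left alone. The interface name, addresses, network-element range and rule-file path are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the original thread): build and load an IPFilter
# outbound policy for sunmain.  Interface, addresses and file location are
# assumptions for illustration; adjust them to the real network.
IFACE=hme0                                          # assumed: sunmain's interface on the private subnet
DEVHOSTS="192.168.1.11 192.168.1.12 192.168.1.13"   # assumed: the three permitted SUN boxes
NE_RANGE=10.20.0.0/16                               # assumed: the network-element address range
IPF_CONF=/etc/opt/ipf/ipf.conf                      # assumed: where the Solaris IPFilter package reads rules

# Print the rule set.  IPFilter evaluates rules top to bottom and "quick"
# stops at the first match, so the order below is the policy.
gen_ipf_rules() {
  echo "# sunmain outbound policy (IPFilter), generated by gen_ipf_rules"
  # 1. Network elements are off limits for every protocol; log each attempt.
  echo "block out log quick on $IFACE from any to $NE_RANGE"
  # 2. Telnet (23) and FTP control (21) only to the three dev boxes.
  #    "flags S keep state" lets the replies back in without an inbound rule.
  for h in $DEVHOSTS; do
    echo "pass out quick on $IFACE proto tcp from any to $h/32 port = 23 flags S keep state"
    echo "pass out quick on $IFACE proto tcp from any to $h/32 port = 21 flags S keep state"
  done
  # 3. Telnet or FTP to anywhere else is dropped and logged (read it with ipmon).
  echo "block out log quick on $IFACE proto tcp from any to any port = 23"
  echo "block out log quick on $IFACE proto tcp from any to any port = 21"
  # 4. Everything else (ssh, Oracle listeners, NFS) is left alone but tracked;
  #    this also carries passive-mode FTP data connections to the dev boxes.
  echo "pass out quick on $IFACE all keep state"
  # 5. Inbound is untouched here; active-mode FTP data (from port 20) relies on it.
  echo "pass in quick on $IFACE all"
}

# Write the file, then flush the active rules and load the new set (root only).
install_rules() {
  gen_ipf_rules > "$IPF_CONF.new" && mv "$IPF_CONF.new" "$IPF_CONF" || return 1
  ipf -Fa -f "$IPF_CONF" && ipfstat -o          # -o: show the outbound rules now live
}

case "${1-}" in
  install) install_rules ;;
  *)       gen_ipf_rules ;;                    # default: print the rules for review
esac
```

Run it without arguments to review the rules, then `sh ipf-policy.sh install` as root. Two practical points: the `log` keyword only helps if `ipmon` is running, and since the programmers have been killing syslog, `ipmon -D /var/adm/ipf.log` into a root-only file is safer than relying on `ipmon -s`. And these rules on sunmain alone still let someone hop from one of the three dev boxes to a network element, so the same rule set (with sunmain and the other two dev boxes as the allowed hosts) belongs on each of the three boxes as well, which is the per-machine approach described above.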

Assisted Solution

PsiCop earned 200 total points
ID: 11876323
Hey, Steve Dallas. Law career didn't work out, hmm? :-)

Nukfror has given you one way to do this. It's perfectly valid. But, as Spock once observed, there are always alternatives.

You could write a wrapper script that would disallow blank telnet command-line parameters and only permit certain command-line parameter strings. This is not foolproof, though, as the user can always escape to the telnet command prompt, close the existing session and then open a new one to wherever they want.

Another way to attack this would be TCP Wrappers. You could restrict the ability of telnet sessions on sunmain to get to other than selected hosts.

Good luck trying to corral a buncha UNIX programmers - sounds like herding cats.
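An added worked version of the wrapper-script idea (this is example code, not PsiCop's or anyone else's from the thread). It refuses a blank host, refuses any host not on an allow list, logs every attempt, and closes the escape-to-prompt hole PsiCop mentions by passing Solaris telnet's `-E` flag, which disables the escape character so a running session cannot be dropped to the `telnet>` prompt and re-pointed elsewhere. The path of the real binary and the host names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread): a wrapper installed as
# /usr/bin/telnet that only lets allow-listed hosts through.  Paths and
# host names are assumptions for illustration.
REAL_TELNET=/usr/lib/telnet.real   # assumed: the real binary, moved here with mode 0555
ALLOWED="sunmain dev1 dev2 dev3 192.168.1.11 192.168.1.12 192.168.1.13"   # assumed

# Print the host operand from a telnet command line, skipping options.
# -l, -e and -n take an argument of their own and must not be mistaken
# for the host.  Fails (and prints nothing) when no host was given.
parse_host() {
  while [ $# -gt 0 ]; do
    case "$1" in
      -l|-e|-n) [ $# -ge 2 ] || return 1; shift 2 ;;
      -*)       shift ;;
      *)        echo "$1"; return 0 ;;
    esac
  done
  return 1
}

# 0 if $1 is on the allow list.  A blank host fails too: a bare "telnet"
# would land on the telnet> prompt, from which "open anyhost" works.
telnet_allowed() {
  [ -n "$1" ] || return 1
  for h in $ALLOWED; do
    [ "$1" = "$h" ] && return 0
  done
  return 1
}

main() {
  host=`parse_host "$@"` || host=
  if telnet_allowed "$host"; then
    logger -p auth.notice -t telnet-wrapper "user=$LOGNAME allowed host=$host args='$*'"
    # -E disables the escape character, so the session cannot be dropped
    # to the telnet> prompt and re-pointed at another host.
    exec "$REAL_TELNET" -E "$@"
  fi
  logger -p auth.warning -t telnet-wrapper "user=$LOGNAME DENIED host='$host' args='$*'"
  echo "telnet: connections to '$host' are not permitted from this system" >&2
  exit 1
}

# Act as the wrapper only when invoked under the telnet name; sourcing the
# file (for example to test the functions) just defines them.
case "$0" in */telnet|telnet) main "$@" ;; esac
```

Install with `mv /usr/bin/telnet /usr/lib/telnet.real`, copy the script to `/usr/bin/telnet`, and `chmod 555` both. The limitation to keep in mind: the wrapper runs with the user's own privileges, so the real binary has to stay executable by them and can be called directly, and a group writing Java can open a `Socket` to port 23 in a few lines anyway. The wrapper gives you an audit trail and stops casual misuse; the packet filter is the control.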

Expert Comment

ID: 11876409
Of course, if you're cruel, you do BOTH the shell script AND one of the other methods. Some programmer will think he sees a way around your restriction and will call his buddies over to show them his prowess. And if you have the requisite logging turned on, you'll know who did it, and can then go visit them a day or so later (wait so they think that one of their buddies turned them in).

Gads, I used to love being THE sysadmin. Making users paranoid was always such sport..... :-)

Expert Comment

ID: 11877504
Oh ... one more thing ... if ssh is allowed out of sunmain and ssh forwarding is allowed to/from all hosts ... then all bets are off.  Assuming ssh is allowed out of a server and a remote host allows ssh in *and* forwarding is left on, it's very difficult to block a user from creating an ssh tunnel to do various TCP protocols without your knowledge and right through your existing controls.

Expert Comment

ID: 11877744
Ah, good point. Definitely turn off port forwarding in the sshd configuration.
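An added check for the point raised in the two comments above (example code, not from the thread or from OpenSSH). The trap with `sshd_config` is that `AllowTcpForwarding` defaults to `yes`, so a file that never mentions it leaves tunnelling enabled; the script reports the effective value, honouring sshd's first-match rule and its compiled-in defaults. The config path is an assumption.

```shell
#!/bin/sh
# Added example (not from the original thread): report the effective
# forwarding settings of an OpenSSH sshd_config.  Usage:
#   sh sshd-fwd-check.sh /etc/ssh/sshd_config   (path is an assumption)

# Print the effective value of keyword $2 in file $1, lower-cased.
# sshd takes the FIRST uncommented occurrence of a keyword; if it is
# absent the compiled-in default $3 applies.
sshd_effective() {
  want=`echo "$2" | tr 'A-Z' 'a-z'`
  while read key val rest; do
    case "$key" in ''|\#*) continue ;; esac      # skip blank lines and comments
    k=`echo "$key" | tr 'A-Z' 'a-z'`
    if [ "$k" = "$want" ]; then
      echo "$val" | tr 'A-Z' 'a-z'
      return 0
    fi
  done < "$1"
  echo "$3"                                      # keyword absent: default applies
}

# 0 only when TCP forwarding is explicitly off in the file.
check_sshd_forwarding() {
  v=`sshd_effective "$1" AllowTcpForwarding yes`
  [ "$v" = "no" ]
}

report() {
  f=$1
  tcp=`sshd_effective "$f" AllowTcpForwarding yes`
  gw=`sshd_effective "$f" GatewayPorts no`
  x11=`sshd_effective "$f" X11Forwarding no`
  echo "AllowTcpForwarding: $tcp (default yes)"
  echo "GatewayPorts:       $gw (default no)"
  echo "X11Forwarding:      $x11 (default no)"
  if check_sshd_forwarding "$f"; then
    echo "OK: ssh -L/-R tunnels through this sshd are refused"
  else
    echo "WARNING: users can tunnel arbitrary TCP through this host's sshd" >&2
    return 1
  fi
}

if [ $# -gt 0 ]; then
  report "$1"
fi
```

Add `AllowTcpForwarding no` to the file, send sshd a HUP, and re-run the check. Note where the setting has to live: `ssh -L` from sunmain is refused by the *server* it connects to, so the three development boxes (and anything else the programmers can ssh into) need it, not only sunmain. And as with the telnet wrapper, a user with a shell on a box can run their own relay in Java instead of asking sshd for a tunnel, so the forwarding setting removes the convenient path while the packet filter on each box remains the actual boundary.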

Author Comment

ID: 11887200
Hi, Thanks for the valuable feedback. My kernel was in "panic" state. -:) I had this dumped on me and they wanted it yesterday. I have opted to go with the ipfilter. I had a copy of Sunscreen here but it is such a mess to set up. I had been down that road before on another project. I have installed ipfilter on an identical test machine. I was concerned about just putting it on the main boxes without a thorough test. I already have TCP Wrappers installed on sunmain, the programmers' access point. I am also going to do the shell script! -:) This programming group has been caught trying to hack the boxes several times, so I am paranoid about security, as the company is too. The company runs scans, password crackers and tries to break into all of the boxes every quarter, so I have them locked down as tight as possible. I am going to implement what you mentioned but I now have time to play with ipfilter on the test box a while first. The decision has been made not to let the programmers back in for now. This is all stuff I should have thought about but I was side-tracked writing code lately.
