Solved

restricting Telnet out from Soalris 8

Posted on 2004-08-23
6
305 Views
Last Modified: 2013-12-27
Hi,
  Although I am a Solaris admin, I sometimes get stuck on something, especially if the answer is easy. I try to make it too complicated.-:) Here's the problem. I appreciate any help.
1. Sun box named:  sunmain, running ssh   (All boxes on one private IP subnet, half of a class C)
2. Programmers must access sunmain through a VPN connection from another Firewall Server pointed to this box.
3. Programmers have been allowed to Telnet and FTP to other boxes with few restrictions because of this being a development platform. This is a complex system and the programmers are writing in Java and have embedded some process in their framework such that I can't always see what they are doing. syslog is sometimes mysteriously stopped especially over the weekend. No one has root access except for me.
4. Other SUN boxes that they Telnet to, face Network elements on a live network.
5. I need to restrict telnet and ftp access out of sunmain to only 3 other SUN boxes out of 14 and restrict telnet/ftp access from those 3 boxes to only between the 3 and abck to sunmain.
6. I must also find a way to prevent them from connecting to network elements once they are in one of the 3 boxes and I need to restrict them to only the sunmain and the 3 other boxes. Network elements are on another IP range than this private one.
7. Would there be a way to restrict by IPs?
8. I don't think that I am going to be able to restrict them as tightly as I would wish. They are pretty good hackers. I have caught them doing things before that they should not do.
9. The critical part is keeping them from trying to connect to network elements in another IP range. Each element has it's own IP address.
10. I also have to let them install simulation software that will replace the function of connecting to network elements.
11. Oracle is also running on 3 of the boxes.
Thanks,
Steve

0
Comment
Question by:SteveDallas
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
6 Comments
 
LVL 10

Accepted Solution

by:
Nukfror earned 300 total points
ID: 11875496
Welcome to the real world of Admins vs. Smart Users :)

The answer to your questions is a stateful firewall.

Since you didn't really lay out the design of the network in detail, I'll talk to the case of modifying sunmain and nothing else.  In the end of total solution between all the boxes you reference would be the best but more information would be needed for that.

You could install a firewall solution on sunmain.   Be that either Sun's firewall, SunScreen, (which I don't particularly care for) or IPFilter (which I very much care for).  Using either firewall, you can restrict out bound traffic in several ways including IP, Subnet, port, etc etc etc.  IPFilter is very easy to setup and maintain.  The only issue I've seen with IPFilter is patches that update the kernel and/or IP stack.  I sometimes had to recompile and reinstall IPFilter after kernel and/or IP stack patches.

If you have root access on the other machines (and the right to update them), you could take this firewall concept to all the machines and setup a rule set on all of them that meets all (or most) of your requirements.

You can get information on IPFilter at http://cheops.anu.edu.au/~avalon/ip-filter.html
0
 
LVL 34

Assisted Solution

by:PsiCop
PsiCop earned 200 total points
ID: 11876323
Hey, Steve Dallas. Law career didn't work out, hmm? :-)

Nukfror has given you one way to do this. Its perfectly valid. But, as Spock once observed, there are always alternatives.

You could write a wrapper script that would disallow blank telnet command-line parameters and only permit certain command-line parameter strings. This is not foolproof, tho, as the user can always escape to the telnet command prompt, close the existing session and then open a new one to wherever they want.

Another way to attack this would be TCP Wrappers. You could restrict the ability of telnet sessions on sunmain to get to other than selected hosts. ftp://ftp.porcupine.org/pub/security/tcp_wrappers_7.6.tar.gz

Good luck trying to corral a buncha UNIX programmers - sounds like herding cats.
0
 
LVL 34

Expert Comment

by:PsiCop
ID: 11876409
Of course, if you're cruel, you do BOTH the shell script AND one of the other methods. Some programmer will think he sees a way around your restriction and will call his buddies over to show them his prowness. And if you have the requisite logging turned on, you'll know who did it, and can then go visit them a day or so later (wait so they think that one of their buddies turned them in).

Gads, I used to love being THE sysadmin. Making users paranoid was always such sport..... :-)
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 10

Expert Comment

by:Nukfror
ID: 11877504
Oh ... one more thing ... if ssh is allowed out of sunmain and ssh forwarding is allowed to/from all hosts ... then all bets are off.  Assuming sshis allowed out of a server and a remote host allows ssh in *and* forwarding is left on, its very difficult to block a user from creating a ssh tunnel to do various TCP protocols without your knowledge and right through your existing controls.
0
 
LVL 34

Expert Comment

by:PsiCop
ID: 11877744
Ah, good point. Definitely turn off port fowarding in the sshd configuration.
0
 
LVL 2

Author Comment

by:SteveDallas
ID: 11887200
Hi, Thanks for the valuable feedback. My kernel was in "panic" state. -:) I had this dumped on me and they wanted it yesterday. I have opted to go with the ipfilter. I had a copy of Sunscreen here but it is such a mess to set up. I had been down that road before on another project. I have installed ipfilter on an indentical test machine. I was concerned about just putting on the main boxes without a thorough test. I already have TCPWrappers installed on sunmain, the programmers access point. I am also going to do the Shell script! -:) This programming group has been caught trying to hack the boxes several times, so I am paranoid about security as the company is too. The company runs scans, password crackers and tries to break into all of the boxes every quarter, so I have them locked down as tight as possible. I am going to implement what you mentioned but I now have time to play with ipfilter on the test box a while first. The decision has been made Not to let the programmers back in for now. This is all stuff I should have thought about but I was side tracked writing code lately.
Thanks,
Steve
0

Featured Post

Announcing the Most Valuable Experts of 2016

MVEs are more concerned with the satisfaction of those they help than with the considerable points they can earn. They are the types of people you feel privileged to call colleagues. Join us in honoring this amazing group of Experts.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
llcommand 6 111
Need a version of telnet and/or ssh that supports tcp wrappers on AIX 5.1 16 112
add some character at the end of line in vi 7 136
aix unix tar error 3 89
Let's say you need to move the data of a file system from one partition to another. This generally involves dismounting the file system, backing it up to tapes, and restoring it to a new partition. You may also copy the file system from one place to…
My previous tech tip, Installing the Solaris OS From the Flash Archive On a Tape (http://www.experts-exchange.com/articles/OS/Unix/Solaris/Installing-the-Solaris-OS-From-the-Flash-Archive-on-a-Tape.html), discussed installing the Solaris Operating S…
Learn how to find files with the shell using the find and locate commands. Use locate to find a needle in a haystack.: With locate, check if the file still exists.: Use find to get the actual location of the file.:
This video shows how to set up a shell script to accept a positional parameter when called, pass that to a SQL script, accept the output from the statement back and then manipulate it in the Shell.
Suggested Courses

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question