Celebrate National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

restricting Telnet out from Soalris 8

Posted on 2004-08-23
6
Medium Priority
?
312 Views
Last Modified: 2013-12-27
Hi,
  Although I am a Solaris admin, I sometimes get stuck on something, especially if the answer is easy. I try to make it too complicated.-:) Here's the problem. I appreciate any help.
1. Sun box named:  sunmain, running ssh   (All boxes on one private IP subnet, half of a class C)
2. Programmers must access sunmain through a VPN connection from another Firewall Server pointed to this box.
3. Programmers have been allowed to Telnet and FTP to other boxes with few restrictions because of this being a development platform. This is a complex system and the programmers are writing in Java and have embedded some process in their framework such that I can't always see what they are doing. syslog is sometimes mysteriously stopped especially over the weekend. No one has root access except for me.
4. Other SUN boxes that they Telnet to, face Network elements on a live network.
5. I need to restrict telnet and ftp access out of sunmain to only 3 other SUN boxes out of 14 and restrict telnet/ftp access from those 3 boxes to only between the 3 and abck to sunmain.
6. I must also find a way to prevent them from connecting to network elements once they are in one of the 3 boxes and I need to restrict them to only the sunmain and the 3 other boxes. Network elements are on another IP range than this private one.
7. Would there be a way to restrict by IPs?
8. I don't think that I am going to be able to restrict them as tightly as I would wish. They are pretty good hackers. I have caught them doing things before that they should not do.
9. The critical part is keeping them from trying to connect to network elements in another IP range. Each element has it's own IP address.
10. I also have to let them install simulation software that will replace the function of connecting to network elements.
11. Oracle is also running on 3 of the boxes.
Thanks,
Steve

0
Comment
Question by:SteveDallas
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
6 Comments
 
LVL 10

Accepted Solution

by:
Nukfror earned 1200 total points
ID: 11875496
Welcome to the real world of Admins vs. Smart Users :)

The answer to your questions is a stateful firewall.

Since you didn't really lay out the design of the network in detail, I'll talk to the case of modifying sunmain and nothing else.  In the end of total solution between all the boxes you reference would be the best but more information would be needed for that.

You could install a firewall solution on sunmain.   Be that either Sun's firewall, SunScreen, (which I don't particularly care for) or IPFilter (which I very much care for).  Using either firewall, you can restrict out bound traffic in several ways including IP, Subnet, port, etc etc etc.  IPFilter is very easy to setup and maintain.  The only issue I've seen with IPFilter is patches that update the kernel and/or IP stack.  I sometimes had to recompile and reinstall IPFilter after kernel and/or IP stack patches.

If you have root access on the other machines (and the right to update them), you could take this firewall concept to all the machines and setup a rule set on all of them that meets all (or most) of your requirements.

You can get information on IPFilter at http://cheops.anu.edu.au/~avalon/ip-filter.html
0
 
LVL 34

Assisted Solution

by:PsiCop
PsiCop earned 800 total points
ID: 11876323
Hey, Steve Dallas. Law career didn't work out, hmm? :-)

Nukfror has given you one way to do this. Its perfectly valid. But, as Spock once observed, there are always alternatives.

You could write a wrapper script that would disallow blank telnet command-line parameters and only permit certain command-line parameter strings. This is not foolproof, tho, as the user can always escape to the telnet command prompt, close the existing session and then open a new one to wherever they want.

Another way to attack this would be TCP Wrappers. You could restrict the ability of telnet sessions on sunmain to get to other than selected hosts. ftp://ftp.porcupine.org/pub/security/tcp_wrappers_7.6.tar.gz

Good luck trying to corral a buncha UNIX programmers - sounds like herding cats.
0
 
LVL 34

Expert Comment

by:PsiCop
ID: 11876409
Of course, if you're cruel, you do BOTH the shell script AND one of the other methods. Some programmer will think he sees a way around your restriction and will call his buddies over to show them his prowness. And if you have the requisite logging turned on, you'll know who did it, and can then go visit them a day or so later (wait so they think that one of their buddies turned them in).

Gads, I used to love being THE sysadmin. Making users paranoid was always such sport..... :-)
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 10

Expert Comment

by:Nukfror
ID: 11877504
Oh ... one more thing ... if ssh is allowed out of sunmain and ssh forwarding is allowed to/from all hosts ... then all bets are off.  Assuming sshis allowed out of a server and a remote host allows ssh in *and* forwarding is left on, its very difficult to block a user from creating a ssh tunnel to do various TCP protocols without your knowledge and right through your existing controls.
0
 
LVL 34

Expert Comment

by:PsiCop
ID: 11877744
Ah, good point. Definitely turn off port fowarding in the sshd configuration.
0
 
LVL 2

Author Comment

by:SteveDallas
ID: 11887200
Hi, Thanks for the valuable feedback. My kernel was in "panic" state. -:) I had this dumped on me and they wanted it yesterday. I have opted to go with the ipfilter. I had a copy of Sunscreen here but it is such a mess to set up. I had been down that road before on another project. I have installed ipfilter on an indentical test machine. I was concerned about just putting on the main boxes without a thorough test. I already have TCPWrappers installed on sunmain, the programmers access point. I am also going to do the Shell script! -:) This programming group has been caught trying to hack the boxes several times, so I am paranoid about security as the company is too. The company runs scans, password crackers and tries to break into all of the boxes every quarter, so I have them locked down as tight as possible. I am going to implement what you mentioned but I now have time to play with ipfilter on the test box a while first. The decision has been made Not to let the programmers back in for now. This is all stuff I should have thought about but I was side tracked writing code lately.
Thanks,
Steve
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Hello fellow BSD lovers, I've created a patch process for patching openjdk6 for BSD (FreeBSD specifically), although I tried to keep all BSD versions in mind when creating my patch. Welcome to OpenJDK6 on BSD First let me start with a little …
FreeBSD on EC2 FreeBSD (https://www.freebsd.org) is a robust Unix-like operating system that has been around for many years. FreeBSD is available on Amazon EC2 through Amazon Machine Images (AMIs) provided by FreeBSD developer and security office…
Learn how to find files with the shell using the find and locate commands. Use locate to find a needle in a haystack.: With locate, check if the file still exists.: Use find to get the actual location of the file.:
Learn how to navigate the file tree with the shell. Use pwd to print the current working directory: Use ls to list a directory's contents: Use cd to change to a new directory: Use wildcards instead of typing out long directory names: Use ../ to move…
Suggested Courses

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question