Solved

restricting Telnet out from Soalris 8

Posted on 2004-08-23
6
290 Views
Last Modified: 2013-12-27
Hi,
  Although I am a Solaris admin, I sometimes get stuck on something, especially if the answer is easy. I try to make it too complicated.-:) Here's the problem. I appreciate any help.
1. Sun box named:  sunmain, running ssh   (All boxes on one private IP subnet, half of a class C)
2. Programmers must access sunmain through a VPN connection from another Firewall Server pointed to this box.
3. Programmers have been allowed to Telnet and FTP to other boxes with few restrictions because of this being a development platform. This is a complex system and the programmers are writing in Java and have embedded some process in their framework such that I can't always see what they are doing. syslog is sometimes mysteriously stopped especially over the weekend. No one has root access except for me.
4. Other SUN boxes that they Telnet to, face Network elements on a live network.
5. I need to restrict telnet and ftp access out of sunmain to only 3 other SUN boxes out of 14 and restrict telnet/ftp access from those 3 boxes to only between the 3 and abck to sunmain.
6. I must also find a way to prevent them from connecting to network elements once they are in one of the 3 boxes and I need to restrict them to only the sunmain and the 3 other boxes. Network elements are on another IP range than this private one.
7. Would there be a way to restrict by IPs?
8. I don't think that I am going to be able to restrict them as tightly as I would wish. They are pretty good hackers. I have caught them doing things before that they should not do.
9. The critical part is keeping them from trying to connect to network elements in another IP range. Each element has it's own IP address.
10. I also have to let them install simulation software that will replace the function of connecting to network elements.
11. Oracle is also running on 3 of the boxes.
Thanks,
Steve

0
Comment
Question by:SteveDallas
  • 3
  • 2
6 Comments
 
LVL 10

Accepted Solution

by:
Nukfror earned 300 total points
Comment Utility
Welcome to the real world of Admins vs. Smart Users :)

The answer to your questions is a stateful firewall.

Since you didn't really lay out the design of the network in detail, I'll talk to the case of modifying sunmain and nothing else.  In the end of total solution between all the boxes you reference would be the best but more information would be needed for that.

You could install a firewall solution on sunmain.   Be that either Sun's firewall, SunScreen, (which I don't particularly care for) or IPFilter (which I very much care for).  Using either firewall, you can restrict out bound traffic in several ways including IP, Subnet, port, etc etc etc.  IPFilter is very easy to setup and maintain.  The only issue I've seen with IPFilter is patches that update the kernel and/or IP stack.  I sometimes had to recompile and reinstall IPFilter after kernel and/or IP stack patches.

If you have root access on the other machines (and the right to update them), you could take this firewall concept to all the machines and setup a rule set on all of them that meets all (or most) of your requirements.

You can get information on IPFilter at http://cheops.anu.edu.au/~avalon/ip-filter.html
0
 
LVL 34

Assisted Solution

by:PsiCop
PsiCop earned 200 total points
Comment Utility
Hey, Steve Dallas. Law career didn't work out, hmm? :-)

Nukfror has given you one way to do this. Its perfectly valid. But, as Spock once observed, there are always alternatives.

You could write a wrapper script that would disallow blank telnet command-line parameters and only permit certain command-line parameter strings. This is not foolproof, tho, as the user can always escape to the telnet command prompt, close the existing session and then open a new one to wherever they want.

Another way to attack this would be TCP Wrappers. You could restrict the ability of telnet sessions on sunmain to get to other than selected hosts. ftp://ftp.porcupine.org/pub/security/tcp_wrappers_7.6.tar.gz

Good luck trying to corral a buncha UNIX programmers - sounds like herding cats.
0
 
LVL 34

Expert Comment

by:PsiCop
Comment Utility
Of course, if you're cruel, you do BOTH the shell script AND one of the other methods. Some programmer will think he sees a way around your restriction and will call his buddies over to show them his prowness. And if you have the requisite logging turned on, you'll know who did it, and can then go visit them a day or so later (wait so they think that one of their buddies turned them in).

Gads, I used to love being THE sysadmin. Making users paranoid was always such sport..... :-)
0
Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

 
LVL 10

Expert Comment

by:Nukfror
Comment Utility
Oh ... one more thing ... if ssh is allowed out of sunmain and ssh forwarding is allowed to/from all hosts ... then all bets are off.  Assuming sshis allowed out of a server and a remote host allows ssh in *and* forwarding is left on, its very difficult to block a user from creating a ssh tunnel to do various TCP protocols without your knowledge and right through your existing controls.
0
 
LVL 34

Expert Comment

by:PsiCop
Comment Utility
Ah, good point. Definitely turn off port fowarding in the sshd configuration.
0
 
LVL 2

Author Comment

by:SteveDallas
Comment Utility
Hi, Thanks for the valuable feedback. My kernel was in "panic" state. -:) I had this dumped on me and they wanted it yesterday. I have opted to go with the ipfilter. I had a copy of Sunscreen here but it is such a mess to set up. I had been down that road before on another project. I have installed ipfilter on an indentical test machine. I was concerned about just putting on the main boxes without a thorough test. I already have TCPWrappers installed on sunmain, the programmers access point. I am also going to do the Shell script! -:) This programming group has been caught trying to hack the boxes several times, so I am paranoid about security as the company is too. The company runs scans, password crackers and tries to break into all of the boxes every quarter, so I have them locked down as tight as possible. I am going to implement what you mentioned but I now have time to play with ipfilter on the test box a while first. The decision has been made Not to let the programmers back in for now. This is all stuff I should have thought about but I was side tracked writing code lately.
Thanks,
Steve
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

A metadevice consists of one or more devices (slices). It can be expanded by adding slices. Then, it can be grown to fill a larger space while the file system is in use. However, not all UNIX file systems (UFS) can be expanded this way. The conca…
Installing FreeBSD… FreeBSD is a darling of an operating system. The stability and usability make it a clear choice for servers and desktops (for the cunning). Savvy?  The Ports collection makes available every popular FOSS application and packag…
Learn several ways to interact with files and get file information from the bash shell. ls lists the contents of a directory: Using the -a flag displays hidden files: Using the -l flag formats the output in a long list: The file command gives us mor…
Learn how to get help with Linux/Unix bash shell commands. Use help to read help documents for built in bash shell commands.: Use man to interface with the online reference manuals for shell commands.: Use man to search man pages for unknown command…

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now