Solved

restricting Telnet out from Soalris 8

Posted on 2004-08-23
6
294 Views
Last Modified: 2013-12-27
Hi,
  Although I am a Solaris admin, I sometimes get stuck on something, especially if the answer is easy. I try to make it too complicated.-:) Here's the problem. I appreciate any help.
1. Sun box named:  sunmain, running ssh   (All boxes on one private IP subnet, half of a class C)
2. Programmers must access sunmain through a VPN connection from another Firewall Server pointed to this box.
3. Programmers have been allowed to Telnet and FTP to other boxes with few restrictions because of this being a development platform. This is a complex system and the programmers are writing in Java and have embedded some process in their framework such that I can't always see what they are doing. syslog is sometimes mysteriously stopped especially over the weekend. No one has root access except for me.
4. Other SUN boxes that they Telnet to, face Network elements on a live network.
5. I need to restrict telnet and ftp access out of sunmain to only 3 other SUN boxes out of 14 and restrict telnet/ftp access from those 3 boxes to only between the 3 and abck to sunmain.
6. I must also find a way to prevent them from connecting to network elements once they are in one of the 3 boxes and I need to restrict them to only the sunmain and the 3 other boxes. Network elements are on another IP range than this private one.
7. Would there be a way to restrict by IPs?
8. I don't think that I am going to be able to restrict them as tightly as I would wish. They are pretty good hackers. I have caught them doing things before that they should not do.
9. The critical part is keeping them from trying to connect to network elements in another IP range. Each element has it's own IP address.
10. I also have to let them install simulation software that will replace the function of connecting to network elements.
11. Oracle is also running on 3 of the boxes.
Thanks,
Steve

0
Comment
Question by:SteveDallas
  • 3
  • 2
6 Comments
 
LVL 10

Accepted Solution

by:
Nukfror earned 300 total points
ID: 11875496
Welcome to the real world of Admins vs. Smart Users :)

The answer to your questions is a stateful firewall.

Since you didn't really lay out the design of the network in detail, I'll talk to the case of modifying sunmain and nothing else.  In the end of total solution between all the boxes you reference would be the best but more information would be needed for that.

You could install a firewall solution on sunmain.   Be that either Sun's firewall, SunScreen, (which I don't particularly care for) or IPFilter (which I very much care for).  Using either firewall, you can restrict out bound traffic in several ways including IP, Subnet, port, etc etc etc.  IPFilter is very easy to setup and maintain.  The only issue I've seen with IPFilter is patches that update the kernel and/or IP stack.  I sometimes had to recompile and reinstall IPFilter after kernel and/or IP stack patches.

If you have root access on the other machines (and the right to update them), you could take this firewall concept to all the machines and setup a rule set on all of them that meets all (or most) of your requirements.

You can get information on IPFilter at http://cheops.anu.edu.au/~avalon/ip-filter.html
0
 
LVL 34

Assisted Solution

by:PsiCop
PsiCop earned 200 total points
ID: 11876323
Hey, Steve Dallas. Law career didn't work out, hmm? :-)

Nukfror has given you one way to do this. Its perfectly valid. But, as Spock once observed, there are always alternatives.

You could write a wrapper script that would disallow blank telnet command-line parameters and only permit certain command-line parameter strings. This is not foolproof, tho, as the user can always escape to the telnet command prompt, close the existing session and then open a new one to wherever they want.

Another way to attack this would be TCP Wrappers. You could restrict the ability of telnet sessions on sunmain to get to other than selected hosts. ftp://ftp.porcupine.org/pub/security/tcp_wrappers_7.6.tar.gz

Good luck trying to corral a buncha UNIX programmers - sounds like herding cats.
0
 
LVL 34

Expert Comment

by:PsiCop
ID: 11876409
Of course, if you're cruel, you do BOTH the shell script AND one of the other methods. Some programmer will think he sees a way around your restriction and will call his buddies over to show them his prowness. And if you have the requisite logging turned on, you'll know who did it, and can then go visit them a day or so later (wait so they think that one of their buddies turned them in).

Gads, I used to love being THE sysadmin. Making users paranoid was always such sport..... :-)
0
Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

 
LVL 10

Expert Comment

by:Nukfror
ID: 11877504
Oh ... one more thing ... if ssh is allowed out of sunmain and ssh forwarding is allowed to/from all hosts ... then all bets are off.  Assuming sshis allowed out of a server and a remote host allows ssh in *and* forwarding is left on, its very difficult to block a user from creating a ssh tunnel to do various TCP protocols without your knowledge and right through your existing controls.
0
 
LVL 34

Expert Comment

by:PsiCop
ID: 11877744
Ah, good point. Definitely turn off port fowarding in the sshd configuration.
0
 
LVL 2

Author Comment

by:SteveDallas
ID: 11887200
Hi, Thanks for the valuable feedback. My kernel was in "panic" state. -:) I had this dumped on me and they wanted it yesterday. I have opted to go with the ipfilter. I had a copy of Sunscreen here but it is such a mess to set up. I had been down that road before on another project. I have installed ipfilter on an indentical test machine. I was concerned about just putting on the main boxes without a thorough test. I already have TCPWrappers installed on sunmain, the programmers access point. I am also going to do the Shell script! -:) This programming group has been caught trying to hack the boxes several times, so I am paranoid about security as the company is too. The company runs scans, password crackers and tries to break into all of the boxes every quarter, so I have them locked down as tight as possible. I am going to implement what you mentioned but I now have time to play with ipfilter on the test box a while first. The decision has been made Not to let the programmers back in for now. This is all stuff I should have thought about but I was side tracked writing code lately.
Thanks,
Steve
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

When you do backups in the Solaris Operating System, the file system must be inactive. Otherwise, the output may be inconsistent. A file system is inactive when it's unmounted or it's write-locked by the operating system. Although the fssnap utility…
I promised to write further about my project, and here I am.  First, I needed to setup the Primary Server.  You can read how in this article: Setup FreeBSD Server with full HDD encryption (http://www.experts-exchange.com/OS/Unix/BSD/FreeBSD/A_3660-S…
Learn how to find files with the shell using the find and locate commands. Use locate to find a needle in a haystack.: With locate, check if the file still exists.: Use find to get the actual location of the file.:
In a previous video, we went over how to export a DynamoDB table into Amazon S3.  In this video, we show how to load the export from S3 into a DynamoDB table.

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

23 Experts available now in Live!

Get 1:1 Help Now