SUMMARY: limiting 'telnet' access to a station

From: Joel L. Seber ... CH210 (JLS2013@TNTECH.BITNET)
Date: Sat Oct 24 1992 - 05:34:08 CDT


Thanks for all the great help! My original query:
 
 
*******************************
 
Setup: Sparcstation 1+, SUNOS 4.1.1, no patches, two ethernet interfaces,
        NIS on my local network
 
I have a SS 1+ acting as a router to our campus network from my network. I
urgently need to limit external 'telnet' access from the campus network into
my network to authorized personnel. I RTFM and did not discover a file like
'/etc/ftpusers' for 'telnet'. That would have been the best solution. I
also realize I could put local '/etc/passwd' entries in for the authorized
people, but I have two classes of people using that station: people who use
it locally in a lab and those who should be able to get in from outside, so
the password file will be my last resort. (I do realize that having a
system used as a router and a local station is not the best situation, but I
have limited resources and must use it this way.)
 
My question then: Is there a way to restrict external 'telnet' access to
a list of authorized users? The solution does not have to be limited to
existing components in SUNOS.
 
Please reply to me directly and I will summarize.
 
*************************************
 
The summary:
 
Almost all 10 responses to date pointed me in the direction of the 'log_tcp'
TCP/IP wrapper package. I had in fact gotten it from a respondant (Gene
Rackow, rackow@antares.mcs.anl.gov) from my last question, the infamous
'execl' question... I didn't think about it much at the time, because my
problem was solved rather quickly by him and others. When I posted this
problem and got a few replies about this package, I tried it. As things
turned out, it didn't quite fix everything...
 
We are not running Domain Name Services (DNS) yet, but will be in the
future. Till we do, the 'log_tcp' program could only receive the numeric IP
address of the sender, which did not give me the username of the person
attempting to log in. As 'log_tcp' allows a compiler option to allow/deny
access to a user and optionally execute a shell script before the daemon is
activated, I then wrote a shell script (with privs 700) to check who logged
in and kill his/her processes within 1 second of successful login. I know
this is crude, but it does just what we need. Here is the script (it most
likely could be written better):
 
#!/bin/csh -b
#
@ mytimer = 0
while ( $mytimer < 60 ) # try this for a minute...
        sleep 1
        set remusers = ( `/bin/who | /bin/awk 'NF == 6 && /\([0-9]*\./ {print $1
   }' ` )
        foreach curruser ( $remusers )
                if ( `/bin/grep -i $remusers /etc/people.allow` != $curruser ) t
   hen
                        if ( ( $curruser != root ) && ( $curruser != bin ) ) the
   n
                                # 'zap' is local; just pulls all PIDs for the
                                # user with grep & kill -9's them
                                /usr/local/bin/zap $curruser
                        endif
                endif
        end
@ mytimer += 1
end
 
# the end...
 
The software is available from ftp.win.tue.nl:/pub/security/log_tcp.shar.Z or
cert.sei.cmu.edu:/pub/network_tools/tcp_wrapper.shar (PLEASE NOTE: I got
these addresses from one of the posts... it was sent to me by Mr. Rackow).
 
Much thanks and special kudos to:
 
rrussell@ag.auburn.edu Ronald C. Russell
jdavis@noao.edu Jim Davis
higgins@math.niu.edu E. Gregory Higgins
john.barlow@anu.edu.au John Barlow
frankm@shadow.cna.tek.com Frank 'Scruff' Miller
petter@teleserve.no Petter Moe (THANKS for the alt.security
                                        FAQ!!!)
antonson@software.org Todd S. Antonson
fritchie@stolaf.edu Scott Fritchie
grimm@urz.unibas.ch Stefan Grimm
katzung@lisle.swissbank.com Brian Katzung
 
 
Joel L. Seber | Dry humor is wasted around here.
SUN Workstation Laboratory Manager |
Center for Manufacturing Research | -Joel L. Seber
      and Technology Utilization |
Tennessee Technological University | recursive, adj.
Cookeville, TN 38505 | See 'recursive'
                                        |
jls2013@tntech.edu |
 



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:06:51 CDT