
How to prevent remote user from hopping to another system?


TSch (Technical User, DE), Jul 12, 2001
Hi folks,

Is it possible (without using a firewall within the network) to prevent a user who dials in to a certain machine via modem from connecting to another machine in our LAN (e.g. via telnet)?

All our company users who connect to that machine via LAN still have to be able to connect to all the machines within our network from that machine via telnet and so on ... We only want to restrict remote users ...

Is there any way to tell the machine not to let a certain user do anything like telnet and such things?

The problem is that the remote users sometimes have to be root, so we cannot create a user for remote users and restrict the commands. It has to be root with all the rights to the system files ...

Any ideas?

Thanks in advance!

Regards
Thomas
 
hi,
something isn't clear, or rather I have only understood a little.

You have a network, almost a RISC machine,
1 or more modems (where?), ... .

Those you call "remote" users are local: they are root on your machine.

For telnet it is not possible to limit the IP address;
you can implement IP filtering (a sort of firewall
internal to AIX).

Could you explain the architecture?

bye
 
If I understand your problem correctly, it's not possible.

Outgoing commands don't, and shouldn't, have any concept of an "originating connection". The best you can hope for is to put userids that use that remote login facility into a specific group, and use ACLs to deny that group the ability to run telnet, ftp, or whatever else you want to restrict. That's easily circumvented, however.

And, if they have root access, it's over anyway.

Another suggestion, assuming it's even possible for your situation: confine them to a menu system and use sudo.
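The group-plus-restricted-binaries idea and the menu-plus-sudo idea from this reply, sketched as a restricted login shell. This is an added example, not code from the thread or from AIX; the account group "dialin", the menu entries and the sudoers line are all assumed, and it only helps where the dial-in accounts are not handed root directly.

```sh
#!/bin/sh
# Restricted menu shell for dial-in accounts (constructed example).
# Install it as the login shell of every account in the "dialin" group.
# Privileged entries go through sudo, with a sudoers rule limited to the
# exact command lines listed here, e.g. (constructed):
#   %dialin ALL=(root) NOPASSWD: /usr/sbin/lsattr -El sys0, /usr/bin/errpt -a

# Map a menu key to one fixed command line; fail for anything else,
# so there is no way to reach telnet, ftp or an arbitrary shell.
dialin_cmd() {
    case "$1" in
        1) echo "sudo /usr/sbin/lsattr -El sys0" ;;   # system attributes
        2) echo "sudo /usr/bin/errpt -a" ;;            # error log
        3) echo "/usr/bin/df -k" ;;                    # disk usage, unprivileged
        q) echo "exit" ;;
        *) return 1 ;;
    esac
}

# Accept only a single menu key, so "1; telnet host" or similar never
# reaches the dispatcher.
dialin_valid() {
    case "$1" in
        1|2|3|q) return 0 ;;
        *) return 1 ;;
    esac
}

dialin_menu() {
    trap '' INT QUIT TSTP   # no escaping to a prompt via ^C, ^\ or ^Z
    while :; do
        printf '\n1) system attrs  2) error log  3) disk usage  q) logout\n> '
        read -r choice || exit 0          # EOF on the modem line: log out
        if ! dialin_valid "$choice"; then
            echo "no such option"
            continue
        fi
        cmd=$(dialin_cmd "$choice")
        [ "$cmd" = "exit" ] && exit 0
        $cmd                               # fixed words only, split on purpose
    done
}

# A login shell is started with argv[0] beginning with "-"; only then
# enter the interactive loop, so the functions can also be sourced.
case "$0" in
    -*) dialin_menu ;;
esac
```

Pair it with the ACL suggestion above (deny the "dialin" group execute permission on telnet and ftp) so a slip in the menu does not reopen the path.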
 
I believe you should be able to try this !!! - I am not sure if I understand your setup - but you could have external users into your system via a specific adapter (IP address); now on the systems -- remove any route to the other adapters in the systems --

That is - the external adapter does not have any route to the internal network!!! even though it is on the same system -- since the external users require access to the systems that have the external interface only -- then request that they use IP se connection or make the external route to that system accessible only via a specific adapter!! then delete any route from that adapter to the internal network!!! Try that!! OK Bye!!
 