
Telnet Security


djabell (Instructor), Apr 9, 2001, GB
Does anyone know how I can disable telnet access for some users but allow it for others? I'm considering installing OpenSSH at some stage, but the server is live at the moment (student projects, etc!), so I need to secure it a bit without risking downing the server, etc.
 
You can disable a user's telnet ability by changing their default shell in the /etc/passwd file to "/bin/false". They can still get mail but can't telnet. Always make a backup of the passwd file before editing it though.

Also, when you add users, you can specify this directly with "useradd -s /bin/false" so that you don't have to edit the passwd file manually.

Hope this helps,
GJ
 
Thanks for the reply.

Changing the passwd file works fine, but when I try and ftp as the user whose entry I've modified, I get 'login incorrect' - any ideas?
 
Depending on the number of people you need to allow telnet access, you might be able to use hosts.allow and hosts.deny to only let certain IP addresses connect via telnet.



Jay
 
In our environment, ftp is run from NT machines so I've never had to deal with that. Does ftp work when you enable their telnet login back in the passwd file?

GJ
 
Well, /bin/false should be added to the /etc/shells file. Don't forget to press enter... I mean the last line should be empty... otherwise the name of the shell will become /bin/fals ;)
 
I checked up on this.
I think you can allow telnet access without using the /bin/false entry via hosts.allow.
in /etc/hosts.allow just add a line like "in.telnetd:192.168.1.2", 192.168.1.2 being the ip address of the acceptable host. If all local hosts are allowed to use the telnet daemon, try "in.telnetd:LOCAL".

Hope this helps!

RNinja
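An added example of the tcp_wrappers approach RNinja describes (this is not code from the thread; the script, its function names and the directory argument are my own). One point the post leaves implicit: tcpd consults hosts.allow first, then hosts.deny, and grants the connection when neither file matches, so an `in.telnetd:` line in hosts.allow on its own keeps nobody out. The script therefore always pairs the allow entries with `in.telnetd: ALL` in hosts.deny, and includes a small stand-in for tcpd's evaluation order so the result can be rehearsed in a scratch directory before the files go under /etc.

```shell
#!/bin/sh
# Added example, not code from the thread: generate a tcp_wrappers policy that
# admits in.telnetd connections only from the listed hosts. tcpd consults
# hosts.allow first, then hosts.deny, and grants access when NEITHER matches,
# so an allow line on its own keeps nobody out; the "in.telnetd: ALL" line in
# hosts.deny supplies the default refusal. DIR is /etc on the server, or a
# scratch directory to rehearse in.
set -eu

# write_telnet_policy DIR HOST... : allow telnet from each HOST, refuse the rest
write_telnet_policy() {
    dir=$1; shift
    {
        echo "# telnet only from these hosts (hosts.allow is consulted first)"
        for h in "$@"; do
            echo "in.telnetd: $h"
        done
    } > "$dir/hosts.allow"
    {
        echo "# anything not matched in hosts.allow is refused"
        echo "in.telnetd: ALL"
    } > "$dir/hosts.deny"
}

# policy_allows DIR HOST : would tcpd admit HOST to in.telnetd under the files
# in DIR? A stand-in for tcpd's own evaluation order that understands only the
# one-address-per-line and ALL entries this script writes (not LOCAL, netmasks
# or hostnames); use tcpdmatch against the real files for anything fancier.
policy_allows() {
    dir=$1; host=$2
    if grep -qxF -- "in.telnetd: $host" "$dir/hosts.allow"; then
        return 0            # matched in hosts.allow: granted, deny not consulted
    fi
    if grep -qxF -- "in.telnetd: ALL" "$dir/hosts.deny"; then
        return 1            # matched in hosts.deny: refused
    fi
    return 0                # no match in either file: tcpd lets it through
}

# Rehearsal in a scratch directory with two permitted hosts (addresses are
# constructed for the example).
demo() {
    d=$(mktemp -d)
    write_telnet_policy "$d" 192.168.1.2 192.168.1.7
    for h in 192.168.1.2 10.0.0.5; do
        if policy_allows "$d" "$h"; then echo "$h: granted"; else echo "$h: denied"; fi
    done
    rm -rf "$d"
}
demo
```

Neither file has any effect unless telnet is started through tcpd, i.e. the inetd.conf line reads `telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd` rather than invoking in.telnetd directly. Once the files are in /etc, `tcpdmatch in.telnetd 192.168.1.2` shows exactly how tcpd will rule on a given client without having to open a session to find out.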
 
The only problem with using /etc/hosts.allow and deny is that it is host specific (bound to an IP address or subnet) and not user specific. This approach will work, but will allow any user to telnet into the box if they are at the right host and will not let the proper users be mobile (which I would imagine is half the purpose of telnet). Are you trying to deny hosts or users? /bin/false is just another way of saying: this user has no valid shell at all, which may be why ftp is no longer working for those users. Actually I'm not sure if ftp users need a valid shell or not. Question: can your users log in anonymously, or do you need more security than that? Also, find out if ftp users need a valid shell. If not, /bin/false is the way to go. If so, I'm scratching my head on this one too.
 
I have seen in some cases a shell called badsh (/bin/badsh). This shell prevents telnet access. I am not sure if this is part of the Linux distro or not. If I can find it I will post back.

Another solution would be to simply edit their .profile file. Write a script that logs them out and generates an e-mail message to notify you of the login attempt. This script would be added to the user's .profile. (This would be an easy/fast fix.)

It simply creates a loop. The user logs in, the .profile is read, the shell script executes and they're either logged out, or their login process is killed, or something along those lines. Simple but effective.

-Danny
 
Doh! Modifying the /etc/shells file and adding false seems to work (I wonder why?).

Thanks for all your help, folks - much appreciated!!
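The procedure the thread converges on (login shell set to /bin/false, and /bin/false listed in /etc/shells so ftp keeps working), as an added shell example that is not code from the thread; the function names and the sample passwd and shells files are constructed for it. It also answers the "I wonder why?": ftpd checks the user's login shell against /etc/shells (via getusershell()) and refuses the login as "Login incorrect" when the shell is not listed, so /bin/false only becomes an acceptable ftp-only shell once it appears there. The script takes the passwd and shells files as arguments so every step can be rehearsed on copies before it touches the live server, and it handles the missing-trailing-newline pitfall mentioned above.

```shell
#!/bin/sh
# Added example, not code from the thread. Denies a user telnet (and any other
# interactive login) by setting the login shell to /bin/false, then lists
# /bin/false in the shells file so ftpd, which checks the shell against
# /etc/shells, keeps accepting the user. The passwd and shells files are
# arguments so the steps can be rehearsed on copies before the live server.
set -eu

# user_exists PASSWD_FILE USER
user_exists() {
    awk -F: -v u="$2" '$1 == u { f = 1 } END { exit !f }' "$1"
}

# shell_of PASSWD_FILE USER : print the 7th (shell) field of USER's entry
shell_of() {
    awk -F: -v u="$2" '$1 == u { print $7 }' "$1"
}

# set_noshell PASSWD_FILE USER [SHELL] : back up the file, then rewrite only
# the shell field of USER (default /bin/false); other fields and users untouched
set_noshell() {
    passwd_file=$1; user=$2; noshell=${3:-/bin/false}
    if ! user_exists "$passwd_file" "$user"; then
        echo "no such user: $user" >&2
        return 1
    fi
    cp -p "$passwd_file" "$passwd_file.bak.$(date +%Y%m%d%H%M%S)"
    awk -F: -v OFS=: -v u="$user" -v s="$noshell" '$1 == u { $7 = s } { print }' \
        "$passwd_file" > "$passwd_file.tmp"
    mv "$passwd_file.tmp" "$passwd_file"
}

# shell_is_listed SHELLS_FILE SHELL : the test ftpd applies (exact line match)
shell_is_listed() {
    grep -qxF -- "$2" "$1" 2>/dev/null
}

# add_to_shells SHELLS_FILE SHELL : append SHELL unless already listed. If the
# file's last line has no trailing newline, appending blindly would produce
# "/bin/bash/bin/false" (the "/bin/fals" mishap from the thread), so terminate
# that line first.
add_to_shells() {
    shells_file=$1; shell=$2
    if shell_is_listed "$shells_file" "$shell"; then
        return 0
    fi
    if [ -s "$shells_file" ] && [ -n "$(tail -c 1 "$shells_file")" ]; then
        printf '\n' >> "$shells_file"
    fi
    printf '%s\n' "$shell" >> "$shells_file"
}

# lock_telnet PASSWD_FILE SHELLS_FILE USER : the whole procedure
lock_telnet() {
    set_noshell "$1" "$3"
    add_to_shells "$2" /bin/false
}

# Rehearsal on constructed copies: a two-entry passwd and a shells file whose
# last line lacks its newline. Nothing under /etc is touched.
demo() {
    d=$(mktemp -d)
    printf 'root:x:0:0:root:/root:/bin/bash\nstudent1:x:1001:1001::/home/student1:/bin/bash\n' > "$d/passwd"
    printf '/bin/sh\n/bin/bash' > "$d/shells"
    lock_telnet "$d/passwd" "$d/shells" student1
    echo "student1 now has shell: $(shell_of "$d/passwd" student1)"
    echo "shells file:"; cat "$d/shells"
    rm -rf "$d"
}
demo
```

Run as root with the real files, `lock_telnet /etc/passwd /etc/shells student1`, it leaves a timestamped passwd backup beside the original, and `grep -x /bin/false /etc/shells` afterwards confirms the entry ftpd will look for. For new accounts `useradd -s /bin/false` from the earlier reply gives the same result without editing passwd by hand.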
 