
UNIX: how to restrict users' Telnet logins by IP
Add Date : 2017-04-13
During routine maintenance or security hardening we often need to restrict the client IP addresses from which the operating system can be reached, so that access can be mapped to the operators who are supposed to perform the work. This article summarizes, for IBM AIX, HP-UX and Sun Solaris, how to restrict a user's remote login by source IP address.


1.1 /var/adm/inetd.sec

On HP-UX, access can be restricted per service and per IP address. The HP-UX system has a configuration file, inetd.sec, that sets for each service which network addresses are allowed or forbidden to use it. In a default installation this file is empty or does not exist, and the system then allows any address to use any service on the machine.

Setting method:

1. Check whether /var/adm/inetd.sec exists; if it does not, create it as root:

# touch /var/adm/inetd.sec

2. Edit the /var/adm/inetd.sec file and make sure it contains lines such as the following, for example:

shell allow

login allow

telnet allow

ftp allow

First, the meaning of each field in a line: the first column is the service name, which corresponds to the first column of /etc/services. The second column is the permission, either allow or deny; with allow, only the addresses in the list that follows may access the service. The third column is the address list, with multiple addresses separated by spaces; an entry can be a full IP address, a network address, or a network name. The wildcard character (*) and the range character (-) may be used in the address list.

The example above is a typical restriction for a mobile intelligent network SCP. The first line, shell, configures the addresses allowed to use rsh; because the two hosts of the dual-host pair need rsh between them, the /var/adm/inetd.sec files on the two hosts must each contain the other's IP address.

The second line, login, configures the addresses allowed to use rlogin; since rlogin is likewise needed between the two hosts of the pair, their /var/adm/inetd.sec files must again each contain the other's IP address.

The third line configures the addresses allowed to use telnet. These are the remote terminal addresses that the site allows to log in, and they can be configured as required.
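The allow/deny decision described above can be checked before a change goes live. The following script is an added example and not HP-UX's own code: it evaluates an inetd.sec-style file for one service and one client address, applying the rules given in this section (allow means only the listed addresses, deny means everyone except the listed addresses, and a service with no line is open to all). Entries are compared octet by octet, with "*" matching any value, "a-b" a range, and a short entry such as 10.152 treated as a network prefix. The function names and the sample file are constructed for the example.

```shell
# Added example, not HP-UX's own code: evaluate an inetd.sec-style policy for
# one service and one client address (function names chosen for this example).

# octet_match PATTERN VALUE -> 0 if one octet of an entry matches
octet_match() {
    case "$1" in
        '*') return 0 ;;
        *-*) lo=${1%-*}; hi=${1#*-}
             [ "$2" -ge "$lo" ] && [ "$2" -le "$hi" ] ;;
        *)   [ "$1" -eq "$2" ] ;;
    esac
}

# addr_match ENTRY ADDR -> 0 if ADDR falls within ENTRY
addr_match() {
    pt=$1; ad=$2
    while :; do
        p=${pt%%.*}; a=${ad%%.*}
        [ -n "$a" ] || return 1                  # entry is longer than the address
        octet_match "$p" "$a" || return 1
        case "$pt" in *.*) pt=${pt#*.} ;; *) return 0 ;; esac   # entry exhausted: match
        case "$ad" in *.*) ad=${ad#*.} ;; *) ad='' ;; esac
    done
}

# inetd_sec_check FILE SERVICE CLIENT_IP -> 0 if the connection would be accepted
inetd_sec_check() {
    file=$1; svc=$2; ip=$3
    entry_line=$(grep -v '^#' "$file" | awk -v s="$svc" '$1 == s { print; exit }')
    [ -n "$entry_line" ] || return 0             # no line for the service: open to everyone
    set -- $entry_line
    mode=$2; shift 2                             # "$@" is now the address list
    hit=1
    for entry in "$@"; do
        if addr_match "$entry" "$ip"; then hit=0; break; fi
    done
    case "$mode" in
        allow) return $hit ;;                    # accepted only when listed
        deny)  [ $hit -eq 0 ] && return 1; return 0 ;;   # refused only when listed
        *)     echo "$file: unknown permission '$mode' for $svc" >&2; return 1 ;;
    esac
}

# Constructed sample file; the address lists are illustrative, not from a real host.
INETD_SEC_SAMPLE=$(mktemp)
cat > "$INETD_SEC_SAMPLE" <<'EOF'
# service  permission  address list
shell      allow       10.152.129.1 10.152.129.2
login      allow       10.152.129.1 10.152.129.2
telnet     allow       10.152.129.* 10.11.147.1-20
ftp        deny        192.168.1.*
EOF

for probe in 'telnet 10.152.129.77' 'telnet 10.11.147.21' 'ftp 192.168.1.9' 'ssh 10.0.0.1'; do
    set -- $probe
    if inetd_sec_check "$INETD_SEC_SAMPLE" "$1" "$2"; then
        echo "$1 from $2: accepted"
    else
        echo "$1 from $2: refused"
    fi
done
```

Run it with the real file as the first argument to confirm that the dual-host peer and every operator terminal are still accepted for shell, login and telnet after an edit; a service with no line at all reports "accepted" for every address, which is the default the page describes.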


2.1 /etc/security/user

The /etc/security/user configuration file holds extended user attributes for AIX. For security reasons some users should only be able to log in at the console and must not be allowed to log in remotely. Treatment: in /etc/security/user, set the rlogin attribute of the user to be restricted to rlogin = false. When that user next tries to log in remotely, the system reports: Remote logins are not allowed for this account, which shows the change took effect.

AIX can also restrict the device ports (/dev/pts) a user may log in on. This does not quite fit our requirement, so it is only introduced here. Edit the /etc/security/user file, for example:


admin = false

admgroups = system

ttys = !/dev/pts/0,ALL

The result is that the user test can log in on every port except pts/0; when test tries to log in on pts/0, the system reports: You are not allowed to access the system via this terminal.
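Because an attribute that is missing from a user's own stanza is inherited from the default: stanza, reading the file by eye is error-prone on a host with many accounts. The script below is an added example, not AIX code: it parses an /etc/security/user-style stanza file and reports each account's effective rlogin and ttys values, falling back to the default: stanza exactly as described above. The function names and the sample stanza file are constructed for the example.

```shell
# Added example (not AIX's own code): report each account's effective rlogin
# and ttys attributes from an /etc/security/user-style stanza file.

# security_user_report FILE -> one line per user: "<user> <rlogin> <ttys>"
security_user_report() {
    awk '
        # a line like "oper:" opens a stanza; remember its name and order
        /^[^ \t#].*:[ \t]*$/ { sub(/:[ \t]*$/, ""); cur = $0; order[++n] = cur; next }
        # an indented "attr = value" line belongs to the current stanza
        cur != "" && /^[ \t]+[A-Za-z_]+[ \t]*=/ {
            split($0, kv, "="); k = kv[1]; v = kv[2]
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            attr[cur, k] = v
        }
        END {
            for (i = 1; i <= n; i++) {
                u = order[i]
                if (u == "default") continue
                # attribute unset for the user: inherit from the default: stanza
                r = ((u, "rlogin") in attr) ? attr[u, "rlogin"] : attr["default", "rlogin"]
                t = ((u, "ttys") in attr) ? attr[u, "ttys"] : attr["default", "ttys"]
                if (r == "") r = "(unset)"
                if (t == "") t = "(unset)"
                print u, r, t
            }
        }' "$1"
}

# rlogin_allowed FILE USER -> prints the user's effective rlogin value (true/false)
rlogin_allowed() {
    security_user_report "$1" | awk -v u="$2" '$1 == u { print $2 }'
}

# Constructed sample stanza file, not copied from any real host.
SECURITY_USER_SAMPLE=$(mktemp)
cat > "$SECURITY_USER_SAMPLE" <<'EOF'
default:
        admin = false
        login = true
        rlogin = true
        ttys = ALL

oper:
        rlogin = false

test:
        admin = false
        admgroups = system
        ttys = !/dev/pts/0,ALL
EOF

security_user_report "$SECURITY_USER_SAMPLE"
```

On the sample this prints "oper false ALL" and "test true !/dev/pts/0,ALL"; running it against the real file gives a quick list of every account that still permits remote login.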

AIX supports static IP packet filtering, which can be used to protect a server connected to the network. Unlike HP-UX, the default installation does not include this function; before using it you need the following filesets installed. If they are not present, install them and then reboot the machine.

# lslpp -l bos.net.ipsec.rte
Fileset Level State Description
----------------------------------------------------------------------------
Path: /usr/lib/objrepos
bos.net.ipsec.rte COMMITTED IP Security

# lslpp -l bos.net.ipsec.keymgt
Fileset Level State Description
----------------------------------------------------------------------------
Path: /usr/lib/objrepos
bos.net.ipsec.keymgt COMMITTED IP Security Key Management

Now configure IP Security (the FTP service is used as the example; other ports such as TELNET are handled the same way).

1. Start IP Security (IPSec):

# smitty ipsec4 -> Start / Stop IP Security -> Start IP Security -> Start IP Security

The two settings on this screen are left at their default values.

2. Check that ipsec is available:

# lsdev -Cc ipsec
ipsec_v4 Available IP Version 4 Security Extension

3. The system should now have created two filter rules. Check them with the following command:

# lsfilt -v4

Normally two rules are shown; if instead it reports that there are no default rules, see the note at the end of this section.

4. Add a filter rule that permits ftp requests from the allowed source address:

# smitty ipsec4 -> Advanced IP Security Configuration -> Configure IP Security Filter Rules -> Add an IP Security Filter Rule -> Add an IP Security Filter Rule

* Rule Action ----------------------------------- [permit] +

* IP Source Address ----------------------------- []

* IP Source Mask -------------------------------- []

IP Destination Address -------------------------- []

IP Destination Mask ---------------------------- []

* Apply to Source Routing? (PERMIT / inbound only) [yes] +

* Protocol -------------------------------------- [all] +

* Source Port / ICMP Type Operation ------------- [any] +

* Source Port Number / ICMP Type ---------------- [0] #

* Destination Port / ICMP Code Operation -------- [eq] +

* Destination Port Number / ICMP Type ----------- [21] #

* Routing --------------------------------------- [both] +

* Direction ------------------------------------- [both] +

* Log Control ----------------------------------- [no] +

* Fragmentation Control ------------------------- [0] +

* Interface ------------------------------------- [all] +

Leave the other fields at their defaults.

5. Add another filter rule that denies all other ftp requests:

Add an IP Security Filter Rule

* Rule Action ----------------------------------- [deny] +

* IP Source Address ----------------------------- []

* IP Source Mask -------------------------------- []

IP Destination Address -------------------------- []

IP Destination Mask ---------------------------- []

* Apply to Source Routing? (PERMIT / inbound only) [yes] +

* Protocol -------------------------------------- [all] +

* Source Port / ICMP Type Operation ------------- [any] +

* Source Port Number / ICMP Type ---------------- [0] #

* Destination Port / ICMP Code Operation -------- [eq] +

* Destination Port Number / ICMP Type ----------- [21] #

* Routing --------------------------------------- [both] +

* Direction ------------------------------------- [both] +

* Log Control ----------------------------------- [no] +

* Fragmentation Control ------------------------ [all packets] +

* Interface ------------------------------------ [all] +

6. Activate the filter rules:

# smitty ipsec4 -> Advanced IP Security Configuration -> Activate / Update / Deactivate IP Security Filter Rule -> Activate / Update

7. With the above done, only the configured source address can ftp to the host; an ftp attempt from any other machine fails.
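The filter applies the first rule that matches a packet, which is why the permit rule of step 4 has to be entered before the deny rule of step 5. The script below is an added example, not AIX code: it evaluates a small rule table shaped like the two smitty entries above (permit one source to port 21, deny everyone else on port 21, then the default permit-all rule) and also shows what happens when the two rules are entered in the wrong order. The source address 10.152.129.1 is a constructed value, since the smitty screens above leave it blank; protocol is treated as "all" as on those screens, and the function names are chosen for the example.

```shell
# Added example, not AIX's own code: first-match evaluation of filter rules
# shaped like the smitty entries in steps 4 and 5.

# masked_eq ADDR NET MASK -> 0 when (ADDR & MASK) == (NET & MASK), octet by octet
masked_eq() {
    a=$1; n=$2; m=$3
    for i in 1 2 3 4; do
        [ $(( ${a%%.*} & ${m%%.*} )) -eq $(( ${n%%.*} & ${m%%.*} )) ] || return 1
        a=${a#*.}; n=${n#*.}; m=${m#*.}
    done
    return 0
}

# Rule tables, one rule per line, in evaluation order (constructed values).
# Fields: action  source-address  source-mask  destination-port (0 = any)
FILTER_RULES='permit 10.152.129.1 255.255.255.255 21
deny   0.0.0.0      0.0.0.0         21
permit 0.0.0.0      0.0.0.0         0'

# The same rules with steps 4 and 5 entered in the wrong order.
FILTER_RULES_REVERSED='deny   0.0.0.0      0.0.0.0         21
permit 10.152.129.1 255.255.255.255 21
permit 0.0.0.0      0.0.0.0         0'

# filter_eval RULES SRC DPORT -> prints the action of the first matching rule
filter_eval() {
    printf '%s\n' "$1" | while read -r action net mask port; do
        [ "$port" -eq 0 ] || [ "$port" -eq "$3" ] || continue
        masked_eq "$2" "$net" "$mask" || continue
        echo "$action"
        exit 0                      # leave the subshell: the first match wins
    done
}

for src in 10.152.129.1 10.152.129.2; do
    echo "ftp (21) from $src:    $(filter_eval "$FILTER_RULES" "$src" 21)"
    echo "telnet (23) from $src: $(filter_eval "$FILTER_RULES" "$src" 23)"
done
echo "rules reversed, ftp from 10.152.129.1: $(filter_eval "$FILTER_RULES_REVERSED" 10.152.129.1 21)"
```

With the rules in the intended order the allowed source gets "permit" on port 21 and every other source gets "deny", while port 23 is still permitted for everyone by the default rule; with the order reversed even the allowed source is denied, which is the symptom to look for if ftp stops working after the rules are activated.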

NOTE: Step 3 refers to the two default rules that every machine has. Rule 1 permits IPSec communication with other devices: NewOak developed an IPSec rule that uses port 4001 to communicate with other IPSec devices, and it is kept for historical compatibility. Rule 2 ensures that by default all network traffic passes normally. Both are certainly present after the operating system is installed, but at some sites running lsdev -Cc ipsec shows

ipsec_v4 Available

Can not get IPv4 default filter rule.

Can not change default rule for IPv4 in ODM.

Can not get IPv4 default filter rule

This is probably because, in the smitty ipsec4 menus, these two rules are treated as ordinary rules after installation and were deleted by someone who believed they were unneeded. When this happens no newly added rule can take effect. To repair the rules and return to the default state, remove the corresponding packages with smitty remove, reinstall them from the installation CD, and apply the latest patches.

2.2 FTP Service

Either of the following two methods can be used to restrict FTP:

1. Edit /etc/ftpusers directly. The users listed in this file, one per line, are forbidden to ftp to the AIX server.

# vi /etc/ftpusers

2. Use the SMIT menus:

smitty ---> Communications Applications and Services ---> TCP/IP ---> Further Configuration ---> Server Network Services ---> Remote Access --->

Restrict File Transfer Program Users (/etc/ftpusers) ---> Add a Restricted User

* Name of Local USER ID [tstusr] <- enter the name of the user to be restricted


3.1 /etc/inet/inetd.conf

By default Solaris accepts all service requests. Solaris itself has no built-in way to restrict access by IP, but the free TCP Wrappers package can be installed to add this function. TCP Wrappers is controlled by two files, /etc/hosts.allow and /etc/hosts.deny. Putting the line ALL: ALL in /etc/hosts.deny blocks every computer from accessing the server; the computers that are permitted are then added to /etc/hosts.allow. This is the safest approach: any service from any location that is not explicitly permitted, that is, that has no matching entry in /etc/hosts.allow, is refused.

1. Create the files hosts.allow and hosts.deny in /etc; these two files implement host access control.

hosts.deny lists the IP addresses and services that the workstation refuses.

hosts.allow lists the IP addresses and services that the workstation permits.

If a client's IP address appears in neither hosts.allow nor hosts.deny, access is allowed.

Note: hosts.allow takes priority over hosts.deny.

Both files have the same format, and there are two ways to write an entry, by network segment or by host, as follows:

# network form: allow the 10.152.129.x segment
in.telnetd: 10.152.129. =====> an address prefix (for example 10.11.147) allows that whole network segment
in.telnetd: =====> the segment-and-mask form allows a range of hosts

For example:

To allow telnet to the workstation only from IP addresses in the 10.152.129.x segment:

# hosts.deny:
in.telnetd: ALL =====> forbid telnet access from all IP addresses

# hosts.allow:
in.telnetd: 10.152.129. =====> permit addresses whose prefix is 10.152.129

To allow telnet to the workstation from every segment except 10.152.129.x:

# hosts.deny
in.telnetd: 10.152.129.

To allow telnet to the workstation only from local IP addresses (only addresses listed in the workstation's /etc/hosts can telnet):

# hosts.deny
in.telnetd: ALL =====> forbid telnet access from all IP addresses

# hosts.allow
in.telnetd: LOCAL =====> only addresses listed in the workstation's /etc/hosts can telnet

Finally, run 'kill -HUP <inetd process ID>' so that the change takes effect.

FTP and other services are handled in the same way.
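The order of evaluation (hosts.allow first, then hosts.deny, and access granted when the client is in neither) is easy to get wrong when both files grow. The script below is an added example and not Solaris or TCP Wrappers code: it reads two files in the "daemon_list : client_list" format used above and reports whether a given daemon and client would be granted access. It supports the client patterns this section uses, ALL, LOCAL (a name with no dot in it) and a trailing-dot prefix such as 10.152.129., and the function names and the two sample files are constructed for the example.

```shell
# Added example, not TCP Wrappers code: simulate the hosts.allow / hosts.deny
# decision for one daemon and one client.

# wrap_match PATTERN CLIENT -> 0 if CLIENT (an address or host name) matches
wrap_match() {
    case "$1" in
        ALL)   return 0 ;;
        LOCAL) case "$2" in *.*) return 1 ;; *) return 0 ;; esac ;;   # name without a dot
        *.)    case "$2" in "$1"*) return 0 ;; *) return 1 ;; esac ;;  # trailing-dot prefix
        *)     [ "$1" = "$2" ] ;;
    esac
}

# hosts_match FILE DAEMON CLIENT -> 0 if some "daemon_list : client_list" line matches
hosts_match() {
    found=$(grep -v '^[[:space:]]*#' "$1" | while IFS=: read -r dlist clist _; do
        for d in $(printf '%s' "$dlist" | tr ',' ' '); do
            [ "$d" = ALL ] || [ "$d" = "$2" ] || continue
            for c in $(printf '%s' "$clist" | tr ',' ' '); do
                if wrap_match "$c" "$3"; then echo hit; exit 0; fi
            done
        done
    done)
    [ "$found" = hit ]
}

# hosts_access_check ALLOW_FILE DENY_FILE DAEMON CLIENT -> 0 granted, 1 refused
hosts_access_check() {
    if hosts_match "$1" "$3" "$4"; then return 0; fi    # hosts.allow is checked first
    if hosts_match "$2" "$3" "$4"; then return 1; fi    # then hosts.deny
    return 0                                            # listed in neither: allowed
}

# Constructed sample files mirroring the examples in this section.
HOSTS_ALLOW_SAMPLE=$(mktemp); HOSTS_DENY_SAMPLE=$(mktemp)
cat > "$HOSTS_ALLOW_SAMPLE" <<'EOF'
# constructed hosts.allow sample
in.telnetd: 10.152.129.
in.ftpd: 10.11.147.
in.rlogind: LOCAL
EOF
cat > "$HOSTS_DENY_SAMPLE" <<'EOF'
# constructed hosts.deny sample
in.telnetd: ALL
in.rlogind: ALL
EOF

for probe in 'in.telnetd 10.152.129.5' 'in.telnetd 10.11.147.5' 'in.ftpd 192.168.1.1' \
             'in.rlogind wkst01' 'in.rlogind 10.1.1.1'; do
    set -- $probe
    if hosts_access_check "$HOSTS_ALLOW_SAMPLE" "$HOSTS_DENY_SAMPLE" "$1" "$2"; then
        echo "$1 from $2: granted"
    else
        echo "$1 from $2: refused"
    fi
done
```

Note that in.ftpd from 192.168.1.1 is granted even though it is not in hosts.allow, because hosts.deny has no in.ftpd line; that is the "listed in neither" default described above and the reason the section recommends an ALL: ALL line in hosts.deny.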

The fourth line of the HP-UX inetd.sec example configures the addresses allowed to use ftp, and is set according to demand. Note that the SMP needs to access the SCP's FTP service, the SMAP needs to access the SMP's FTP service, and the RBI needs to access the SCP's FTP service; the SCP must therefore add the SMP's address, and the SMP must add the SMAP's address to its list.

3. Change the permissions of /var/adm/inetd.sec so that nobody else can write to it:

# chmod 444 /var/adm/inetd.sec

Note that the purpose of this function is to limit access to specific clients, so when adding allow or deny entries make sure the hosts that need access are included in allow and are not included in deny. When the UNIX host receives a login request it checks by service name, for example the telnet (23) service: if it finds a configuration line for telnet with the allow keyword and the connecting IP address is in the allow list, the host permits the login from that IP, otherwise it refuses the connection; if the line is a deny entry, the connecting IP address must not be in the deny list for the host to permit the connection.

1.2 FTP Service

FTP can also be restricted by user. On HP-UX, add one user name per line to the /etc/ftpd/ftpaccess file; the system then allows only the users configured in this file to perform FTP operations. Note that when this is implemented on a production system the file must include the FTP accounts that are actually needed.
  CopyRight 2002-2016 newfreesoft.com, All Rights Reserved.