  UNIX how to restrict users by IP Telnet
     
  Add Date : 2017-04-13      
         
       
         
During routine maintenance or security hardening we often need to restrict which client IP addresses may log in to the operating system, so that every operation can be traced back to the member of staff who performed it. This article summarises how to restrict a user's remote login by IP address on three operating systems: IBM AIX, HP-UX and SUN Solaris.

1. HP-UX

1.1 /var/adm/inetd.sec

On HP-UX, access to each service can be restricted by client IP address. The system provides the configuration file inetd.sec, which specifies for each inetd service the network addresses that are allowed or forbidden to use it. In a default installation this file is empty or does not exist, and the system then allows any address to use any service on the machine.

Setting method:

1. Check whether /var/adm/inetd.sec exists; if it does not, create it as the root user:

# touch /var/adm/inetd.sec

2. Edit /var/adm/inetd.sec so that it contains lines such as the following:

shell allow 139.104.8.21 139.104.8.22

login allow 139.104.8.1-64 139.104.4.1-64

telnet allow 139.104.8.1-128 139.104.4.1-128

ftp allow 139.104.8.1-128 139.104.4.1-128

The meaning of each field: the first column is the service name, which corresponds to the first column of /etc/services. The second column is the permission, either allow or deny; with allow, only the addresses in the list that follows may access the service. The third column is the address list; multiple addresses are separated by spaces, and each entry may be a full IP address, a network address, or a network name. The wildcard (*) and the range character (-) may be used in the address list.

The example above is a typical configuration for a mobile intelligent-network SCP. The first line configures the addresses permitted to use rsh (the shell service); because the two hosts of a dual-machine pair need rsh between them, the /var/adm/inetd.sec files on both hosts must each contain the other's IP address.

The second line configures the addresses permitted to use rlogin (the login service); since the two hosts also need rlogin between them, again each host's /var/adm/inetd.sec must contain the other's IP address.

The third line configures the addresses permitted to use telnet; these are the IP addresses of the remote terminals allowed to log in, and can be configured as required.

2. IBM AIX

2.1 /etc/security/user

The /etc/security/user configuration file holds extended user attributes that AIX uses for security purposes. Some users only need to log in at the console and must not be allowed to log in remotely. To handle this, set the rlogin attribute of the user's stanza in /etc/security/user to rlogin = false. When the user next attempts a remote login, the system reports "Remote logins are not allowed for this account", which shows that the change took effect.

AIX can also restrict a user by device port (/dev/pts). This does not match our requirement, so it is only introduced here. Edit /etc/security/user, for example:

test:
        admin = false
        admgroups = system
        ttys = !/dev/pts/0,ALL

The result is that user test can log in on every port except pts/0; when test attempts to log in on pts/0, the system reports "You are not allowed to access the system via this terminal".

AIX also supports static IP packet filtering, which can be used to protect a server connected to the network. Unlike HP-UX, however, a default installation does not include this feature. Before using it, check that the following filesets are installed; if they are missing, install them and then reboot the machine.

# lslpp -l bos.net.ipsec.rte
  Fileset                      Level  State      Description
  ----------------------------------------------------------------------------
Path: /usr/lib/objrepos
  bos.net.ipsec.rte          5.3.0.20  COMMITTED  IP Security

# lslpp -l bos.net.ipsec.keymgt
  Fileset                      Level  State      Description
  ----------------------------------------------------------------------------
Path: /usr/lib/objrepos
  bos.net.ipsec.keymgt       5.3.0.20  COMMITTED  IP Security Key Management

The following steps configure IP Security, using the FTP service as an example; other services such as telnet are handled in the same way with their own port numbers.

1. Start IP Security (IPSec):

# smitty ipsec4 -> Start/Stop IP Security -> Start IP Security -> Start IP Security

Both settings on that screen are left at their default values.

2. Check that ipsec is available:

# lsdev -Cc ipsec

ipsec_v4 Available IP Version 4 Security Extension

3. The system should now have created two default filter rules. Check them with:

# lsfilt -v4

Normally two rules are listed. If no default rules are shown, refer to the note at the end of this section.

4. Add a filter rule that accepts ftp requests sent from 10.152.129.49:

# smitty ipsec4 -> Advanced IP Security Configuration -> Configure IP Security Filter Rules -> Add an IP Security Filter Rule -> Add an IP Security Filter Rule

* Rule Action ----------------------------------- [permit] +
* IP Source Address ----------------------------- [10.152.129.49]
* IP Source Mask -------------------------------- [255.255.255.255]
  IP Destination Address ------------------------ []
  IP Destination Mask --------------------------- []
* Apply to Source Routing? (PERMIT / inbound only) [yes] +
* Protocol -------------------------------------- [all] +
* Source Port / ICMP Type Operation ------------- [any] +
* Source Port Number / ICMP Type ---------------- [0] #
* Destination Port / ICMP Code Operation -------- [eq] +
* Destination Port Number / ICMP Type ----------- [21] #
* Routing --------------------------------------- [both] +
* Direction ------------------------------------- [both] +
* Log Control ----------------------------------- [no] +
* Fragmentation Control ------------------------- [0] +
* Interface ------------------------------------- [all] +

Leave the other fields at their defaults.

5. Add another filter rule that rejects all other ftp requests to 10.110.157.151:

Add an IP Security Filter Rule

* Rule Action ----------------------------------- [deny] +
* IP Source Address ----------------------------- [0.0.0.0]
* IP Source Mask -------------------------------- [0.0.0.0]
  IP Destination Address ------------------------ [10.110.157.151]
  IP Destination Mask --------------------------- [255.255.255.255]
* Apply to Source Routing? (PERMIT / inbound only) [yes] +
* Protocol -------------------------------------- [all] +
* Source Port / ICMP Type Operation ------------- [any] +
* Source Port Number / ICMP Type ---------------- [0] #
* Destination Port / ICMP Code Operation -------- [eq] +
* Destination Port Number / ICMP Type ----------- [21] #
* Routing --------------------------------------- [both] +
* Direction ------------------------------------- [both] +
* Log Control ----------------------------------- [no] +
* Fragmentation Control ------------------------- [all packets] +
* Interface ------------------------------------- [all] +

6. Activate the filter rules:

# smitty ipsec4 -> Advanced IP Security Configuration -> Activate/Update/Deactivate IP Security Filter Rule -> Activate/Update

7. Once the above is complete, only a user coming from 10.152.129.49 can ftp to 10.110.157.151; any other machine attempting to ftp to 10.110.157.151 will fail.

NOTE: the two default rules mentioned in step 3 exist on every machine. Rule 1 permits IPSec key-management traffic with other devices: the IPSec implementation developed by NewOak uses port 4001 to exchange this traffic with other IPSec devices, and the rule is kept for historical compatibility. Rule 2 ensures that, by default, all other network traffic passes normally. Both rules are present after the operating system is installed. At some sites, however, running lsdev -Cc ipsec shows

ipsec_v4 Available

Can not get IPv4 default filter rule.

Can not change default rule for IPv4 in ODM.

Can not get IPv4 default filter rule

This probably happens because, in the smitty ipsec4 menus, these two rules look like ordinary rules and were deleted by mistake after installation. In that state no new rules can be set. To repair the rules and return to the default state, use smitty remove to delete the corresponding packages, reinstall them from the installation CD, and apply the latest patches.

2.2 FTP service

FTP access can be restricted in either of the following two ways:

1. Edit /etc/ftpusers directly. Users listed in this file, one per line, are prohibited from using ftp to the AIX server.

# vi /etc/ftpusers

2. Use the SMIT menus:

smitty -> Communications Applications and Services -> TCP/IP -> Further Configuration -> Server Network Services -> Remote Access ->

Restrict File Transfer Program Users (/etc/ftpusers) -> Add a Restricted User

* Name of Local USER ID [tstusr] <- enter the user name to restrict here

3. SUN SOLARIS

3.1 /etc/inet/inetd.conf

By default, Solaris accepts all service requests. Solaris itself has no facility to restrict access by IP address, but the free software package TCP Wrappers can be installed to add this capability. TCP Wrappers is controlled by two files, /etc/hosts.allow and /etc/hosts.deny. The safest approach is to put the line ALL: ALL in /etc/hosts.deny, which refuses every computer access to the server, and then list the computers that are permitted to access the server in /etc/hosts.allow. The result is that, for every service and every source address, access is refused unless it is explicitly permitted, that is, unless a matching entry is found in /etc/hosts.allow.

1. Create the files hosts.allow and hosts.deny in /etc; together they provide complete host access control.

hosts.deny lists the IP addresses and services to which the workstation refuses service.

hosts.allow lists the IP addresses and services that the workstation permits.

If the client's IP address appears in neither hosts.allow nor hosts.deny, access is allowed.

Note: hosts.allow takes priority over hosts.deny.

Both files share the same format, and there are two ways to specify clients, by network segment prefix or by network/netmask, as follows:

# allow the 10.152.129.x network segment

in.telnetd: 10.152.129. =====> prefix form: a trailing dot matches every address beginning with that prefix, e.g. 10.11.147. matches the 10.11.147.x segment

in.telnetd: 10.152.129.0/255.255.255.0 ====> network/netmask form, defining the permitted host range.

For example:

To allow telnet to the workstation only from IP addresses in the 10.152.129.x segment:

# hosts.deny:

in.telnetd: ALL =====> refuse telnet access from all IP addresses

# hosts.allow:

in.telnetd: 10.152.129.0/255.255.255.0 =====> allow only addresses in the 10.152.129.x range

To allow telnet to the workstation from every segment except 10.152.129.x:

# hosts.deny

in.telnetd: 10.152.129.

To allow telnet only from local IP addresses (only hosts whose address is listed in the workstation's /etc/hosts can telnet):

# hosts.deny

in.telnetd: ALL =====> refuse telnet access from all IP addresses

# hosts.allow

in.telnetd: LOCAL =====> only addresses listed in the workstation's /etc/hosts can telnet

Finally, run 'kill -HUP <inetd process ID>' for the change to take effect.

FTP and other services are restricted in the same way.
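The hosts.allow / hosts.deny decision order described in this section, as an added Python example that is not part of the article. The three sample file pairs are constructed from the scenarios above, and LOCAL is approximated as a client name containing no dot (an assumption, since this code does no real name resolution):

```python
# Added example (not from the article): apply the TCP Wrappers decision order
# (hosts.allow first, then hosts.deny, otherwise allow) to a connection.
import ipaddress

def client_matches(pattern: str, ip: str, hostname: str = "") -> bool:
    """ALL, LOCAL (a name without a dot, i.e. resolved from /etc/hosts),
    a trailing-dot prefix such as '10.152.129.', net/mask, or an exact IP."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":
        return bool(hostname) and "." not in hostname
    if "/" in pattern:
        net, mask = pattern.split("/", 1)
        return ipaddress.ip_address(ip) in ipaddress.ip_network(f"{net}/{mask}", strict=False)
    if pattern.endswith("."):
        return ip.startswith(pattern)
    return ip == pattern

def parse_wrappers(text: str) -> list:
    """Each line is 'daemon_list : client_list'; comments and blanks are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, clients = line.split(":", 1)
        entries.append((daemons.replace(",", " ").split(),
                        clients.replace(",", " ").split()))
    return entries

def _any_entry_matches(entries, daemon, ip, hostname):
    return any(("ALL" in ds or daemon in ds) and
               any(client_matches(c, ip, hostname) for c in cs)
               for ds, cs in entries)

def wrappers_decision(allow_text, deny_text, daemon, ip, hostname=""):
    """Return 'allow' or 'deny' for one connection attempt."""
    if _any_entry_matches(parse_wrappers(allow_text), daemon, ip, hostname):
        return "allow"          # hosts.allow wins, whatever hosts.deny says
    if _any_entry_matches(parse_wrappers(deny_text), daemon, ip, hostname):
        return "deny"
    return "allow"              # listed in neither file: access granted

# Constructed samples mirroring the article's three scenarios (allow, deny).
ONLY_SEGMENT = ("in.telnetd: 10.152.129.0/255.255.255.0\n", "in.telnetd: ALL\n")
ALL_BUT_SEGMENT = ("", "in.telnetd: 10.152.129.\n")
ONLY_LOCAL = ("in.telnetd: LOCAL\n", "in.telnetd: ALL\n")
```

Note that a daemon with no entry in either file (in.ftpd in the first sample) is still reachable from anywhere, which is why the article recommends ALL: ALL in hosts.deny as the baseline.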

(Continuing the HP-UX /var/adm/inetd.sec example above.) The fourth line configures the addresses permitted to use ftp, and is set according to demand. Note that the SMP needs to access the SCP's FTP service, the SMAP needs to access the SMP's FTP service, and the RBI needs to access the SCP's FTP service; therefore the SMP's address must be added on the SCP, and the SMAP's address must be added to the SMP's list.

3. Change the permissions of /var/adm/inetd.sec so that other users cannot write to it:

# chmod 444 /var/adm/inetd.sec

Note that the purpose of this feature is to limit access to specific clients. When adding allow or deny entries, make sure that the hosts which genuinely need access are included in the allow entry or left out of the deny entry. When the UNIX host receives a login request, it checks by service name, for example the telnet (23) service: if the configuration file contains an entry for telnet with the allow keyword, the connecting IP address must appear in the allow list for the system to permit the login, otherwise the connection is refused; if a deny entry is configured instead, the connecting IP address must not appear in the deny list for the system to permit the connection.
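The allow/deny logic just described, together with the field rules of section 1.1 (service name, allow or deny, address list with * and - patterns), as an added Python example that is not part of the article. It assumes one line per service and does not resolve hostnames or network names; the sample file reuses the article's lines plus one constructed deny line:

```python
# Added example (not from the article): evaluate HP-UX /var/adm/inetd.sec
# rules for a client IP.  Hostnames and network names are not resolved.

def _field_matches(pattern: str, value: int) -> bool:
    """One dotted field: a number, the '*' wildcard, or a 'lo-hi' range."""
    if pattern == "*":
        return True
    if "-" in pattern:
        lo, hi = pattern.split("-", 1)
        return int(lo) <= value <= int(hi)
    return int(pattern) == value

def address_matches(pattern: str, ip: str) -> bool:
    """A pattern with fewer than four fields is treated as a network prefix."""
    fields, octets = pattern.split("."), [int(o) for o in ip.split(".")]
    if not 1 <= len(fields) <= 4 or len(octets) != 4:
        raise ValueError(f"bad pattern or address: {pattern!r} / {ip!r}")
    return all(_field_matches(p, v) for p, v in zip(fields, octets))

def parse_inetd_sec(text: str) -> dict:
    """service -> (permission, patterns); a later line for the same service
    overrides an earlier one (assumption: one line per service)."""
    rules = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        service, perm, *addrs = line.split()
        if perm.lower() not in ("allow", "deny"):
            raise ValueError(f"bad permission in line {raw!r}")
        rules[service] = (perm.lower(), addrs)
    return rules

def is_permitted(rules: dict, service: str, ip: str) -> bool:
    """allow: IP must match a pattern; deny: IP must match none;
    no entry for the service: open to everyone (the HP-UX default)."""
    if service not in rules:
        return True
    perm, addrs = rules[service]
    hit = any(address_matches(a, ip) for a in addrs)
    return hit if perm == "allow" else not hit

# Constructed sample: the article's lines plus a deny line for the other branch.
SAMPLE = """\
shell  allow 139.104.8.21 139.104.8.22
login  allow 139.104.8.1-64 139.104.4.1-64
telnet allow 139.104.8.1-128 139.104.4.1-128
exec   deny  10.0.0.*
"""
RULES = parse_inetd_sec(SAMPLE)
```

A service with no line at all (finger in the checks below) stays open to every address, so a hardening review should list every inetd service that is enabled, not only the ones already in the file.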

1.2 FTP service

FTP access can also be restricted per user. On HP-UX, add one username per line to the /etc/ftpd/ftpaccess file; the system will then allow only the users configured in this file to perform FTP operations. Note that when this is implemented on a production system, the file must include the accounts that require FTP.
     
         
       
         
     
           
     
  CopyRight 2002-2016 newfreesoft.com, All Rights Reserved.