Disabling telnet access to wheel group.


Post by R Pradeep Chandr » Thu, 03 Jan 2002 20:50:16



Hi All,
        I want to make sure that no user who is logged in via an unencrypted
connection is able to become root. I have used /etc/securetty to prevent
root from logging in remotely. I have also created a user su-user and
added this user to group wheel. I have disabled ftp access to this user
and used PAM to configure su to reject users who are not in group wheel.
Now, how do I prevent su-user from logging in via telnet?

Have a nice day,
Pradeep

 
 
 


Post by Luke Voge » Thu, 03 Jan 2002 21:17:47



> Hi All,
>         I want to make sure that no user who is logged in via an unencrypted
> connection is able to become root. I have used /etc/securetty to prevent
> root from logging in remotely. I have also created a user su-user and
> added this user to group wheel. I have disabled ftp access to this user
> and used PAM to configure su to reject users who are not in group wheel.
> Now, how do I prevent su-user from logging in via telnet?

> Have a nice day,
> Pradeep

Delete telnet from your machine

use ssh instead (protocol 2)
--
Regards
Luke
------
Q:  What does FAQ stand for?
A:  We are Frequently Asked this Question, and we have no idea.
------
C.O.L.S FAQ - http://www.linuxsecurity.com/docs/colsfaq.html
------

 
 
 


Post by R Pradeep Chandr » Fri, 04 Jan 2002 15:31:04


On Wed, 02 Jan 2002 22:17:47 +1000, in comp.os.linux.security, Luke
:>
:> Hi All,
:>         I want to make sure that no user who is logged in via an unencrypted
:> connection is able to become root. I have used /etc/securetty to prevent
<snip>
:> Now, how do I prevent su-user from logging in via telnet?
:>
:> Have a nice day,
:> Pradeep
:
:Delete telnet from your machine

Unfortunately, it is not an option. :-(

:use ssh instead (protocol 2)

I and most of the users already use SSH.

Have a nice day,
Pradeep

 
 
 


Post by Luke Voge » Fri, 04 Jan 2002 15:39:41



> :Delete telnet from your machine

> Unfortunately, it is not an option. :-(

I find it hard to understand why ...

> :use ssh instead (protocol 2)

> I and most of the users already use SSH.

If you and most of the users already use ssh, why is it not an option to
upgrade the minority to using ssh as well?

--
Regards
Luke
------
Q:  What does FAQ stand for?
A:  We are Frequently Asked this Question, and we have no idea.
------
C.O.L.S FAQ - http://www.linuxsecurity.com/docs/colsfaq.html
------

 
 
 


Post by R Pradeep Chandr » Fri, 04 Jan 2002 21:15:51


On Thu, 03 Jan 2002 16:39:41 +1000, in comp.os.linux.security, Luke

:
:> :Delete telnet from your machine
:>
:> Unfortunately, it is not an option. :-(
:
:I find it hard to understand why ...
:
:> :use ssh instead (protocol 2)
:>
:> I and most of the users already use SSH.
:
:If you and most of the users already use ssh, why is it not an option to
:upgrade the minority to using ssh as well?

Well, Telnet is available on all the machines whereas ssh has to be
installed separately (Windows clients). :-)

If there is a way to block wheel users from connecting via telnet, I
would like to use that.

The alternative I am considering is to put the installables for ssh in
an easily accessible place and request other users to install it from
there.

Have a nice day,
Pradeep

 
 
 


Post by Kasper Dupon » Fri, 04 Jan 2002 21:48:07



> The alternative I am considering is to put the installables for ssh in
> an easily accessible place and request other users to install it from
> there.

One option would be MindTerm. It is a ssh client as a java applet.
You can just place it on a page on a webserver. Webserver and ssh
server must run on same computer due to the java security model.

But this doesn't protect you against a trojaned client, and it
will be difficult to get it to verify the hostkey.

--
Kasper Dupont

 Notice: By sending SPAM (UCE/BCE) to this address, you are
accepting and agreeing to our charging a $1000 fee, per
email, for handling and processing, and you agree to pay any
and all costs for collecting this fee.

 
 
 


Post by R Pradeep Chandr » Sat, 05 Jan 2002 17:36:07


On Thu, 03 Jan 2002 13:48:07 +0100, in comp.os.linux.security, Kasper
:>
:> The alternative I am considering is to put the installables for ssh in
:> an easily accessible place and request other users to install it from
:> there.
:
:One option would be MindTerm. It is a ssh client as a java applet.
:You can just place it on a page on a webserver. Webserver and ssh
:server must run on same computer due to the java security model.

It looks like a good option. Thanks.

:But this doesn't protect you against a trojaned client, and it
:will be difficult to get it to verify the hostkey.

Hmmm. I am not sure I understand this. My aim is to prevent someone from
obtaining the password by packet sniffing. Authentication is still using
password.

Have a nice day,
Pradeep

 
 
 


Post by Kasper Dupon » Sat, 05 Jan 2002 22:33:17



> :But this doesn't protect you against a trojaned client, and it
> :will be difficult to get it to verify the hostkey.

> Hmmm. I am not sure I understand this. My aim is to prevent someone from
> obtaining the password by packet sniffing. Authentication is still using
> password.

The solution I suggested is probably secure against passive
attacks. That means people will not get any information by
sniffing. But if anybody is able to redirect a TCP connection
they can attack the system.

There are two ways to make an active attack on this system.
First they could attack the download from the webserver. If
the attacker sends a trojan version of the ssh client to the
client computer it could sniff anything.

The other option is to attack the ssh connection. Usually
this is prevented by the host key, but in the suggested
setup the host key is not verified. So a man in the middle
attack would be possible.

If you are only worried about sniffing my suggestion can be
used.


> Have a nice day,
> Pradeep

--
Kasper Dupont

 Notice: By sending SPAM (UCE/BCE) to this address, you are
accepting and agreeing to our charging a $1000 fee, per
email, for handling and processing, and you agree to pay any
and all costs for collecting this fee.
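
The difference between a client that skips the host key check and one that compares it against a pinned fingerprint, as described in the post above; this is an added example, not part of the original thread. The host name and both keys are constructed placeholders, and `connect` is a hypothetical model of the client's decision, not a real ssh API.

```python
import base64
import hashlib
import hmac

def constructed_key(seed: bytes) -> str:
    """Build a fake 'ssh-ed25519' public key line (constructed, not a real key)."""
    blob = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + hashlib.sha256(seed).digest()
    return "ssh-ed25519 " + base64.b64encode(blob).decode()

def fingerprint(pubkey_line: str) -> str:
    """OpenSSH-style fingerprint: unpadded base64 of SHA-256 over the key blob."""
    blob = base64.b64decode(pubkey_line.split()[1])
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def connect(host: str, offered_key: str, known_hosts: dict, verify: bool = True) -> str:
    """Decide whether a client would send its password to the server offering this key."""
    if not verify:
        # The setup discussed in the post: any key is accepted.
        return "password sent (key not checked)"
    pinned = known_hosts.get(host)
    if pinned is None:
        return "refused: no pinned key for host"
    if hmac.compare_digest(pinned, fingerprint(offered_key)):
        return "password sent (key verified)"
    return "refused: host key mismatch"

# Constructed scenario: hypothetical host name, fake keys.
HOST = "shell.example.org"
SERVER_KEY = constructed_key(b"genuine server")
MITM_KEY = constructed_key(b"man in the middle")
# Fingerprint handed to users out of band (assumption of this example).
KNOWN_HOSTS = {HOST: fingerprint(SERVER_KEY)}

if __name__ == "__main__":
    for label, key in (("direct", SERVER_KEY), ("intercepted", MITM_KEY)):
        print(label, "| no check:", connect(HOST, key, KNOWN_HOSTS, verify=False))
        print(label, "| pinned:  ", connect(HOST, key, KNOWN_HOSTS))
```
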

 
 
 


Post by Jeremy Da » Sat, 12 Jan 2002 09:20:05


Email everyone who uses the system and give them a deadline to install
putty32, a free win32 ssh client.



> On Wed, 02 Jan 2002 22:17:47 +1000, in comp.os.linux.security, Luke


> :(SNIP)
> :Delete telnet from your machine

> Unfortunately, it is not an option. :-(

> :use ssh instead (protocol 2)

> I and most of the users already use SSH.

> Have a nice day,
> Pradeep

 
 
 

1. WHEEL group and root access

Pardon my inexperience with Sun, but what prevents a normal user with
the root password from simply logging in directly as root?  Or is "su"
the ONLY way to get root in SunOS?

I suppose the easiest way to prevent non-wheel members would be to
make /etc/securetty an empty file (assuming Slackware uses securetty
by default; Red Hat does), change the group owner of /bin/su to wheel,
and "chmod o-rwx /bin/su" to prevent anyone else from switching users.

What I would do if you have multiple people who need root access,
however, is give only one of them the "root" password, make another
username in /etc/passwd with uid 0 for each other root member, and let
each member set the password on his own root username.  The convention
I've seen is to just add a "z" to the end of their regular username.
That way you get more specific information in your logs about who is
doing what as root.
---
Roy Stogner
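
A read-only check of the three settings the post above describes (the contents of /etc/securetty, /bin/su limited to group wheel, and additional uid 0 accounts), given as an added example that is not part of the original post. The sample passwd and securetty contents and the account names in them are constructed.

```python
import grp
import os
import stat

def uid0_accounts(passwd_text: str) -> list:
    """Every login name whose uid field is 0; each one is a root login."""
    names = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 7 and fields[2] == "0":
            names.append(fields[0])
    return names

def securetty_entries(securetty_text: str) -> list:
    """Terminals on which root may log in; an empty list means none."""
    lines = (l.strip() for l in securetty_text.splitlines())
    return [l for l in lines if l and not l.startswith("#")]

def file_group(path: str) -> str:
    """Group name owning the file, or the numeric gid if it has no name."""
    gid = os.stat(path).st_gid
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return str(gid)

def su_restricted(path: str, group: str = "wheel") -> bool:
    """True if the file belongs to `group` and 'other' has no permission bits."""
    mode = os.stat(path).st_mode
    return file_group(path) == group and (mode & stat.S_IRWXO) == 0

# Constructed sample data: "alicez" follows the trailing-"z" convention from the post.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:500:500::/home/alice:/bin/bash
alicez:x:0:0:alice as root:/root:/bin/bash
su-user:x:501:10::/home/su-user:/bin/bash
"""
SAMPLE_SECURETTY = "# no terminals listed\n"

if __name__ == "__main__":
    print("uid 0 accounts:", uid0_accounts(SAMPLE_PASSWD))
    print("root terminals:", securetty_entries(SAMPLE_SECURETTY))
    if os.path.exists("/bin/su"):
        print("/bin/su restricted to wheel:", su_restricted("/bin/su"))
```
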
