Deny rsh, tn, or rlogin

Is there a way to deny access to a specific remote login option?

example:
usera--deny telnet access but keep rsh and rlogin
userb--keeps telnet, rsh, and rlogin

I'm basically trying to control the access per service instead of changing the LOGIN REMOTELY (rsh, tn, rlogin) option to yes or no.

tcp_wrappers is what comes to mind. It is available via AIX standard media as well as via various download sites (I should probably repackage it myself).


Some quick links:
Using TCP Wrappers to control access

So, above - 1 from ibm developerworks, 4 from unix.com

Michael's suggestion is a good one. It should be pointed out, though, that using ANY of the mentioned protocols - rsh, telnet, rlogin, ... - is a severe security hazard and should be replaced by some securified protocol: ssh, scp, etc.

I hope this helps.

bakunin

Hi bro..

You must check the config file inetd.conf

or edit this: vi /etc/inetd.conf

and delete the telnet line or comment it out with #

To edit /etc/inetd.conf I would recommend using the command

# smitty otherserv

If you comment out the services, inet will not listen.

With AIX, it is not considered "best practice" to edit the files directly. Sometimes it cannot be helped (non-standard services, i.e. services not supplied on AIX media) - but yes, if you edit the file - comment or delete the entry you do not want THEN! run refresh -s inetd

Yes, each O/S may have niceties in how you properly remove services from listening. Usually, you deconfigure inetd but leave the services registered, in case a client wants to know the port to connect on another host.

If you have edited /etc/inetd.conf, you must restart the service.

# stopsrc -s inetd
# startsrc -s inetd

or: # refresh -s inetd

Best regards
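The "comment out the entry, then refresh inetd" procedure from the posts above, written out as an added shell example that is not from any poster in this thread. It works on a constructed sample copy of /etc/inetd.conf (the service names and daemon paths in the sample are assumed) so it runs anywhere; on a real AIX box the last step would be refresh -s inetd.

```shell
#!/bin/sh
# Added example: disable one inetd service by commenting out its line in a
# COPY of inetd.conf, then remind the admin to refresh inetd via the SRC.

INETD_CONF="${INETD_CONF:-./inetd.conf.sample}"

# Constructed sample of the relevant lines; the real file is /etc/inetd.conf.
write_sample_conf() {
    cat > "$INETD_CONF" <<'EOF'
ftp     stream  tcp6    nowait  root    /usr/sbin/ftpd      ftpd
telnet  stream  tcp6    nowait  root    /usr/sbin/telnetd   telnetd -a
shell   stream  tcp6    nowait  root    /usr/sbin/rshd      rshd
login   stream  tcp6    nowait  root    /usr/sbin/rlogind   rlogind
exec    stream  tcp6    nowait  root    /usr/sbin/rexecd    rexecd
EOF
}

# True if service $1 (first field of a line) is still active in the config.
service_enabled() {
    grep -q "^$1[[:space:]]" "$INETD_CONF"
}

# Comment out the entry for service $1 if it is active.
# Returns 0 when a line was changed, 1 when it was already disabled or absent.
disable_inetd_service() {
    svc="$1"
    service_enabled "$svc" || return 1
    # Keep a backup of the file before touching it.
    cp "$INETD_CONF" "$INETD_CONF.bak"
    # Prefix the matching line with '#'; '&' re-inserts the matched text.
    sed "s/^${svc}[[:space:]]/#&/" "$INETD_CONF.bak" > "$INETD_CONF"
    return 0
}

write_sample_conf
if disable_inetd_service telnet; then
    echo "telnet disabled in $INETD_CONF; on AIX now run: refresh -s inetd"
fi
```

The change only takes effect once inetd rereads its configuration, which on AIX is the refresh -s inetd step (or stopsrc/startsrc) described in the posts above.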

Yes, generally inetd and other classic daemons will reread their config if you send them the right signal with a kill, SIGHUP I think, and the refresh thing may be a wrapper for that.

As it is, things are a little bit more complicated in AIX: most of the system services are managed by an AIX-specific piece of software called the "System Resource Controller" (SRC). It supports signal communication too (so you are partly correct), but that is not its only function.

Most services ("inetd" included) are started with "startsrc", stopped with "stopsrc", etc. All these "*src" commands use the SRC frontend to control service processes controlled by the SRC. Here are the most important commands:

  • startsrc starts defined services
  • stopsrc stops running services
  • lssrc lists all defined services and if they are started or not
  • refresh restarts a service (really intuitively named, LOL)

For further information here is the link to IBM's documentation about the SRC.

I hope this helps.

bakunin

Yes, any daemon running under a master like the SRC in AIX has to be managed by that master. The SRC ensures it is restarted if it fails, but generally a well-written daemon like inetd does not.

Since we have delved so deeply into SRC, the missing commands are:

  • mkssys
  • chssys
  • rmssys

The mkssys command adds a new subsystem definition to the subsystem object class. The chssys command modifies an existing subsystem definition in the subsystem object class. The rmssys command removes an existing subsystem definition from the subsystem object class.

In short, you can add/modify/remove daemons to the SRC system.