Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: Restricting access to a machine by IP Address
Top Forums UNIX for Dummies Questions & Answers Restricting access to a machine by IP Address Post 41946 by hassan2 on Sunday 19th of October 2003 05:27:32 PM
Old 10-19-2003
solaris 9 come with tcpwrapper which you can use to restricte access to certain ip address.

To enable tcpwrapper edit /etc/inetd.conf or /etc/inet/inetd.conf
to restrict telnet access

Do the following:
change this

telnet stream tcp6 nowait root /usr/sbin/in.telnetd in.telnetd

to

telnet stream tcp6 nowait root /usr/local/bin/tcpd /usr/sbin/in.telnetd

then edit /etc/hosts.allow and put the entry

in.telnetd: x.x.x.x

also

edit /etc/hosts.deny and put the entry

ALL: ALL

You can also do the above to restrict ip access for ftp, rsync, rcp,ssh and so on

Note

x.x.x.x is the ip address you want to allow access, it can also be in form of x.x.0.0/255.255.0.0
 

10 More Discussions You Might Find Interesting

1. Cybersecurity

restricting access...

restricted access... Hi I need to restrict users shell access to only $HOME under /home for each user. I don't want them getting out of their own directories. From what I understand chroot is something I could use, but I want to avoid this since it involves creating symbolic links to a number... (9 Replies)
Discussion started by: alwayslearningunix
9 Replies

2. UNIX for Dummies Questions & Answers

Restricting access

I need to create a user that only has access to 1 directory (e.g. /vol/mita/test). The user needs to be able to rsh into that directory to run a script. The user should not be able to navigate to any other directories above /vol/mita/test. Any help would be appreciated! (4 Replies)
Discussion started by: ngagne
4 Replies

3. Solaris

restricting access

Hi All, I'm on Solaris 8, I need to provide Read-only access to a user to 2 directories only. Using rsh (restricted shell) as the user's login shell, I can restrict the user's access to a certain directory only, but how can I set in such a way that the user can access only the 2 directories... (4 Replies)
Discussion started by: max_min
4 Replies

4. UNIX for Advanced & Expert Users

restricting root access

I'm the admin in a shop in which my developers have and use the root account, all UNIX newbies. I've been unable to convince management myself that this is an unacceptable practice. I've looked in a couple books I have and can't find any chapters, discussions, etc that make the argument that... (2 Replies)
Discussion started by: keith.m
2 Replies

5. Solaris

restricting access to a server

We want to secure access to a server by restricting the number of users who can login to it. Our users are NIS users. Only few of them can telnet/ssh this server. Do you have any idea on how to implement that? thanks. (1 Reply)
Discussion started by: melanie_pfefer
1 Replies

6. UNIX for Dummies Questions & Answers

Setting permissions and restricting access

Hi all, I have user called "Z". The home directory is /home/Z. I have another directory /home/Z/OP. Within /home/Z/OP, i have 2 directories /home/Z/OP/OP1 and /home/Z/OP2. I want to restrict access for Z to only access /home/Z/OP and /home/Z/OP1 and /home/Z/OP2. What kind of... (4 Replies)
Discussion started by: new2ss
4 Replies

7. UNIX for Advanced & Expert Users

Restricting access to code

Hi All, I am facing a problem, regarding code security on a server. We have configured a server which contains our code (ear present in jboss/server/xyz/deploy) in it, and need to bind the code to the server itself so that no one can take the code out of the. the problem is that the password of... (3 Replies)
Discussion started by: akshay61286
3 Replies

8. Solaris

Restricting FTP access for a particular directory

Dear All, I have created a user called "x" who is allowed only to FTP and it is working fine. Here my problem is, I want to give access to a particular directory say for eg:- /dump/test directory. I don't find any option in the useradd command to restrict access to this particular directory only... (1 Reply)
Discussion started by: Vijayakumarpc
1 Replies

9. UNIX for Dummies Questions & Answers

Restricting SFTP access

Hello, I am using MySecureShell to chroot all sftp accesses. The problem that I have is that my boss does not want root to be able to use sftp. Root should still be able to ssh. Any ideas? (2 Replies)
Discussion started by: mojoman
2 Replies

10. Solaris

Restricting commands & access

Dear all, I am administering a DC environment of over 100+ Solaris servers used by various teams including Databases. Every user created on the node belonging to databases is assigned group staff(10) . I want that all users belonging to staff should NOT be able to execute certain system... (6 Replies)
Discussion started by: Junaid Subhani
6 Replies

LEARN ABOUT FREEBSD

faithd

FAITHD(8)						    BSD System Manager's Manual 						 FAITHD(8)

NAME

     faithd -- FAITH IPv6/v4 translator daemon

SYNOPSIS

     faithd [-dp] [-f configfile] service [serverpath [serverargs]]

DESCRIPTION

     The faithd utility provides IPv6-to-IPv4 TCP relaying.  It can only be used on an IPv4/v6 dual stack router.

     When faithd receives TCPv6 traffic, it will relay the TCPv6 traffic to TCPv4.  The destination for the relayed TCPv4 connection will be
     determined by the last 4 octets of the original IPv6 destination.	For example, if 3ffe:0501:4819:ffff:: is reserved for faithd, and the
     TCPv6 destination address is 3ffe:0501:4819:ffff::0a01:0101, the traffic will be relayed to IPv4 destination 10.1.1.1.

     To use the faithd translation service, an IPv6 address prefix must be reserved for mapping IPv4 addresses into.  The kernel must be properly
     configured to route all the TCP connections toward the reserved IPv6 address prefix into the faith(4) pseudo interface, using the route(8)
     command.  Also, sysctl(8) should be used to configure net.inet6.ip6.keepfaith to 1.

     The router must be configured to capture all the TCP traffic for the reserved IPv6 address prefix, by using route(8) and sysctl(8) commands.

     The faithd utility needs special name-to-address translation logic, so that hostnames get resolved into the special IPv6 address prefix.  For
     small-scale installations, use hosts(5); For large-scale installations, it is useful to have a DNS server with special address translation
     support.  An implementation called totd is available at http://www.vermicelli.pasta.cs.uit.no/software/totd.html.	Make sure you do not prop-
     agate translated DNS records over to normal DNS, as it can cause severe problems.

   Daemon mode
     When faithd is invoked as a standalone program, faithd will daemonize itself.  The faithd utility will listen to TCPv6 port service.  If
     TCPv6 traffic to port service is found, it relays the connection.

     Since faithd listens to TCP port service, it is not possible to run local TCP daemons for port service on the router, using inetd(8) or other
     standard mechanisms.  By specifying serverpath to faithd, you can run local daemons on the router.  The faithd utility will invoke a local
     daemon at serverpath if the destination address is a local interface address, and will perform translation to IPv4 TCP in other cases.  You
     can also specify serverargs for the arguments for the local daemon.

     The following options are available:

     -d      Debugging information will be generated using syslog(3).

     -f configfile
	     Specify a configuration file for access control.  See below.

     -p      Use privileged TCP port number as source port, for IPv4 TCP connection toward final destination.  For relaying ftp(1), this flag is
	     not necessary as special program code is supplied.

     The faithd utility will relay both normal and out-of-band TCP data.  It is capable of emulating TCP half close as well.  The faithd utility
     includes special support for protocols used by ftp(1).  When translating the FTP protocol, faithd translates network level addresses in
     PORT/LPRT/EPRT and PASV/LPSV/EPSV commands.

     Inactive sessions will be disconnected in 30 minutes, to prevent stale sessions from chewing up resources.  This may be inappropriate for
     some services (should this be configurable?).

   inetd mode
     When faithd is invoked via inetd(8), faithd will handle connections passed from standard input.  If the connection endpoint is in the
     reserved IPv6 address prefix, faithd will relay the connection.  Otherwise, faithd will invoke a service-specific daemon like telnetd(8), by
     using the command argument passed from inetd(8).

     The faithd utility determines operation mode by the local TCP port number, and enables special protocol handling whenever necessary/possible.
     For example, if faithd is invoked via inetd(8) on the FTP port, it will operate as an FTP relay.

     The operation mode requires special support for faithd in inetd(8).

   Access control
     To prevent malicious access, faithd implements simple address-based access control.  With /etc/faithd.conf (or configfile specified by -f),
     faithd will avoid relaying unwanted traffic.  The faithd.conf configuration file contains directives of the following format:

     o	 src/slen deny dst/dlen

	 If the source address of a query matches src/slen, and the translated destination address matches dst/dlen, deny the connection.

     o	 src/slen permit dst/dlen

	 If the source address of a query matches src/slen, and the translated destination address matches dst/dlen, permit the connection.

     The directives are evaluated in sequence, and the first matching entry will be effective.	If there is no match (if we reach the end of the
     ruleset) the traffic will be denied.

     With inetd mode, traffic may be filtered by using access control functionality in inetd(8).

EXIT STATUS

     The faithd utility exits with EXIT_SUCCESS (0) on success, and EXIT_FAILURE (1) on error.

EXAMPLES

     Before invoking faithd, the faith(4) interface has to be configured properly.

	   # sysctl net.inet6.ip6.accept_rtadv=0
	   # sysctl net.inet6.ip6.forwarding=1
	   # sysctl net.inet6.ip6.keepfaith=1
	   # ifconfig faith0 up
	   # route add -inet6 3ffe:501:4819:ffff:: -prefixlen 96 ::1
	   # route change -inet6 3ffe:501:4819:ffff:: -prefixlen 96 -ifp faith0

   Daemon mode samples
     To translate telnet service, and provide no local telnet service, invoke faithd as follows:

	   # faithd telnet

     If you would like to provide local telnet service via telnetd(8) on /usr/libexec/telnetd, use the following command line:

	   # faithd telnet /usr/libexec/telnetd telnetd

     If you would like to pass extra arguments to the local daemon:

	   # faithd ftp /usr/libexec/ftpd ftpd -l

     Here are some other examples.  You may need -p if the service checks the source port range.

	   # faithd ssh
	   # faithd telnet /usr/libexec/telnetd telnetd

   inetd mode samples
     Add the following lines into inetd.conf(5).  Syntax may vary depending upon your operating system.

	   telnet  stream  tcp6/faith  nowait  root  faithd  telnetd
	   ftp	   stream  tcp6/faith  nowait  root  faithd  ftpd -l
	   ssh	   stream  tcp6/faith  nowait  root  faithd  /usr/sbin/sshd -i

     inetd(8) will open listening sockets with kernel TCP relay support enabled.  Whenever a connection comes in, faithd will be invoked by
     inetd(8).	If the connection endpoint is in the reserved IPv6 address prefix.  The faithd utility will relay the connection.  Otherwise,
     faithd will invoke service-specific daemon like telnetd(8).

   Access control samples
     The following illustrates a simple faithd.conf setting.

	   # permit anyone from 3ffe:501:ffff::/48 to use the translator,
	   # to connect to the following IPv4 destinations:
	   # - any location except 10.0.0.0/8 and 127.0.0.0/8.
	   # Permit no other connections.
	   #
	   3ffe:501:ffff::/48 deny 10.0.0.0/8
	   3ffe:501:ffff::/48 deny 127.0.0.0/8
	   3ffe:501:ffff::/48 permit 0.0.0.0/0

SEE ALSO

     faith(4), route(8), sysctl(8)

     Jun-ichiro itojun Hagino and Kazu Yamamoto, "An IPv6-to-IPv4 transport relay translator", RFC3142, http://tools.ietf.org/html/rfc3142, June
     2001.

HISTORY

     The faithd utility first appeared in the WIDE Hydrangea IPv6 protocol stack kit.

     IPv6 and IPsec support based on the KAME Project (http://www.kame.net/) stack was initially integrated into FreeBSD 4.0.

SECURITY CONSIDERATIONS

     It is very insecure to use IP-address based authentication, for connections relayed by faithd, and any other TCP relaying services.

     Administrators are advised to limit accesses to faithd using faithd.conf, or by using IPv6 packet filters, to protect the faithd service from
     malicious parties, and to avoid theft of service/bandwidth.  IPv6 destination addresses can be limited by carefully configuring routing
     entries that point to faith(4), using route(8).  The IPv6 source address needs to be filtered using packet filters.  The documents listed in
     SEE ALSO have more information on this topic.

BSD
								  August 2, 2011							       BSD
All times are GMT -4. The time now is 09:59 AM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy