Not able to disable finger & telnet command in Solaris 8


 
Thread Tools Search this Thread
Operating Systems Solaris Not able to disable finger & telnet command in Solaris 8
# 1  
Old 11-01-2019
Not able to disable finger & telnet command in Solaris 8

Hi
I need to disable finger & telnet command in solaris 8

I have put the # infront of finger and telnet line in /etc/inetd.conf file. Further I have run the below command

Code:
kill -1 <process id of inetd >

But when I am running finger command it is till giving information for remote machine

--- Post updated at 10:56 AM ---

Just to add that it is showing details of user through which I am login to this server along with details of server thorugh which I login to this server.

For example:

If I currently login to host1 (Solaris 10) then login to host2 ( Solaris 8 where I am facing issue) through host1 then in finger command on host2, I am getting only local user detail through which I login to host2 along with host details

--- Post updated at 11:15 AM ---

As per my understanding we don't even need to run above kill command as finger command will only run when it is invoked through the command line as it happened when command got invoked due to that inetd command will reread the /etc/inetd.conf file and run the finger daemon and if I put the # in front of finger line in /etc/inetd.conf then it should not be invoked. But it is getting invoked. Further same thing is happring in Solaris 9 as well.

Please correct me if I am wrong

I need to disable finger command due to security reason.
# 2  
Old 11-01-2019
Just disable the daemon processes so they do not start when the system is booted.

Or, better yet, just remove or move the daemon executables so they cannot be executive from any scripts (because the name has been changed).

For example, if telnetd is located in /usr/bin just rename it to disabled_telnetd, kill the existing running process and you are done.

Of course, the most secure is to just remove those executables from the server altogether... End of story. Remove them, kill any running processes... system more secure Smilie

If you think you might need them again someday, move them to a backup server, or external disk or media and be happy.
# 3  
Old 11-01-2019
Quote:
Originally Posted by amity
[..]
As per my understanding we don't even need to run above kill command as finger command will only run when it is invoked through the command line as it happened when command got invoked due to that inetd command will reread the /etc/inetd.conf file and run the finger daemon and if I put the # in front of finger line in /etc/inetd.conf then it should not be invoked. But it is getting invoked. Further same thing is happring in Solaris 9 as well.
[..]
You need to restart or reload the inetd/xinetd process so that it reads the new inetd.conf or inetd.d files.. You can also give a kill -HUP to the inetd/xinetd process.
This User Gave Thanks to Scrutinizer For This Post:
# 4  
Old 11-01-2019
You certainly can use built in utilities like configuration files to disable executables.

But if you REALLY want to be secure (insure telnetd cannot run in the future, for example), just remove them from the server or just change the name (move them) to something like

Code:
mv telnetd disabled_by_amity_nov_2013_telnetd

That is what I do... and then they are easy to search for as well, if you need to find them.

I do this a lot on production web servers because malware cannot execute a file if it does not exist. For example, curl.

If you do this, for example:

Code:
mv curl to amity_curl

Then malware which uses curl to download backdoors, etc. cannot access curl since they have no idea you renamed it.

There are many simple things you can do to keep your system more secure than what is considered "traditional ways" to do things.

Anyway, YMMV, but this is what I do. But then again, I have manage public sites on the Internet for decades which are constantly under attack, 365 days a year, 24 hours a day.
This User Gave Thanks to Neo For This Post:
# 5  
Old 11-01-2019
Also, FYI.. on my servers:

Code:
ubuntu:/usr/bin# finger
-bash: /usr/bin/finger: Permission denied

ubuntu:/usr/bin# l finger
-r--r--r-- 1 root root 27104 Nov 11  2016 finger

etc etc....
# 6  
Old 11-01-2019
Just one more question if I run the below command , It will only reread the configuration file of inetd.conf only and will not restart inetd or its child process/daemon as this Production Environment


Code:
kill -1 <process id of inetd >

# 7  
Old 11-01-2019
I certainly agree about removing inherently insecure daemons/utilities altogether, preferably through configuration management tooling if there are many servers (I use ansible for Solaris) so that it stays removed.

I was merely responding to a part in post #1 to give the poster more insight into why inetd was not responding to the config file changes...
This User Gave Thanks to Scrutinizer For This Post:
Login or Register to Ask a Question

Previous Thread | Next Thread

10 More Discussions You Might Find Interesting

1. Shell Programming and Scripting

What is the use of "finger" command & how to use it to kill the online processes ?

Hi there, I am eager to know what exactly is the use of "finger" command & how to use it to kill the online processes ? :b: (1 Reply)
Discussion started by: abhijitpaul0212
1 Replies

2. Solaris

Solaris Finger Service Problem

I have been instructed to disable the finger service for our Solaris 10 box. However when I input #svcadm disable finger I receive: "svcadm: Pattern 'finger' does not match any instances. I have also tried to edit the inetd config file and comment out the finger part but Solaris has basically... (14 Replies)
Discussion started by: mvhoward
14 Replies

3. Solaris

Having problems with finger on Solaris 10

I have a bunch of Solaris systems and for the 8/9 systems, I can type "finger -s 2" to get a list of all users (whether they are logged in or not) and the last time they logged in. I have some new 10 systems and this command does not work. Does anybody know whether this was changed in Solaris 10?... (6 Replies)
Discussion started by: Muller
6 Replies

4. AIX

Allow telnet in AIX from specific IP adds, but disable for everyone else

I need to change the security on our AIX servers and disable telnet from all but certain IP addresses. I have hashed the telnet line in /etc/inetd.conf and added filter rules for those IP adds to allow access on port 23, but this didn't work. Does anyone have any ideas? Thanks. (2 Replies)
Discussion started by: Alps
2 Replies

5. Solaris

Disable telnet for a particular user

On Solaris 8 is there anyway to disable telnet for a particular user and not for entire system altogether? I would like the user to retain a shell and so creating a noshell like ftp account is not an option. (14 Replies)
Discussion started by: boshyd
14 Replies

6. Solaris

SSH enable, Telnet disable ...

Hi... How do I enable SSH and disable telnet.. Also - is there anything special I need to do to ensure that a new user can use ssh and su but not telnet? Adel (15 Replies)
Discussion started by: ArabOracle.com
15 Replies

7. Solaris

disable telnet on the startup

Hi All, I want to disable telnet on the startup of solaris 8-10 but still wants for a standby purposes. In case I need to troubleshoot ssh, I can connect thru telnet. Most solution on the internet is to permanently removed it. Best Regards, itik (5 Replies)
Discussion started by: itik
5 Replies

8. Solaris

Disable telnet timeout

Hi, Can someone help me how I can disable telnet timeout? I'm connecting remotely to some machines and after some time my telnet connection was closed. How can I disable this so that I'm always connected to those machines? Thanks! (2 Replies)
Discussion started by: ayhanne
2 Replies

9. Solaris

disable telnet on Solaris

All - would you please some one help me to disable telnet on Solaris? /etc/inetd.conf Thanks :confused: (11 Replies)
Discussion started by: March_2007
11 Replies

10. UNIX for Advanced & Expert Users

finger command

Hello all, Here is what I am trying to do. If a user exist, then send an echo "EXIST" or else "DOES NOT EXIST". (under HP-UX) Kind of: #!/usr/bin/sh USER=mylogin finger $USER if $? = 0 then echo "EXIST"" else echo "DOES NOT EXIST" fi (10 Replies)
Discussion started by: qfwfq
10 Replies
Login or Register to Ask a Question