Not able to disable finger & telnet command in Solaris 8
Hi
I need to disable finger & telnet command in Solaris 8
I have put the # in front of the finger and telnet lines in the /etc/inetd.conf file. Further, I have run the below command
But when I am running the finger command it is still giving information for the remote machine
--- Post updated at 10:56 AM ---
Just to add that it is showing details of the user through which I am logged in to this server along with details of the server through which I logged in to this server.
For example:
If I currently log in to host1 (Solaris 10) and then log in to host2 (Solaris 8, where I am facing the issue) through host1, then in the finger command on host2 I am getting only the local user detail through which I logged in to host2, along with host details
--- Post updated at 11:15 AM ---
As per my understanding we don't even need to run above kill command as finger command will only run when it is invoked through the command line as it happened when command got invoked due to that inetd command will reread the /etc/inetd.conf file and run the finger daemon and if I put the # in front of finger line in /etc/inetd.conf then it should not be invoked. But it is getting invoked. Further, the same thing is happening in Solaris 9 as well.
Please correct me if I am wrong
I need to disable finger command due to security reason.
Location: Asia Pacific, Cyberspace, in the Dark Dystopia
Posts: 19,118
Thanks Given: 2,351
Thanked 3,359 Times in 1,878 Posts
Just disable the daemon processes so they do not start when the system is booted.
Or, better yet, just remove or move the daemon executables so they cannot be executed from any scripts (because the name has been changed).
For example, if telnetd is located in /usr/bin just rename it to disabled_telnetd, kill the existing running process and you are done.
Of course, the most secure is to just remove those executables from the server altogether... End of story. Remove them, kill any running processes... system more secure
If you think you might need them again someday, move them to a backup server, or external disk or media and be happy.
[..]
As per my understanding we don't even need to run above kill command as finger command will only run when it is invoked through the command line as it happened when command got invoked due to that inetd command will reread the /etc/inetd.conf file and run the finger daemon and if I put the # in front of finger line in /etc/inetd.conf then it should not be invoked. But it is getting invoked. Further, the same thing is happening in Solaris 9 as well.
[..]
You need to restart or reload the inetd/xinetd process so that it reads the new inetd.conf or inetd.d files. You can also give a kill -HUP to the inetd/xinetd process.
This User Gave Thanks to Scrutinizer For This Post:
You certainly can use built in utilities like configuration files to disable executables.
But if you REALLY want to be secure (ensure telnetd cannot run in the future, for example), just remove them from the server or just change the name (move them) to something like
That is what I do... and then they are easy to search for as well, if you need to find them.
I do this a lot on production web servers because malware cannot execute a file if it does not exist. For example, curl.
If you do this, for example:
Then malware which uses curl to download backdoors, etc. cannot access curl since they have no idea you renamed it.
There are many simple things you can do to keep your system more secure than what is considered "traditional ways" to do things.
Anyway, YMMV, but this is what I do. But then again, I have managed public sites on the Internet for decades which are constantly under attack, 365 days a year, 24 hours a day.
Just one more question: if I run the below command, it will only reread the configuration file inetd.conf and will not restart inetd or its child processes/daemons, as this is a Production Environment?
I certainly agree about removing inherently insecure daemons/utilities altogether, preferably through configuration management tooling if there are many servers (I use ansible for Solaris) so that it stays removed.
I was merely responding to a part in post #1 to give the poster more insight into why inetd was not responding to the config file changes...
This User Gave Thanks to Scrutinizer For This Post:
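The procedure discussed in this thread (comment out the finger and telnet entries in inetd.conf, then have inetd reread the file), as an added example that is not from any of the posters. The function names and the sample entries are constructed, and the edit runs on a scratch copy rather than on /etc/inetd.conf.

```shell
#!/bin/sh
# Added example. Sample inetd.conf entries below are constructed.
# On Solaris 8 substitute nawk for awk (assumption: stock awk lacks -v).

# List service names that are still active (uncommented) in an inetd.conf.
active_services() {
    awk '!/^[ \t]*#/ && NF { print $1 }' "$1" | sort -u
}

# Comment out every active entry for the named services, keeping a .bak copy.
disable_services() {
    conf=$1; shift
    tmp="$conf.tmp.$$"
    cp -p "$conf" "$conf.bak" || return 1
    awk -v list="$*" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        !/^[ \t]*#/ && ($1 in want) { print "#" $0; next }
        { print }
    ' "$conf" > "$tmp" && cat "$tmp" > "$conf" && rm -f "$tmp"
    # cat (not mv) keeps the original file's owner and mode.
}

# Run the edit on a scratch copy and print what is still enabled afterwards.
demo() {
    dir="${TMPDIR:-/tmp}/inetd_demo.$$"
    mkdir "$dir" || return 1
    cat > "$dir/inetd.conf" <<'EOF'
# constructed sample entries
ftp     stream  tcp  nowait  root    /usr/sbin/in.ftpd     in.ftpd
telnet  stream  tcp  nowait  root    /usr/sbin/in.telnetd  in.telnetd
finger  stream  tcp  nowait  nobody  /usr/sbin/in.fingerd  in.fingerd
#shell  stream  tcp  nowait  root    /usr/sbin/in.rshd     in.rshd
EOF
    disable_services "$dir/inetd.conf" finger telnet
    active_services "$dir/inetd.conf"
    rm -rf "$dir"
}

demo
# On the real host, after editing /etc/inetd.conf, signal the running inetd
# as described in the thread:  kill -HUP <pid of inetd>
# The edit alone changes nothing until inetd rereads the file.
```

inetd.conf only governs the daemons that inetd starts for incoming connections; the finger client program typed at a local shell is a separate executable and is not affected by these entries.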
I have been instructed to disable the finger service for our Solaris 10 box. However when I input #svcadm disable finger I receive: "svcadm: Pattern 'finger' does not match any instances. I have also tried to edit the inetd config file and comment out the finger part but Solaris has basically... (14 Replies)
I have a bunch of Solaris systems and for the 8/9 systems, I can type "finger -s 2" to get a list of all users (whether they are logged in or not) and the last time they logged in. I have some new 10 systems and this command does not work. Does anybody know whether this was changed in Solaris 10?... (6 Replies)
I need to change the security on our AIX servers and disable telnet from all but certain IP addresses.
I have hashed the telnet line in /etc/inetd.conf and added filter rules for those IP adds to allow access on port 23, but this didn't work.
Does anyone have any ideas?
Thanks. (2 Replies)
On Solaris 8 is there anyway to disable telnet for a particular user and not for entire system altogether?
I would like the user to retain a shell and so creating a noshell like ftp account is not an option. (14 Replies)
Hi...
How do I enable SSH and disable telnet..
Also - is there anything special I need to do to ensure that a new user can use ssh and su but not telnet?
Adel (15 Replies)
Hi All,
I want to disable telnet on the startup of solaris 8-10 but still wants for a standby purposes. In case I need to troubleshoot ssh, I can connect thru telnet.
Most solution on the internet is to permanently removed it.
Best Regards,
itik (5 Replies)
Hi,
Can someone help me how I can disable telnet timeout? I'm connecting remotely to some machines and after some time my telnet connection was closed. How can I disable this so that I'm always connected to those machines? Thanks! (2 Replies)
Hello all,
Here is what I am trying to do. If a user exist, then send an echo "EXIST" or else "DOES NOT EXIST". (under HP-UX)
Kind of:
#!/usr/bin/sh
USER=mylogin
finger $USER
if $? = 0
then
echo "EXIST""
else
echo "DOES NOT EXIST"
fi (10 Replies)