
Obtaining a Telnet Client's IP Address


Massis Isagholian
Dec 2, 1996

I need to determine a telnet client's IP address.

I understand that I can obtain the IP address of a client during and after
establishing a network connection. However, the situation that I have is
as follows. Users log-in to a UNIX server via Telnet and run an
application on the server. The application needs to capture and log the
client's (Telnet user) IP address.

Given this scenario, I need a function/system call to query the OS or the
terminal communication abstraction layer for the client's (Telnet user) IP
address. Similar functionality exists in the UNIX "who" command. For
example:

$ who
opstxn tty0 Nov 30 14:16
imassis pts/1 Nov 30 14:52 (sas342.usc.edu)
opsdh pts/2 Nov 30 08:42 (ais-a)
$

I would appreciate any help that you may be able to provide. Please
respond to isag...@usc.edu.

Thanks in advance.

--------------------------------------------------------------
Massis Isagholian
University of Southern California
Los Angeles
isag...@usc.edu
--------------------------------------------------------------

Stanley C. Wood
Dec 9, 1996

In article <01bbe007$b5a7b340$3a667d80@sas-342>,
Massis Isagholian <isag...@usc.edu> wrote:
>Given this scenario, I need a function/system call to query the OS or the
>terminal communication abstraction layer for the client's (Telnet user) IP
>address. Similar functionality exists in the UNIX "who" command. For
>example:

You can get most of the information you're looking for from the /etc/utmp
file. Do a man "utmp" for more details. I once had a shell script which
ran the "tty" command and then grepped through the output of who to find
the hostname. It wasn't bulletproof but it worked pretty well.

The problem that you're likely to run into is that the IP names of the
systems are truncated to 15 characters in the utmp file. I haven't ever
seen a better way to get this information and I'd be interested to know
if there is an easier or more reliable method.

Good Luck!
Stanley Wood


sw...@tamu.edu

LAIX Software Consulting
Dec 9, 1996
to isag...@usc.edu

Since "who" appears to have the information that you're looking for,
try dump -Tv /usr/bin/who and see what kernel system calls who is
making... If any of them are documented, you can include whatever who
is doing within your code.

Regards,
Paul L.


J. F. Haugh wrote:
> >Given this scenario, I need a function/system call to query the OS or the
> >terminal communication abstraction layer for the client's (Telnet user) IP
> >address. Similar functionality exists in the UNIX "who" command. For
> >example:
> >
> >$ who
> >opstxn tty0 Nov 30 14:16
> >imassis pts/1 Nov 30 14:52 (sas342.usc.edu)
> >opsdh pts/2 Nov 30 08:42 (ais-a)
> >$
>
> "who" has this information because either telnetd or tsm put it
> there.
>
> >I would appreciate any help that you may be able to provide. Please
> >respond to isag...@usc.edu.
>
> You posted to the net, so I responded here.
> --
> Julianne Frances Haugh RS/6000 Division, IBM/Austin, Texas
> AIX Security Development Bldg 905/2F002, 512-823-8817 (Tie 793)
>
> Disclaimer: Opinions expressed are those of the author, not IBM.

Vic Abell
Dec 10, 1996

j...@austin.ibm.com (J. F. Haugh) writes:

>In article <01bbe007$b5a7b340$3a667d80@sas-342>,
>Massis Isagholian <isag...@usc.edu> wrote:

>>I need to determine a telnet client's IP address.

>>...

>The only way that I can think of doing this is to find the telnetd
>process and then use some tool such as lsof to locate the remote side
>of the network connection.

Yes, lsof can be asked to do this. There are some examples of how
to do it in the lsof distribution's 00QUICKSTART file.

Using lsof's -F output and a Perl script it's possible to automate
the lookup. One needs to locate the telnetd process whose /dev/ptc/*
file's last component (minor device of the /dev/ptc clone instance)
matches the last element of /dev/pts/* for the process in question.
(This is an AIX 4.1.4 description -- earlier versions of AIX do this
in a slightly different fashion, but I don't have access to any for
creating an example.)

Here's an example, using discrete commands:

1. Locate the /dev/pts/* file:

cloud: 3 = tty
/dev/pts/10

2. Locate the telnetd process using /dev/ptc/10:

cloud: 12 = lsof -ctelnetd | grep /dev/ptc/10
telnetd 22290 root 3u VCHR 25, 10 0t8735 103 /dev/ptc/10

3. List the telnetd's FD 0:

cloud: 28 = lsof -p22290 -ad0
COMMAND PID USER FD TYPE DEVICE SIZE/OFF INODE NAME
telnetd 22290 root 0u inet 0x05a0e900 0t25877 TCP cloud.cc.purdue.edu:telnet->vic.cc.purdue.edu:3118

(Lsof would be able to search for /dev/ptc/10 if there were such
a file in /dev under AIX 4.1.4. Unfortunately, /dev/ptc is a
clone device, lsof recognizes it specially, and manufactures
the trailing path component from the minor device number of
the particular clone instance.)

From this I think it's pretty clear how Perl could be used to do
this job in one pass. Given the /dev/pts/* file name, it could be
asked to read all telnetd process output (perhaps restricted to
FD's 0 and 3), looking for the matching /dev/ptc/* name, saving the
FD 0 network addresses as it searched.

I suppose you could even extract the C code from lsof that does
this work and stuff it in a special function, but it wouldn't be
nearly as easy as Perl. :-)

Lsof is available in a source distribution via anonymous ftp from
vic.cc.purdue.edu. Look in pub/tools/unix/lsof.

Vic Abell <abe@purdue>
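The three lsof steps above folded into one pass, as an added example (not code from the thread or from lsof's 00QUICKSTART), in C rather than the Perl Vic suggests. It assumes lsof was run as `lsof -c telnetd -F pcfPn`, i.e. lsof's field-output format where a process record is a `p` line and a `c` line and each open file is an `f` line followed by `P` (sockets only) and `n` lines. The input is a constructed sample built from the pid, device and addresses in the post plus one invented second telnetd, so the program runs offline; the /dev/pts/N to /dev/ptc/N mapping is the AIX 4.1.4 convention the post describes and is assumed here, not derived from a header.

```c
/* ptc_peer.c: match a login pty to its telnetd and that telnetd's socket.
 * Added example, not from the thread or the lsof distribution. Assumes
 * output of:  lsof -c telnetd -F pcfPn
 * Sample input is constructed from the numbers in the post. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAXLINE 256

/* Constructed sample: the post's telnetd (pid 22290 on /dev/ptc/10) plus
 * an invented second telnetd on /dev/ptc/11 so the match is not trivial. */
static const char sample[] =
    "p22290\nctelnetd\n"
    "f0\nPTCP\nncloud.cc.purdue.edu:telnet->vic.cc.purdue.edu:3118\n"
    "f3\nn/dev/ptc/10\n"
    "p22417\nctelnetd\n"
    "f0\nPTCP\nncloud.cc.purdue.edu:telnet->10.0.0.7:1045\n"
    "f3\nn/dev/ptc/11\n";

/* /dev/pts/10 (what tty(1) prints in the login shell) -> /dev/ptc/10, the
 * clone-instance name lsof manufactures for telnetd's side on AIX 4.1. */
int pts_to_ptc(const char *pts, char *out, size_t outsz)
{
    const char *pfx = "/dev/pts/";
    if (strncmp(pts, pfx, strlen(pfx)) != 0 || pts[strlen(pfx)] == '\0')
        return -1;
    return snprintf(out, outsz, "/dev/ptc/%s", pts + strlen(pfx)) < (int)outsz ? 0 : -1;
}

/* Walk the lsof records; for the process that has `ptc` open, copy the name
 * of its FD 0 (telnetd's socket, "local->remote") into `peer`. Returns that
 * pid, or 0 if nothing matched. FD 0 may come before or after the ptc. */
long find_peer(const char *lsof_out, const char *ptc, char *peer, size_t peersz)
{
    long pid = 0, fd = -1;
    int matched = 0;
    char fd0[MAXLINE] = "";
    const char *p = lsof_out;

    for (;;) {
        char line[MAXLINE];
        size_t len = strcspn(p, "\n"), n = len;
        int eof = (*p == '\0');

        if (n >= sizeof line) n = sizeof line - 1;
        memcpy(line, p, n);
        line[n] = '\0';

        /* A "p" line (or EOF) closes the previous process: decide on it. */
        if (eof || line[0] == 'p') {
            if (matched && fd0[0] != '\0') {
                snprintf(peer, peersz, "%s", fd0);
                return pid;
            }
            if (eof) return 0;
            pid = strtol(line + 1, NULL, 10);
            fd = -1; matched = 0; fd0[0] = '\0';
        } else if (line[0] == 'f') {
            /* "f" can also be cwd/txt/mem: only a digit marks a real FD. */
            fd = (line[1] >= '0' && line[1] <= '9') ? strtol(line + 1, NULL, 10) : -1;
        } else if (line[0] == 'n') {
            if (fd == 0) snprintf(fd0, sizeof fd0, "%s", line + 1);
            if (strcmp(line + 1, ptc) == 0) matched = 1;
        }
        p += len;
        if (*p == '\n') p++;
    }
}

/* The client is the half after "->"; NULL if this is not a connected socket. */
const char *remote_half(const char *peer)
{
    const char *arrow = strstr(peer, "->");
    return arrow ? arrow + 2 : NULL;
}

int main(void)
{
    char ptc[MAXLINE], peer[MAXLINE];
    long pid;

    /* Real use: pts_to_ptc(ttyname(0), ...) and popen("lsof ...") in place
     * of the constructed sample. */
    pts_to_ptc("/dev/pts/10", ptc, sizeof ptc);
    pid = find_peer(sample, ptc, peer, sizeof peer);
    if (pid == 0) {
        printf("no telnetd has %s open\n", ptc);
        return 1;
    }
    printf("telnetd %ld serves %s; client is %s\n", pid, ptc, remote_half(peer));
    return 0;
}
```

Two things worth noting for anyone doing this for real: seeing another user's telnetd file table needs root (or whatever privilege the local lsof is installed with), and the address after `->` is the kernel's own view of the TCP peer, so unlike ut_host it is a numeric address that no reverse-DNS answer can dress up.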

Andrew Gierth
Dec 10, 1996

>>>>> "LAIX" == LAIX Software Consulting <laix...@flash.net> writes:

> J. F. Haugh wrote:
>>
>> >$ who
>> >opstxn tty0 Nov 30 14:16
>> >imassis pts/1 Nov 30 14:52 (sas342.usc.edu)
>> >opsdh pts/2 Nov 30 08:42 (ais-a)
>> >$
>>
>> "who" has this information because either telnetd or tsm put it
>> there.

Precisely; and the 'where' and 'how' are documented, if you look in the
right place; look up getutent() and the utmp structure.

LAIX> Since "who" appears to have the information that you're looking for,
LAIX> try dump -Tv /usr/bin/who and see what kernel system calls who is
LAIX> making... If any of them are documented, you can include whatever who
LAIX> is doing within your code.

Well, you'll probably see it reading /etc/utmp, but using the getut???()
calls is easier.

--
Andrew Gierth (and...@microlise.co.uk)

"Ceterum censeo Microsoftam delendam esse" ("Furthermore, I think Microsoft must be destroyed") - Alain Knaff in nanam
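The lookup Stanley Wood scripted with tty and who, done instead with the getut*() calls Andrew Gierth points at. This is an added example, not code from the thread; it is written against glibc's <utmp.h> (ut_line, ut_host, getutline()), and the 16-byte AIX ut_host width it refers to comes from the posts, not from a header. Build with `cc -o utmp_host utmp_host.c` and run it from a login shell.

```c
/* utmp_host.c: the remote host recorded in utmp for the calling tty.
 * Added example; not code from the thread. Written against glibc's
 * <utmp.h>; AIX's 16-byte ut_host is referred to only in comments. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <utmp.h>

/* who(1) prints "pts/1" while ttyname(0) gives "/dev/pts/1"; utmp's
 * ut_line holds the name with the leading /dev/ elided. */
const char *strip_dev(const char *path)
{
    const char *pfx = "/dev/";
    return strncmp(path, pfx, strlen(pfx)) == 0 ? path + strlen(pfx) : path;
}

/* Length of a fixed-width utmp field, which need not be NUL-terminated. */
static size_t fieldlen(const char *field, size_t fieldsz)
{
    size_t n = 0;
    while (n < fieldsz && field[n] != '\0')
        n++;
    return n;
}

/* A field with no terminating NUL is completely full, the signature of the
 * truncation the thread complains about: with AIX's 16-byte ut_host any
 * host name longer than 15 characters is cut, so such a value cannot be
 * trusted to be the complete name. */
int field_is_full(const char *field, size_t fieldsz)
{
    return fieldlen(field, fieldsz) == fieldsz;
}

/* Find the utmp record for `line` ("pts/1" or "/dev/pts/1") and copy its
 * ut_host, NUL-terminated, into `host`. Returns 1 if found with a complete
 * host name, 2 if found but the field was full (possibly truncated),
 * 0 if there is no record. */
int utmp_host_for_line(const char *line, char *host, size_t hostsz)
{
    struct utmp key, *ut;
    const char *name = strip_dev(line);
    size_t n = strlen(name);
    int rc = 0;

    memset(&key, 0, sizeof key);
    if (n > sizeof key.ut_line)
        n = sizeof key.ut_line;
    memcpy(key.ut_line, name, n);

    setutent();
    /* getutline() returns the LOGIN_PROCESS/USER_PROCESS entry for ut_line */
    ut = getutline(&key);
    if (ut != NULL) {
        size_t len = fieldlen(ut->ut_host, sizeof ut->ut_host);
        if (len >= hostsz)
            len = hostsz - 1;
        memcpy(host, ut->ut_host, len);
        host[len] = '\0';
        rc = field_is_full(ut->ut_host, sizeof ut->ut_host) ? 2 : 1;
    }
    endutent();
    return rc;
}

int main(void)
{
    const char *tty = ttyname(STDIN_FILENO);
    char host[257];
    int rc;

    if (tty == NULL) {
        fprintf(stderr, "stdin is not a terminal\n");
        return 1;
    }
    rc = utmp_host_for_line(tty, host, sizeof host);
    if (rc == 0) {
        fprintf(stderr, "no utmp record for %s\n", strip_dev(tty));
        return 1;
    }
    printf("%s logged in from \"%s\"%s\n", strip_dev(tty), host,
           rc == 2 ? " (field full: name may be truncated)" : "");
    return 0;
}
```

Two caveats for anyone logging this value. ut_host is whatever telnetd wrote, and telnetd writes the result of a reverse lookup on the client's address; the operator of the client's network controls that answer, so an audit log should carry the numeric address (or a forward-confirmed name), not the bare ut_host string. And on glibc the field is 256 bytes and the record also carries ut_addr_v6, so the 15-character truncation discussed in this thread is an AIX 3.2/4.1 problem; the full-field check still costs nothing on any system with a short field.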

Andrew Gierth
Dec 11, 1996

OK, so in my previous answers in this thread I was overlooking one thing:
although AIX 3.2.5 has a ut_host field in utmp, it has no ut_addr field
(all the other Unixes I've used have had both these fields, or neither).

Is this fixed in 4.x, or not? If not, why not?

Valdis Kletnieks
Dec 13, 1996

In article <01bbe007$b5a7b340$3a667d80@sas-342>,
Massis Isagholian <isag...@usc.edu> wrote:
>Given this scenario, I need a function/system call to query the OS or the
>terminal communication abstraction layer for the client's (Telnet user) IP
>address. Similar functionality exists in the UNIX "who" command. For
>example:

Well, for starters, you should be running the "TCP Wrappers" software
*anyhow* (if for no other reason than to add logging of who is
contacting you). You can get a copy from ftp://ft.cert.org/pub/tools,
I believe.

Once you have that installed, you can probably have it do something to
cut an audit record of which hostname it is, if it's coming in via
telnet.

Actually, for most systems, probably just matching up the 'connect'
time from the telnetd and the login time from the utmp should be
sufficient for auditing purposes.

I missed the original posting, but I suspect that tcp_wrapper's
"twist" functionality may be able to accomplish what was intended (I
once used the "twist" function to create a jump-startable X
application when allowing rsh wasn't an option - basically, if the
user telnet'ed to port 19584 or some such, it hit the tcp_wrapper,
which first did the source address checking (so not all the world
could do it to us), then invoked a shell script that used the source
address to build a "DISPLAY=source.addr:0.0 canned_X11_proggie &"
command. Then it ran the "real" listener for the port, which instead
of being a telnetd or similar, was just a symlink to /bin/true ;)

--
Valdis Kletnieks
Computer Systems Engineer
Virginia Tech

Helmut Springer
Dec 14, 1996

Valdis Kletnieks (val...@black-ice.cc.vt.edu) wrote in comp.unix.aix:

> I missed the original posting, but I suspect that tcp_wrapper's
> "twist" functionality may be able to accomplish what was intended (I
No, since he wants to go on with the normal telnetd for login.
Setting environment variables through tcp_wrappers doesn't help since
telnetd (or login) clears its environment for security reasons.

I think IBM should implement an environment variable REMOTEIP or
something like that, set by login and usable in the shell.

regards
delta

--
helmut 'delta' springer Unix/Net Consulting, InfoSystems, StudBox
de...@RUS.Uni-Stuttgart.DE Stuttgart University, FRG
http://home.pages.de/~delta/
phone : +49 711 685-2003 "Freedom's just another word for
FAX : +49 711 685-2043 nothing left to lose" Kris Kristofferson

Andrew Gierth
Dec 16, 1996

>>>>> "J" == J F Haugh <j...@austin.ibm.com> writes:

> Andrew Gierth <and...@microlise.co.uk> wrote:
>> OK, so in my previous answers in this thread I was overlooking one thing:
>> although AIX 3.2.5 has a ut_host field in utmp, it has no ut_addr field
>> (all the other Unixes I've used have had both these fields, or neither).
>>
>> Is this fixed in 4.x, or not? If not, why not?

J> I have never heard of this field (doesn't mean anything ;-), so I suspect
J> it is not quite that widely used yet.

It exists in HP-UX 9 and 10, at least.

Think about it: FQDNs can get pretty long, so storing the raw IP address
is the best way guaranteed not to cause loss of information. Either that, or
you need to increase ut_host to at least 257 bytes.

There is a compatible fix; change telnetd to set ut_host to the IP address
rather than the hostname, if the hostname is longer than 16 characters.
(16 is always enough for a numeric dotted-quad for IPv4; of course, IPv6
would break that again.)

If this issue was important to me, I would try two approaches; one would
be to deliberately break telnetd's ability to reverse-lookup the client's
address, forcing it to store the raw IP in ut_host; alternatively, try
wrapping telnetd using a similar approach to tcp_wrapper, but plant the
client's IP in the protected environment or somewhere equally obscure
(as someone else has noted, you can't pass normal env. vars from such a
wrapper to the user process; I believe, though I am not certain, that you
*can* use the protected environment for this).
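The "compatible fix" from the post, as an added example (not from the thread or from any telnetd): store the host name when it fits in a 16-byte ut_host, fall back to the numeric address otherwise, and on the consumer side tell a stored name from a stored literal with inet_pton(). The 16-byte width is AIX's as stated in the thread and is a constant here, not a sizeof of a real struct field; the host names are taken from the thread's who output and the post, the addresses are constructed.

```c
/* ut_host_policy.c: prefer the name, fall back to the address when the
 * name will not fit, and detect which one a reader got. Added example,
 * not from the thread or any telnetd. Addresses are constructed. */
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

#define UT_HOST_AIX 16   /* AIX width per the thread: 15 characters plus NUL */

/* Returns 0 when the host name was stored, 1 when the numeric address was
 * stored instead, -1 when even the address does not fit (an IPv6 literal
 * in a 16-byte field, the case the post warns about). */
int choose_ut_host(const char *hostname, const char *addr, char *out, size_t fieldsz)
{
    if (hostname != NULL && strlen(hostname) < fieldsz) {
        snprintf(out, fieldsz, "%s", hostname);
        return 0;
    }
    if (addr != NULL && strlen(addr) < fieldsz) {
        snprintf(out, fieldsz, "%s", addr);
        return 1;
    }
    out[0] = '\0';
    return -1;
}

/* Consumer side: an application reading ut_host must know whether it holds
 * a name or a literal. inet_pton() accepts exactly the literals. */
int ut_host_is_literal(const char *host)
{
    unsigned char buf[16];
    return inet_pton(AF_INET, host, buf) == 1 || inet_pton(AF_INET6, host, buf) == 1;
}

int main(void)
{
    /* Names from the thread; every address below is constructed. */
    struct { const char *name, *addr; } clients[] = {
        { "ais-a",                "10.1.1.5" },
        { "sas342.usc.edu",       "10.1.2.3" },             /* 14 chars: fits */
        { "cloud.cc.purdue.edu",  "10.2.3.4" },             /* 19 chars: literal */
        { "longhostname.example", "255.255.255.255" },      /* longest IPv4 literal */
        { "v6host.example.net",   "2001:db8:0:0:0:0:0:1" }, /* neither fits */
    };
    char host[UT_HOST_AIX];
    size_t i;

    for (i = 0; i < sizeof clients / sizeof clients[0]; i++) {
        int rc = choose_ut_host(clients[i].name, clients[i].addr, host, sizeof host);
        printf("%-21s -> \"%s\" (%s)\n", clients[i].name, host,
               rc == 0 ? "name" : rc == 1 ? "literal" : "does not fit");
    }
    return 0;
}
```

The IPv6 row is the point of the post's last parenthesis: once the address itself can exceed 15 characters the policy has nowhere left to go, which is why a separate binary ut_addr field, rather than a wider ut_host, is the durable answer.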

Mathew A. Hennessy
Dec 16, 1996

Why not just use TCPWrappers and be done with it? ;)

--
- Matt (henn...@thoughtcrime.com)
My mildly useful page: http://www.cloud9.net/~hennessy

Ole Holm Nielsen
Dec 17, 1996

In article <01bbe007$b5a7b340$3a667d80@sas-342>,
Massis Isagholian <isag...@usc.edu> wrote:
>I need to determine a telnet client's IP address.
>
>I understand that I can obtain the IP address of a client during and after
>establishing a network connection. However, the situation that I have is
>as follows. Users log-in to a UNIX server via Telnet and run an
>application on the server. The application needs to capture and log the
>client's (Telnet user) IP address.

This is easy: Install the TCP-wrapper security software (you should
do that anyhow !) and look in the log-files. It's all there, also
for rlogin, rsh, ... connections.

Get Wietse Venema's TCP-wrapper software at:

ftp.win.tue.nl:/pub/security/tcp_wrappers_7.4.tar.gz

With best regards,

Ole H. Nielsen
Department of Physics, Building 307
Technical University of Denmark, DK-2800 Lyngby, Denmark
E-mail: Ole.H....@fysik.dtu.dk
WWW URL: http://www.fysik.dtu.dk/persons/ohnielse.html
Telephone: (+45) 45 25 31 87
Telefax: (+45) 45 93 23 99

Paul Buder
Dec 17, 1996

>In article <01bbe007$b5a7b340$3a667d80@sas-342>,
>Massis Isagholian <isag...@usc.edu> wrote:
>>I need to determine a telnet client's IP address.
>>

I got a copy of a program some time ago that queries the kernel for
the information. It is available at
ftp://ftp.teleport.com/users/paulb/aix/hostwhence.txt


Andrew Gierth
Dec 18, 1996

>>>>> "Julianne" == Julianne F Haugh <j...@austin.ibm.com> writes:

Julianne> The problem with using the protected environment is that it
Julianne> is =small= and fairly full already. There are only 64
Julianne> bytes in the uinfo_t structure.

Er, so that means (according to my calculations) that it is *already* full
if the tty name is longer than 12 characters? Isn't this a problem?

(ut_line is also 12 bytes, but that's *after* an initial /dev/ has been
elided.)

Andrew Gierth
Dec 18, 1996

>>>>> "Julianne" == Julianne F Haugh <j...@austin.ibm.com> writes:

Julianne> The problem with using the protected environment is that it
Julianne> is =small= and fairly full already. There are only 64
Julianne> bytes in the uinfo_t structure.

>> Er, so that means (according to my calculations) that it is *already* full
>> if the tty name is longer than 12 characters? Isn't this a problem?

Julianne> TTY names SHOULD NOT get to be more than 12 characters in
Julianne> length. I think the longest you can have (realistically)
Julianne> is pts/#####, or about 9 characters.

At least on 3.2.5, the TTY= setting in the protected environment contains
the full name of the device, i.e. /dev/pts/nnn, which would obviously break
if you had 1000 or more simultaneous network logins.

(I've never had to deal with a system that size, so I don't know if anything
else would break first.)
