I am trying to secure my webserver.
How do I set telnet to accept only one ip address?
The words 'secure' and 'telnet' are seldom used in the same sentance unless its to say "using telnet you shaft any chance of setting up a secure server" ;)
You could restrict access using a firewall to filter the telnet port but I'd advise you to install SSH. The problem with telnet is that it doesn't encrypt your password or the data it sends. Also IP addresses can be spoofed so I wouldn't rely on them for any kind of authentication/access control unless you have to. Check out http://www.openssh.org
I forgot to mention that I am using Tera Term SSH to log into the box.
Sounds a bit better!
It you can't find the option in the software itself then use ipchains/iptables to only accept connections originating from your wanted IP address on the SSH port.
Forgive me for my lack of knowledge...
I have secured access to ftp by entering a select group of ip addresses into the /etc/ftpaccess file.
I don't know have to do ipchains/iptables.
Is Tera Term SSH loaded on the webbox too or is there a file like /etc/ftpaccess that I can edit that would only allow my ip address to access via TeraTerm?
Using an SSH client doesn't do any good (most SSH clients support Telnet too) unless you turn off the telnet daemon on the server. Then install SSH on the server to replace it.
Telnet is loaded from inetd on many Linux distros, so check the file /etc/inetd.conf for the telnet daemon.
You can get SSH from http://www.openssh.org
This occurs on the linux server with SSHD running:
# iptables -P INPUT REJECT
# iptables -A INPUT -p tcp -s <the IP you want allowed> --dport 22 -j ACCEPT
Now I've had trouble when setting the default policy to REJECT, so I just do:
# iptables -A INPUT -p tcp -s <ditto> --dport 22 -j ACCEPT
# iptables -A INPUT -p tcp -j REJECT
Bear in mind that this will drop EVERY tcp packet except those designated at port 22(sshd) and from the specified IP address. If you want FTP access or any other service just mirror the above rules and change the dport to whichever port you want. Do this BEFORE the reject line if you use the 2nd method
Hope this helps,
ok, I found some answers in my RedHat Server Book...
I have created two files:
In the deny file I wrote:
ALL : ALL
In the allow file I wrote:
ALL : <my ip address>
The problem is that /etc/initd.conf will read these files and this will block ftp and email to all others exept me.
How do I exclude ftp and email from deny and allow?
[Edited by 360 on 06-15-2001 at 12:12 AM]
i'm a newbie myself,but i've done this recently..
if you want to let others use FTP and email but not telnet, just replace in allow file:
in.ftpd : <ip addresses of those allowed to ftp>
in.telnetd : <your ip address>
popper : <ip addresses>
that is..if you use popper as your email daemon (i do)..it might be ipop3d or something else,kay?You can check that in /etc/inetd.conf file.Just replace that in the place of popper...
and in deny file:
ALL : ALL
so that anyone else aside from that list in allow file cannot access ftp , email or telnet...
hope it helps...:)
[Edited by katana on 06-14-2001 at 09:16 PM]
Ok. Everybody is locked out of ftp and telnet but me.
Only problem is nobody can check email.
What can I add to /etc/hosts.allow for pop3 to work for my users?
Thanks for all your help.
You can also specify ports in hosts.allow
The port entry is not working for the allow file:
110: <ip address>
Is there something I can enter the will allow certain users to access port110?
Or can I allow ALL to acces 110?
Please be specific...
have you tried this in allow file?:
popper : <ip address>
if your email daemon is not popper, then check /etc/inetd.conf...look at pop3 section..look at the line,do you see the entry /usr/local/lib/popper popper , or /usr/local/lib/tcpd ipop3d ?If it is ipop3d, then in your allow file:
ipop3d : ALL
ipop3d : <ip addresses>
i hope i'm not confusing you...i dont know port and stuff,maybe i'll look it up !:)
[Edited by katana on 06-15-2001 at 02:21 AM]
popper : KNOWN
Works great! Thanks!
But for some reason the server is acting funny about letting me log in with my one ip.
I was on site with the server this morning while my co-worker logged in off site. As I made different changes to deny and allow, he could get in if I commented out all entries in the deny file which is understandable. But when I uncommented ALL : ALL in deny my ip address entry did not work in the allow.
So I entered 199.178. to allow everything in that block which includes my ip and it let him in. But when I specified my one ip again it let him in. So I came back to the office 15 minutes later and now it wont let me in.
I am almost there and really apreciate everyones help.
[Edited by 360 on 06-15-2001 at 10:34 AM]
this is what i know...maybe it can help you:
when somebody is trying to ftp or telnet or whatever to your server, first your server will check allow file and see if that somebody is allowed. If it couldnt find a match there, then it would check deny file. Now you need to understand this: if you put in ALL : ALL in deny file, that somebody who doesnt have a match in allow file will NOT be able to get in. BUT, if you dont put in ALL : ALL, and instead, you specify a list of IP addresses and your server cant find a match for that somebody in that list too..guess what it will do?? It will let him/her in!Kind of confusing isnt it...that's why it is safer for us newbies to just put in ALL : ALL in deny file..so that anybody else aside from that allow file's list wont get in...( i hope i'm right..if i'm not,correct me;)
now,maybe you can work from there and figure out why your server is acting all funny with allow and deny...i'm off trying to figure out my biggest prob at the moment : subdomain dns server!wish me luck!
[Edited by katana on 06-18-2001 at 12:08 AM]
|All times are GMT -5. The time now is 01:00 AM.|