LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - General (http://www.linuxquestions.org/questions/linux-general-1/)
-   -   How do I set telnet access to one ip address? (http://www.linuxquestions.org/questions/linux-general-1/how-do-i-set-telnet-access-to-one-ip-address-3391/)

360 06-14-2001 01:18 PM

Running RH7

I am trying to secure my webserver.
How do I set telnet to accept only one ip address?

Thanks,
Gene

jharris 06-14-2001 01:26 PM

The words 'secure' and 'telnet' are seldom used in the same sentance unless its to say "using telnet you shaft any chance of setting up a secure server" ;)

You could restrict access using a firewall to filter the telnet port but I'd advise you to install SSH. The problem with telnet is that it doesn't encrypt your password or the data it sends. Also IP addresses can be spoofed so I wouldn't rely on them for any kind of authentication/access control unless you have to. Check out http://www.openssh.org

HTH

Jamie...

360 06-14-2001 01:31 PM

I forgot to mention that I am using Tera Term SSH to log into the box.

jharris 06-14-2001 01:37 PM

Sounds a bit better!

It you can't find the option in the software itself then use ipchains/iptables to only accept connections originating from your wanted IP address on the SSH port.

Jamie...

360 06-14-2001 01:50 PM

Forgive me for my lack of knowledge...
I have secured access to ftp by entering a select group of ip addresses into the /etc/ftpaccess file.

I don't know have to do ipchains/iptables.
Is Tera Term SSH loaded on the webbox too or is there a file like /etc/ftpaccess that I can edit that would only allow my ip address to access via TeraTerm?

Thanks,
Gene

GonzoJohn 06-14-2001 04:11 PM

Using an SSH client doesn't do any good (most SSH clients support Telnet too) unless you turn off the telnet daemon on the server. Then install SSH on the server to replace it.

Telnet is loaded from inetd on many Linux distros, so check the file /etc/inetd.conf for the telnet daemon.

You can get SSH from http://www.openssh.org

Good luck

jrmann1999 06-14-2001 05:56 PM

This occurs on the linux server with SSHD running:

# iptables -P INPUT REJECT
# iptables -A INPUT -p tcp -s <the IP you want allowed> --dport 22 -j ACCEPT

Now I've had trouble when setting the default policy to REJECT, so I just do:

# iptables -A INPUT -p tcp -s <ditto> --dport 22 -j ACCEPT
# iptables -A INPUT -p tcp -j REJECT

Bear in mind that this will drop EVERY tcp packet except those designated at port 22(sshd) and from the specified IP address. If you want FTP access or any other service just mirror the above rules and change the dport to whichever port you want. Do this BEFORE the reject line if you use the 2nd method

Hope this helps,
J

360 06-14-2001 07:01 PM

ok, I found some answers in my RedHat Server Book...
I have created two files:
/etc/hosts.deny
/etc/hosts.allow
In the deny file I wrote:
ALL : ALL
In the allow file I wrote:
ALL : <my ip address>

The problem is that /etc/initd.conf will read these files and this will block ftp and email to all others exept me.
Right?
How do I exclude ftp and email from deny and allow?

Thanks

[Edited by 360 on 06-15-2001 at 12:12 AM]

katana 06-14-2001 08:12 PM

hi..
i'm a newbie myself,but i've done this recently..
if you want to let others use FTP and email but not telnet, just replace in allow file:

in.ftpd : <ip addresses of those allowed to ftp>
in.telnetd : <your ip address>
popper : <ip addresses>

that is..if you use popper as your email daemon (i do)..it might be ipop3d or something else,kay?You can check that in /etc/inetd.conf file.Just replace that in the place of popper...

and in deny file:

ALL : ALL

so that anyone else aside from that list in allow file cannot access ftp , email or telnet...

hope it helps...:)

-suzana


[Edited by katana on 06-14-2001 at 09:16 PM]

360 06-14-2001 09:27 PM

Sweet!
Ok. Everybody is locked out of ftp and telnet but me.
Only problem is nobody can check email.
What can I add to /etc/hosts.allow for pop3 to work for my users?

Thanks for all your help.

jrmann1999 06-14-2001 09:59 PM

You can also specify ports in hosts.allow

110: <ip>
25: <ip>


360 06-14-2001 11:10 PM

The port entry is not working for the allow file:
110: <ip address>

Is there something I can enter the will allow certain users to access port110?

Or can I allow ALL to acces 110?

Please be specific...

Thanks

katana 06-15-2001 01:16 AM

have you tried this in allow file?:

popper : <ip address>

if your email daemon is not popper, then check /etc/inetd.conf...look at pop3 section..look at the line,do you see the entry /usr/local/lib/popper popper , or /usr/local/lib/tcpd ipop3d ?If it is ipop3d, then in your allow file:

ipop3d : ALL
or
ipop3d : <ip addresses>

i hope i'm not confusing you...i dont know port and stuff,maybe i'll look it up !:)

[Edited by katana on 06-15-2001 at 02:21 AM]

360 06-15-2001 09:31 AM

popper : KNOWN
Works great! Thanks!

But for some reason the server is acting funny about letting me log in with my one ip.

I was on site with the server this morning while my co-worker logged in off site. As I made different changes to deny and allow, he could get in if I commented out all entries in the deny file which is understandable. But when I uncommented ALL : ALL in deny my ip address entry did not work in the allow.

So I entered 199.178. to allow everything in that block which includes my ip and it let him in. But when I specified my one ip again it let him in. So I came back to the office 15 minutes later and now it wont let me in.

I am almost there and really apreciate everyones help.

Thanks

[Edited by 360 on 06-15-2001 at 10:34 AM]

katana 06-17-2001 10:46 PM

hi..
this is what i know...maybe it can help you:

when somebody is trying to ftp or telnet or whatever to your server, first your server will check allow file and see if that somebody is allowed. If it couldnt find a match there, then it would check deny file. Now you need to understand this: if you put in ALL : ALL in deny file, that somebody who doesnt have a match in allow file will NOT be able to get in. BUT, if you dont put in ALL : ALL, and instead, you specify a list of IP addresses and your server cant find a match for that somebody in that list too..guess what it will do?? It will let him/her in!Kind of confusing isnt it...that's why it is safer for us newbies to just put in ALL : ALL in deny file..so that anybody else aside from that allow file's list wont get in...( i hope i'm right..if i'm not,correct me;)

now,maybe you can work from there and figure out why your server is acting all funny with allow and deny...i'm off trying to figure out my biggest prob at the moment : subdomain dns server!wish me luck!

[Edited by katana on 06-18-2001 at 12:08 AM]


All times are GMT -5. The time now is 03:43 AM.