LinuxQuestions.org
Did you know LQ has a Linux Hardware Compatibility List?
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - General
User Name
Password
Linux - General This Linux forum is for general Linux questions and discussion.
If it is Linux Related and doesn't seem to fit in any other forum then this is the place.

Notices

Reply
 
Search this Thread
Old 06-14-2001, 01:18 PM   #1
360
Member
 
Registered: Jun 2001
Distribution: FC4
Posts: 136

Rep: Reputation: 15
Question


Running RH7

I am trying to secure my webserver.
How do I set telnet to accept only one ip address?

Thanks,
Gene
 
Old 06-14-2001, 01:26 PM   #2
jharris
Senior Member
 
Registered: May 2001
Location: Bristol, UK
Distribution: Slackware, Fedora, RHES
Posts: 2,243

Rep: Reputation: 46
The words 'secure' and 'telnet' are seldom used in the same sentance unless its to say "using telnet you shaft any chance of setting up a secure server"

You could restrict access using a firewall to filter the telnet port but I'd advise you to install SSH. The problem with telnet is that it doesn't encrypt your password or the data it sends. Also IP addresses can be spoofed so I wouldn't rely on them for any kind of authentication/access control unless you have to. Check out http://www.openssh.org

HTH

Jamie...
 
Old 06-14-2001, 01:31 PM   #3
360
Member
 
Registered: Jun 2001
Distribution: FC4
Posts: 136

Original Poster
Rep: Reputation: 15
I forgot to mention that I am using Tera Term SSH to log into the box.
 
Old 06-14-2001, 01:37 PM   #4
jharris
Senior Member
 
Registered: May 2001
Location: Bristol, UK
Distribution: Slackware, Fedora, RHES
Posts: 2,243

Rep: Reputation: 46
Sounds a bit better!

It you can't find the option in the software itself then use ipchains/iptables to only accept connections originating from your wanted IP address on the SSH port.

Jamie...
 
Old 06-14-2001, 01:50 PM   #5
360
Member
 
Registered: Jun 2001
Distribution: FC4
Posts: 136

Original Poster
Rep: Reputation: 15
Forgive me for my lack of knowledge...
I have secured access to ftp by entering a select group of ip addresses into the /etc/ftpaccess file.

I don't know have to do ipchains/iptables.
Is Tera Term SSH loaded on the webbox too or is there a file like /etc/ftpaccess that I can edit that would only allow my ip address to access via TeraTerm?

Thanks,
Gene
 
Old 06-14-2001, 04:11 PM   #6
GonzoJohn
Member
 
Registered: Jun 2001
Location: Louisville, KY USA
Distribution: RedHat and Debian
Posts: 89

Rep: Reputation: 15
Using an SSH client doesn't do any good (most SSH clients support Telnet too) unless you turn off the telnet daemon on the server. Then install SSH on the server to replace it.

Telnet is loaded from inetd on many Linux distros, so check the file /etc/inetd.conf for the telnet daemon.

You can get SSH from http://www.openssh.org

Good luck
 
Old 06-14-2001, 05:56 PM   #7
jrmann1999
Member
 
Registered: Feb 2001
Location: Texas
Distribution: Slackware, Mandrake, LFS
Posts: 306

Rep: Reputation: 30
This occurs on the linux server with SSHD running:

# iptables -P INPUT REJECT
# iptables -A INPUT -p tcp -s <the IP you want allowed> --dport 22 -j ACCEPT

Now I've had trouble when setting the default policy to REJECT, so I just do:

# iptables -A INPUT -p tcp -s <ditto> --dport 22 -j ACCEPT
# iptables -A INPUT -p tcp -j REJECT

Bear in mind that this will drop EVERY tcp packet except those designated at port 22(sshd) and from the specified IP address. If you want FTP access or any other service just mirror the above rules and change the dport to whichever port you want. Do this BEFORE the reject line if you use the 2nd method

Hope this helps,
J
 
Old 06-14-2001, 07:01 PM   #8
360
Member
 
Registered: Jun 2001
Distribution: FC4
Posts: 136

Original Poster
Rep: Reputation: 15
ok, I found some answers in my RedHat Server Book...
I have created two files:
/etc/hosts.deny
/etc/hosts.allow
In the deny file I wrote:
ALL : ALL
In the allow file I wrote:
ALL : <my ip address>

The problem is that /etc/initd.conf will read these files and this will block ftp and email to all others exept me.
Right?
How do I exclude ftp and email from deny and allow?

Thanks

[Edited by 360 on 06-15-2001 at 12:12 AM]
 
Old 06-14-2001, 08:12 PM   #9
katana
Member
 
Registered: Jun 2001
Posts: 100

Rep: Reputation: 15
hi..
i'm a newbie myself,but i've done this recently..
if you want to let others use FTP and email but not telnet, just replace in allow file:

in.ftpd : <ip addresses of those allowed to ftp>
in.telnetd : <your ip address>
popper : <ip addresses>

that is..if you use popper as your email daemon (i do)..it might be ipop3d or something else,kay?You can check that in /etc/inetd.conf file.Just replace that in the place of popper...

and in deny file:

ALL : ALL

so that anyone else aside from that list in allow file cannot access ftp , email or telnet...

hope it helps...

-suzana


[Edited by katana on 06-14-2001 at 09:16 PM]
 
Old 06-14-2001, 09:27 PM   #10
360
Member
 
Registered: Jun 2001
Distribution: FC4
Posts: 136

Original Poster
Rep: Reputation: 15
Sweet!
Ok. Everybody is locked out of ftp and telnet but me.
Only problem is nobody can check email.
What can I add to /etc/hosts.allow for pop3 to work for my users?

Thanks for all your help.
 
Old 06-14-2001, 09:59 PM   #11
jrmann1999
Member
 
Registered: Feb 2001
Location: Texas
Distribution: Slackware, Mandrake, LFS
Posts: 306

Rep: Reputation: 30
You can also specify ports in hosts.allow

110: <ip>
25: <ip>

 
Old 06-14-2001, 11:10 PM   #12
360
Member
 
Registered: Jun 2001
Distribution: FC4
Posts: 136

Original Poster
Rep: Reputation: 15
The port entry is not working for the allow file:
110: <ip address>

Is there something I can enter the will allow certain users to access port110?

Or can I allow ALL to acces 110?

Please be specific...

Thanks
 
Old 06-15-2001, 01:16 AM   #13
katana
Member
 
Registered: Jun 2001
Posts: 100

Rep: Reputation: 15
have you tried this in allow file?:

popper : <ip address>

if your email daemon is not popper, then check /etc/inetd.conf...look at pop3 section..look at the line,do you see the entry /usr/local/lib/popper popper , or /usr/local/lib/tcpd ipop3d ?If it is ipop3d, then in your allow file:

ipop3d : ALL
or
ipop3d : <ip addresses>

i hope i'm not confusing you...i dont know port and stuff,maybe i'll look it up !

[Edited by katana on 06-15-2001 at 02:21 AM]
 
Old 06-15-2001, 09:31 AM   #14
360
Member
 
Registered: Jun 2001
Distribution: FC4
Posts: 136

Original Poster
Rep: Reputation: 15
Smile

popper : KNOWN
Works great! Thanks!

But for some reason the server is acting funny about letting me log in with my one ip.

I was on site with the server this morning while my co-worker logged in off site. As I made different changes to deny and allow, he could get in if I commented out all entries in the deny file which is understandable. But when I uncommented ALL : ALL in deny my ip address entry did not work in the allow.

So I entered 199.178. to allow everything in that block which includes my ip and it let him in. But when I specified my one ip again it let him in. So I came back to the office 15 minutes later and now it wont let me in.

I am almost there and really apreciate everyones help.

Thanks

[Edited by 360 on 06-15-2001 at 10:34 AM]
 
Old 06-17-2001, 10:46 PM   #15
katana
Member
 
Registered: Jun 2001
Posts: 100

Rep: Reputation: 15
hi..
this is what i know...maybe it can help you:

when somebody is trying to ftp or telnet or whatever to your server, first your server will check allow file and see if that somebody is allowed. If it couldnt find a match there, then it would check deny file. Now you need to understand this: if you put in ALL : ALL in deny file, that somebody who doesnt have a match in allow file will NOT be able to get in. BUT, if you dont put in ALL : ALL, and instead, you specify a list of IP addresses and your server cant find a match for that somebody in that list too..guess what it will do?? It will let him/her in!Kind of confusing isnt it...that's why it is safer for us newbies to just put in ALL : ALL in deny file..so that anybody else aside from that allow file's list wont get in...( i hope i'm right..if i'm not,correct me

now,maybe you can work from there and figure out why your server is acting all funny with allow and deny...i'm off trying to figure out my biggest prob at the moment : subdomain dns server!wish me luck!

[Edited by katana on 06-18-2001 at 12:08 AM]
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
how to find the telnet server IP address on a multihomed Linux.. lynuz Linux - General 4 10-27-2005 12:13 AM
How can i set access point address ? i getting operation not supported error sahil1 Linux - Hardware 0 03-14-2004 02:17 PM
telnet:connect to address 127.0.0.1: connection refused sdeven Linux - Networking 6 12-23-2002 12:38 AM
Telnet for remote control, how do I set it up? bripage Linux - Networking 5 08-01-2002 08:02 PM
how do i set vmac address udayan Linux - General 2 05-31-2002 11:04 AM


All times are GMT -5. The time now is 12:36 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration