Linux - GeneralThis Linux forum is for general Linux questions and discussion.
If it is Linux Related and doesn't seem to fit in any other forum then this is the place.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
The words 'secure' and 'telnet' are seldom used in the same sentance unless its to say "using telnet you shaft any chance of setting up a secure server"
You could restrict access using a firewall to filter the telnet port but I'd advise you to install SSH. The problem with telnet is that it doesn't encrypt your password or the data it sends. Also IP addresses can be spoofed so I wouldn't rely on them for any kind of authentication/access control unless you have to. Check out http://www.openssh.org
It you can't find the option in the software itself then use ipchains/iptables to only accept connections originating from your wanted IP address on the SSH port.
Forgive me for my lack of knowledge...
I have secured access to ftp by entering a select group of ip addresses into the /etc/ftpaccess file.
I don't know have to do ipchains/iptables.
Is Tera Term SSH loaded on the webbox too or is there a file like /etc/ftpaccess that I can edit that would only allow my ip address to access via TeraTerm?
Using an SSH client doesn't do any good (most SSH clients support Telnet too) unless you turn off the telnet daemon on the server. Then install SSH on the server to replace it.
Telnet is loaded from inetd on many Linux distros, so check the file /etc/inetd.conf for the telnet daemon.
This occurs on the linux server with SSHD running:
# iptables -P INPUT REJECT
# iptables -A INPUT -p tcp -s <the IP you want allowed> --dport 22 -j ACCEPT
Now I've had trouble when setting the default policy to REJECT, so I just do:
# iptables -A INPUT -p tcp -s <ditto> --dport 22 -j ACCEPT
# iptables -A INPUT -p tcp -j REJECT
Bear in mind that this will drop EVERY tcp packet except those designated at port 22(sshd) and from the specified IP address. If you want FTP access or any other service just mirror the above rules and change the dport to whichever port you want. Do this BEFORE the reject line if you use the 2nd method
ok, I found some answers in my RedHat Server Book...
I have created two files:
/etc/hosts.deny
/etc/hosts.allow
In the deny file I wrote:
ALL : ALL
In the allow file I wrote:
ALL : <my ip address>
The problem is that /etc/initd.conf will read these files and this will block ftp and email to all others exept me.
Right?
How do I exclude ftp and email from deny and allow?
hi..
i'm a newbie myself,but i've done this recently..
if you want to let others use FTP and email but not telnet, just replace in allow file:
in.ftpd : <ip addresses of those allowed to ftp>
in.telnetd : <your ip address>
popper : <ip addresses>
that is..if you use popper as your email daemon (i do)..it might be ipop3d or something else,kay?You can check that in /etc/inetd.conf file.Just replace that in the place of popper...
and in deny file:
ALL : ALL
so that anyone else aside from that list in allow file cannot access ftp , email or telnet...
Sweet!
Ok. Everybody is locked out of ftp and telnet but me.
Only problem is nobody can check email.
What can I add to /etc/hosts.allow for pop3 to work for my users?
if your email daemon is not popper, then check /etc/inetd.conf...look at pop3 section..look at the line,do you see the entry /usr/local/lib/popper popper , or /usr/local/lib/tcpd ipop3d ?If it is ipop3d, then in your allow file:
ipop3d : ALL
or
ipop3d : <ip addresses>
i hope i'm not confusing you...i dont know port and stuff,maybe i'll look it up !
But for some reason the server is acting funny about letting me log in with my one ip.
I was on site with the server this morning while my co-worker logged in off site. As I made different changes to deny and allow, he could get in if I commented out all entries in the deny file which is understandable. But when I uncommented ALL : ALL in deny my ip address entry did not work in the allow.
So I entered 199.178. to allow everything in that block which includes my ip and it let him in. But when I specified my one ip again it let him in. So I came back to the office 15 minutes later and now it wont let me in.
I am almost there and really apreciate everyones help.
when somebody is trying to ftp or telnet or whatever to your server, first your server will check allow file and see if that somebody is allowed. If it couldnt find a match there, then it would check deny file. Now you need to understand this: if you put in ALL : ALL in deny file, that somebody who doesnt have a match in allow file will NOT be able to get in. BUT, if you dont put in ALL : ALL, and instead, you specify a list of IP addresses and your server cant find a match for that somebody in that list too..guess what it will do?? It will let him/her in!Kind of confusing isnt it...that's why it is safer for us newbies to just put in ALL : ALL in deny file..so that anybody else aside from that allow file's list wont get in...( i hope i'm right..if i'm not,correct me
now,maybe you can work from there and figure out why your server is acting all funny with allow and deny...i'm off trying to figure out my biggest prob at the moment : subdomain dns server!wish me luck!
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.