Running RH7

I am trying to secure my webserver.
How do I set telnet to accept only one ip address?

Thanks,
Gene

The words 'secure' and 'telnet' are seldom used in the same sentance unless its to say "using telnet you shaft any chance of setting up a secure server"

You could restrict access using a firewall to filter the telnet port but I'd advise you to install SSH. The problem with telnet is that it doesn't encrypt your password or the data it sends. Also IP addresses can be spoofed so I wouldn't rely on them for any kind of authentication/access control unless you have to. Check out http://www.openssh.org

HTH

Jamie...

I forgot to mention that I am using Tera Term SSH to log into the box.

Sounds a bit better!

It you can't find the option in the software itself then use ipchains/iptables to only accept connections originating from your wanted IP address on the SSH port.

Jamie...

Forgive me for my lack of knowledge...
I have secured access to ftp by entering a select group of ip addresses into the /etc/ftpaccess file.

I don't know have to do ipchains/iptables.
Is Tera Term SSH loaded on the webbox too or is there a file like /etc/ftpaccess that I can edit that would only allow my ip address to access via TeraTerm?

Thanks,
Gene

Using an SSH client doesn't do any good (most SSH clients support Telnet too) unless you turn off the telnet daemon on the server. Then install SSH on the server to replace it.

Telnet is loaded from inetd on many Linux distros, so check the file /etc/inetd.conf for the telnet daemon.

You can get SSH from http://www.openssh.org

Good luck

This occurs on the linux server with SSHD running:

# iptables -P INPUT REJECT
# iptables -A INPUT -p tcp -s <the IP you want allowed> --dport 22 -j ACCEPT

Now I've had trouble when setting the default policy to REJECT, so I just do:

# iptables -A INPUT -p tcp -s <ditto> --dport 22 -j ACCEPT
# iptables -A INPUT -p tcp -j REJECT

Bear in mind that this will drop EVERY tcp packet except those designated at port 22(sshd) and from the specified IP address. If you want FTP access or any other service just mirror the above rules and change the dport to whichever port you want. Do this BEFORE the reject line if you use the 2nd method

Hope this helps,
J

ok, I found some answers in my RedHat Server Book...
I have created two files:
/etc/hosts.deny
/etc/hosts.allow
In the deny file I wrote:
ALL : ALL
In the allow file I wrote:
ALL : <my ip address>

The problem is that /etc/initd.conf will read these files and this will block ftp and email to all others exept me.
Right?
How do I exclude ftp and email from deny and allow?

Thanks

[Edited by 360 on 06-15-2001 at 12:12 AM]

hi..
i'm a newbie myself,but i've done this recently..
if you want to let others use FTP and email but not telnet, just replace in allow file:

in.ftpd : <ip addresses of those allowed to ftp>
in.telnetd : <your ip address>
popper : <ip addresses>

that is..if you use popper as your email daemon (i do)..it might be ipop3d or something else,kay?You can check that in /etc/inetd.conf file.Just replace that in the place of popper...

and in deny file:

ALL : ALL

so that anyone else aside from that list in allow file cannot access ftp , email or telnet...

hope it helps...

-suzana


[Edited by katana on 06-14-2001 at 09:16 PM]

Sweet!
Ok. Everybody is locked out of ftp and telnet but me.
Only problem is nobody can check email.
What can I add to /etc/hosts.allow for pop3 to work for my users?

Thanks for all your help.

You can also specify ports in hosts.allow

110: <ip>
25: <ip>

The port entry is not working for the allow file:
110: <ip address>

Is there something I can enter the will allow certain users to access port110?

Or can I allow ALL to acces 110?

Please be specific...

Thanks

have you tried this in allow file?:

popper : <ip address>

if your email daemon is not popper, then check /etc/inetd.conf...look at pop3 section..look at the line,do you see the entry /usr/local/lib/popper popper , or /usr/local/lib/tcpd ipop3d ?If it is ipop3d, then in your allow file:

ipop3d : ALL
or
ipop3d : <ip addresses>

i hope i'm not confusing you...i dont know port and stuff,maybe i'll look it up !

[Edited by katana on 06-15-2001 at 02:21 AM]

popper : KNOWN
Works great! Thanks!

But for some reason the server is acting funny about letting me log in with my one ip.

I was on site with the server this morning while my co-worker logged in off site. As I made different changes to deny and allow, he could get in if I commented out all entries in the deny file which is understandable. But when I uncommented ALL : ALL in deny my ip address entry did not work in the allow.

So I entered 199.178. to allow everything in that block which includes my ip and it let him in. But when I specified my one ip again it let him in. So I came back to the office 15 minutes later and now it wont let me in.

I am almost there and really apreciate everyones help.

Thanks

[Edited by 360 on 06-15-2001 at 10:34 AM]

hi..
this is what i know...maybe it can help you:

when somebody is trying to ftp or telnet or whatever to your server, first your server will check allow file and see if that somebody is allowed. If it couldnt find a match there, then it would check deny file. Now you need to understand this: if you put in ALL : ALL in deny file, that somebody who doesnt have a match in allow file will NOT be able to get in. BUT, if you dont put in ALL : ALL, and instead, you specify a list of IP addresses and your server cant find a match for that somebody in that list too..guess what it will do?? It will let him/her in!Kind of confusing isnt it...that's why it is safer for us newbies to just put in ALL : ALL in deny file..so that anybody else aside from that allow file's list wont get in...( i hope i'm right..if i'm not,correct me

now,maybe you can work from there and figure out why your server is acting all funny with allow and deny...i'm off trying to figure out my biggest prob at the moment : subdomain dns server!wish me luck!

[Edited by katana on 06-18-2001 at 12:08 AM]