Re: [suse-security] Security on telnet
Fiorenza Meini wrote:
Hi there,

I installed Linux 7.2 on a machine where I want to have running only sendmail and telnet (I configured inetd). I have a network card with a public IP address, but for security reasons I'd like to configure another network card with a local address on which I want telnetd to listen. So, what I'd like to do is this:
- sendmail listening on the network card with public IP address
- telnet listening on the network card with local IP address.

Is this possible? Any suggestion on how I can configure the system?

There's the setup you need:

1) In /etc/hosts.allow you define all the services you want to access the system: for example..

    in.telnetd:192.168.0.

means that telnetd accepts connections from 192.168.0.1, 192.168.0.2 .. (note the . at the end of the address) and,

    sendmail:ALL

means that the sendmail daemon accepts connections from all IPs. You can find the daemon names in inetd.conf (in.ftpd, in.pop3d, etc.)

2) In /etc/hosts.deny you define all the services you DON'T want to access the system. So to exclude ALL that does not match hosts.allow you must put

    ALL:ALL

so a connection from a public address (for example 195.30...) to telnetd will not match any of the lines in hosts.allow and will be blocked by ALL:ALL in hosts.deny (the inetd daemon reads hosts.allow first and hosts.deny after).

IMHO you should not use telnetd, which is a potentially insecure protocol (everything is sent in clear, even passwords!). A packet sniffer at any place in the network can log all you send to and receive from the server. I use sshd (which is NOT an inetd service but a standalone service invoked from /etc/rc.d/sshd), which uses public key crypto communication. There are many commercial or shareware ssh clients for win. I use a freeware one that is very nice: http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html

-- 
Mario Libraro
Web Applications Developer
Fulltrading S.p.A.
00148 Roma - Via Di Affogalasino, 105
tel. +39 06 65 73 170
fax +39 06 65 73 529
mob. +39 347 5205 752
email: m.libraro@fulltrading.it m.libraro@tiresia.it
web: www.fulltrading.it
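
The allow-then-deny evaluation described in the reply above, as an added example that is not part of the original message and is not the TCP wrappers code itself. It is a simplified model: only `ALL`, address prefixes ending in "." and exact addresses are handled, and 203.0.113.9 is a constructed stand-in for a public client.

```python
# Added example: simplified model of hosts.allow / hosts.deny evaluation.
# Not libwrap code. Client patterns handled: ALL, an address prefix ending
# in ".", and an exact address. Sample addresses below are constructed.

HOSTS_ALLOW = """\
in.telnetd: 192.168.0.
sendmail: ALL
"""
HOSTS_DENY = "ALL: ALL\n"

def parse_rules(text):
    """Parse 'daemon_list : client_list' lines into (daemons, clients) pairs."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        daemons, clients = line.split(":")[:2]
        rules.append((daemons.replace(",", " ").split(),
                      clients.replace(",", " ").split()))
    return rules

def client_matches(pattern, addr):
    if pattern == "ALL":
        return True
    if pattern.endswith("."):          # "192.168.0." is a prefix match
        return addr.startswith(pattern)
    return addr == pattern             # without the dot: exact match only

def rule_hits(rules, daemon, addr):
    return any(
        any(d in ("ALL", daemon) for d in daemons)
        and any(client_matches(c, addr) for c in clients)
        for daemons, clients in rules
    )

def decide(daemon, addr, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """hosts.allow is checked first, then hosts.deny; no match means allow."""
    if rule_hits(parse_rules(allow_text), daemon, addr):
        return "allow"
    if rule_hits(parse_rules(deny_text), daemon, addr):
        return "deny"
    return "allow"

if __name__ == "__main__":
    for d, a in [("in.telnetd", "192.168.0.2"), ("in.telnetd", "203.0.113.9")]:
        print(d, a, decide(d, a))
```

Calling `decide` with an empty `deny_text`, or with the trailing dot dropped from the telnetd pattern, shows the two mistakes that silently change the result.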