Hi, I have a SuSE (Linux 2.2.16) box and am trying to get tcpd to restrict access. Effectively I want 1 machine to have telnet access, say x.x.x.x (a 102. style internal domain). I have in /etc/inetd.
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
and in /etc/hosts.allow
telnet : x.x.x.x
and in /etc/hosts.deny
telnet : ALL
Question is: why can anyone get on? It is as if tcpd is not reading the /etc/hosts.* files.
Thanks in advance.
Nigel
I have a SuSE (Linux 2.2.16) box and am trying to get tcpd to restrict access. Effectively I want 1 machine to have telnet access, say x.x.x.x (a 102. style internal domain). I have in /etc/inetd.
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
and in /etc/hosts.allow telnet : x.x.x.x
and in /etc/hosts.deny telnet : ALL
Question is: why can anyone get on?
Just put into the /etc/hosts.allow:
in.telnetd: x.x.x.x
and into /etc/hosts.deny:
in.telnetd: ALL
That should give you the expected results.
Ulf
Ulf Leichsenring
Lufthansa Systems AS GmbH
mailto:uleichsenring@lhsystemsas.de
http://www.lhsystemsas.de
In my opinion the correct strategy for pretty well any system manager is to put
# Deny everything not explicitly allowed in hosts.allow
ALL: ALL
in /etc/hosts.deny, then figure out what you need in hosts.allow to make services work. This way you may lose a service for an hour or so while you experiment with different service names; the other way you can very easily end up running an unprotected service for ever because you have made a mistake. This certainly applies to workstation managers who are unlikely to want to run services anyway, and it applies to managers of important servers who are very serious about security.
So, a request to SuSE: how about changing the default? You could distribute a well-documented hosts.allow which made it pretty well impossible to choose the wrong service name.
Regards,
Bob
Bob Vickers R.Vickers@cs.rhul.ac.uk
Dept of Computer Science, Royal Holloway, University of London
WWW: http://www.cs.rhul.ac.uk/home/bobv
Phone: +44 1784 443691
Hi
* Nigel Cox;
and in /etc/hosts.allow telnet : x.x.x.x
why don't you specify it as x.x.x.x/32
Question is: why can anyone get on?
it is as if tcpd is not reading the /etc/hosts.* files
Have you restarted inetd? Question also could be: what makes telnet better than ssh?
-- Togan Muftuoglu
Togan Muftuoglu wrote on Wed, 14 Nov 2001 at 19:16:
* Nigel Cox;
on 14 Nov, 2001 wrote: it is as if tcpd is not reading the /etc/hosts.* files
Have you restarted inetd?
You don't have to. The tcp wrapper is started with every connection attempt, re-reading /etc/hosts.[allow|deny]. Even programs "directly" linked against libwrap (such as syslogd or sshd) don't have to be restarted; libwrap reads its configuration files on each new connection.
Regards,
Bastian
-- Bastian Friedrich bastian@bastian-friedrich.de
Address & phone available on my HP http://www.bastian-friedrich.de/
A mainframe: The biggest PC peripheral available.
I think that you have to have in.telnetd in hosts.allow and hosts.deny instead of just telnet. man 5 hosts_access has some good examples of how to configure hosts.allow and hosts.deny.
Ed
On Wed, 14 Nov 2001, Nigel Cox wrote:
and in /etc/hosts.allow telnet : x.x.x.x
and in /etc/hosts.deny telnet : ALL
Question is: why can anyone get on?
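Putting Ulf's and Ed's point (tcpd matches the daemon name in.telnetd, not the service name telnet) and Bob's deny-by-default advice together, here is an added example, written for this thread and not taken from any poster or from the real libwrap sources: a small Python model of the hosts_access(5) decision order. The addresses and file contents are constructed, and the matcher covers only ALL, dotted prefixes, net/mask or CIDR patterns and exact addresses (no EXCEPT, daemon@host or shell_command handling).

```python
import ipaddress

# Illustrative model of the hosts_access(5) decision, not the real libwrap code.
# Lines have the form "daemon_list : client_list[ : shell_command]"; the optional
# shell_command field is ignored here.

def parse_rules(text):
    """Return a list of (daemon_patterns, client_patterns) from a hosts.* file body."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split() if len(fields) > 1 else []
        rules.append((daemons, clients))
    return rules

def client_matches(pattern, addr):
    """ALL, a trailing-dot prefix such as '10.2.', net/mask or CIDR, or an exact address."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return addr.startswith(pattern)
    if "/" in pattern:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    return pattern == addr

def rules_match(rules, daemon, addr):
    """True if any rule names this daemon (or ALL) and any of its client patterns hit."""
    return any(any(d in ("ALL", daemon) for d in daemons)
               and any(client_matches(c, addr) for c in clients)
               for daemons, clients in rules)

def access_granted(allow_text, deny_text, daemon, addr):
    """hosts_access order: an allow match grants, then a deny match refuses,
    and with no match in either file the connection is granted."""
    if rules_match(parse_rules(allow_text), daemon, addr):
        return True
    if rules_match(parse_rules(deny_text), daemon, addr):
        return False
    return True

# Constructed inputs: 10.2.0.5 stands in for the one host that should get telnet.
POSTED = ("telnet : 10.2.0.5", "telnet : ALL")         # service name, as in the original post
FIXED = ("in.telnetd : 10.2.0.5", "in.telnetd : ALL")  # daemon name, which is what tcpd matches
DEFAULT_DENY = ("in.telnetd : 10.2.0.5", "ALL: ALL")   # deny everything, then allow explicitly

if __name__ == "__main__":
    for label, (allow, deny) in (("posted", POSTED), ("fixed", FIXED), ("default-deny", DEFAULT_DENY)):
        for addr in ("10.2.0.5", "192.168.1.9"):
            verdict = "granted" if access_granted(allow, deny, "in.telnetd", addr) else "refused"
            print(f"{label:12} in.telnetd from {addr}: {verdict}")
```

With the posted files, no rule names in.telnetd, so neither file matches and every client is granted; with the daemon name or an ALL: ALL deny, only the listed host gets through.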