Hello,

I'm having an issue with SSHd on a server that's a very long distance away from me. I want to open telnet up as a backup but _only_ to the net 10.0.0.* which FYI is on eth1. I want everything else (which would be eth0, if it matters) denied.

However, I tried copying SuSE's entry for http-rman and it does no good, I can still log in from anywhere. (which makes me think it's insecure too - can anyone explain that?)

Anyway, I've read the man page (which is one of the worst I've ever seen) and I've read some articles on the web. For one thing, none of the examples for, and for another, they all disagree.

IF someone could tell me the syntax for denying telnet to everything _except_ 10.0.0* I'd really appreciate it.

----------------------------------------------------
Jonathan Wilson
System Administrator
Cedar Creek Software http://www.cedarcreeksoftware.com
Central Texas IT http://www.centraltexasit.com
On Monday 14 January 2002 06.29, JW wrote:
> However, I tried copying SuSE's entry for http-rman and it does no good, I can still log in from anywhere. (which makes me think it's insecure too - can anyone explain that?)
This is wrong. telnet by itself is no more insecure than any other service that allows logins from the net. Its insecurity comes from the fact that it sends passwords (and everything else) in cleartext. So it's only insecure if you actually use it over the net.
> IF someone could tell me the syntax for denying telnet to everything _except_ 10.0.0* I'd really appreciate it.
in /etc/hosts.deny

in.telnetd: ALL

or, if you have other services with specific permissions, use

ALL: ALL

in /etc/hosts.allow

in.telnetd: 10.0.0.*

should do it.

regards
Anders
At 06:38 AM 1/14/2002 +0100, you wrote:
On Monday 14 January 2002 06.29, JW wrote:
> > However, I tried copying SuSE's entry for http-rman and it does no good, I can still log in from anywhere. (which makes me think it's insecure too - can anyone explain that?)
> This is wrong. telnet by itself is no more insecure than any other service that allows logins from the net. Its insecurity comes from the fact that it sends passwords (and everything else) in cleartext. So it's only insecure if you actually use it over the net.
I think you misunderstood what I meant. I was sorta saying that since that syntax didn't work for telnet, I have doubts that it works for http-rman either. But it's an irrelevant point anyway...
> > IF someone could tell me the syntax for denying telnet to everything _except_ 10.0.0* I'd really appreciate it.

> in /etc/hosts.deny
> ALL:ALL
> or, if you have other services with specific permissions, use
> in.telnetd: ALL
Thank you, thank you, that works well without blocking FTP (important).
> in /etc/hosts.allow
> in.telnetd: 10.0.0.*
> should do it.
Unfortunately it didn't - I got refused from 10.0.0.8 and 10.0.0.9.

I also tried:

in.telnetd: 10.0.0.*.

because one article I found on the web said numerical addresses needed to end in a . and hostnames needed to start with a dot.

What ended up working correctly is (in /etc/hosts.allow):

in.telnetd: 10.0.0.

Thank you very much - I didn't realize you _had_ to use both hosts.deny and hosts.allow.
> regards
> Anders

----------------------------------------------------
Jonathan Wilson
System Administrator
Cedar Creek Software http://www.cedarcreeksoftware.com
Central Texas IT http://www.centraltexasit.com
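The exchange above turns on one detail of hosts_access(5): a client pattern ending in a dot is an address prefix, but `*` is not a wildcard at all, so `10.0.0.*` can only ever be an exact match and never fires. The following is an added example, not code from the thread: a small Python model of the tcp_wrappers matching rules (ALL, leading-dot hostname suffix, trailing-dot address prefix, net/mask, EXCEPT, and the hosts.allow-then-hosts.deny order) run against constructed copies of the files discussed. It omits LOCAL, KNOWN, UNKNOWN, PARANOID and shell commands; on a real system, tcpdmatch(8) answers the same question against the live files.

```python
"""Toy model of tcp_wrappers hosts_access(5) matching (added example, not from the thread)."""
import ipaddress

def pattern_matches(pattern, addr, hostname=""):
    """One client pattern, following the rules in hosts_access(5)."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):          # ".example.com": hostname suffix
        return hostname.endswith(pattern)
    if pattern.endswith("."):            # "10.0.0.": leading address fields
        return addr.startswith(pattern)
    if "/" in pattern:                   # "10.0.0.0/255.255.255.0": net/mask
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    return pattern in (addr, hostname)   # anything else is an exact match; "10.0.0.*" lands here

def list_matches(item_list, match):
    """A comma/space separated list, honouring 'list_1 EXCEPT list_2'."""
    head, _, tail = item_list.partition(" EXCEPT ")
    hit = any(match(p) for p in head.replace(",", " ").split())
    return hit and not list_matches(tail, match) if tail else hit

def rule_matches(rule, daemon, addr, hostname=""):
    """daemon_list : client_list [: shell_command]; comments and blank lines never match."""
    fields = [f.strip() for f in rule.split(":")]
    if len(fields) < 2 or fields[0].startswith("#"):
        return False
    return (list_matches(fields[0], lambda p: p in ("ALL", daemon))
            and list_matches(fields[1], lambda p: pattern_matches(p, addr, hostname)))

def access_decision(hosts_allow, hosts_deny, daemon, addr, hostname=""):
    """hosts.allow is searched first, then hosts.deny; first match wins; no match = allow."""
    if any(rule_matches(r, daemon, addr, hostname) for r in hosts_allow.splitlines()):
        return "allow"
    if any(rule_matches(r, daemon, addr, hostname) for r in hosts_deny.splitlines()):
        return "deny"
    return "allow"

# Constructed files mirroring the thread: the wildcard suggestion and the form that worked.
HOSTS_DENY = "in.telnetd: ALL\n"
ALLOW_WILDCARD = "in.telnetd: 10.0.0.*\n"   # '*' is not a hosts_access wildcard
ALLOW_PREFIX = "in.telnetd: 10.0.0.\n"      # trailing dot = address prefix

def demo():
    d = lambda allow, daemon, addr: access_decision(allow, HOSTS_DENY, daemon, addr)
    return {
        "wildcard_lan": d(ALLOW_WILDCARD, "in.telnetd", "10.0.0.8"),   # deny: pattern never matches
        "prefix_lan": d(ALLOW_PREFIX, "in.telnetd", "10.0.0.8"),       # allow
        "prefix_wan": d(ALLOW_PREFIX, "in.telnetd", "198.51.100.7"),   # deny
        "ftp_untouched": d(ALLOW_PREFIX, "in.ftpd", "198.51.100.7"),   # allow: hosts.deny names telnet only
    }
```

Because the empty-file result is "allow", the deny entry is what actually closes the door; hosts.allow alone only ever opens it, which is why both files are needed.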
You should use SuSEfirewall2 and do rules this way and not with hosts files IMHO. Sounds like this system is on a Network (10.10.10) that is private, or not direct to the internet. Just split the rules for ext/int and make the telnet available on the int network to a specific ip.

Regards,
Jon

----- Original Message -----
From: "JW" <jw@centraltexasit.com>
To: <suse-linux-e@suse.com>
Sent: Sunday, January 13, 2002 9:29 PM
Subject: [SLE] Need help with hosts.deny
Hello,
I'm having an issue with SSHd on a server that's a very long distance away from me. I want to open telnet up as a backup but _only_ to the net 10.0.0.* which FYI is on eth1.
I want everything else (which would be eth0, if it matters) denied.
> However, I tried copying SuSE's entry for http-rman and it does no good, I can still log in from anywhere. (which makes me think it's insecure too - can anyone explain that?)
> Anyway, I've read the man page (which is one of the worst I've ever seen) and I've read some articles on the web. For one thing, none of the examples for, and for another, they all disagree.
IF someone could tell me the syntax for denying telnet to everything _except_ 10.0.0* I'd really appreciate it.
---------------------------------------------------- Jonathan Wilson System Administrator
Cedar Creek Software http://www.cedarcreeksoftware.com Central Texas IT http://www.centraltexasit.com