[Hudlug] Securing telnet
Tim
tim at kooky.org
Fri Sep 26 12:53:28 BST 2003
Simon Fox-Jones wrote:
> Can anyone tell me if there is a way of securing telnet against outside
> machines but still allow one in.
Are you actually using the telnet server, or is this to access an
application that presents a telnet interface?
>
> I.e. all the LAN PCs should be able to telnet onto my Red Hat 6 server
> running a Pick database and also one outside PC.
You need to look at /etc/hosts.allow and /etc/hosts.deny.
But basically put
all: all
into hosts.deny, and then you can selectively allow access to services by
adding lines to hosts.allow.
[Warning: it is really easy to lock yourself out of your machine this way.]
Alternatively you can do something similar using iptables.
> I can configure the router to open the port on telnet to the server but it
> cannot filter the address as the router is cheap and cheerful.
Ahh. This complicates things. Do you trust the security of your
network to your cheap router?
It depends how your router does the redirection: whether your server on
the internal network sees a connection coming in with your router's IP
address for the far end, or a connection with the IP address of the
remote machine.
The way to test this is to watch the logs while an external connection
comes in.
Remember that if your machine is accessible from the public internet in
any way, then make sure you have all the latest security patches
installed. You will get rooted.
Also, remember that with telnet the password exchange and session
contents are easily sniffable. Use SSH if you can, or at least tunnel
telnet through SSL. Or, if it is a telnet-type app, use SSH port
forwarding to encrypt the connection and get inside your network.
Tim
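The hosts.allow/hosts.deny approach described above, as an added example that is not from the thread: a small Python dry-run of tcpd's decision order (hosts.allow first, then hosts.deny, otherwise allow), so a configuration can be checked against sample clients before it is applied and the lockout the reply warns about is caught in advance. The addresses and config lines are constructed, and only ALL, single IPv4 addresses and net/mask patterns are handled, not the full tcp_wrappers syntax.

```python
"""Dry-run of tcp_wrappers access decisions (added example, not from the thread).

tcpd consults /etc/hosts.allow first, then /etc/hosts.deny, and grants
access if neither file matches. Supported patterns here: ALL, a single
IPv4 address, and net/mask. All addresses below are constructed samples.
"""
from ipaddress import IPv4Address, IPv4Network


def _host_matches(pattern: str, client_ip: str) -> bool:
    """Match one client-list token against an IPv4 client address."""
    pattern = pattern.strip()
    if pattern.upper() == "ALL":
        return True
    if "/" in pattern:  # net/mask form, e.g. 192.168.1.0/255.255.255.0
        net, mask = pattern.split("/", 1)
        return IPv4Address(client_ip) in IPv4Network(f"{net}/{mask}", strict=False)
    return IPv4Address(client_ip) == IPv4Address(pattern)


def _file_matches(text: str, daemon: str, client_ip: str) -> bool:
    """True if any 'daemon_list : client_list' line in text matches."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if ":" not in line:
            continue
        daemons, clients = (part.strip() for part in line.split(":", 1))
        daemon_ok = any(d.strip().upper() in ("ALL", daemon.upper())
                        for d in daemons.split(","))
        client_ok = any(_host_matches(c, client_ip) for c in clients.split(","))
        if daemon_ok and client_ok:
            return True
    return False


def tcpd_access(daemon: str, client_ip: str, hosts_allow: str, hosts_deny: str) -> str:
    """Return 'allow' or 'deny' following tcpd's allow-then-deny search order."""
    if _file_matches(hosts_allow, daemon, client_ip):
        return "allow"
    if _file_matches(hosts_deny, daemon, client_ip):
        return "deny"
    return "allow"  # neither file matched: tcpd's default is to grant access


# Constructed config for the scenario in the thread: deny everything,
# then let in.telnetd accept the LAN plus a single external PC.
HOSTS_DENY = "all: all\n"
HOSTS_ALLOW = "in.telnetd: 192.168.1.0/255.255.255.0, 203.0.113.5\n"

if __name__ == "__main__":
    for daemon, ip in [("in.telnetd", "192.168.1.20"), ("in.telnetd", "203.0.113.5"),
                       ("in.telnetd", "198.51.100.7"), ("sshd", "192.168.1.20")]:
        print(daemon, ip, tcpd_access(daemon, ip, HOSTS_ALLOW, HOSTS_DENY))
```

Note that the sshd check comes back "deny": with `all: all` in hosts.deny, every wrapped service not listed in hosts.allow is refused, which is exactly the lockout to test for before applying the files. If the router rewrites the source address so that external connections arrive from its own LAN address, the LAN net/mask entry matches them too and hosts.allow can no longer tell the outside PC from anyone else.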