[Hudlug] Securing telnet

Tim tim at kooky.org
Fri Sep 26 12:53:28 BST 2003


Simon Fox-Jones wrote:
> Can anyone tell me if there is a way of securing telnet against outside
> machines but still allow one in.

Are you actually using the telnet server, or is this to access an 
application that presents a telnet interface?

> 
> I.e. all the LAN PCs should be able to telnet onto my Red Hat 6 server
> running a Pick database, and also one outside PC.

You need to look at /etc/hosts.allow and /etc/hosts.deny

But basically put

    all: all

into hosts.deny, and then you can selectively allow access to services by adding lines to 
hosts.allow.

[warning, it is really easy to lock yourself out of your machine this way]

Alternatively you can do something similar using iptables.

> I can configure the router to open the port on telnet to the server but it
> cannot filter the address as the router is cheap and cheerful.

Ahh. This complicates things. Do you trust the security of your 
network to your cheap router?

It depends how your router does the redirection: whether your server 
on the internal network sees a connection coming in with your router's 
IP address for the far end, or a connection with the IP address of the 
remote machine.

The way to test this is to watch the logs while an external connection 
comes in.

Remember that if your machine is accessible from the public internet in 
any way, then make sure you have all the latest security patches 
installed. You will get rooted.

Also, remember that if you use telnet then the password exchange and session 
contents are easily sniffable. Use SSH if you can, or at least tunnel 
telnet through SSL. Or if it is a telnet-type app, use SSH port 
forwarding to encrypt the connection and get inside your network.

Tim
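Worked example (added here; not part of Tim's reply or Simon's setup): a small simulation of how tcpd evaluates hosts.allow and hosts.deny, so you can check a rule set before you deploy it and lock yourself out. It models a subset of the hosts_access(5) syntax (ALL, exact IPv4 addresses, net/mask pairs and dotted prefixes like "192.168.1."; EXCEPT lists, hostnames and the optional shell-command field are left out). The daemon names, addresses and rule files below are constructed for illustration: a LAN on 192.168.1.0/24, a router whose LAN address is 192.168.1.1, one outside PC at 203.0.113.7, and the telnet daemon registered as in.telnetd.

```python
"""Simulate tcp_wrappers hosts.allow / hosts.deny evaluation.

Added example, not from the original mailing-list post. Decision order
as implemented by tcpd:
  1. a match in hosts.allow  -> access granted
  2. else a match in hosts.deny -> access denied
  3. else                       -> access granted (missing files = wide open)
"""
import ipaddress


def client_matches(pattern: str, client_ip: str) -> bool:
    """True if one client pattern from hosts.allow/deny matches client_ip."""
    pattern = pattern.strip()
    if pattern.upper() == "ALL":
        return True
    if "/" in pattern:                      # net/mask form, e.g. 10.0.0.0/255.0.0.0
        net, mask = pattern.split("/", 1)
        network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        return ipaddress.ip_address(client_ip) in network
    if pattern.endswith("."):               # dotted prefix, e.g. "192.168.1."
        return client_ip.startswith(pattern)
    return client_ip == pattern             # exact address


def daemon_matches(pattern: str, daemon: str) -> bool:
    pattern = pattern.strip()
    return pattern.upper() == "ALL" or pattern == daemon


def file_matches(rules: str, daemon: str, client_ip: str) -> bool:
    """True if any rule in a hosts.allow/deny text matches (daemon, client)."""
    for raw in rules.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split(":")             # daemon_list : client_list [: option]
        if len(fields) < 2:
            continue
        daemons, clients = fields[0].split(), fields[1].split()
        if (any(daemon_matches(d, daemon) for d in daemons)
                and any(client_matches(c, client_ip) for c in clients)):
            return True
    return False


def hosts_access(allow: str, deny: str, daemon: str, client_ip: str) -> str:
    """Return "allow" or "deny" for a connection, in tcpd's evaluation order."""
    if file_matches(allow, daemon, client_ip):
        return "allow"
    if file_matches(deny, daemon, client_ip):
        return "deny"
    return "allow"


def lockout_check(allow: str, deny: str, admin_ip: str, daemons=("sshd",)):
    """List the daemons the admin's own address would be refused by."""
    return [d for d in daemons if hosts_access(allow, deny, d, admin_ip) == "deny"]


# Constructed sample rule files (hypothetical addresses and daemon names).
HOSTS_DENY = "ALL: ALL\n"
HOSTS_ALLOW = """
# LAN PCs plus one outside PC may reach telnet; ssh stays reachable so the
# admin cannot be locked out by the ALL: ALL in hosts.deny.
in.telnetd: 192.168.1. 203.0.113.7
sshd: ALL
"""
HOSTS_ALLOW_NO_SSH = "in.telnetd: 192.168.1. 203.0.113.7\n"   # forgot sshd

if __name__ == "__main__":
    for daemon, ip in [("in.telnetd", "192.168.1.20"), ("in.telnetd", "203.0.113.7"),
                       ("in.telnetd", "198.51.100.9"), ("in.ftpd", "192.168.1.20"),
                       ("in.telnetd", "192.168.1.1")]:
        print(f"{daemon:<11} {ip:<14} {hosts_access(HOSTS_ALLOW, HOSTS_DENY, daemon, ip)}")
    print("locked out of:", lockout_check(HOSTS_ALLOW_NO_SSH, HOSTS_DENY, "192.168.1.20"))
```

Two cases are worth noticing. With the sshd line missing, `lockout_check` reports that the admin's own PC is refused by sshd, which is exactly the "easy to lock yourself out" trap. And if the cheap router rewrites the source address so the server sees every forwarded connection as coming from 192.168.1.1, the "192.168.1." prefix matches it, so the whole internet is effectively on the allow list; a hosts.allow entry for 203.0.113.7 then does nothing, and the address filtering has to happen somewhere that still sees the real source (the router, or an SSH tunnel into the LAN such as `ssh -L 2323:pickserver:23 user@gateway`, with hypothetical host names).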
