Connection refused in Linux

I set up linux Red Hat 6.2 straight out of a box.  I didn't enable any security (that I know of anyway).

The problem is that I can't connect to it from anything else.  I can connect to everybody else on the lan with ftp, telnet, ssh etc but nobody can connect to me.  The only inbound connections I've ever got is when somebody pings me or when I run an X-windows application on another machine.

Why does everybody else get connection refused when trying to connect to any of my ports (except X port and 21)?

More importantly how do I disable all security and let all my ports be open.  The lan is firewalled.

Thanks
St John Hawke
0
 
ahoffmann Commented:
check /etc/hosts.{allow,deny}
0
 
tdaoud Commented:

If the lan is firewalled, check to see if the firewall is allowing things to bypass to your machine first.

Then on your linux box check /etc/inetd.conf to enable the lines you would like to activate, for example telnet, ftp, talk, ...etc.

To enable the line, remove the first comment mark "#" in front of the line.  You should be looking for lines that start with the service you want (telnet, ftp, ...etc).

Good Luck,

Tarik
0
 
MFCRich Commented:
The default for RH6.2 is wide open (no ipchains rules and empty hosts.{deny,allow} files). Other than that, I think tdaoud is probably on the right track. Make sure inetd is started at boot time as well.
0
 
stjohnhawke (Author) Commented:
Ok guys, I did manually create an inetd.conf file in /etc with ftp and telnet etc. but still no luck.

I also made sure hosts.deny was empty and that hosts.allow had ALL:ALL in it.

I did a "ps -ef | grep inetd" and got nothing. I don't think it is running.
I can't even find inetd (ie find / -name inetd), where is it?

I think the complete absence of the inet daemon is my problem; shouldn't it have been installed by default?

Finally, if I have no inetd running (or even anywhere on the machine), why can people ping me? Is it because inetd deals with TCP and ping is ICMP or what?

St John Hawke

NB I have root access and what I meant about the firewalling is that the LAN NOT my machine is firewalled so leaving my box wide open would not be a problem.
0
 
tdaoud Commented:

If you don't have an inetd running on RH 6.2 then that is definitely your problem.

As you said, telnet, ftp, etc. are more on the application level in the network layers and require inetd to spawn the proper daemons and so on, while pinging is more on the network layer and communicates with lower-level software that is built into TCP/IP (inside the kernel itself).

I don't have RH 6.2 anymore since I upgraded to 7.1, but you should be able to find the proper package in your RPMS and install it.  I'm not sure about its name at this point.

Good Luck,

Tarik
0
 
stjohnhawke (Author) Commented:
Ok guys I found inetd in a red hat rpm, installed it and ran it no luck.  I also cycled the box (the windows generic fix) but still no dice.

Whenever I try to telnet or ftp to the box I get:

FTP:
421 Service not available, remote server has closed the connection.

Telnet:
Connection refused by foreign host

I need rlogin, telnet, ftp and ports from 4000 - 9000 working, but I think the problem is all down to the same underlying issue.  How do I know if inetd is really working?

Here is a copy of netstat -a :

tcp        0      0 *:smtp                  *:*                     LISTEN      
tcp        0      0 *:printer               *:*                     LISTEN      
tcp        0      0 *:time                  *:*                     LISTEN      
tcp        0      0 *:login                 *:*                     LISTEN      
tcp        0      0 *:shell                 *:*                     LISTEN      
tcp        0      0 *:telnet                *:*                     LISTEN      
tcp        0      0 *:ftp                   *:*                     LISTEN      
tcp        0      0 *:auth                  *:*                     LISTEN      

and here is a copy of my /etc/inetd.conf

ftp     stream     tcp     nowait.50     root     /usr/sbin/tcpd     in.ftpd -l -a
telnet     stream     tcp     nowait.50     root     /usr/sbin/tcpd     in.telnetd
shell     stream     tcp     nowait.50     root     /usr/sbin/tcpd     in.rshd
login     stream     tcp     nowait.50     root     /usr/sbin/tcpd     in.rlogind
talk     dgram     udp     wait.50     root     /usr/sbin/tcpd     in.talkd
ntalk  dgram  udp  wait   root   /usr/sbin/tcpd       in.ntalkd
time   stream tcp  nowait nobody /usr/sbin/tcpd       in.timed
auth   stream tcp  nowait nobody /usr/sbin/in.identd  in.identd -l -e -o


I'm kicking the points up to 300....

St John Hawke
0
 
tdaoud Commented:

Check now if you have inetd running with a command such as

ps ax | grep inetd

If it is, then did you get an /etc/inetd.conf file after you installed inetd, or are you still using something you put there?

Do you have the file /usr/sbin/tcpd, which is called when you telnet or ftp for example?  If not, you need to check on it and install it also, from another RPM maybe.

Let us know how it goes and good luck,

Tarik
0
 
ahoffmann Commented:
> .. and require inetd to spawn the proper daemons and so on ..

Nonsense. Sorry.
You may even start telnetd or ftpd, for example, as a normal process; they are programmed to work as daemons and listen on the configured ports for traffic.

As we can see in the postings from stjohnhawke, inetd is running and has spawned the processes for telnet and ftp (see result of netstat). ps won't show these processes, 'cause they are only started on demand, that is, when you try to connect to them.

We also see
> Telnet:
> Connection refused by foreign host
This indicates that telnetd answered from the remote machine. Otherwise you would have gotten a timeout anyhow.

So it's definitely that the remote host does not allow connections, probably 'cause of wrong setup of the services.
You may simply prove if the service (ftpd, logind) answers, if you issue tcpdump like
   tcpdump -l -n host yourhostname and port 21
You'll see that traffic is in both directions.
If this is true, we can also be sure that there is no router or firewall problem (in the net) anyhow.

Please check the configuration for telnetd and ftpd or tcpd (/etc/hosts.{allow,deny}) again.
0
 
tdaoud Commented:

ahoffmann,

We all know that you can run daemons by hand and as normal processes, but you do also agree with me that the other way to run such daemons is through inetd, which will be responsible to listen and spawn the telnet daemon, for example, once a request for telnet comes in.

So in the case we are talking about here, inetd is required to be running in order to listen and spawn.  Now if your point is that inetd is running or not...you may be right that it might be running rather than it is not, but as you agreed with me that other matters such as tcpd might not be properly configured or installed.

Tarik
0
 
ahoffmann Commented:
Tarik, I'm picky, sometimes.
But telling people half the truth may confuse them if someone gives an answer/comment using another solution.
When talking about daemons, it might be a good idea to kill inetd, and start the required daemons manually. Just to avoid side effects (for example inetd itself, or tcpd as in this example).
We both agree where to look for the problem, so make things as simple as possible, or: KISS - keep it small and simple :-)
My apologies, it wasn't meant as an offence.
0
 
tdaoud Commented:

I agree,

no offence at all from the beginning :-)

Tarik
0
 
vinnyd79 Commented:

Have you installed the telnet-server rpm after installing the inetd rpm?
0
 
magnakuz Commented:
I've had the same problem before. I had to download xinetd and install the telnet daemon and ftp service.
After that I had no problems. (Just make sure you don't have anything in your hosts.allow or hosts.deny in Red Hat 6.2.)


Try installing xinetd from

http://www.redhat.com/swr/i386/xinetd-2.1.8.8-0.9.i386.html

It's a more secure replacement. I think it's actually better in how it's laid out as well (easier to modify and change).

0
 
stjohnhawke (Author) Commented:
Ok guys.  I fixed the problem.

Here is what was wrong.  I didn't have the in.telnetd or in.ftp or in.* etc. daemons installed.  The netstat -a just showed the inetd listening to those services.  When a connect was received there was no  in.* daemon to start and pass the request to.

Secondly when I did install the daemons still nothing worked.  This was because of /etc/securetty.  I didn't mention that I would be logging in to everything with root because only Linux seems to have security set against this by default.  Once the securetty file was nuked, everything became sweet.

Since nobody here seems to have really solved the problem (though there were some very interesting tips), I'll try some extra mileage on it with this:

The points will go to the first person to show me how to configure the /etc/securetty file so that it will accept root logins for telnet, rlogin and ftp.  "Solutions" like deleting the securetty file or renaming it are no good.  I want to figure out how the thing works.  At present I tried putting the word rlogin in the securetty file but that didn't work, so I've renamed the securetty file so that it can never be checked and hence all root logins with all services work.
0
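The failure described in the post above (inetd holding the ports open while the in.* programs it should start are not installed), as an added example that is not part of the original thread: a shell function that reads an inetd.conf and reports entries whose server, or the daemon wrapped by tcpd, does not exist. The function name, the /usr/sbin default for tcpd's daemon directory and the sample entries are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag inetd.conf entries whose server program is not installed.
# Usage: check_inetd_conf CONF [DAEMON_DIR]
# DAEMON_DIR: where tcpd resolves a relative daemon name (assumed /usr/sbin).
check_inetd_conf() {
    conf=$1
    daemon_dir=${2:-/usr/sbin}
    # Fields: service socktype proto wait[.max] user server argv0 [args...]
    while read -r service socktype proto waitflag user server argv0 rest; do
        case $service in ''|'#'*) continue ;; esac
        if [ "$server" = internal ]; then continue; fi
        if [ ! -f "$server" ]; then
            echo "$service: server program $server missing"
            continue
        fi
        # Behind tcpd the real daemon is argv0; inetd still listens without it,
        # so netstat shows LISTEN even though nothing can be started.
        case $server in
            */tcpd)
                case $argv0 in
                    /*) target=$argv0 ;;
                    *)  target=$daemon_dir/$argv0 ;;
                esac
                if [ ! -f "$target" ]; then
                    echo "$service: tcpd present, daemon $target missing"
                fi
                ;;
        esac
    done < "$conf"
    return 0
}

# Constructed sample: a fake sbin directory holding tcpd and in.ftpd only.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/sbin"
    for f in tcpd in.ftpd; do : > "$tmp/sbin/$f"; done
    cat > "$tmp/inetd.conf" <<EOF
# constructed entries modelled on the inetd.conf shown in the thread
ftp     stream  tcp  nowait.50  root    $tmp/sbin/tcpd       in.ftpd -l -a
telnet  stream  tcp  nowait.50  root    $tmp/sbin/tcpd       in.telnetd
auth    stream  tcp  nowait     nobody  $tmp/sbin/in.identd  in.identd -l -e -o
EOF
    check_inetd_conf "$tmp/inetd.conf" "$tmp/sbin"
    rm -rf "$tmp"
}

demo
```

On a real host, call `check_inetd_conf /etc/inetd.conf`; any line it prints is a service that will accept the TCP connection and then drop it.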
 
vinnyd79 Commented:

Just add the tty devices you want root to log in to in the securetty file. I would recommend using su to become root, rather than logging in as root.
0
 
ahoffmann Commented:
AFAIK, /etc/securetty just contains (local) tty names; it is not used for rlogins. Therefore you need to set up ~/.rhosts (or /.rhosts for user root).
Keep in mind that you never know which tty will be assigned for rlogin.
0
