Solved

Telnet Restriction Based on IP

Posted on 2001-07-30
7
557 Views
Last Modified: 2010-03-18
I am using Redhat Linux 6.2. I want to give telnet access only to my Intranet users.
How can I deny telnet access from other servers? I think there may be an option to restrict Telnet access based on IP. How can I do it?

Waiting for an early reply.

 
0
Question by:bt74
7 Comments
 
LVL 40

Accepted Solution

by:
jlevie earned 10 total points
ID: 6334395
You can use tcpwrappers to restrict access to specific IPs. The restrictions are implemented by placing lines like:

in.telnetd:        1.2.3.4  
in.telnetd:   host.domain.tld
in.telnetd:   .domain.tld

in /etc/hosts.allow. The first and second lines allow a specific host access to telnet, the last allows anyone at domain.tld access. For more information see "man hosts.allow".
0
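As an added example (not part of jlevie's answer), the following Python models how tcpd evaluates the hosts.allow lines above: hosts.allow is consulted first, then hosts.deny, and a client matching neither file is allowed, which is why a catch-all hosts.deny entry is included to make the restriction actually exclusive. Both file bodies are constructed samples, and the net/mask line is an assumption added to cover an intranet range like the asker's.

```python
import ipaddress

# Constructed sample file bodies: the three hosts.allow lines from the
# answer, plus an assumed net/mask line for the intranet range and a
# catch-all hosts.deny so that everything not listed is refused.
HOSTS_ALLOW = """\
in.telnetd:        1.2.3.4
in.telnetd:   host.domain.tld
in.telnetd:   .domain.tld
in.telnetd:   172.16.0.0/255.255.0.0
"""
HOSTS_DENY = "ALL: ALL\n"


def parse_rules(text):
    """Return (daemon_list, client_list) pairs; comments and an optional
    third (shell command) field are ignored."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, clients = [f.split() for f in line.split(":", 2)[:2]]
        rules.append((daemons, clients))
    return rules


def client_matches(pattern, ip, hostname):
    """tcpwrappers client patterns: ALL, a .domain suffix, a net. prefix,
    net/mask, or an exact IP address or host name."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):                 # .domain.tld
        return hostname.endswith(pattern)
    if pattern.endswith("."):                   # 172.16.
        return ip.startswith(pattern)
    if "/" in pattern:                          # 172.16.0.0/255.255.0.0
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    return pattern == ip or pattern == hostname


def allowed(daemon, ip, hostname="", allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """hosts.allow is consulted first, then hosts.deny; no match at all
    means access is granted, which is why hosts.deny matters."""
    for rules, verdict in ((parse_rules(allow), True), (parse_rules(deny), False)):
        for daemons, clients in rules:
            if "ALL" in daemons or daemon in daemons:
                if any(client_matches(c, ip, hostname) for c in clients):
                    return verdict
    return True
```

Note that tcpd only sees connections that inetd hands to it, so this covers in.telnetd started from inetd.conf via tcpd, not a daemon started directly.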
 
LVL 51

Expert Comment

by:ahoffmann
ID: 6334715
use rlogin, or much better ssh, instead
rlogin requires in.rlogind (sshd for ssh), then you can define restrictions globally in /etc/hosts.equiv or per user in ~/.rhosts for rlogin, respectively in sshd.conf, ssh.conf and ~/.shost for ssh
0
 
LVL 2

Expert Comment

by:ifincham
ID: 6336799
Hi,

I would do this with ipchains (2.2 kernel series) or iptables (2.4 series) firewalling, i.e. packet filtering. As you have Redhat 6.2 I'll assume you don't have iptables.

If you have no firewalling currently in place you would effectively have the following defaults:

ipchains -P input ACCEPT
ipchains -P output ACCEPT
ipchains -P forward ACCEPT

You would do something like this:

ipchains -A input -i eth0 -p tcp -s 172.16.0.0/16 -d 172.16.1.1 23 -j ACCEPT

(input from interface (-i) eth0 with source address (-s) 172.16.x.x going to destination address /port (-d) 172.16.1.1:23 -> accept, i.e. allow)

ipchains -A output -i eth0 -p tcp ! -y -s 172.16.1.1 23 -d 172.16.0.0/16 1024:65535 -j ACCEPT

(output from 172.16.1.1 port 23 going to destination 172.16.x.x on any port in range 1024:65535 as long as not (!) syn bit set (-y) - i.e. not initiating from your box - accept)

ipchains -A input -i eth1 -p tcp -d 172.16.16.1 23 -j DENY

(input on interface eth1, tcp protocol, going to 172.16.16.1 port 23 - DENY)

In the above examples I've assumed eth0 for your LAN, eth1 for your internet connection, 172.16.16.1 as your Redhat box, port 23 for telnet (normal unless you changed it), and 172.16.0.0 mask 255.255.0.0 for your LAN.

All you would do is add these 'ipchains' lines to the end of your /etc/rc.d/init.d/rc.local startup script, or create a script called something like /etc/rc.d/init.d/rc.firewall and call that from rc.local.

Ssh (Secure Shell) is indeed more secure but I would still firewall it from outside. You would also need your client machines to have a client implementation of ssh which may not be easy if they are windows boxes. Ssh runs on tcp port 22 incidentally and is a little more complex to firewall with ipchains.

To check active rules do the list option:

ipchains -L input
ipchains -L output
etc.

Hope this helps, Iain  

 

 
0
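As an added example (not part of Iain's post), this Python evaluator applies ipchains' first-match semantics to his three rules and the default ACCEPT policies, so you can see which packets the rules actually affect. It assumes 172.16.1.1 for the Red Hat box throughout (the post's third rule and its assumption paragraph say 172.16.16.1), and every packet is constructed.

```python
import ipaddress
from dataclasses import dataclass

BOX = "172.16.1.1"  # assumption: the Red Hat box, used for all three rules here

@dataclass
class Rule:
    chain: str                  # input / output / forward
    iface: str = ""             # -i; empty means any interface
    src: str = "0.0.0.0/0"      # -s address or network
    sport: tuple = (0, 65535)   # source port range
    dst: str = "0.0.0.0/0"      # -d address or network
    dport: tuple = (0, 65535)   # destination port range
    syn: object = None          # -y is True, "! -y" is False, None is don't care
    target: str = "ACCEPT"      # -j target

@dataclass
class Packet:
    chain: str
    iface: str
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool

# The poster's three rules, appended in order; ipchains takes the first match.
RULES = [
    Rule("input", "eth0", src="172.16.0.0/16", dst=BOX, dport=(23, 23)),
    Rule("output", "eth0", src=BOX, sport=(23, 23), dst="172.16.0.0/16",
         dport=(1024, 65535), syn=False),
    Rule("input", "eth1", dst=BOX, dport=(23, 23), target="DENY"),
]
POLICY = {"input": "ACCEPT", "output": "ACCEPT", "forward": "ACCEPT"}

def matches(rule, p):
    return ((not rule.iface or rule.iface == p.iface)
            and ipaddress.ip_address(p.src) in ipaddress.ip_network(rule.src)
            and rule.sport[0] <= p.sport <= rule.sport[1]
            and ipaddress.ip_address(p.dst) in ipaddress.ip_network(rule.dst)
            and rule.dport[0] <= p.dport <= rule.dport[1]
            and (rule.syn is None or rule.syn == p.syn))

def verdict(pkt, rules=RULES, policy=POLICY):
    # Walk the packet's chain in order; the chain policy applies if nothing matches.
    for r in rules:
        if r.chain == pkt.chain and matches(r, pkt):
            return r.target
    return policy[pkt.chain]
```

With the default ACCEPT policies only the eth1 DENY changes anything; the two eth0 ACCEPT rules (including the "! -y" reply rule) only take effect once the input and output policies are switched to DENY, and ssh on port 22 is untouched by all three.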
 
LVL 51

Expert Comment

by:ahoffmann
ID: 6339972
not bad: ipchains.

BUT keep in mind that this needs a special compiled kernel.
Also, using a packetfilter (ipchains, iptables, etc.) just for restricting some host using telnet is oversized, somehow.
AND ALSO if ipchains is setup correctly you still need to configure telnet and/or ssh.
0
 
LVL 1

Expert Comment

by:reason100
ID: 6344771
You can restrict telnet access in your router config with
an access list.

Just a thought.

Rod
0
 
LVL 1

Expert Comment

by:Moondancer
ID: 6938055
ADMINISTRATION WILL BE CONTACTING YOU SHORTLY.  Moderators Computer101 or Netminder will return to finalize these if still open in seven days.  Please post closing recommendations before that time.

Question(s) below appears to have been abandoned. Your options are:
 
1. Accept a Comment As Answer (use the button next to the Expert's name).
2. Close the question if the information was not useful to you, but may help others. You must tell the participants why you wish to do this, and allow for Expert response.  This choice will include a refund to you, and will move this question to our PAQ (Previously Asked Question) database.  If you found information outside this question thread, please add it.
3. Ask Community Support to help split points between participating experts, or just comment here with details and we'll respond with the process.
4. Delete the question (if it has no potential value for others).
   --> Post comments for expert of your intention to delete and why
   --> YOU CANNOT DELETE A QUESTION with comments; special handling by a Moderator is required.

For special handling needs, please post a zero point question in the link below and include the URL (question QID/link) that it regards with details.
http://www.experts-exchange.com/jsp/qList.jsp?ta=commspt
 
Please click this link for Help Desk, Guidelines/Member Agreement and the Question/Answer process.  http://www.experts-exchange.com/jsp/cmtyHelpDesk.jsp

Click your Member Profile to view your question history and keep them updated as the collaboration effort continues, to maintain your open and locked questions.  If you are a KnowledgePro user, use the Power Search option to find them.  Anytime you have questions which are LOCKED with a Proposed Answer which does not serve your needs, please reject it and add comments as to why.  In addition, when you do grade the question, if the grade is less than an A, please add a comment as to why.  This helps all involved, as well as future persons who may access this item for help.

To view your open questions, please click the following link(s) and keep them all current with updates.


To view your locked questions, please click the following link(s) and evaluate the proposed answer.

**** PLEASE DO NOT AWARD THE POINTS TO ME. *****
 
------------>  EXPERTS:  Please leave your closing recommendations if this item remains inactive another seven (7) days.  If you are interested in the cleanup effort, please click this link http://www.experts-exchange.com/jsp/qManageQuestion.jsp?ta=commspt&qid=20274643 
POINTS FOR EXPERTS awaiting comments are listed here -> http://www.experts-exchange.com/commspt/Q.20277028.html
 

Moderators will finalize this question if still open in @7 days, by either moving this to the PAQ (Previously Asked Questions) at zero points, deleting it or awarding expert(s) when recommendations are made, or an independent determination can be made.  Expert input is always appreciated to determine the fair outcome.
 
Thank you everyone.
 
Moondancer
Moderator @ Experts Exchange
0
 
LVL 1

Expert Comment

by:Moondancer
ID: 7020048
28 open questions, ZERO courtesy of response to follow up requests, most posted for 10 points (less than the 50 point recommendation for "easy" questions); all very disheartening!

Zero response by Asker nor Expert closing recommendations, therefore this was finalized today by Moondancer - EE Moderator
0
