Solved

rules for telnet and ftp

Posted on 2003-11-09
1,881 Views
Last Modified: 2010-04-22
I have a Red Hat Linux server and I need to administer it remotely.
I would like to use telnet and ftp but only accept requests from a specific IP address. It would be fine if I could also use XDMCP for logging into that machine, but restricted to only one address.

How can I use iptables for that goal?

Thanks for your time to you all !!

Question by:diordonez
10 Comments
 
LVL 40

Expert Comment

by:jlevie
ID: 9710648
If your firewall is set up with a default deny stance (iptables -P INPUT DROP) you can add rules to the INPUT chain like:

iptables -A INPUT -p tcp -s 1.2.3.4 --dport 23 -j ACCEPT
iptables -A INPUT -p tcp -s 1.2.3.4 --dport 20 -j ACCEPT
iptables -A INPUT -p tcp -s 1.2.3.4 --dport 21 -j ACCEPT
iptables -A INPUT -p tcp -s 1.2.3.4 --dport 1024:65535 -j ACCEPT

will allow telnet & ftp access from 1.2.3.4. However, keep in mind that anyone that can see your network traffic can easily extract your username & password from the telnet or ftp sessions. If they are a clever attacker they can then spoof the IP and access your server. It is far better to only use safe protocols (ssh, scp, sftp) for remote administration since everything is encrypted.


BTW, you have two copies of this question. I'd recommend that you go to the Community Support topic area and ask to have http://www.experts-exchange.com/Security/Linux_Security/Q_20792310.html deleted and the points refunded.
 

Author Comment

by:diordonez
ID: 9711410
OK jlevie,
you have touched the specific point I need. What do I have to do in order to implement ssh & sftp? (Excuse me, but I don't know... is ssh an alternative to telnet?)

And the final question: is it secure to use XDMCP for graphical remote login?
How can I enable this kind of access in iptables?

Could you help me ?
 
LVL 40

Accepted Solution

by:jlevie (earned 125 total points)
ID: 9714846
Most, if not all, Linux systems include OpenSSH as a part of their distribution. So it is likely that you have it available on your server (or can install it from your distro). If you are running a firewall on the remote server you need to allow inbound connections via ssh with:

iptables -A INPUT -p tcp -s 1.2.3.4 --dport 22 -j ACCEPT

The ssh client tool (similar to a telnet session) allows the forwarding of X sessions from the remote to the local system. This means that you can open an ssh connection to the remote and run some X application and have the GUI shown on your local system. This is the preferred method of using X on a remote system.
 
LVL 14

Expert Comment

by:chris_calabrese
ID: 9715606
BTW, why use telnet and ftp at all, when you can use ssh, which is oodles more secure?
 

Author Comment

by:diordonez
ID: 9722289
How do I modify those rules if I need to accept ssh and sftp from only one address from outside, but from all the local addresses 192.168.0.0/255.255.255.224?

How do I definitively deny access for ftp and telnet, either from outside or from inside?

How do I implement secure access for pop3?

 
LVL 14

Expert Comment

by:chris_calabrese
ID: 9722459
Jlevie already commented on iptables rules for ssh/sftp. Just replace 1.2.3.4 in his example with 192.168.0.0/255.255.255.224.

Similarly, replace ACCEPT with DROP (and get rid of the -s 1.2.3.4) in Jlevie's example rules for ports 20, 21, and 23 to block telnet and ftp.

Finally, you can use iptables similarly to the above to allow access to pop3 (port 110 - read the iptables man page, this stuff is easy to figure out). But note that pop3 will still send data in the clear if you're not using an SSL-ized pop server or tunnel the pop3 traffic over ssh.

Getting those working, however, is a much larger discussion.
 
LVL 5

Expert Comment

by:g0rath
ID: 9724518
SSH allows you to tunnel other non-secure ports through the encrypted channel.

For instance, I forward port 110 from a foreign box across the internet to my local port 110. I use SSH to connect to the foreign Linux server, then point my mail program at 127.0.0.1 port 110 and I read my email securely.
 

Author Comment

by:diordonez
ID: 9725100
OK guys, thanks to you all. I've downloaded some tools for ssh and sftp and they work very well. I've learned a lot from all your comments and tips.

Warm greetings from Colombia !!
 

Author Comment

by:diordonez
ID: 9772654
I have my last question.

What ports do I have to open in order to use the internet? I have handled everything about telnet, ftp, ssh and pop, but now I can't use the internet, nor ping to the outside.
 
LVL 40

Expert Comment

by:jlevie
ID: 9779290
If you've ditched telnet and FTP the only inbound firewall rule that you need is:

iptables -A INPUT -p tcp -s 1.2.3.4 --dport 22 -j ACCEPT

Take the others for telnet & FTP out of your rule set.
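Pulling the thread's advice together, here is an added example (not code posted by any of the participants) of a complete INPUT rule set: default deny, ssh from the one external address and from the local /27, telnet and ftp dropped and logged from everywhere, and a stateful rule for replies to the server's own connections, which is what keeps web browsing and ping replies working under a DROP policy. The address 1.2.3.4 is the thread's placeholder; by default the script only prints the commands (set IPT=iptables and run as root to apply them).

```shell
#!/bin/sh
# Added example, not from the thread. Prints the commands unless IPT=iptables.
IPT="${IPT:-echo iptables}"

ADMIN_IP="1.2.3.4"                 # single external admin address (thread's placeholder)
LAN="192.168.0.0/255.255.255.224"  # the local /27 from the question

apply_rules() {
    # Default deny inbound; outbound stays open so the server can reach the internet
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    # Start from a clean INPUT chain (drops any leftover telnet/ftp ACCEPT rules)
    $IPT -F INPUT
    # Loopback, plus replies to connections the server itself opened.
    # Without this stateful rule a DROP policy also blocks browsing and ping replies.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # SSH (sftp and scp ride on it) from the admin address and the whole local subnet
    $IPT -A INPUT -p tcp -s "$ADMIN_IP" --dport 22 -j ACCEPT
    $IPT -A INPUT -p tcp -s "$LAN" --dport 22 -j ACCEPT
    # Telnet and FTP denied from everywhere: log the attempt, then drop it
    for port in 20 21 23; do
        $IPT -A INPUT -p tcp --dport "$port" -j LOG --log-prefix "cleartext-denied: "
        $IPT -A INPUT -p tcp --dport "$port" -j DROP
    done
    # Let hosts on the local subnet ping the server
    $IPT -A INPUT -p icmp --icmp-type echo-request -s "$LAN" -j ACCEPT
}

apply_rules
```

Review the printed rules first; the LOG lines let you confirm in the kernel log that old telnet/ftp clients are being refused before you remove them from the clients' configuration.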
