This topic has been archived. It cannot be replied.
  • Work & Study / IT Technical Discussion / Can someone tell me how to block telnet from untrusted IP?
    It is not about blocking r-commands (those are controlled by hosts.equiv or .rhosts).
    Notice: it is about blocking telnet.
    Thanks in advance
    • what system?
      • Unix, e.g. Solaris, AIX, FreeBSD, HP-Unix, etc.
        • Well, generally speaking, you'd better get a firewall. But some systems have their own ways too.
    • 1) Use route -reject -net xxx.xxx.xxx.xxx mask xxx.xxx.xxx.xxx to reject any packets from certain IPs. This is rough because you not only block TCP, but everything else (UDP, RTP) from those IPs.
      2) Install a firewall on your Solaris and close inbound TCP connection requests to port 23.
      3) Install a third-party tcp wrapper which provides an IP address filtering function.
      4) Write your own in.inetd: it reads from a config file and gets all IP addresses you decide to deny access to; when it sees a telnet connection request, it simply closes the connection.
      • Thanks, you are the man/woman. I can also disable telnetd in inetd.conf and use ssh/sshd, but I want to keep telnetd working. Do you have any ideas?
        • If you are on Linux, you are in luck: there is a daemon program called tcpd. You just replace the /usr/bin/telnetd with this tcpd in the inetd.conf file, and define the IP addresses in /etc/hosts.deny. If you are running on Solaris, you can download the tcpd source file (GNU license) and compile it on your SPARC.
          • Hmm...tcp_wrapper is not under GNU, afaik it's under BSD like license. Wietse Venema changed the license term about 2 weeks ago after the ipfilter license shakeup.
    • Can you give us the content of your inetd.conf, hosts.deny, hosts.allow, hosts.equiv, .rhosts?
      • You can find these files in every kind of UNIX under /etc dir. I am doing a test. So mine are the defaults.
        • What I mean is that if you can give us the content of those files, then we can have more details to help diagnosing your problem.
          As long as you have the following in *both* /etc/hosts.equiv and $HOME/.rhosts you should be able to block those r-commands:

          -<your IP> [<your username>]

          Notice that those 2 files only control r-commands and have nothing to do with controlling in.telnetd. Other daemons (telnetd, ftpd, etc.) can be controlled by /etc/hosts.{allow|deny} through the use of tcp_wrapper.
          • Oh, thanks. What I want to learn is "how to block telnet from untrusted IP", not r command securities.
            • OK, hopefully I got your question right this time :-)
              If you want to restrict telnet access (or any other service for that matter), you have several ways (other people already gave answers, I'll just summarize here):

              1. Use tcp_wrapper. Tcp_wrapper is available for almost all variants of Unix. If not by default, you can always download it and compile it yourself.

              2. Use firewall/packet filter package:
              Solaris:
              - ipfilter (http://www.ipfilter.org)
              - SunScreen Lite (http://www.sun.com/software/securenet/lite/)
              - CheckPoint FW-1
              FreeBSD:
              - ipfw (the default firewall package for FreeBSD)
              - ipfilter (you need to recompile the kernel to include ipfilter option)
              NetBSD/OpenBSD:
              - ipfilter
              Linux:
              - ipchains (for 2.2.x kernel)
              - iptables (for 2.4.x kernel)
              HP/UX:
              - ipfilter (still in alpha)
              - CheckPoint FW-1
              AIX:
              - CheckPoint FW-1 (?)
              - IBM has its own firewall (I can't remember the name)
              • Yep, I got them. Thx a lot.
    • tcpserver may be helpful
      • Another good way, thx.
    • firewall
      A way is using some firewall like ipchains or iptables, and writing a line like
      ipchains -A input -p tcp -s <ip.you.want.to.block> -d 0/0 23 -j DENY
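The thread's option 4 (a home-grown filter in front of in.telnetd, which is also what tcpd does for you) is shown below as an added example; it is not code from any of the posts above. It is meant to be launched by inetd in place of in.telnetd: it reads the peer address from the accepted socket on stdin, matches it against a deny file of addresses and CIDR blocks, and either exits (which closes the connection) or execs the real daemon. The paths /etc/telnet.deny and /usr/sbin/in.telnetd are assumptions for the example, as is the "refuse if the policy file cannot be read" choice.

```c
/* telnet-gate.c: inetd front-end that refuses telnet from listed addresses.
 * Added example for the thread's option 4; not from the original posts.
 * Assumed (not from the thread): deny list in /etc/telnet.deny, one
 * "a.b.c.d" or "a.b.c.d/n" per line, '#' comments; real daemon below.
 */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define DENY_FILE    "/etc/telnet.deny"      /* assumed path */
#define REAL_TELNETD "/usr/sbin/in.telnetd"  /* assumed path */

/* Parse "a.b.c.d" or "a.b.c.d/n" into a network/mask pair; 1 on success. */
static int parse_entry(const char *entry, uint32_t *net, uint32_t *mask)
{
    char buf[64], *slash, *end;
    struct in_addr a;
    long bits = 32;

    if (strlen(entry) >= sizeof buf) return 0;
    strcpy(buf, entry);
    if ((slash = strchr(buf, '/')) != NULL) {
        *slash = '\0';
        bits = strtol(slash + 1, &end, 10);
        if (*end != '\0' || bits < 0 || bits > 32) return 0;
    }
    if (inet_pton(AF_INET, buf, &a) != 1) return 0;
    *mask = bits == 0 ? 0 : htonl(0xFFFFFFFFu << (32 - bits));
    *net  = a.s_addr & *mask;
    return 1;
}

/* Return 1 if peer_ip matches any entry in deny_text, else 0.
 * Malformed lines are logged and skipped rather than treated as a match;
 * an unparsable peer address is refused (fail closed). */
int is_denied(const char *peer_ip, const char *deny_text)
{
    struct in_addr peer;
    char line[128];
    const char *p = deny_text;

    if (inet_pton(AF_INET, peer_ip, &peer) != 1) return 1;

    while (*p) {
        size_t n = strcspn(p, "\n");
        size_t copy = n < sizeof line - 1 ? n : sizeof line - 1;
        char *hash, *s;
        size_t len;
        uint32_t net, mask;

        memcpy(line, p, copy);
        line[copy] = '\0';
        p += n + (p[n] == '\n');

        if ((hash = strchr(line, '#')) != NULL) *hash = '\0';
        len = strlen(line);                          /* trim trailing space */
        while (len && strchr(" \t\r", line[len - 1])) line[--len] = '\0';
        for (s = line; *s == ' ' || *s == '\t'; s++) ; /* skip leading space */
        if (*s == '\0') continue;

        if (!parse_entry(s, &net, &mask)) {
            fprintf(stderr, "telnet-gate: ignoring bad deny entry '%s'\n", s);
            continue;
        }
        if ((peer.s_addr & mask) == net) return 1;
    }
    return 0;
}

/* Slurp the deny file into a malloc'd string; NULL if it cannot be read. */
static char *read_file(const char *path)
{
    FILE *f = fopen(path, "r");
    size_t cap = 4096, len = 0, r;
    char *buf;

    if (f == NULL) return NULL;
    buf = malloc(cap);
    while (buf != NULL && (r = fread(buf + len, 1, cap - len - 1, f)) > 0) {
        len += r;
        if (len + 1 == cap) { cap *= 2; buf = realloc(buf, cap); }
    }
    fclose(f);
    if (buf != NULL) buf[len] = '\0';
    return buf;
}

int main(int argc, char **argv)
{
    struct sockaddr_in sa;
    socklen_t slen = sizeof sa;
    char ip[INET_ADDRSTRLEN], *deny;
    (void)argc;

    /* inetd hands us the accepted connection as fd 0/1. */
    if (getpeername(STDIN_FILENO, (struct sockaddr *)&sa, &slen) != 0 ||
        sa.sin_family != AF_INET) return 1;
    inet_ntop(AF_INET, &sa.sin_addr, ip, sizeof ip);

    deny = read_file(DENY_FILE);
    if (deny == NULL || is_denied(ip, deny)) {   /* no policy file: refuse */
        fprintf(stderr, "telnet-gate: refused telnet from %s\n", ip);
        return 1;                                /* exit closes the socket */
    }
    free(deny);
    execv(REAL_TELNETD, argv);                   /* same fds go to telnetd */
    return 1;
}
```

To use it, point the telnet line in inetd.conf at the gate binary instead of in.telnetd (for example `telnet stream tcp nowait root /usr/local/sbin/telnet-gate telnet-gate`, an assumed install path) and list the untrusted addresses in the deny file. Note that this only decides per connection after the TCP handshake, like tcp_wrappers; a packet filter (ipfilter, ipfw, ipchains/iptables, as listed in the thread) stops the SYN before any daemon is spawned, so the two approaches complement rather than replace each other.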