×

Loading...
Ad by
  • 推荐 OXIO 加拿大高速网络,最低月费仅$40. 使用推荐码 RCR37MB 可获得一个月的免费服务
Ad by
  • 推荐 OXIO 加拿大高速网络,最低月费仅$40. 使用推荐码 RCR37MB 可获得一个月的免费服务

OK, hopefully I got your question right this time :-)

If you want to restrice telnet access (or any other services for that matter), you have several ways (other people already gave answer, I'll just summarize here):

1. Use tcp_wrapper. Tcp_wrapper is available for almost all variant of unix. If not by default, you can always download it and compile yourself.

2. Use firewall/packet filter package:
Solaris:
- ipfilter (http://www.ipfilter.org)
- SunScreen Lite (http://www.sun.com/software/securenet/lite/)
- CheckPoint FW-1
FreeBSD:
- ipfw (the default firewall package for FreeBSD)
- ipfilter (you need to recompile the kernel to include ipfilter option)
NetBSD/OpenBSD:
- ipfilter
Linux:
- ipchains (for 2.2.x kernel)
- iptables (for 2.4.x kernel)
HP/UX:
- ipfilter (still in alpha)
- CheckPoint FW-1
AIX:
- CheckPoint FW-1 (?)
- IBM has its own firewall (I can't remember the name)
Report

Replies, comments and Discussions:

  • 工作学习 / IT技术讨论 / Can someone tell me how to block telnet from untrusted IP?
    It is not blocking r command (this is from hosts.equiv or .rhosts).
    Notice: It is blocking telnet.
    Thanks in advance
    • what system?
      • Unix, e.g. Solaris, AIX, FreeBSD, HP-Unix, etc.
        • Well, generally speaking, you'd better get a firewall. But some systems have their own ways too.
    • 1) use route -reject -net xxx.xxx.xxx.xxx mask xxx.xxx.xxx.xxx to reject any packets from certain ips. This is rough because you not only block tcp, but everything else(udp,rtp) from those ips.
      2) install a fire wall on your solaris and close the inbound tcp connection request to port 23
      3) install a third party tcp wrap which provides ip address filtering function.
      4)write your own in.inetd, it reads from a config file and gets all ip addresses you decide to deny access to, when it sees a telnet connection request, it simply closes the connection
      • Thanks, you are the man/woman. I can also disable telnetd in inetd.conf and use ssh/sshd, but I want keep telnetd works. Do you have any ideas?
        • If you are on Linux, you are in luck
          , there is a deamon program called tcpd. You just replace the /usr/bin/telnetd with this tcpd in the inetd.conf file, and define the ip addresses in the /etc/host.deny. If you are running on Solaris, you can download the tcpd source file(gnu license) and compile it on your sparc.
          • Hmm...tcp_wrapper is not under GNU, afaik it's under BSD like license. Wietse Venema changed the license term about 2 weeks ago after the ipfilter license shakeup.
    • Can you give us the content of your inetd.conf, hosts.deny, host.allow, hosts.equiv, .rhosts?
      • You can find these files in every kind of UNIX under /etc dir. I am doing a test. So mine are the defaults.
        • What I mean is that if you can give us the content of those files, then we can have more details to help diagnosing your problem.
          As long as you have the following in *both* /etc/hosts.equiv and $HOME/.rhosts you should be able to block those r-commands:

          -<your IP> [<your username>]

          Notice that those 2 files only control r-commands and have nothing to do with controlling in.telnetd. Other daemons (telnetd, ftpd, etc.) can be controlled by /etc/hosts.{allow|deny} through the use of tcp_wrapper.
          • Oh, thanks. What I want to learn is "how to block telnet from untrusted IP", not r command securities.
            • OK, hopefully I got your question right this time :-)
              If you want to restrice telnet access (or any other services for that matter), you have several ways (other people already gave answer, I'll just summarize here):

              1. Use tcp_wrapper. Tcp_wrapper is available for almost all variant of unix. If not by default, you can always download it and compile yourself.

              2. Use firewall/packet filter package:
              Solaris:
              - ipfilter (http://www.ipfilter.org)
              - SunScreen Lite (http://www.sun.com/software/securenet/lite/)
              - CheckPoint FW-1
              FreeBSD:
              - ipfw (the default firewall package for FreeBSD)
              - ipfilter (you need to recompile the kernel to include ipfilter option)
              NetBSD/OpenBSD:
              - ipfilter
              Linux:
              - ipchains (for 2.2.x kernel)
              - iptables (for 2.4.x kernel)
              HP/UX:
              - ipfilter (still in alpha)
              - CheckPoint FW-1
              AIX:
              - CheckPoint FW-1 (?)
              - IBM has its own firewall (I can't remember the name)
              • Yep, I got them. Thx a lot.
    • tcpserver may be helpful
      • Another good way, thx.
    • firewall
      A way is using some firewall like ipchains or iptables. and write a line like
      ipchains -A input -s whatever.youwant.block.ip address -p tcp 23 -d 0/0 -j DENY