RedHat 8.0 -- Telnet works to local host, but can't telnet from a remote machine


Post by Mat » Thu, 28 Nov 2002 04:59:35



Installed RedHat 8.0 today on a generic clone PC.  We'll call it "New
Box"  Seems to be a security configuration issue -- here's the
details:

I can:
Telnet from "New Box" to anywhere
Telnet from "New Box" to its own IP, using my own user account (let's
call myusername)
Telnet from "New Box" to its loop back (127.0.0.1), using myusername
Ping "New Box"'s IP address from itself and any machine on our network
Ping any IP on our network from "New Box"

I can't
Telnet from "New Box" to its own IP (or Loop back), using the root
account (and I know I have the right password -- I login to the box
currently using root)
Telnet from a Windows machine to "New Box"'s IP address
Telnet from a Red Hat 6.2 machine to "New Box"'s IP address
Telnet from a Red Hat 6.2 machine to it using the line, "telnet -l
myusername 192.168.7.198"

About the box:
IP Address of 192.168.7.198, assigned by a DHCP server.
Configuration was pretty much "factory defaults" of the install,
chose minimum firewall security.

Configuration Files:
/etc/xinetd.d/telnet:
# default: on
# description: The telnet server serves telnet sessions; it uses \
#       unencrypted username/password pairs for authentication.
service telnet
{
        disable = no
        flags           = REUSE
        socket_type     = stream        
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        log_on_failure  += USERID

}

/etc/hosts:
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1               localhost.localdomain localhost

/etc/hosts.deny:
#
# hosts.deny    This file describes the names of the hosts which are
#               *not* allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow.  In particular
# you should know that NFS uses portmap!

/etc/hosts.allow:
#
# hosts.allow   This file describes the names of the hosts which are
#               allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
# Following two entries made by Matt 11/26:
in.telnetd:     192.168.7.
in.ftpd:        192.168.7.

 
 
 


Post by Duncan Swa » Thu, 28 Nov 2002 05:15:47



> Installed RedHat 8.0 today on a generic clone PC.  We'll call it "New
> Box"  Seems to be a security configuration issue -- here's the
> details:

> I can:
> Telnet from "New Box" to anywhere
> Telnet from "New Box" to its own IP, using my own user account (let's
> call myusername)
> Telnet from "New Box" to its loop back (127.0.0.1), using myusername
> Ping "New Box"'s IP address from itself and any machine on our network
> Ping any IP on our network from "New Box"

> I can't
> Telnet from "New Box" to its own IP (or Loop back), using the root
> account (and I know I have the right password -- I login to the box
> currently using root)
> Telnet from a Windows machine to "New Box"'s IP address
> Telnet from a Red Hat 6.2 machine to "New Box"'s IP address
> Telnet from a Red Hat 6.2 machine to it using the line, "telnet -l
> myusername 192.168.7.198"

> About the box:
> IP Address of 192.168.7.198, assigned by a DHCP server.
> Configuration was pretty much "factory defaults" of the install,
> chose minimum firewall security.

> Configuration Files:
> /etc/xinetd.d/telnet:
> # default: on
> # description: The telnet server serves telnet sessions; it uses \
> #  unencrypted username/password pairs for authentication.
> service telnet
> {
>    disable = no
>    flags           = REUSE
>    socket_type     = stream
>    wait            = no
>    user            = root
>    server          = /usr/sbin/in.telnetd
>    log_on_failure  += USERID
> }

> /etc/hosts:
> # Do not remove the following line, or various programs
> # that require network functionality will fail.
> 127.0.0.1          localhost.localdomain localhost

> /etc/hosts.deny:
> #
> # hosts.deny       This file describes the names of the hosts which are
> #          *not* allowed to use the local INET services, as decided
> #          by the '/usr/sbin/tcpd' server.
> #
> # The portmap line is redundant, but it is left to remind you that
> # the new secure portmap uses hosts.deny and hosts.allow.  In particular
> # you should know that NFS uses portmap!

> /etc/hosts.allow:
> #
> # hosts.allow      This file describes the names of the hosts which are
> #          allowed to use the local INET services, as decided
> #          by the '/usr/sbin/tcpd' server.
> #
> # Following two entries made by Matt 11/26:
> in.telnetd:        192.168.7.
> in.ftpd:   192.168.7.

For a start NEVER EVER remote login as root, it is in fact not possible
with most distributions as it is ridiculously insecure. Su to root if you must.

 
 
 


Post by Michael Heimin » Thu, 28 Nov 2002 06:18:12


[telnet problems]

> For a start NEVER EVER remote login as root, it is in fact not
> possible with most distributions as it is ridiculously insecure. Su to root
> if you must.

Which is exactly the same, as the root password will travel unencrypted
over the wire. Use ssh, there is no reason for using any r* services or
telnet, if you have ssh/sshd running.

Michael Heiming
--
Remove +SIGNS, if you expect an answer

 
 
 


Post by Timothy Murp » Thu, 28 Nov 2002 09:27:48



>> For a start NEVER EVER remote login as root, it is in fact not
>> possible with most distributions as it is ridiculously insecure. Su to root
>> if you must.
>Which is exactly the same, as the root password will travel unencrypted
>over the wire. Use ssh, there is no reason for using any r* services or
>telnet, if you have ssh/sshd running.

I don't think telnetd is running on RH-8.0, anyway.

I also found the firewall (I'm pretty sure I chose the medium strength firewall)
did not allow me to ssh in to an RH-8.0 machine, to my surprise.
I must admit I don't understand "iptables -L"
since they put the RH-LOKKIT stuff in it,
but ssh in worked when I disabled iptables ("service iptables stop").

--
Timothy Murphy  

tel: 086-233 6090
s-mail: School of Mathematics, Trinity College, Dublin 2, Ireland

 
 
 


Post by Mat » Fri, 29 Nov 2002 01:12:04


> I also found the firewall (I'm pretty sure I chose the medium strength firewall)
> did not allow me to ssh in to an RH-8.0 machine, to my surprise.
> I must admit I don't understand "iptables -L"
> since they put the RH-LOKKIT stuff in it,
> but ssh in worked when I disabled iptables ("service iptables stop").

Thank You folks!

I checked, sshd was running, so I stopped the iptables and voila, I'm
in.

I'll have to look up if I should be running the iptables, and if so,
then at least I'll know that's what needs tweaking.

Matt

 
 
 


Post by bens » Fri, 29 Nov 2002 01:45:24


[Wed, 27 Nov 2002 08:12:04 +0000] quoth Matt:

> I'll have to look up if I should be running the iptables, and if so,
> then at least I'll know that's what needs tweaking.

  I think most people would advise you to run iptables.
  Why not allow SSH access with iptables:
  iptables -I INPUT 1 -p tcp -d 0/0 --dport 22 -j ACCEPT
  B
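
Why the rule in the post above uses -I INPUT 1 rather than -A, as an added example that is not part of the thread: netfilter applies the first matching rule, so an ACCEPT appended after a REJECT covering the low ports never fires. The ruleset is constructed, the matcher is a simplified model (no source matching, no user-defined chains), and the 192.168.7.0/24 scope is an assumption based on the hosts.allow entries.

```shell
#!/bin/sh
# Constructed ruleset (not from the thread): a flattened stand-in for a
# host firewall that rejects new connections to privileged TCP/UDP ports.
RULES='-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 0:1023 --syn -j REJECT
-A INPUT -p udp -m udp --dport 0:1023 -j REJECT'

# Assumption: the LAN is 192.168.7.0/24, taken from the hosts.allow prefix.
SSH_RULE='-p tcp -s 192.168.7.0/24 --dport 22 -j ACCEPT'

# verdict RULESET PORT
# Print the target of the first INPUT rule matching a new TCP connection
# to PORT from a LAN client on a non-loopback interface. Source addresses
# are not evaluated; the chain policy is assumed to be ACCEPT.
verdict() {
    printf '%s\n' "$1" | awk -v port="$2" '
    $1 == "-A" && $2 == "INPUT" {
        ok = 1; target = ""
        for (i = 3; i <= NF; i++) {
            if ($i == "-i" && $(i+1) == "lo")  ok = 0
            if ($i == "-p" && $(i+1) != "tcp") ok = 0
            if ($i == "--dport") {
                n = split($(i+1), r, ":")
                from = r[1] + 0
                to = (n == 2 ? r[2] : r[1]) + 0
                if (port + 0 < from || port + 0 > to) ok = 0
            }
            if ($i == "-j") target = $(i+1)
        }
        if (ok && target != "") { found = 1; print target; exit }
    }
    END { if (!found) print "ACCEPT" }'
}

# Model "iptables -I INPUT 1 RULE" and "iptables -A INPUT RULE".
insert_first() { printf '%s\n%s\n' "-A INPUT $2" "$1"; }
append_last()  { printf '%s\n%s\n' "$1" "-A INPUT $2"; }

echo "before:   $(verdict "$RULES" 22)"
echo "appended: $(verdict "$(append_last "$RULES" "$SSH_RULE")" 22)"
echo "inserted: $(verdict "$(insert_first "$RULES" "$SSH_RULE")" 22)"
echo "telnet:   $(verdict "$(insert_first "$RULES" "$SSH_RULE")" 23)"
```

With the rule inserted first, SSH from the LAN is accepted while telnet on port 23 still hits the REJECT, so the firewall can stay enabled.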
 
 
 


Post by Johnny Choqu » Sat, 30 Nov 2002 03:31:38


> I can't
> Telnet from "New Box" to its own IP (or Loop back), using the root
> account (and I know I have the right password -- I login to the box
> currently using root)
> Telnet from a Windows machine to "New Box"'s IP address
> Telnet from a Red Hat 6.2 machine to "New Box"'s IP address
> Telnet from a Red Hat 6.2 machine to it using the line, "telnet -l
> myusername 192.168.7.198"

Run the ntsysv command and enable ftpd. Then run:

service xinetd restart

That's all

Johnny

 
 
 

1. Network Problems - Remote Ping successful / telnet local successful / telnet remote failed

I'm working with a small Linux system with network support on a local
network. A ping from a remote machine is successful. A local telnet
session is also successful. A telnet session from the remote machine
will fail.

I can see with ifconfig that, if the ping from the remote machine is running,
the tx counter increases. If I try the remote telnet session, I can
watch incoming packets but no packet will be transmitted.

With tcpdump I see the telnet connect request from the remote machine.
Next, my machine sends an arp-request about the address of the remote
machine and the remote machine replies with the correct information, but
nothing will happen.

My routing table has an entry for the network and for my own machine.

Has anybody an idea what's going wrong?

Thanks

Peter
