How to restrict ftp and telnet only from one specific machine?

Post by vector_sig » Sun, 11 Nov 2001 10:45:41



Hi all:

  I have inetd running and have ftp and telnet uncommented in
/etc/inetd.conf. I have a home LAN with WinME as the gateway to the internet,
configured as:
internet<--56k-->WinME<--ether-->FreeBSD4.4

  Would it be possible to allow ftp only from my WinME (192.168.0.1)
so that an evil cracker from hives.of.evil.cracker.org won't be able
to connect to my FreeBSD box?

  Thanks for any enlightenment.

vector sigma


How to restrict ftp and telnet only from one specific machine?

Post by Sol » Sun, 11 Nov 2001 12:07:40


Edit your /etc/hosts.allow file like:

ftpd : 192.168.0.1 : allow
telnetd : 192.168.0.1 : allow
ALL : ALL : deny

They must be in this order; it's first match wins.

HTH,

Sol


: Hi all:
:
:   I have inetd running and have ftp and telnet uncommented in
: /etc/inetd.conf. I have a home LAN with WinME as the gateway to the internet,
: configured as:
: internet<--56k-->WinME<--ether-->FreeBSD4.4
:
:   Would it be possible to allow ftp only from my WinME (192.168.0.1)
: so that an evil cracker from hives.of.evil.cracker.org won't be able
: to connect to my FreeBSD box?
:
:   Thanks for any enlightenment.
:
: vector sigma
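To see why Sol's rule order matters, here is a small evaluator for the three-field hosts.allow syntax used above. It is an added example, not code from the thread or from tcp_wrappers; it models only the subset on this page (daemon names, ALL, exact client addresses, and dotted network prefixes such as "192.168.0.") and assumes the tcp_wrappers default that a connection matching no rule is allowed. On FreeBSD the real check is tcpdmatch(8), e.g. "tcpdmatch ftpd 192.168.0.1".

```python
# Added example: first-match-wins evaluation of hosts.allow-style rules.
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    daemons: tuple[str, ...]   # daemon_list field, e.g. ("ftpd",) or ("ALL",)
    clients: tuple[str, ...]   # client_list field, e.g. ("192.168.0.1",)
    action: str                # "allow" or "deny"


def parse_rules(text: str) -> list[Rule]:
    """Parse 'daemon_list : client_list : allow|deny' lines; skip blanks and comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) != 3 or fields[2] not in ("allow", "deny"):
            raise ValueError(f"unsupported rule: {raw!r}")
        rules.append(Rule(tuple(fields[0].split()), tuple(fields[1].split()), fields[2]))
    return rules


def _client_matches(pattern: str, ip: str) -> bool:
    if pattern == "ALL":
        return True
    if pattern.endswith("."):          # dotted network prefix, e.g. "192.168.0."
        return ip.startswith(pattern)
    return ip == pattern               # exact address


def decide(rules: list[Rule], daemon: str, ip: str) -> str:
    """Return the action of the first rule matching daemon and client; no match means allow."""
    for rule in rules:
        daemon_ok = "ALL" in rule.daemons or daemon in rule.daemons
        if daemon_ok and any(_client_matches(p, ip) for p in rule.clients):
            return rule.action
    return "allow"


# Constructed inputs: Sol's rules as posted, and the same rules with the deny line first.
SOL_RULES = "ftpd : 192.168.0.1 : allow\ntelnetd : 192.168.0.1 : allow\nALL : ALL : deny\n"
DENY_FIRST = "ALL : ALL : deny\nftpd : 192.168.0.1 : allow\ntelnetd : 192.168.0.1 : allow\n"

if __name__ == "__main__":
    for name, text in (("correct order", SOL_RULES), ("deny first", DENY_FIRST)):
        rules = parse_rules(text)
        print(name, decide(rules, "ftpd", "192.168.0.1"), decide(rules, "ftpd", "203.0.113.5"))
```

With the deny line first, even 192.168.0.1 is refused, which is the mistake Sol's ordering note guards against. Note also that FreeBSD's stock /etc/hosts.allow opens with a permissive "ALL : ALL : allow" line that would match before any rule added below it, so that line has to be removed for the new rules to take effect.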



How to restrict ftp and telnet only from one specific machine?

Post by DrCla » Sun, 11 Nov 2001 14:33:03


There are several options

man ftpd :
 Ftpd authenticates users according to six rules.

           1.   The login name must be in the password data base and not have
                a null password.  In this case a password must be provided by
                the client before any file operations may be performed.  If
                the user has an S/Key key, the response from a successful USER
                command will include an S/Key challenge.  The client may
                choose to respond with a PASS command giving either a standard
                password or an S/Key one-time password.  The server will
                automatically determine which type of password it has been
                given and attempt to authenticate accordingly.  See key(1) for
                more information on S/Key authentication.  S/Key is a
                Trademark of Bellcore.

           2.   The login name must not appear in the file /etc/ftpusers.

           3.   The login name must not be a member of a group specified in
                the file /etc/ftpusers.  Entries in this file interpreted as

Therefore you could restrict access by only allowing yourself to log in.

If the WinME box is performing NAT as I understand it, the IP trying to
access your FreeBSD box will be different to that of the WinME box...
correct? I.e. the FreeBSD box will get an FTP request from evilhackers.org,
not the IP of the WinME box (unless of course that box is compromised). The
other alternative is to only allow FTP access from the IP of the WinME box.
But as mentioned, if the WinME box is hacked, your FreeBSD FTP server may be
vulnerable using this method.

HTH


> Hi all:

>   I have inetd running and have ftp and telnet uncommented in
> /etc/inetd.conf. I have a home LAN with WinME as the gateway to the internet,
> configured as:
> internet<--56k-->WinME<--ether-->FreeBSD4.4

>   Would it be possible to allow ftp only from my WinME (192.168.0.1)
> so that an evil cracker from hives.of.evil.cracker.org won't be able
> to connect to my FreeBSD box?

>   Thanks for any enlightenment.

> vector sigma



How to restrict ftp and telnet only from one specific machine?

Post by vector sigm » Mon, 12 Nov 2001 00:23:17


Thanks sol and dr claw for your help. I will follow your pointers.