restricting telnet port access with hosts.deny?


Post by DJ Noahphe » Tue, 23 Jun 1998 04:00:00



Is it possible to prevent people from telnetting to a certain port with
hosts.deny? IE I want to prevent certain hosts from telnetting into this
port, but allow others. Is this possible?

 
 
 


Post by Ben Rosenga » Tue, 23 Jun 1998 04:00:00


Access control is usually applied to *services*, not ports.  Usually,
any port you'd be concerned about is associated with a service.

Take a look at the tcp_wrappers package.  You can get it at, uh, let's
see, ftp://ftp.win.tue.nl/pub/security/.

On Mon, 22 Jun 1998 15:27:31 -0500, DJ Noahphex


>Is it possible to prevent people from telnetting to a certain port with
>hosts.deny? IE I want to prevent certain hosts from telnetting into this
>port, but allow others. Is this possible?

--

 Ben



 
 
 


Post by Lund » Tue, 30 Jun 1998 04:00:00


Putting a hostmask in hosts.deny will effectively prevent connections from
any machine from anywhere within the range of possible ip addresses in the
hostmask. It's rather handy if someone has been nuking you. Just block him.


>Is it possible to prevent people from telnetting to a certain port with
>hosts.deny? IE I want to prevent certain hosts from telnetting into this
>port, but allow others. Is this possible?

 
 
 


Post by Tracy R Re » Tue, 30 Jun 1998 04:00:00



>Putting a hostmask in hosts.deny will effectively prevent connections from
>any machine from anywhere within the range of possible ip addresses in the
>hostmask. It's rather handy if someone has been nuking you. Just block him.

hosts.deny only blocks access to services running tcpd or which otherwise read
hosts.deny. "nuking" usually occurs on a much lower level, before hosts.deny
can ever be consulted.

--
Tracy Reed      http://www.ultraviolet.org
Linux: Opening doors and shattering Windows.
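
An added example, not part of any post in this thread: a Python sketch of the point made in the replies above, that hosts.allow/hosts.deny rules name daemons rather than ports and only take effect for services that inetd starts through tcpd. The inetd.conf and hosts.* contents are constructed samples, only a subset of the hosts_access pattern syntax is handled, and in.ftpd is assumed not to be linked against libwrap.

```python
import ipaddress

# Constructed sample files for illustration (not taken from the thread).
INETD_CONF = """\
telnet stream tcp nowait root /usr/sbin/tcpd    in.telnetd
ftp    stream tcp nowait root /usr/sbin/in.ftpd in.ftpd -l
"""
HOSTS_ALLOW = "in.telnetd: 192.168.1.\n"
HOSTS_DENY = "in.telnetd: 10.0.0.0/255.0.0.0, 192.168.\nin.ftpd: ALL\n"

def wrapped_daemons(inetd_conf):
    """Map service -> daemon name tcpd sees, or None if inetd bypasses tcpd."""
    services = {}
    for line in inetd_conf.splitlines():
        f = line.split("#", 1)[0].split()
        if len(f) >= 7:
            services[f[0]] = f[6] if f[5].endswith("/tcpd") else None
    return services

def client_matches(pattern, addr):
    if pattern == "ALL":
        return True
    if pattern.endswith("."):   # leading address fields, e.g. "192.168."
        return addr.startswith(pattern)
    if "/" in pattern:          # net/mask, e.g. "10.0.0.0/255.0.0.0"
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern)
    return pattern == addr

def rule_matches(rules, daemon, addr):
    for line in rules.splitlines():
        parts = line.split("#", 1)[0].split(":")
        if len(parts) < 2:
            continue
        daemons = parts[0].replace(",", " ").split()
        clients = parts[1].replace(",", " ").split()
        if ("ALL" in daemons or daemon in daemons) and any(
                client_matches(c, addr) for c in clients):
            return True
    return False

def decide(service, addr):
    """Order used by tcpd: hosts.allow first, then hosts.deny, else grant."""
    daemon = wrapped_daemons(INETD_CONF).get(service)
    if daemon is None:
        return "not wrapped: hosts.deny is never consulted"
    if rule_matches(HOSTS_ALLOW, daemon, addr):
        return "allow"
    return "deny" if rule_matches(HOSTS_DENY, daemon, addr) else "allow"
```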

 
 
 


Post by Garry Garre » Thu, 02 Jul 1998 04:00:00




>>Putting a hostmask in hosts.deny will effectively prevent connections from
>>any machine from anywhere within the range of possible ip addresses in the
>>hostmask. It's rather handy if someone has been nuking you. Just block him.

>hosts.deny only blocks access to services running tcpd or which otherwise read
>hosts.deny. "nuking" usually occurs on a much lower level, before hosts.deny
>can ever be consulted.

If you want to cut off all traffic to a particular host, consider this:

route add {offending.host.ip.address} 127.0.0.1 1

This will tell your system that the route to the host in question is
through the loopback interface, so it will not be able to find the
host.  Drastic, but it usually works, even for things that don't
go through TCP wrappers (however it does cut off ALL traffic).

--
-----------------------------------------------------------------------
Garry J. Garrett              
CSG Systems, Inc.      ._o    see my homepage for a "mailto:" tag
2525 North 117th Ave.    |>   to send me e-mail...
Mailstop 2-A             4    
Omaha, NE 68164-3679          

CSG Systems - http://www.csgsys.com/
My Homepage - http://monarch.papillion.ne.us/~ggarrett

I do not speak in any capacity on behalf of CSG Systems.
I get into enough trouble speaking for myself.  

 
 
 


Post by d3vnu1 » Thu, 02 Jul 1998 04:00:00


Better yet, on most routers there exists a void-type interface, sorta like /dev/null
on Unix systems. It takes more time for a packet to be dropped than to be
forwarded, so why not just forward it to that. It will save your router some
cycles. You will obviously have to look at your router user man to find out
what this device is. Like I believe on Baynetwork's BCN's it's /dev/void
something like that. Anyone correct me if I'm wrong about this or I have it
mixed up. :)


>>>Putting a hostmask in hosts.deny will effectively prevent connections from
>>>any machine from anywhere within the range of possible ip addresses in the
>>>hostmask. It's rather handy if someone has been nuking you. Just block him.

>>hosts.deny only blocks access to services running tcpd or which otherwise read
>>hosts.deny. "nuking" usually occurs on a much lower level, before hosts.deny
>>can ever be consulted.

>If you want to cut off all traffic to a particular host, consider this:

>route add {offending.host.ip.address} 127.0.0.1 1

>This will tell your system that the route to the host in question is
>through the loopback interface, so it will not be able to find the
>host.  Drastic, but it usually works, even for things that don't
>go through TCP wrappers (however it does cut off ALL traffic).

>--
>-----------------------------------------------------------------------
>Garry J. Garrett
>CSG Systems, Inc.      ._o    see my homepage for a "mailto:" tag
>2525 North 117th Ave.    |>   to send me e-mail...
>Mailstop 2-A             4
>Omaha, NE 68164-3679

>CSG Systems - http://www.csgsys.com/
>My Homepage - http://monarch.papillion.ne.us/~ggarrett

>I do not speak in any capacity on behalf of CSG Systems.
>I get into enough trouble speaking for myself.

 
 
 

1. hosts.access & hosts.deny

Hello all,
  I have though just one problem I hope someone can help me with.
  In the Net-HOWTO and the man pages concerning hosts.allow and the
hosts.deny files, it says that you can run a shell command.
  I personally have tried every example I've seen and I always see in
the syslog "bad option" concerning the shell command no matter what.
  Here's an excerpt I've tried:
 ALL: ALL : echo "hi" >> /var/tmp/junk
  This produces a bad option "echo" line in the syslog. I've tried
surrounding the whole thing in () and quotes and commas. To no avail.
  The documentation states that when tcpd invokes the shell command it
runs sh as the shell.
  So I finagled a little and played with starting sh to just run a
command. It took the line:
 sh -c - "echo \"hi" >>/var/tmp/junk";
 just fine, so I put that line in the access file minus the sh of course
and it produced bad option "-c" in the syslog.
  Any ideas on how to get it to actually do a command?

Phil

--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Handle:Wild Card

Thought of the day:
After a number of decimal places, nobody gives a damn.
