Sorry, I should have been clear... I am using ipchains with kernel 2.2.16 on
Red Hat Linux.
I will look into ssh.. so my guess is it's the same script for ssh port 22
instead of 23?

Jeremy

----- Original Message -----
From: <[EMAIL PROTECTED]>
To: "jeremy" <[EMAIL PROTECTED]>
Sent: Monday, January 22, 2001 4:25 PM
Subject: Re: question about telnet


> On Mon, 22 Jan 2001 15:48:30 -0800  [EMAIL PROTECTED] wrote:
> >Hi,
> >
> >    I would like to know how i can block telnet to everyone except one
> >ip address... what im asking is i want all users that are trying to
> >connect to telnet be blocked as normal ( stealthed so no one knows its
> >running ) yet allow my home ip to telnet in and admin the server.  Is
> >this possible?
> >
> >Thanks
> >
> >Jeremy
>
> Jeremy,
>
> you'll want your firewall rules to look something like
>
> allow tcp from home_ip to telnethost 23
> deny tcp from any to telnethost 23
>
> in ipfirewall speak, or
>
> home_ip telnethost telnet allow short
> any telnethost telnet drop  long
>
> in Checkpoint FW-1 speak.
>
> Having said that, I urge you to consider the following caveats:
>
> 1) telnet traffic, generally, is not enciphered (SRP,
>    Kerberos, and other "secure" telnets excluded).
>    This means that the traffic can easily be sniffed.
>    (Ignore this if you control the entire network between
>    your home ip and the server.)
> 2) IP addresses are pretty easy to spoof. That's the
>    method used by Mitnick to obtain access to Shimomura's
>    machine. In other words, "IP address based authentication
>    without cryptographic controls is bad."
>
> If the network between your home address and the server is not trusted
> (i.e. it's the internet or is run by those bozos over in accounting :),
> you probably want to set up some sort of enciphered/authenticated
> tunnel. SRP (srp.stanford.edu, I think) with SSL does that, but
> you need to replace telnetd on the server. You could use something
> like Securemote if you've a Checkpoint FW-1 box and Windows on the
> home machine. SSH is all the rage as a remote access replacement. :)
> Or, you might make use of IPSec between either your home machine and
> the firewall, or between your home machine and the server.
>
>
> Jeff
>
> --
> Jeffrey S. Marker, CISSP
> [EMAIL PROTECTED]
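The allow-then-deny pair Jeff describes, written in the ipchains syntax Jeremy says he is running (kernel 2.2.x), as an added example that is not part of the original thread. The addresses are constructed placeholders from documentation ranges, the `gen_rules` and `apply_rules` names are mine, and the script only prints the commands unless DRY_RUN=0 is set on a root shell with an ipchains kernel.

```shell
#!/bin/sh
# Added example (not from the thread): restrict one TCP service to a single
# admin address with ipchains. ipchains is first-match, so the ACCEPT for the
# admin host must be appended before the catch-all DENY, exactly the order
# Jeff gives for ipfirewall and FW-1.
#
# DENY drops the packet silently, which gives the "stealthed" behaviour
# Jeremy asked for; REJECT would send an ICMP error and reveal the port.
# -l logs each dropped attempt to syslog so probes remain visible to the admin.

# gen_rules HOME_IP SERVER_IP PORT
#   prints the two ipchains commands, one per line, ACCEPT first.
gen_rules() {
  home_ip=$1
  server_ip=$2
  port=$3
  printf 'ipchains -A input -p tcp -s %s -d %s %s -j ACCEPT\n' \
    "$home_ip" "$server_ip" "$port"
  printf 'ipchains -A input -p tcp -s 0.0.0.0/0 -d %s %s -j DENY -l\n' \
    "$server_ip" "$port"
}

# apply_rules HOME_IP SERVER_IP PORT
#   DRY_RUN=1 (default): just print the commands for review.
#   DRY_RUN=0: feed them to sh (needs root and an ipchains-capable kernel).
apply_rules() {
  if [ "${DRY_RUN:-1}" = "1" ]; then
    gen_rules "$@"
  else
    gen_rules "$@" | sh
  fi
}

# Constructed placeholders: 203.0.113.5 = home machine, 192.0.2.10 = server.
# Telnet (port 23), then the identical pattern for SSH (port 22), which
# answers Jeremy's follow-up: only the port number changes.
apply_rules 203.0.113.5 192.0.2.10 23
apply_rules 203.0.113.5 192.0.2.10 22
```

Jeff's caveats still apply to the port 22 variant: the rule only limits who can reach the daemon, and the spoofing point means SSH's own authentication, not the source address, is what actually protects the login.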
