Author Topic: networking/firewall question

dishawjp

  • Member
  • **
  • Posts: 133
  • Kudos: 95
    • http://web.lemoyne/~dishawjp
networking/firewall question
« on: 24 January 2003, 17:21 »
Hi All,

I've networked two of my Linux boxes (RH 6.2 and RH 8.0).  Since the original setup on the RH 6.2 box was just for desktop, I had to install wu-ftpd
and telnet.  The two machines will now "talk" to each other, and that is what I was looking for so far, though I will want to do more later.

My problem is that now ports 21 and 23 (FTP and telnet) are wide open on my RH 6.2 machine.  I got rooted once and didn't find it to be a pleasant experience.  I want to close those two ports to non-local traffic.  I gave my machines IP addresses of 192.168.1.76 and 192.168.1.77.  I messed with the hosts.allow and hosts.deny files, but they didn't close those ports off to non-local traffic the way I thought they would, so I guess that means I'll have to mess with ipchains.  I have no rules set there now.

I tried reading the man pages and looking for other references on ipchains, but I'll need some "English" instructions.  I really didn't understand what I was reading.  I could get about as far as "ipchains -A" but wasn't at all clear on how to put the appropriate lines together to do what I want.  I want to "reject" all non-local requests to those ports, but "accept" local requests to them.  

I'd be more than willing to look at any references any of you folks could suggest, but they would have to be pretty basic for me to understand them.

Thanks in advance for any pointers or assistance.

Jim
____________________________
Registered Linux User 294493
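
One way to sanity-check the ordering of the ipchains rules asked about above, as an added example that is not from anyone in the thread: a small Python model of the input chain's first-match behaviour, using the 192.168.1.0/24 network and ports 21 and 23 from the question. The names `Rule`, `local_only_rules` and `verdict`, and the `as_ipchains` rendering, are the example's own.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Added example: a tiny model of the ipchains "input" chain. The kernel walks
# the chain top to bottom, the first matching rule decides, and if nothing
# matches the chain's default policy applies. Addresses and ports are the
# ones from the question: LAN 192.168.1.0/24, services on TCP 21 and 23.


@dataclass
class Rule:
    src: str               # source network in CIDR form
    dport: Optional[int]   # TCP destination port, or None for "any port"
    target: str            # ACCEPT, REJECT (ICMP back) or DENY (silent drop)

    def matches(self, src_ip: str, dport: int) -> bool:
        in_net = ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
        return in_net and (self.dport is None or self.dport == dport)

    def as_ipchains(self) -> str:
        # The command line you would type for this rule.
        port = f" --dport {self.dport}" if self.dport is not None else ""
        return f"ipchains -A input -p tcp -s {self.src}{port} -j {self.target}"


def local_only_rules(local_net="192.168.1.0/24", ports=(21, 23)):
    """Accept the two services from the LAN, reject them from anyone else.
    Order matters: the ACCEPT rules must come before the catch-all REJECTs,
    because -A appends and the first match wins."""
    rules = [Rule(local_net, p, "ACCEPT") for p in ports]
    rules += [Rule("0.0.0.0/0", p, "REJECT") for p in ports]
    return rules


def verdict(rules, src_ip, dport, policy="ACCEPT"):
    """Walk the chain the way the kernel does and return the target hit,
    or the chain's default policy when no rule matched."""
    for r in rules:
        if r.matches(src_ip, dport):
            return r.target
    return policy


if __name__ == "__main__":
    for r in local_only_rules():
        print(r.as_ipchains())
```

Rules added this way live only until reboot; `ipchains-save` dumps the current chains to a file so they can be restored at boot.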

voidmain

  • VIP
  • Member
  • ***
  • Posts: 5,605
  • Kudos: 184
    • http://voidmain.is-a-geek.net/
networking/firewall question
« Reply #1 on: 25 January 2003, 00:07 »
Why are you using telnet and ftp? SSH replaces both of those and uses encryption. It also can be restricted in the /etc/ssh/sshd_config as to what IP addresses/ranges are allowed to connect to it.
Someone please remove this account. Thanks...

dishawjp

  • Member
  • **
  • Posts: 133
  • Kudos: 95
    • http://web.lemoyne/~dishawjp
networking/firewall question
« Reply #2 on: 25 January 2003, 00:38 »
Thanks voidmain,

Excellent question. I've used telnet and FTP forever and know them.  Don't know anything about ssh... yet.

I'll look into it tonight when I get home.

Jim
____________________________
Registered Linux User 294493

mobrien_12

  • VIP
  • Member
  • ***
  • Posts: 2,138
  • Kudos: 711
    • http://www.geocities.com/mobrien_12
networking/firewall question
« Reply #3 on: 25 January 2003, 00:45 »
Void Main is right.  There is nothing different about using SSH and SFTP once you have the server and client configured.

To log in with ssh:

ssh [email protected]

To use sftp:

sftp [email protected]

You can also use gftp in SFTP/SSH mode.

Suggested options for client and server configs.

1)  SSH 2 protocols by default
2)  Do not allow root login
3)  If you need remote Xwindows access, allow X11 tunneling (this replaces the old method of xhost +system, export DISPLAY="computer.net:0.0").
4)  Set the hosts allow line.
In brightest day, in darkest night, no evil shall escape my sight....

voidmain

  • VIP
  • Member
  • ***
  • Posts: 5,605
  • Kudos: 184
    • http://voidmain.is-a-geek.net/
networking/firewall question
« Reply #4 on: 25 January 2003, 00:58 »
Yeah, it took me a long time to make the switch but still, that was 5 years ago. The functionality is *far* superior to telnet/ftp. ssh/scp is quite amazing. And ssh tunnels are awesome. X11 forwarding is very cool. And you can set it up to use keys rather than passwords so you can have trusts between machines without requiring a password (sort of like the old insecure rcommands). Using keys rather than passwords is in some ways more secure than using passwords.
Someone please remove this account. Thanks...