- 01-09-2003 #1 Just Joined!
- Join Date
- Nov 2002
- Posts
- 1
ftp & telnet problem
Hi,
I have made disabled = no in etc/xinetd.d/telnet and for the ftp files, and made
changes in the /etc/inetd.d/wu.ftp file (disable=no), and we have restarted the services,
but we are not able to access FTP or Telnet; it says it could not open a connection.
I have tried to check redhat-config-securitylevel and the security level is shown as
High, but I am trying to disable it or make it Medium low. It asks "do you want to save", but
after saying YES, if you check the security tab again, the firewall security level has not
been changed. I have tried with GNOME Lokkit, and after setting the security level either to DISABLED or
MEDIUM it is searching for some mailing and that's all.
Could you please guide me on how to achieve this FTP and Telnet access?
- 01-11-2003 #2 Linux Engineer
- Join Date
- Jan 2003
- Location
- Lebanon, pa
- Posts
- 994
First off, why don't you use ssh instead of telnet? I personally don't like the idea of having username/password sent in clear text. As for ftp, I would stay away from wuftpd. Check out proftpd, which is what I used on the servers at work. Very secure and has a lot more options than others. If you want to use wu, you can run it as a standalone server instead of through xinetd.
- 01-11-2003 #3 Linux User
- Join Date
- Jul 2002
- Location
- Daytona Beach, FL
- Posts
- 487
OK, well, if your security level is high then the firewall script is blocking the ports; you will need to open port 21 for ftp (and possibly some more for passive, let's not get into that unless you want to).
The easiest way would be to use ssh and sftp (a secure replacement for ftp), which both use port 22 and don't require any additional configuration. sftp is built into the ssh rpm's - you can download them, set your firewall to open port 22 and you're in good shape.
If you have ftp for a reason, again use port 21
majorwoo
Quiet brain, or I'll stab you with a Q-tip.
- 01-13-2003 #4 Just Joined!
- Join Date
- Jan 2003
- Posts
- 4
I would stay away from wuftpd. Check out proftpd
I've heard that so often "I would stay away from wuftpd. Check out proftpd"
Using the Redhat support page, it mentions "Basic configuration setup for both wu-ftpd and proftpd"
Where is proftpd found? How do I install it?
I see no reference to it anywhere else?
- 01-13-2003 #5 Linux Engineer
- Join Date
- Jan 2003
- Location
- Lebanon, pa
- Posts
- 994
- 02-05-2003 #6 Just Joined!
- Join Date
- Feb 2003
- Location
- In the state of mind between reality and confusion...
- Posts
- 6
I would have to concur with genlee. Telnet is a hacker's dream. I would get that service shut off ASAP. SSH is a lot better and is one port lower than telnet. As far as the ftp is concerned, I would have to agree with majorwoo. SFTP is the IT preferred way to ftp something, and it still only requires the same port as ssh. The other nice thing about SFTP is it's really simple to chroot people to their home directories if you are going to have quite a few users on the system.
www.openssh.com
You can get the tarball here. Very nice. Very efficient. Pretty dang safe.
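Before shutting telnet off as the replies above advise, it helps to see which xinetd services are actually enabled. The script below is an added example, not code from any poster in this thread; the function names and the sample input are constructed for illustration.

```sh
#!/bin/sh
# Added example: list services that xinetd would start.
# The per-service attribute xinetd reads is "disable"; a block with no
# "disable = yes" line is enabled.
# Assumption: only per-service blocks are read; a defaults section is ignored.

# Print "<service> <server>" for every enabled service block on stdin.
xinetd_enabled() {
    awk '
        /^[ \t]*#/ { next }                       # comment line
        { gsub(/=/, " = ") }                      # accept "disable=no" as well
        $1 == "service" { name = $2; dis = "no"; srv = "-"; next }
        $1 == "disable" { dis = tolower($3); next }
        $1 == "server"  { srv = $3; next }
        $1 == "}" && name != "" {
            if (dis != "yes") print name, srv
            name = ""
        }
    '
}

# Of the enabled services, keep the two this thread is about:
# telnet and ftp both send the login in clear text.
cleartext_enabled() {
    xinetd_enabled | awk '$1 == "telnet" || $1 == "ftp" { print $1 }'
}

# Constructed sample, modelled on files under /etc/xinetd.d.
sample_xinetd() {
cat <<'EOF'
# constructed sample
service telnet
{
    socket_type = stream
    server      = /usr/sbin/in.telnetd
    disable     = no
}
service ftp
{
    socket_type = stream
    server      = /usr/sbin/in.ftpd
    disable=yes
}
service time
{
    type        = INTERNAL
    socket_type = stream
}
EOF
}

sample_xinetd | cleartext_enabled
```

On a real host the input would be `cat /etc/xinetd.d/* | cleartext_enabled`; an empty result means neither service is offered through xinetd.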
- 04-08-2005 #7 Just Joined!
- Join Date
- Mar 2005
- Location
- Ghana
- Posts
- 35
Don't compromise your box!
SSH and PROFTP are the best; use this option and apply some wrappers on your Linux box.
Example of a TCP wrapper:
edit /etc/hosts.deny
add in.telnetd:ALL: severity emerg
There are more you can implement, but then safety lies in the middle route.
best in the PENGUIN
yours in LINUX
- 05-01-2005 #8 Just Joined!
- Join Date
- May 2005
- Location
- Toronto
- Posts
- 9
Not the best.. just what I do.
I would also agree that SSH is the way to go (no telnet).
As for FTP servers, I have used wuftp before and found it worked fine but took some tweaking. Now I use vsftp and it works great.
Configure it to only allow specific users in. Make these user accounts have a shell of 'nologin' (or whatever your distro uses). And use a period in the passwd file to chroot them to where you want them. I usually disable anonymous logins as well.
Anybody see any problems with this?
- 05-01-2005 #9 Just Joined!
- Join Date
- Apr 2005
- Posts
- 6
Re: Not the best.. just what I do.
Totally agree, SSH is a great remote admin tool that provides secure encrypted communications. If you want to see the difference between secure and insecure, I suggest that you install ethereal and perform a capture via ssh and a capture via ssh; you will notice the difference, i.e. no username/password broadcast over the network.
Originally Posted by sparkix
SSH, once configured, can be very powerful and secure. I would suggest setting permitrootlogins to no, a listen address rather than listening on any IP, i.e. listen 192.168.1.50, and changing the port to a higher port such as 24567.
Configuration of users for specific services rather than general user login and anonymous logins is a good technique as it gives you greater scope to log, detect and prevent attacks.
ProFTPD would be my choice of FTP Server along with some configuration.
Get some bandwidth monitoring and permissions set and we can keep close tracks on what is going on.
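The three sshd settings suggested in the post above can be checked mechanically. This is an added example, not code from the thread; `sshd_audit` is a hypothetical helper, the sample config is constructed, and the address and port are the ones the post mentions.

```sh
#!/bin/sh
# Added example: read an sshd_config on stdin and report on PermitRootLogin,
# ListenAddress and Port. sshd uses the first value it finds for a keyword,
# so a later "PermitRootLogin no" does not undo an earlier "yes".
sshd_audit() {
    awk '
        function st(ok) { return ok ? "OK" : "CHECK" }
        { sub(/#.*/, ""); gsub(/=/, " ") }      # drop comments, accept key=value
        NF < 2 { next }
        { key = tolower($1) }
        key == "match" { exit }                 # global settings only
        key == "permitrootlogin" && root == "" { root = tolower($2) }
        key == "port" {
            ports = ports (ports == "" ? "" : ",") $2
            if ($2 + 0 == 22) std = 1
        }
        key == "listenaddress" {
            addrs = addrs (addrs == "" ? "" : ",") $2
            if ($2 == "0.0.0.0" || $2 == "::" || $2 ~ /^0\.0\.0\.0:/ || $2 ~ /^\[::\]/) wild = 1
        }
        END {
            if (root == "")  root = "(unset)"
            if (addrs == "") { addrs = "(all)"; wild = 1 }
            if (ports == "") { ports = "22"; std = 1 }
            print st(root == "no"), "PermitRootLogin", root
            print st(!wild), "ListenAddress", addrs
            print st(!std), "Port", ports
        }
    '
}

# Constructed sample using the values from the post.
sample_sshd_config() {
cat <<'EOF'
# constructed sample
Port 24567
ListenAddress 192.168.1.50
PermitRootLogin yes
PermitRootLogin no
EOF
}

sample_sshd_config | sshd_audit
```

The sample is flagged on PermitRootLogin because the first value, `yes`, is the one in effect.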


