telnet on local LAN question

Rick Sewill rsewill at gmail.com
Tue Aug 16 11:11:28 UTC 2011


On Tuesday, August 16, 2011 12:04:57 AM Paul Allen Newell wrote:
> Greetings
> 
> I am trying to figure out how to get communication between my F14 boxes
> on a local wired LAN. The best test case I can come up with to prove
> that I don't know what I am doing wrong is telnet.
> 
<...snip...>
> Ping works great between all of the machines for both <otherX> and
> <otherX>.localdomain, lists the 192.168.10.x address like a happy camper
> should
> 
> But a telnet <otherX> 25 or telnet <otherX>.localdomain 25 fails.
> 
> I can't tell if I need to add information about the other machines
> somewhere else on <name> or if they really are known but something is
> blocking it.
> 

You didn't say if you could telnet locally to your local host:
Does this command work: telnet localhost
If not, the telnet service needs to be enabled/started.

Another possibility, iptables might be blocking it.
See if your iptables allows new incoming connections on the tcp telnet port.

There are other possibilities, but these are the first two I'd check.

If you plan to use ssh instead of telnet anyway, it is best to use ssh instead.
I believe ssh is normally enabled/started.
I believe iptables is normally set up to allow incoming ssh connections.

I'm not sure of the default sshd settings in /etc/ssh/sshd_config.
I'd go through those options. Please see man sshd_config.

I think the default is now only protocol 2 -- good if that's true.

I wish the default didn't allow PasswordAuthentication.
For testing and getting ssh working, password authentication may be okay.
Wouldn't want PasswordAuthentication as my default.
It is best to use PubkeyAuthentication, at a minimum, with good keys.

I think the default is to allow root login.  Wish that were not the case.
Make the person ssh in on a normal user account and su to root.
Please change "PermitRootLogin yes" to "PermitRootLogin no"

Please limit which users can come in over ssh in /etc/ssh/sshd_config.
Use AllowGroups and/or AllowUsers.

Not sure if you want X11Forwarding or not.

Some object to security by obscurity,
but you might wish to change the ssh port from port 22 to some other port.
It doesn't stop hackers if they discover your open ssh port.
It slows down those hackers who only look for ssh on port 22.

Question for iptables/firewall GUI people...
is there a way to specify ip address ranges in any firewall GUIs?

Rather than allow new incoming ssh connections
from any IP address given by the rule,
"-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT"
I think the OP would like to specify acceptable IP address ranges.

The OP sounds like he only wants local hosts coming in.
By hand, I would have entries with the source IP address range specified
as in -s 192.168.0.0/16, -s 10.0.0.0/8, -s 172.16.0.0/12

I can muck up /etc/sysconfig/iptables manually...most people shouldn't.
Bad things can happen if they don't know what they are doing.
It would be nice if firewall GUIs did this for them.  
Which firewall GUIs do?


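As an added example (not from Rick's post, and not a Fedora or OpenSSH tool), here is a small script that does the two checks discussed above offline: it reads an sshd_config and flags the settings the post warns about (Protocol 1, PasswordAuthentication, PermitRootLogin, no AllowUsers/AllowGroups), and it generates the source-restricted iptables rules for /etc/sysconfig/iptables instead of the wide-open --dport 22 rule. The function names, the sample config it audits and the assumption that "Match" blocks can be skipped (global settings come before them) are mine, not anything from the thread.

```shell
#!/bin/bash
# Added example, not from Rick's post or from Fedora: audit an sshd_config for
# the settings discussed above and emit iptables rules that accept new ssh
# connections only from the private (RFC 1918) ranges.
# Assumption: the config uses "Keyword value" lines; "Match" blocks are not
# evaluated (parsing stops at the first Match line, as global settings precede it).

# Print the effective value of an sshd_config keyword (first match wins,
# keywords are case-insensitive, '#' lines are comments), or nothing if unset.
sshd_opt() {
    # $1 = path to sshd_config, $2 = keyword
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == "match"      { exit }            # stop at Match blocks
        tolower($1) == key          { print $2; exit }
    ' "$1"
}

# Print one "FAIL ..." line per weak setting named in the post.
audit_sshd_config() {
    local cfg="$1" v

    v=$(sshd_opt "$cfg" Protocol)
    case "$v" in *1*) echo "FAIL Protocol $v (SSH protocol 1 is enabled)";; esac

    v=$(sshd_opt "$cfg" PasswordAuthentication | tr 'A-Z' 'a-z')
    case "${v:-yes}" in
        yes) echo "FAIL PasswordAuthentication ${v:-unset} (OpenSSH defaults to yes)";;
    esac

    # OpenSSH defaulted PermitRootLogin to yes until 7.0 (2015), so unset fails too
    v=$(sshd_opt "$cfg" PermitRootLogin | tr 'A-Z' 'a-z')
    case "${v:-unset}" in
        no) ;;
        *)  echo "FAIL PermitRootLogin ${v:-unset} (set it to no; log in as a user and su)";;
    esac

    if [ -z "$(sshd_opt "$cfg" AllowUsers)" ] && [ -z "$(sshd_opt "$cfg" AllowGroups)" ]; then
        echo "FAIL AllowUsers/AllowGroups unset (every local account may log in over ssh)"
    fi
}

# Number of findings; always exits 0 so it is safe to use under set -e.
audit_count() { audit_sshd_config "$1" | awk 'END { print NR }'; }

# Emit iptables rules, in /etc/sysconfig/iptables (iptables-restore) syntax,
# that accept NEW tcp connections to port $1 only from the CIDRs given as the
# remaining arguments. They replace the broad --dport 22 ACCEPT rule quoted in
# the post and must sit before the final REJECT rule in the INPUT chain.
ssh_rules() {
    local port="$1" cidr; shift
    for cidr in "$@"; do
        # refuse anything that does not look like a.b.c.d/n: a typo here is
        # exactly how people lock themselves out of a box
        printf '%s\n' "$cidr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$' \
            || { echo "ssh_rules: bad CIDR '$cidr'" >&2; return 1; }
        printf -- '-A INPUT -s %s -m state --state NEW -m tcp -p tcp --dport %s -j ACCEPT\n' \
            "$cidr" "$port"
    done
}

# Stand-alone demo on a constructed sshd_config (not a real system's file).
demo_cfg=$(mktemp)
cat >"$demo_cfg" <<'EOF'
# constructed sample with the weak settings the post objects to
Protocol 2,1
#PermitRootLogin no
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
EOF
echo "Findings for the constructed config:"
audit_sshd_config "$demo_cfg"
rm -f "$demo_cfg"
echo
echo "Rules accepting new ssh connections only from RFC 1918 space:"
ssh_rules 22 192.168.0.0/16 10.0.0.0/8 172.16.0.0/12
```

Run it as a normal user; it never touches the live iptables or sshd. Point audit_sshd_config at /etc/ssh/sshd_config to check a real box, and paste the ssh_rules output into /etc/sysconfig/iptables in place of the existing port 22 ACCEPT line, keeping it above the REJECT rule, before running service iptables restart.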