TCP Wrappers
Securing Telnet and FTP from the outside

You may want to make your Sun available as an FTP and/or Telnet server on the internet. This is useful if you have relatives in other states and want to give them bunches of digital pictures, MPEG home movies, or other large files which tend to flood normal mailboxes. You can set things up so they can log into your Sun and FTP things out or in. This brings up the issue of security, as you do not want hackers poking around your system. The following describes a reasonably secure method which uses a Linksys Cable/DSL router and TCP Wrappers.

Adjusting the Linksys settings

Linksys Filters Screen (cropped)

Setting up the Linksys box is pretty straightforward. What you want to do is make sure the Block WAN Request flag is set on the Filters tab under the Advanced set of tabs. That is, after you connect to the administration web pages, select the "Advanced" tab on the right. The panel which then shows is the Filters panel. Near the bottom is the check box marked Block WAN Request. You want this box checked. After you make a change, press the Apply button.

Linksys Filters Screen (cropped)

Still under the Advanced set of options, change to the Forwarding tab. This allows you to override the blocking for specific ports and route them to a specific machine (such as your Sun). Assuming you want to route telnet and ftp traffic to your Sun and disallow everything else, you will use two lines on this panel. On the first line, enter 21 in the "from" port and 21 in the "to" port, and set the IP address of your Sun in the space to the right. This will route the ftp port to your Sun. Then repeat the process for port 23, which is the telnet port. After you are done, press the Apply button at the bottom of the screen.

Setting up TCP Wrappers

You can download the TCP Wrappers Package for Solaris 8 from the Sun Freeware site. This package gives you the tcpd program and a bunch of documentation. Install the package with

pkgadd -d tcp_wrappers_ipv6-7.6-sol8-sparc-local

This will place the tcp wrappers program (tcpd) into /usr/local/sbin. Edit your /etc/inetd.conf file and make the following changes:


#Comment out the original ftp and telnet lines.
#
#ftp     stream  tcp6    nowait  root    /usr/sbin/in.ftpd       in.ftpd
#telnet  stream  tcp6    nowait  root    /usr/sbin/in.telnetd    in.telnetd

#Change the lines to use the tcp wrappers program tcpd.
#
ftp     stream  tcp6    nowait  root    /usr/local/sbin/tcpd    in.ftpd
telnet  stream  tcp6    nowait  root    /usr/local/sbin/tcpd    in.telnetd

Now create the two files /etc/hosts.allow and /etc/hosts.deny and populate them with data. A good starting point is:

/etc/hosts.allow

#Allow local machines on my home network to access the machine
ALL: LOCAL

#Allow machines at AGCS to access this machine.
ALL: .agcs.com

/etc/hosts.deny

# Disallow anything not in hosts.allow
ALL: ALL

The special service name ALL can be used because the Linksys router on this system is only forwarding ports 21 (ftp) and 23 (telnet). No other ports get forwarded to the Sun, so there is no reason to enumerate each service.

The manual pages for tcpd describe in great detail how to set up various combinations of allow and deny filters. In general, /etc/hosts.allow is checked first and then /etc/hosts.deny. The first match is taken. If no match is found in either file, the connection is allowed. Note that the ALL: ALL in the /etc/hosts.deny file makes deny the default, since ALL: ALL matches anything. Thus in the example, anything which did not match in /etc/hosts.allow will be rejected.

The tcpd(8) manual page and the hosts_access(5) manual page describe in great detail various ways of specifying allow and deny files.
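The following is an added example, not code from this page or from the tcp_wrappers package. It simulates the decision order just described (hosts.allow first, then hosts.deny, first match wins, otherwise allow) for the small subset of hosts_access(5) syntax used above: the ALL and LOCAL wildcards, leading-dot domain suffixes, and exact names. The rule that LOCAL matches any host name without a dot follows the manual page; the parser itself, the function names and the sample clients are this example's own. Real tcpd also resolves and cross-checks client addresses and supports many more patterns.

```python
import re

# Added example, not the page's or the tcp_wrappers project's own code.
# It models only the hosts_access(5) subset used on the page.


def pattern_matches(pattern, name):
    """Match one client or daemon pattern against a name."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":
        # LOCAL matches any host name that contains no dot.
        return "." not in name
    if pattern.startswith("."):
        # A leading dot matches the domain suffix, e.g. ".agcs.com".
        return name.endswith(pattern)
    return pattern == name


def parse_rules(text):
    """Parse 'daemon_list : client_list' lines into (daemons, clients) tuples.

    Comments (#) and blank lines are skipped. A third field (shell command)
    is permitted by hosts_access(5) but ignored here.
    """
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        daemons = re.split(r"[\s,]+", fields[0].strip())
        clients = re.split(r"[\s,]+", fields[1].strip())
        rules.append((daemons, clients))
    return rules


def rule_matches(rule, daemon, client):
    daemons, clients = rule
    return (any(pattern_matches(d, daemon) for d in daemons)
            and any(pattern_matches(c, client) for c in clients))


def access_decision(daemon, client, allow_text, deny_text):
    """Return 'allow' or 'deny' using tcpd's search order:
    hosts.allow first, then hosts.deny, first match wins, else allow."""
    for rule in parse_rules(allow_text):
        if rule_matches(rule, daemon, client):
            return "allow"
    for rule in parse_rules(deny_text):
        if rule_matches(rule, daemon, client):
            return "deny"
    return "allow"  # no match in either file: tcpd grants access


# The two files as given on the page.
HOSTS_ALLOW = """\
#Allow local machines on my home network to access the machine
ALL: LOCAL
#Allow machines at AGCS to access this machine.
ALL: .agcs.com
"""
HOSTS_DENY = """\
# Disallow anything not in hosts.allow
ALL: ALL
"""

if __name__ == "__main__":
    # Constructed sample clients, taken from the host names in the page's log.
    for daemon, client in [("in.ftpd", "styma4"),
                           ("in.telnetd", "workstation.agcs.com"),
                           ("in.ftpd", "sw107-169.adsl.seed.net.tw")]:
        print(daemon, client, "->",
              access_decision(daemon, client, HOSTS_ALLOW, HOSTS_DENY))
    # Without the ALL: ALL line the default becomes allow.
    print("empty hosts.deny:",
          access_decision("in.ftpd", "sw107-169.adsl.seed.net.tw", HOSTS_ALLOW, ""))
```

The last print shows why the ALL: ALL line matters: with an empty hosts.deny, a client that matches nothing in hosts.allow is still let in. The suffix check also means a name such as xagcs.com does not match .agcs.com, because the dot is part of the pattern.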

The tcp wrappers program writes information on all accesses to your Sun workstation to /var/log/syslog. The following is a sample from a log.


Aug 24 22:13:52 styma5 in.ftpd[1907]: [ID 927837 mail.info] connect from styma4
Aug 26 13:42:55 styma5 in.ftpd[588]: [ID 927837 mail.info] connect from phnxdslgw9poolA129.phnx.uswest.net
Aug 26 13:50:37 styma5 in.ftpd[597]: [ID 927837 mail.info] connect from phnxdslgw9poolA129.phnx.uswest.net
Aug 26 13:52:42 styma5 in.ftpd[599]: [ID 927837 mail.info] connect from phnxdslgw9poolA129.phnx.uswest.net
Aug 26 13:58:04 styma5 in.telnetd[603]: [ID 927837 mail.info] connect from phnxdslgw9poolA129.phnx.uswest.net
Aug 26 19:55:47 styma5 in.ftpd[671]: [ID 947420 mail.warning] refused connect from c689166-k.tcma1.wa.home.com
Aug 27 07:55:11 styma5 in.ftpd[724]: [ID 947420 mail.warning] refused connect from AMarseille-101-1-2-18.abo.wanadoo.fr
Aug 27 13:16:36 styma5 in.telnetd[742]: [ID 927837 mail.info] connect from workstation.agcs.com
Aug 27 13:22:30 styma5 in.ftpd[793]: [ID 927837 mail.info] connect from workstation.agcs.com
Aug 27 16:02:30 styma5 in.ftpd[807]: [ID 947420 mail.warning] refused connect from sw107-169.adsl.seed.net.tw
Aug 28 07:49:28 styma5 in.telnetd[877]: [ID 927837 mail.info] connect from workstation.agcs.com
Aug 28 15:18:02 styma5 in.ftpd[933]: [ID 927837 mail.info] connect from workstation.agcs.com
Aug 28 15:18:25 styma5 in.telnetd[934]: [ID 927837 mail.info] connect from workstation.agcs.com
Aug 28 16:07:52 styma5 in.ftpd[969]: [ID 927837 mail.info] connect from workstation.agcs.com
Aug 28 16:08:47 styma5 in.telnetd[970]: [ID 927837 mail.info] connect from workstation.agcs.com
Aug 28 23:42:52 styma5 in.ftpd[1064]: [ID 947420 mail.warning] refused connect from ool-18bcdba3.dyn.optonline.net
Aug 28 23:42:55 styma5 in.ftpd[1065]: [ID 947420 mail.warning] refused connect from ool-18bcdba3.dyn.optonline.net
Aug 29 07:03:11 styma5 in.ftpd[1092]: [ID 947420 mail.warning] refused connect from dclient217-162-107-103.hispeed.ch
Aug 29 07:43:30 styma5 in.telnetd[1095]: [ID 927837 mail.info] connect from workstation.agcs.com

The first line (connect from styma4) is an access from my PC to the Sun using ftp. You can see on each line whether ftpd or telnetd was being used. The entries from workstation.agcs.com are accesses from here at work. Note that we use NAT (Network Address Translation) at AGCS, so all machines appear to come from the same address. The lines from phnxdslgw9poolA129.phnx.uswest.net were me accessing my Sun workstation to retrieve files from a friend's house. I had previously added this to the /etc/hosts.allow file. The "refused connect" lines were refused connections from people trying to attach to my ftp server. TCP Wrappers was doing its job. These appear to be people running port scanners.
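As an added example (not part of the original page), the script below parses log lines in the format shown above and counts accepted and refused connections per client and daemon, which is the quickest way to spot repeat refusals like the two from ool-18bcdba3.dyn.optonline.net. The sample lines are copied from the page's log excerpt; the regular expression is an assumption about that Solaris syslog layout (timestamp, host, daemon[pid], [ID nnn facility.level], message), and the function names are this example's own.

```python
import re
from collections import Counter

# Added example, not from the original page. Sample lines are copied from
# the page's log excerpt so the script runs offline.
SAMPLE_LOG = """\
Aug 24 22:13:52 styma5 in.ftpd[1907]: [ID 927837 mail.info] connect from styma4
Aug 26 13:42:55 styma5 in.ftpd[588]: [ID 927837 mail.info] connect from phnxdslgw9poolA129.phnx.uswest.net
Aug 26 19:55:47 styma5 in.ftpd[671]: [ID 947420 mail.warning] refused connect from c689166-k.tcma1.wa.home.com
Aug 27 13:16:36 styma5 in.telnetd[742]: [ID 927837 mail.info] connect from workstation.agcs.com
Aug 28 23:42:52 styma5 in.ftpd[1064]: [ID 947420 mail.warning] refused connect from ool-18bcdba3.dyn.optonline.net
Aug 28 23:42:55 styma5 in.ftpd[1065]: [ID 947420 mail.warning] refused connect from ool-18bcdba3.dyn.optonline.net
Aug 29 07:03:11 styma5 in.ftpd[1092]: [ID 947420 mail.warning] refused connect from dclient217-162-107-103.hispeed.ch
"""

# Assumed layout of a tcpd line in Solaris syslog, as seen in the excerpt.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<daemon>\S+)\[(?P<pid>\d+)\]: \[ID \d+ (?P<facility>\S+)\] "
    r"(?P<action>refused connect|connect) from (?P<client>\S+)$"
)


def parse_log(text):
    """Return one dict per tcpd line; lines that do not match are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue  # some other daemon's message
        d = m.groupdict()
        d["refused"] = d["action"].startswith("refused")
        events.append(d)
    return events


def summarize(events):
    """Count accepted and refused connections per (client, daemon)."""
    accepted = Counter()
    refused = Counter()
    for e in events:
        key = (e["client"], e["daemon"])
        (refused if e["refused"] else accepted)[key] += 1
    return accepted, refused


def repeat_offenders(events, threshold=2):
    """Clients refused at least `threshold` times; repeated refusals from
    one address usually mean retries by a scanner rather than a typo."""
    _, refused = summarize(events)
    per_client = Counter()
    for (client, _daemon), n in refused.items():
        per_client[client] += n
    return sorted(c for c, n in per_client.items() if n >= threshold)


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    accepted, refused = summarize(events)
    print("accepted:", dict(accepted))
    print("refused:", dict(refused))
    print("repeat offenders:", repeat_offenders(events))
```

Running it over the real /var/log/syslog is a matter of replacing SAMPLE_LOG with the file contents; anything that is not a tcpd "connect from" or "refused connect from" line is skipped by the regular expression.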



Last Maintained, 01/31/2008 by R. E. Styma