iptables - I have searched and come up empty handed regarding telnet.
Hi,
I am using iptables. Telnet is not running on my box. However someone can still telnet to port 25, 110, etc. How can I possibly reject all incoming telnet sessions to ALL ports? I have searched and tried many things, but I am totally lost.
Go to /etc/xinetd.d and there'll be a file telnet. Edit that, and there should be a line disable = no in there, just change it to be yes. No-one will be allowed to telnet in now. (The above is true for latest RedHat. IIRC, xinetd was changed from inetd, and some distros still use inetd)
I don't even have the telnet package installed. I have another machine with telnet installed but not running, and the line in the telnet file is disable = yes, and still people can telnet on port 25, 110, etc.
If you allow connections to those ports, telnet will work.
Anyway, it doesn't matter whether you retrieve your messages from a pop3 server with a program or using telnet and typing commands...
If you left those ports open, telnet will be possible...
Anyway, setting telnet to disable in inetd.conf only disables telnetting to the telnet port (no insecure remote login), but there is no way to stop anyone from connecting to ports which are allowed to be connected to.
I have some friends that are using windows servers. EWWWWWW. Anyway, they say they can prevent telnet on mail ports. I find it hard to believe that with iptables you cannot prevent telnetting on specified ports.
Oh well. I guess I'll find some way to do it.
Thanks
Someone told me a while ago that they also had that option on their windows firewall. I'm not really sure how well it works though. Most firewalls work by blocking based on IP and port, either from the source or destination. Using those techniques it's not really possible to tell the difference between a sendmail program and a telnet client.
The only way I think they could tell the difference is if they would analyze the packets themselves. This would make the firewall run at a higher network level and consume more resources. But they could easily check for telnet characteristics. One of the main ones is that each key pressed usually gets sent in a separate packet because the user is typing them one by one. So if it receives a command in multiple network packets, then most likely it's a telnet user typing out his command. But you could still write a simple program which mimics an email program to get around that.
The best way is to make sure you've configured your mail server properly. If you've done that you shouldn't have to worry about people telnetting in.
Hey,
First I would like to thank everyone for the input that was left.
Second, "and again. there should be no risk in allowing telnet to an open service. (at least not more than while normal use)". Is the above quote true?
Someone can telnet to port 25 and not be able to send or check mail at all??????
Well, if someone CAN telnet to port 25 and you ALLOWED him to connect (that means he is legally on your site) then he can do everything a mail client can do (if he knows the commands).
BUT
If you disallow, say, mail-routing, then NOONE will EVER be able to send mail using telnet or ANY other software. kmail would also fail then.
It's all a question of configuration. Telnetting to a service means nothing else than dropping the good ol' user interface and doing everything hardcore text-based.
For example: I can connect to my ISP's pop3 server using kmail, and then read my mails.
But I can also connect to it using telnet and do the same. And this is no risk; you could never login to that site if you are not authorised.
Same with mail-routing. Everyone can connect to my ISP's smtp service. But mail routing IS forbidden, so I cannot do anything, because my IP differs from the one he allowed to use. If I HAD permission to send mail without a password, then the ISP did bad work in protecting his system...
btw: my server runs with iptables protection only, I never wanted to keep away telnet connections (except to the telnet port itself) and I don't have ANY problems :))
You can recompile IPTABLES with string filtering capability. I have not done this but was trying to find a way to kill code red before it reached outlook on my windows clients. Telnet requests have standard packet headers just like HTTP, etc. I am sure since it is plain text, you could filter by the string contained in the headers. Or, if you are not offering services, just drop everything with a -SYN flag coming from outside.
Not sure what you mean by "Or, if you are not offering services, just drop everything with a -SYN flag coming from outside."
Port 25 is the only port open from the outside so my mail can come in. That's the only thing that this server is used for. Can I still block all -SYN from coming in and still get my mail?
What he means by SYN is that any connection from the outside to your box starts by the remote side sending a packet with the SYN flag set; this marks them wanting to set up a connection. Note I'm still a newbie on iptables syntax, but the (un)blocking lines should look like this:
iptables -P INPUT DROP
iptables -A INPUT -s <addr> -p tcp --destination-port 25 -j ACCEPT
iptables -A INPUT -p tcp --tcp-flags ALL SYN -j DROP
# the ACCEPT has to come before the SYN drop: iptables stops at the first matching rule
This would add a default deny policy for incoming TCP, then add a default deny for incoming TCP with SYN flags, then add an allow for incoming TCP with SYN flags from the specified IP <addr>. This will only work if you can specify all <addr> or network ranges where mail is supposed to come from. If this is a mailserver my guess is you don't want to do this but only block illegal addresses like IANA designated private networks like 192 etc etc.
Then the last line could be something like
iptables -A INPUT -s 0.0.0.0/0 -p tcp --destination-port 25 --tcp-flags ALL SYN -j ACCEPT
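Putting the last two posts together, as an added example that is not code anyone posted in the thread: a default-deny INPUT chain for a host whose only externally reachable service is SMTP, with the port-25 ACCEPT placed before the catch-all SYN DROP (the other way round the DROP matches first and nothing gets in). It assumes the external interface is eth0 and that the "state" match module is available; DRY_RUN=1 prints the iptables commands instead of applying them.

```shell
#!/bin/sh
# Added example, not code posted in the thread. Default-deny INPUT chain for a
# host whose only externally reachable service is SMTP on port 25.
# Assumptions: external interface eth0; the "state" match module is available.
# DRY_RUN=1 prints the iptables commands instead of applying them.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

build_rules() {
    ipt -P INPUT DROP              # default deny: anything unmatched is dropped
    ipt -F INPUT                   # start from an empty chain
    ipt -A INPUT -i lo -j ACCEPT   # loopback traffic
    # Replies to connections this host opened itself (DNS lookups by the MTA, etc.)
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Packets on the external interface with a private or loopback source
    # address are spoofed or misrouted; drop them before anything else.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8; do
        ipt -A INPUT -i eth0 -s "$net" -j DROP
    done
    # New SMTP connections (SYN only) from anywhere. This ACCEPT has to come
    # before the catch-all SYN DROP below, or the DROP matches first.
    ipt -A INPUT -i eth0 -p tcp --dport 25 --syn -j ACCEPT
    # Every other inbound connection attempt is silently dropped.
    ipt -A INPUT -p tcp --syn -j DROP
}

# Number of rule commands the builder emits (sanity check for the dry run).
rule_count() {
    DRY_RUN=1 build_rules | grep -c '^iptables '
}

# Succeeds only when the port-25 ACCEPT is emitted before the SYN DROP.
smtp_accept_precedes_syn_drop() {
    out=$(DRY_RUN=1 build_rules)
    a=$(printf '%s\n' "$out" | grep -n -- '--dport 25 --syn -j ACCEPT' | cut -d: -f1)
    d=$(printf '%s\n' "$out" | grep -n -- '-p tcp --syn -j DROP' | cut -d: -f1)
    [ -n "$a" ] && [ -n "$d" ] && [ "$a" -lt "$d" ]
}

# Apply for real only when explicitly asked: sh script.sh --apply
if [ "${1:-}" = "--apply" ]; then
    build_rules
fi
```

Run with DRY_RUN=1 first and read the emitted rules; a telnet client connecting to port 25 is still accepted by this ruleset, which is the point made earlier in the thread: the firewall sees a TCP connection to port 25, not the program behind it.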