LinuxQuestions.org > Forums > Linux Forums > Linux - Security
01-02-2002, 06:34 AM   #1
ForumKid (Member, Registered: Dec 2001, Posts: 195)
iptables - I have searched and come up empty handed regarding telnet.


Hi,
I am using iptables. Telnet is not running on my box. However someone can still telnet to port 25, 110, etc. How can I possibly reject all incoming telnet sessions to ALL ports? I have searched and tried many things, but I am totally lost.

Thanks
 
01-02-2002, 07:53 AM   #2
glj (Member, Registered: Jul 2001, Location: London, Distribution: RH 9, Posts: 151)
Go to /etc/xinetd.d and there'll be a file called telnet. Edit that; there should be a line disable = no in there, just change it to disable = yes. No-one will be allowed to telnet in now. (The above is true for the latest Red Hat. IIRC, xinetd replaced inetd, and some distros still use inetd.)

HTH

glj
 
01-02-2002, 01:44 PM   #3
ForumKid (Member, Original Poster)
Hi, Thanks for the reply.

I don't even have the telnet package installed. I have another machine with telnet installed but not running, and the line in the telnet file is disable = yes, and still people can telnet to port 25, 110, etc.

Thanks
 
01-02-2002, 02:07 PM   #4
raven (Member, Registered: Dec 2001, Location: Basel, Switzerland, Distribution: ubuntu, Posts: 297)
if you allow connections to those ports, telnet will work.

anyway it doesn't matter whether you retrieve your messages from a pop3 server with a program or using telnet and typing commands...

if you left those ports open, telnet will be possible...

anyway, setting telnet to disable in inetd.conf only disables telnetting to the telnet port (no insecure remote login), but there is no way to stop anyone from connecting to ports which are allowed to be connected to.

greetz

visit: raven.eplay.ch
 
01-02-2002, 02:08 PM   #5
raven (Member, Registered: Dec 2001, Location: Basel, Switzerland, Distribution: ubuntu, Posts: 297)
oh forgot something: you can find a good tutorial on how to set up iptables firewalls at

raven.eplay.ch

bye
 
01-02-2002, 02:18 PM   #6
ForumKid (Member, Original Poster)
Hi,

I have some friends that are using Windows servers. EWWWWWW. Anyway, they say they can prevent telnet on mail ports. I find it hard to believe that with iptables you cannot prevent telnetting on specified ports.

Oh well. I guess I'll find some way to do it.
Thanks
 
01-02-2002, 02:37 PM   #7
raven (Member, Registered: Dec 2001, Location: Basel, Switzerland, Distribution: ubuntu, Posts: 297)
well in this case there has to be a way......

if they can do it, then there should be a way with iptables too...

if it really works on their site and it's not only a bug of the windows server )))

well....

im surprised...

tell me if you found a way... )

bye
 
01-03-2002, 05:33 AM   #8
Mik (Senior Member, Registered: Dec 2001, Location: The Netherlands, Distribution: Ubuntu, Posts: 1,316)
Someone told me a while ago that they also had that option on their Windows firewall. I'm not really sure how well it works though. Most firewalls work by blocking based on IP and port, either source or destination. Using those techniques it's not really possible to tell the difference between a sendmail program and a telnet client.
The only way I think they could tell the difference is if they analyzed the packets themselves. This would make the firewall run at a higher network level and consume more resources. But they could easily check for telnet characteristics. One of the main ones being that each key pressed usually gets sent in a separate packet because the user is typing them one by one. So if it receives a command in multiple network packets, then most likely it's a telnet user typing out his command. But you could still write a simple program which mimics an email program to get around that.
The best way is to make sure you've configured your mail server properly. If you've done that you shouldn't have to worry about people telnetting in.
 
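The keystroke-per-packet heuristic described in the post above, as an added example (not code from the thread or from any firewall product). It reassembles the client-to-server half of an SMTP session from constructed (time, payload) segments, counts how many segments carried each command line and how far apart they were, and calls the session "interactive" when lines look typed. The 50 ms gap threshold and the sample sessions are assumptions; the third sample shows the evasion the post mentions: a script that writes whole lines looks exactly like a mail client.

```python
"""Telnet-vs-mail-client heuristic from the post above, as an added example
(not code from the thread).  A person typing into telnet usually produces
one small TCP segment per keystroke with human-speed gaps between them; a
mail program writes each command line in one go.  The 'packets' here are
constructed (time_in_seconds, payload_bytes) tuples standing in for the
client-to-server half of a captured TCP stream."""

from statistics import median


def classify_session(segments, max_client_gap=0.05):
    """Return ("interactive" | "client", stats).

    For every command line, count the segments that carried it and the
    median gap between them.  A line spread over several segments with
    gaps longer than max_client_gap (default 50 ms, assumed) looks typed.
    The session is 'interactive' when at least half its lines look typed."""
    lines = []        # (segments_per_line, median_gap_seconds)
    buf, times = b"", []
    for t, payload in segments:
        buf += payload
        times.append(t)
        while b"\n" in buf:
            _, buf = buf.split(b"\n", 1)
            gaps = [b - a for a, b in zip(times, times[1:])]
            lines.append((len(times), median(gaps) if gaps else 0.0))
            times = [t] if buf else []   # leftover bytes start the next line
    typed = sum(1 for n, gap in lines if n > 1 and gap > max_client_gap)
    verdict = "interactive" if lines and typed * 2 >= len(lines) else "client"
    return verdict, {"lines": len(lines), "typed_lines": typed}


def typed_by_hand(text, start=0.0, per_key=0.18):
    """Constructed sample: one segment per keystroke at ~180 ms per key."""
    return [(start + i * per_key, ch.encode()) for i, ch in enumerate(text)]


def sent_by_program(lines, start=0.0, rtt=0.02):
    """Constructed sample: whole lines, one per round trip (assumed 20 ms)."""
    return [(start + i * rtt, line) for i, line in enumerate(lines)]


COMMANDS = [b"HELO example.org\r\n",
            b"MAIL FROM:<alice@example.org>\r\n",
            b"RCPT TO:<bob@example.net>\r\n"]

TELNET_USER = typed_by_hand(b"".join(COMMANDS).decode())
MAIL_CLIENT = sent_by_program(COMMANDS)
# The evasion the post mentions: a script that writes whole lines is
# indistinguishable from a real client to this heuristic.
SCRIPTED = sent_by_program(COMMANDS, rtt=0.001)

if __name__ == "__main__":
    for name, sess in [("telnet", TELNET_USER), ("client", MAIL_CLIENT), ("script", SCRIPTED)]:
        print(name, classify_session(sess))
```

The verdict depends only on segmentation and timing, never on the bytes themselves, which is why it costs a reassembly buffer per connection and why it is trivially bypassed; it is a detection hint, not an access control.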
01-03-2002, 12:59 PM   #9
raven (Member, Registered: Dec 2001, Location: Basel, Switzerland, Distribution: ubuntu, Posts: 297)
yeah you are right.

firewalls like iptables work on low (packet) level.

the solution you need would be a gateway that runs at OSI layer 5 or higher. that uses more resources (as the previous post says).

and again. there should be no risk in allowing telnet to an open service. (at least not more than during normal use)

bye
 
01-03-2002, 01:41 PM   #10
ForumKid (Member, Original Poster)
Hey,
First I would like to thank everyone for the input that was left.
Second: "and again. there should be no risk in allowing telnet to a open service. (at least not more than while normal use)". Is the above quote true?
Someone can telnet to port 25 and not be able to send or check mail at all??????

Thanks
 
01-03-2002, 05:46 PM   #11
raven (Member, Registered: Dec 2001, Location: Basel, Switzerland, Distribution: ubuntu, Posts: 297)
hello

well, if someone CAN telnet to port 25 and you ALLOWED him to connect (that means he is legally on your site) then he can do everything a mail client can do (if he knows the commands)

BUT

if you disallow, say, mail-routing, then NOONE will EVER be able to send mail using telnet or ANY other software. kmail would also fail then.

it's all a question of configuration. telnetting to a service means nothing else than dropping the good ol' user interface and doing everything hardcore text-based.

for example: i can connect to my ISP's pop3 server using kmail, and then read my mails.
but i can also connect to it using telnet and do the same. and this is no risk, you could never log in to that site if you are not authorised.

same with mail-routing. everyone can connect to my isp's smtp service. but mail routing IS forbidden, so i cannot do anything, because my IP differs from the ones he allows. if i HAD permission to send mail without a password, then the isp did a bad job of protecting his system...

btw: my server runs with iptables protection only, never wanted to keep away telnet connections (except to the telnet port itself) and i don't have ANY problems ))

bye
 
01-07-2002, 04:58 PM   #12
[BHBS]=TK (Member, Registered: Aug 2001, Location: Salt Lake City, UT, Distribution: REDHAT 7.1, Posts: 32)
STRING

You can recompile IPTABLES with string filtering capability. I have not done this but was trying to find a way to kill Code Red before it reached Outlook on my Windows clients. Telnet requests have standard packet headers just like HTTP, etc. I am sure since it is plain text, you could filter by the string contained in the headers. Or, if you are not offering services, just drop everything with a SYN flag coming from outside.
 
01-08-2002, 11:05 AM   #13
ForumKid (Member, Original Poster)
Not sure what you mean by "Or, if you are not offering services, just drop everything with a -SYN flag coming from outside."

Port 25 is the only port open from the outside so my mail can come in. That's the only thing this server is used for. Can I still block all SYN packets from coming in and still get my mail?

Thanks
 
01-08-2002, 05:50 PM   #14
ForumKid (Member, Original Poster)
Is there a way to block someone from sending mail from my server after telnetting to port 25?

HELO <hostname>
MAIL FROM:<address>
RCPT TO:<address>
DATA
To: <address>
From: <address>
Subject: test
.

The above commands allow someone to send an email.
Is this preventable???
 
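A minimal receive-side SMTP policy, as an added example that is not any real MTA's code and not part of the thread, covering the point made in raven's reply (#11) and the exact command sequence in the post above (#14): whether a connection to port 25 can send mail is decided by the server per RCPT TO, not by whether the other end is a mail program or a person typing. The local domain, the relay-allowed network, the client addresses and the transcripts are constructed for the example; an outside host is refused at RCPT TO when the recipient is not local, while the same commands from the allowed network, or to a local mailbox, go through.

```python
"""Receive-side SMTP relay policy, as an added example (not a real MTA).
Answers the HELO / MAIL FROM / RCPT TO / DATA sequence from the post and
refuses to relay for anyone who is neither delivering to a local domain
nor connecting from a network we trust."""

from ipaddress import ip_address, ip_network

LOCAL_DOMAINS = {"example.org"}              # assumed: domains this host delivers for
RELAY_NETS = [ip_network("192.0.2.0/24")]    # assumed: our own LAN may send outbound mail
HOSTNAME = "mail.example.org"                # assumed


def _addr(arg):
    """Parse 'FROM:<a@b>' / 'TO:<a@b>' into 'a@b'; None if malformed."""
    _, _, rest = arg.partition(":")
    rest = rest.strip()
    if rest.startswith("<") and rest.endswith(">"):
        return rest[1:-1]
    return None


class SmtpPolicy:
    def __init__(self, client_ip, local_domains=LOCAL_DOMAINS, relay_nets=RELAY_NETS):
        self.ip = ip_address(client_ip)
        self.local = {d.lower() for d in local_domains}
        self.relay_nets = relay_nets
        self.helo, self.sender, self.rcpts, self.in_data = None, None, [], False

    def may_relay(self):
        """Outbound relaying only for connections from a trusted network."""
        return any(self.ip in net for net in self.relay_nets)

    def handle(self, line):
        """Return the server reply for one client line (None inside DATA)."""
        if self.in_data:
            if line == ".":
                self.in_data = False
                count, self.sender, self.rcpts = len(self.rcpts), None, []
                return f"250 OK: queued for {count} recipient(s)"
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            if not arg:
                return "501 Syntax: HELO hostname"
            self.helo = arg
            return f"250 {HOSTNAME} Hello {arg} [{self.ip}]"
        if verb == "MAIL":
            if self.helo is None:
                return "503 Error: send HELO/EHLO first"
            addr = _addr(arg)
            if addr is None:
                return "501 Syntax: MAIL FROM:<address>"
            self.sender = addr
            return "250 OK"
        if verb == "RCPT":
            if self.sender is None:
                return "503 Error: need MAIL command"
            addr = _addr(arg)
            if addr is None or "@" not in addr:
                return "501 Syntax: RCPT TO:<address>"
            domain = addr.rsplit("@", 1)[1].lower()
            # The relay decision: local delivery is open to everyone,
            # anything else only for trusted networks.
            if domain in self.local or self.may_relay():
                self.rcpts.append(addr)
                return "250 OK"
            return "554 Relay access denied"
        if verb == "DATA":
            if not self.rcpts:
                return "503 Error: no valid recipients"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 Bye"
        return "502 Command not implemented"


def run_session(client_ip, lines):
    """Feed a whole client transcript; return the server replies in order."""
    policy = SmtpPolicy(client_ip)
    return [r for r in (policy.handle(l) for l in lines) if r is not None]


# Constructed transcripts.  RELAY_ATTEMPT is the command sequence from the
# post aimed at an outside mailbox; LOCAL_DELIVERY is ordinary inbound mail.
RELAY_ATTEMPT = ["HELO attacker.example", "MAIL FROM:<spammer@example.com>",
                 "RCPT TO:<victim@example.net>", "DATA"]
LOCAL_DELIVERY = ["HELO mx.example.com", "MAIL FROM:<alice@example.com>",
                  "RCPT TO:<bob@example.org>", "DATA", "Subject: test", "",
                  "test", ".", "QUIT"]

if __name__ == "__main__":
    print(run_session("203.0.113.7", RELAY_ATTEMPT))   # outside host: relay denied
    print(run_session("192.0.2.10", RELAY_ATTEMPT))    # trusted LAN: accepted
    print(run_session("203.0.113.7", LOCAL_DELIVERY))  # inbound mail: accepted
```

Nothing in this policy inspects how the client behaves; a telnet user and a mail client get the same answers, which is the whole point. The same test is easy to run against a real server by typing the RELAY_ATTEMPT lines from a host outside the trusted network and checking that RCPT TO is answered with a 5xx.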
01-09-2002, 01:26 AM   #15
unSpawn (Moderator, Registered: May 2001, Posts: 29,415, Blog Entries: 55)
What he means by SYN is that any connection from the outside to your box starts by the remote side sending a packet with the SYN flag set, this marks them wanting to set up a connection.
Note I'm still a newbie on iptables syntax but the (un)blocking lines should look like this:

iptables -P INPUT DROP
# With a DROP policy, packets of connections already accepted must be let through explicitly
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# The ACCEPT must come before the SYN drop: rules are matched top to bottom, first match wins
iptables -A INPUT -s <addr> -p tcp --destination-port 25 -j ACCEPT
iptables -A INPUT -p tcp --tcp-flags ALL SYN -j DROP

This would add a default deny policy for incoming TCP, then add a default deny for incoming TCP with SYN flags, then add an allow for incoming TCP with SYN flags from the specified IP <addr>. This will only work if you can specify all <addr> or network ranges where mail is supposed to come from. If this is a mail server my guess is you don't want to do this, but only block illegal addresses like IANA-designated private networks like 192 etc.

Then the last line could be something like
# 0.0.0.0/0 means "any source"; a bare 0.0.0.0 would only match the single host 0.0.0.0. Insert this above the SYN drop rule.
iptables -A INPUT -s 0.0.0.0/0 -p tcp --destination-port 25 --tcp-flags ALL SYN -j ACCEPT
 
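A first-match simulation of the INPUT chain from the post above, as an added example (not iptables itself and not code from the thread). iptables evaluates a chain top to bottom and the first matching rule decides; only if nothing matches does the chain policy apply. The simulator models just the matches the posted rules use (protocol, source network, destination port, and a `syn` flag standing in for `--tcp-flags ALL SYN`) and shows that with the SYN drop above the port 25 ACCEPT, no new SMTP connection ever reaches the ACCEPT. The packet values are constructed.

```python
"""First-match evaluation of a tiny INPUT chain, as an added example (not
iptables).  Demonstrates why an ACCEPT for new SMTP connections must sit
above a blanket DROP of SYN packets."""

from ipaddress import ip_address, ip_network


def rule(target, proto=None, src=None, dport=None, syn=None):
    """One chain entry; None means 'do not match on this field'."""
    return {"target": target, "proto": proto, "src": src, "dport": dport, "syn": syn}


def matches(r, pkt):
    if r["proto"] is not None and r["proto"] != pkt["proto"]:
        return False
    if r["src"] is not None and ip_address(pkt["src"]) not in ip_network(r["src"]):
        return False
    if r["dport"] is not None and r["dport"] != pkt["dport"]:
        return False
    if r["syn"] is not None and r["syn"] != pkt["syn"]:
        return False
    return True


def verdict(chain, policy, pkt):
    """First matching rule wins; otherwise the chain policy applies."""
    for r in chain:
        if matches(r, pkt):
            return r["target"]
    return policy


# syn=True models the first packet of a new inbound connection
# ('--tcp-flags ALL SYN'); syn=False a later packet of an open one.
NEW_SMTP = {"proto": "tcp", "src": "203.0.113.5", "dport": 25, "syn": True}
NEW_POP3 = {"proto": "tcp", "src": "203.0.113.5", "dport": 110, "syn": True}
LATER_SMTP = {"proto": "tcp", "src": "203.0.113.5", "dport": 25, "syn": False}

# Order as posted: the SYN DROP is above the ACCEPT, so the ACCEPT is dead.
POSTED = [
    rule("DROP", proto="tcp", syn=True),
    rule("ACCEPT", proto="tcp", src="0.0.0.0/0", dport=25, syn=True),
]
# Corrected order: accept new SMTP connections first, then drop other SYNs.
FIXED = [
    rule("ACCEPT", proto="tcp", src="0.0.0.0/0", dport=25, syn=True),
    rule("DROP", proto="tcp", syn=True),
]

if __name__ == "__main__":
    for name, chain in [("posted", POSTED), ("fixed", FIXED)]:
        print(name, verdict(chain, "DROP", NEW_SMTP), verdict(chain, "DROP", NEW_POP3))
```

Note what happens to LATER_SMTP under either chain: no rule matches a non-SYN packet, so the DROP policy eats the rest of the connection. A real ruleset with a DROP policy therefore also needs an ACCEPT for ESTABLISHED,RELATED traffic (`-m state` or `-m conntrack`), which this simulator deliberately does not model.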