i know my answer. but i would like some feedback. rhel5/6, if you were locking down a system real good and you use ssh v2 only for sysadmin access, would you leave the telnet client installed?

one argument i got to leave telnet client installed was that its used as a diag tool to check if a tcp listener is there on other systems. i gaffed, but its currently an argument. same person also believes having ftp client installed (and telnet client) poses no risk at all.

your take on this?

A client is exactly that: a client. Since it is a client and not a server it isn't listening on any ports, so why should it be a security risk?

1 members found this post helpful.

These clients only are a security risk for the machine that you connect to, not for the machine that you run them on.

Telnet or ftp into a remote server via the web and passing usernames and passwords in the clear is calling for problems.
And of course if someone downloads malware using ftp and runs it.

Why should I give a hacker tools to connect with or tools to download malware with? Also, these items may carry undocumented vulnerabilities. If not absolutely needed why should the system have them installed?

Any user could install it from scratch anyway – clients are only run under the user account. If you want to avoid execution of unauthorized applications, you need to allow only signed binaries. There is a document from IBM about it.

How exactly does any User download and install software??

I think Reuti ment on their own machines, not using yours :P

As Linux_Kidd said “Hacker” on his machine, it was not clear whether there are any users or hackers from the outside world on this machine.

If he is alone on the machine, any installed but not started application won’t affect the security at all.

I have used telnet on several occasions to help troubleshoot a problem or test a new function or feature. While I suppose it is possible to install and remove the client every time I need or wish to perform this function, my concerns about an intruder being able to capitalize on the availability of telnet on a system that they have just broken into is fairly low, and certainly much lower than their getting access in the first place. To me it becomes a matter of weighing the benefit to me versus the potential benefit to an intruder.

If you are going that route, remove wget, *ftp, lynx , links2 and python.

If a kiddie/script gets on the host, telnet not being there is a non-issue.

You can also transfer files by a plain ssh conection:Not to mention a copy/paste from/to any window where the session is run.

The hacker must first gain access. After that, any protection is basically useless. As long as you don't run ftp and telnet clients, they are no risk.

Perhaps the idea of "not needed not there" concept has vanished from the world of security?

So what's your stance when there's a zeroday for the telnet client that allows uid's to do things as uid =0 ??? Would you then say "OH, only if it wasn't installed"???

If a non-suid application suddenly run as uid=0 it’s IMO either a kernel problem or an already faulty/tampered library/loader. So the deeper cause needs to be fixed, but not the single client application (in fact: there may be many of them then).

i am not saying the binary becomes suid, i am saying the telnet binary has a binary flaw that allows privilege escalation, hence, it was not run suid, it was ran as UID >=500 and now the hacker is doing bad things as euid=0

ok, perhaps my Q was to the wrong crowd.