Telnet security

Telnet security

Post by mike sulliv » Fri, 16 Sep 1994 23:59:08



I've got Interactive 3.0 unix and would like to allow people to telnet
in and run an application. If I modify the inetd.conf to allow only telnet
activity on the telnet port (comment out all the other non-needed
services); dump the user in a restricted shell; trap for specific signals
to ignore/exit, and make sure the app doesn't allow a shell escape, what
else should I be aware of about the telnetd program that may cause
security holes? I'll also probably have the telnetd process owned by
someone other than root as well (I don't yet know how the owner field in
inetd.conf really affects the process).

---

Access <=> Internet(tm), a public access internet site
Sytex Access Ltd, Fairfax VA, 1-703-425-0367

 
 
 

Telnet security

Post by Barry Margolin » Sun, 18 Sep 1994 08:16:55



>I've got Interactive 3.0 unix and would like to allow people to telnet
>in and run an application. If I modify the inetd.conf to allow only telnet
>activity on the telnet port (comment out all the other non-needed
>services); dump the user in a restricted shell; trap for specific signals
>to ignore/exit, and make sure the app doesn't allow a shell escape, what
>else should I be aware of about the telnetd program that may cause
>security holes? I'll also probably have the telnetd process owned by
>someone other than root as well (I don't yet know how the owner field in
>inetd.conf really affects the process).

Telnetd doesn't do very much -- it just prompts for a user name, connects a
pty to a login process for that user, and then shuffles characters back and
forth, doing the appropriate translations between Unix tty ioctls and
TELNET negotiations.  I've never heard of a security problem in the daemon
itself.

The username field in inetd.conf is the user who will execute the server
process.  I tried changing the username for telnet on my SunOS 4.1.3 system
and it stopped working (it complained "All network ports in use", which
presumably means that it was unable to allocate a pty).
--

Barry Margolin
BBN Internet Services Corp.


 
 
 

Telnet security

Post by Greg E. Myers » Mon, 19 Sep 1994 13:30:18


Is there a way to restrict incoming telnet sessions to only a list of
allowable IP numbers or subnets?  It would seem that the IP number would
be passed to in.telnetd in some way.  How would one go about checking it
against a list?   Thanks in advance

Greg Myers
Bloomsburg University

 
 
 

Telnet security

Post by David Miller » Wed, 21 Sep 1994 03:22:12



: Is there a way to restrict incoming telnet sessions to only a list of
: allowable IP numbers or subnets?  It would seem that the IP number would
: be passed to in.telnetd in some way.  How would one go about checking it
: against a list?   Thanks in advance

tcp_wrappers and netacl of fwtk are two that come to mind.  fwtk is
available from ftp.tis.com.  Ask archie about tcp_wrappers.  There is
no way to control it with just unix that I am aware of :(

: Greg Myers
: Bloomsburg University

--
David Miller                    Usual disclaimers apply
Maine State Government

 
 
 

Telnet security

Post by Thomas Koen » Wed, 21 Sep 1994 04:34:33




>Is there a way to restrict incoming telnet sessions to only a list of
>allowable IP numbers or subnets? It would seem that the IP number would
>be passed to in.telnetd in some way.

tcp_wrappers does exactly what you want it to do; it also provides
logging capabilities.  Get the most recent version from ftp.win.tue.nl,
/pub/security/.

While you're at it, you can also get the secure portmapper from
the same directory, and install it.  This will, in all probability,
fix some more security holes ;-)
--

The joy of engineering is to find a straight line on a double
logarithmic diagram.
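As an added example that is not part of any post in this thread: the two replies above point at tcp_wrappers, which works by putting tcpd in place of the server program in the inetd.conf entry so that the connecting address is checked against /etc/hosts.allow and then /etc/hosts.deny before in.telnetd is started. The Python below is a small model of that check, written here for illustration and not taken from tcp_wrappers itself. The rule files, daemon names and client addresses are constructed; the model handles only IPv4 and a subset of the pattern syntax (ALL, an exact address, a trailing-dot prefix such as `10.20.1.`, and the `net/mask` form) and leaves out hostnames, EXCEPT and the option fields.

```python
"""Model of the tcpd access decision: hosts.allow, then hosts.deny, then
default permit.  Illustrative code, not tcp_wrappers source."""
import ipaddress

# Constructed sample files in the /etc/hosts.allow and /etc/hosts.deny
# layout: one "daemon_list : client_list" rule per line, '#' comments.
HOSTS_ALLOW = """
# only the campus net and one admin workstation may telnet in
in.telnetd : 10.20.0.0/255.255.0.0, 192.168.7.5
# anonymous ftp from one lab subnet only
in.ftpd : 10.20.1.
"""

HOSTS_DENY = """
# refuse everything the allow file did not grant
ALL : ALL
"""


def parse_rules(text):
    """Return [(daemon_patterns, client_patterns), ...] from a hosts.* file."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {raw!r}")
        daemons = [d.strip() for d in fields[0].split(",") if d.strip()]
        clients = [c.strip() for c in fields[1].split(",") if c.strip()]
        rules.append((daemons, clients))
    return rules


def client_matches(pattern, addr):
    """Match one client pattern against a dotted-quad IPv4 address."""
    ip = ipaddress.IPv4Address(addr)
    if pattern == "ALL":
        return True
    if "/" in pattern:
        # net/mask form, e.g. 10.20.0.0/255.255.0.0
        net, mask = pattern.split("/", 1)
        return ip in ipaddress.IPv4Network((net, mask), strict=False)
    if pattern.endswith("."):
        # leading-octet prefix, e.g. "10.20.1." matches 10.20.1.0-10.20.1.255
        return addr.startswith(pattern)
    return ip == ipaddress.IPv4Address(pattern)


def rule_matches(rule, daemon, addr):
    daemons, clients = rule
    daemon_ok = any(d == "ALL" or d == daemon for d in daemons)
    return daemon_ok and any(client_matches(c, addr) for c in clients)


def access_allowed(daemon, addr, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """tcpd order of evaluation: a hosts.allow hit grants access, otherwise a
    hosts.deny hit refuses it, otherwise access is granted by default."""
    if any(rule_matches(r, daemon, addr) for r in parse_rules(allow_text)):
        return True
    if any(rule_matches(r, daemon, addr) for r in parse_rules(deny_text)):
        return False
    return True


if __name__ == "__main__":
    for daemon, addr in [("in.telnetd", "10.20.3.4"),
                         ("in.telnetd", "192.168.7.6"),
                         ("in.ftpd", "10.20.1.9"),
                         ("in.fingerd", "10.20.3.4")]:
        verdict = "allow" if access_allowed(daemon, addr) else "deny"
        print(f"{daemon:<12} {addr:<15} {verdict}")
```

The point worth checking in the last branch of `access_allowed` is the default: with no matching line in either file the connection is permitted, so an allow file on its own restricts nothing, and the `ALL : ALL` line in hosts.deny is what turns the allow list into a whitelist.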

 
 
 

Telnet security

Post by Chris Newport » Thu, 22 Sep 1994 04:31:20





> : Is there a way to restrict incoming telnet sessions to only a list of
> : allowable IP numbers or subnets?  It would seem that the IP number would
> : be passed to in.telnetd in some way.  How would one go about checking it
> : against a list?   Thanks in advance

> tcp_wrappers and netacl of fwtk are two that come to mind.  fwtk is
> available from ftp.tis.com.  Ask archie about tcp_wrappers.  There is
> no way to control it with just unix that I am aware of :(

It CAN be done, but you need to re-write the network device driver to carry
out the check. The X25 drivers I wrote a few years ago checked the caller-id
field against a permission file. With X25 (and ISDN) the caller-id is
provided by the network so cannot be easily cheated. I am not so sure about
the headers in TCP packets -- can they be cheated?

Getting hold of the sources for the device drivers can be a problem for some
systems, others like BSDI or Linux are easily available.

CAUTION --- device drivers are part of the kernel -- be sure you understand what
you are doing.

--
    +----------------------------------------+--------------------------------+
    | B'Shalom  from  Chris Newport          | Home of : netix.bbs            |
    | Location   : Clevedon, Avon, UK        |         : The Netix Consultancy|
    +----------------------------------------+--------------------------------+
    |   Consultancy and Software development   Unix & Comms Specialists       |
    +----------------------------------------+--------------------------------+

 
 
 

Telnet security

I want to disable certain users from telneting into a
RedHat Linux 5.1 machine altogether, is this possible?
Actually disabling certain users from using ftp, rsh,
rlogin, and anything else would be cool too.

--
Bryan Stevenson
BMH Associates, Inc.
