Red Hat Security - stopping telnet


rb

2004-06-15, 5:57 pm

Hi All,

As I am new to the world of Linux, I hope you guys can help me.
I have set up a Red Hat iptables firewall.
In my rules I have started out with dropping everything, then enabling
certain ports. One of them being smtp/25.
This firewall sits in front of a Windows network.
Although no one can telnet through to the Linux box, they still seem to be able
to telnet through to the mail server, which is sitting on an NT server. I have
looked in NT services to try and disable the telnet service, but there is
none, and I understand that NT never came with a telnet server. I am at a
loss as to how they can telnet in. Be that as it may, I thought of stopping
any telnet protocol at the Linux firewall, but have no clue as to how to do
that.

Thanks
Robert


Alexander Dalloz

2004-06-15, 5:57 pm

On Tue, 15 Jun 2004 14:57:17 +0200 rb wrote:

> Hi All,
>
> As I am new to the world of Linux, I hope you guys can help me.
> I have set up a Red Hat iptables firewall.
> In my rules I have started out with dropping everything, then enabling
> certain ports. One of them being smtp/25.
> This firewall sits in front of a Windows network.
> Although no one can telnet through to the Linux box, they still seem to be able
> to telnet through to the mail server, which is sitting on an NT server. I have
> looked in NT services to try and disable the telnet service, but there is
> none, and I understand that NT never came with a telnet server. I am at a
> loss as to how they can telnet in. Be that as it may, I thought of stopping
> any telnet protocol at the Linux firewall, but have no clue as to how to do
> that.
>
> Thanks
> Robert


telnet host 25 != telnet host 23

You cannot prohibit telnetting to port 25 without stopping your
mail server from being able to receive mail. There is not even any need to block
telnet to port 25. "telnet is not telnet" is the way to put it. Run no telnet
server and forget the rest. I can telnet to any webserver on port 80 and
manage the communication by hand. Nothing to worry about.

Alexander


--
Alexander Dalloz | Enger, Germany
PGP key valid: made 13.07.1999
PGP fingerprint: 2307 88FD 2D41 038E 7416 14CD E197 6E88 ED69 5653

rb

2004-06-15, 5:57 pm

Hi,

> telnet host 25 != telnet host 23
>
> You cannot prohibit telnetting to port 25 without stopping your
> mail server from being able to receive mail. There is not even any need to block
> telnet to port 25. "telnet is not telnet" is the way to put it. Run no telnet
> server and forget the rest. I can telnet to any webserver on port 80 and
> manage the communication by hand. Nothing to worry about.
>
> Alexander
>
>
> --
> Alexander Dalloz | Enger, Germany
> PGP key valid: made 13.07.1999
> PGP fingerprint: 2307 88FD 2D41 038E 7416 14CD E197 6E88 ED69 5653
>


Thanks for the response. My problem is that I suspect that someone is
telnetting into our mail server and dropping off MyDoom viruses. I have
disabled mail relay on our server. So I can only think that the culprit is
spoofing the address in order to drop this onto our server.

Robert


Gerard

2004-06-15, 5:57 pm

On Tue, 15 Jun 2004 14:57:17 +0200, rb scribbled:

> Hi All,
>
> As I am new to the world of Linux, I hope you guys can help me.
> I have set up a Red Hat iptables firewall.
> In my rules I have started out with dropping everything, then enabling
> certain ports. One of them being smtp/25.
> This firewall sits in front of a Windows network.
> Although no one can telnet through to the Linux box, they still seem to be able
> to telnet through to the mail server, which is sitting on an NT server. I have
> looked in NT services to try and disable the telnet service, but there is
> none, and I understand that NT never came with a telnet server. I am at a
> loss as to how they can telnet in. Be that as it may, I thought of stopping
> any telnet protocol at the Linux firewall, but have no clue as to how to do
> that.
>
> Thanks
> Robert


Robert,

What is your exact configuration? You say: telnet through *to* the Linux
box, as though the Linux box would be behind the firewall. Earlier you
stated a Linux box was being used *as* a firewall. So you have 2 of them?
(lucky bastard ;)

My assumption for now is that you have access to the internet, then a
firewall and then at least two machines, one Linux and one NT.

Well anyway, the short answer would be: just drop all packets that come
from outside that have a destination port of 23, both tcp and udp.

But perhaps the situation is more complicated than that. In SMTP servers,
it is often possible to 'telnet in'. I just tried it myself, based on the
info I found here: http://www.yuki-onna.co.uk/email/smtp.html and another
one: http://www.mvps.org/exchange/smtp_frames.htm

Then again, I think these constitute valid SMTP connections.

HTH in looking at the problem from a different angle and stating some more
info about your problem...

--
GerardLinux ay tee filternet dee oo tee ann el
Q: What is small, yellow, and very, very dangerous?
A: A canary with the super-user password.

Gerard

2004-06-15, 5:57 pm

On Tue, 15 Jun 2004 14:57:17 +0200, rb scribbled:

> Hi All,
>
> As I am new to the world of Linux, I hope you guys can help me.
> I have set up a Red Hat iptables firewall.
> In my rules I have started out with dropping everything, then enabling
> certain ports. One of them being smtp/25.
> This firewall sits in front of a Windows network.
> Although no one can telnet through to the Linux box, they still seem to be able
> to telnet through to the mail server, which is sitting on an NT server. I have
> looked in NT services to try and disable the telnet service, but there is
> none, and I understand that NT never came with a telnet server. I am at a
> loss as to how they can telnet in. Be that as it may, I thought of stopping
> any telnet protocol at the Linux firewall, but have no clue as to how to do
> that.
>
> Thanks
> Robert


And I agree fully with Alexander: *do not* start your telnet server!

Use sshd if you must.


--
GerardLinux ay tee filternet dee oo tee ann el
Q: What is small, yellow, and very, very dangerous?
A: A canary with the super-user password.

Olivier

2004-06-15, 5:57 pm


> Hi All,
>
> As I am new to the world of Linux, I hope you guys can help me.
> I have set up a Red Hat iptables firewall.
> In my rules I have started out with dropping everything, then enabling
> certain ports. One of them being smtp/25.
> This firewall sits in front of a Windows network.
> Although no one can telnet through to the Linux box, they still seem to be able
> to telnet through to the mail server, which is sitting on an NT server. I have
> looked in NT services to try and disable the telnet service, but there is
> any telnet protocol at the Linux firewall, but have no clue as to how to do
> that.



As far as I can see from the posts, your problem is that your network is
spreading viruses over the internet and you /naturally/ suspect your NT
SMTP server.
You are probably wrong. The viruses are sent directly from infected
desktop computers on your network; they do not use your SMTP relay for
relaying because the viruses include an SMTP engine!

So what you must do on your firewall is block _ALL_ outgoing traffic on
port 25 except from your SMTP server.
Put a trace on when your rule is hit and you will see the contaminated
desktops trying to spread.
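The rule set Gerard and Olivier describe, as an added example written for this page and not code from anyone in the thread: a default-drop iptables script for the Red Hat box in front of the Windows LAN that drops inbound telnet on 23/tcp and 23/udp, keeps 25/tcp open to the mail server (a client "telnetting to port 25" is just an SMTP session, so that stays), lets only the mail server send on port 25 and logs every other LAN host that tries, plus a small filter that turns those log lines into the list of desktops Olivier says you will see. The interface names (eth0/eth1), the 192.0.2.0/24 LAN, the 192.0.2.25 mail server address and the log lines are all constructed for the example.

```shell
#!/bin/sh
# Added example, not code from any post in this thread.
# Builds the rule set the replies describe for a Red Hat box acting as the
# firewall in front of the Windows LAN:
#   - default DROP, with only the wanted ports opened (the original setup)
#   - drop telnet (23/tcp and 23/udp) arriving from the outside (Gerard)
#   - allow outbound 25/tcp only from the mail server; log and drop the
#     rest so infected desktops show up in the log (Olivier's "trace")
# Interface names and addresses are assumptions for the example; the LAN
# uses the 192.0.2.0/24 documentation range.
WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.0.2.0/24}
MAIL_SERVER=${MAIL_SERVER:-192.0.2.25}
LOG_PREFIX="SMTP-EGRESS-BLOCK: "

# DRY_RUN=1 (the default) prints the iptables commands for review instead
# of applying them; run with DRY_RUN=0 as root to load the rules.
DRY_RUN=${DRY_RUN:-1}
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

firewall_rules() {
    # Start from "drop everything", then open what is needed.
    ipt -F
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Gerard: telnet from outside is dropped, whether it is aimed at the
    # firewall itself (INPUT) or at a machine behind it (FORWARD).
    for proto in tcp udp; do
        ipt -A INPUT -i "$WAN_IF" -p "$proto" --dport 23 -j DROP
        ipt -A FORWARD -i "$WAN_IF" -p "$proto" --dport 23 -j DROP
    done

    # Inbound SMTP: 25/tcp to the mail server only. This is what a client
    # "telnetting to port 25" really uses, so it must stay open for mail.
    ipt -A FORWARD -i "$WAN_IF" -p tcp -d "$MAIL_SERVER" --dport 25 \
        -m conntrack --ctstate NEW -j ACCEPT

    # Olivier: outbound 25/tcp only from the mail server. Any other LAN host
    # opening SMTP to the outside is logged (rate limited) and then dropped.
    ipt -A FORWARD -i "$LAN_IF" -s "$MAIL_SERVER" -p tcp --dport 25 -j ACCEPT
    ipt -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 25 \
        -m limit --limit 10/min -j LOG --log-prefix "$LOG_PREFIX"
    ipt -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 25 -j DROP

    # Everything else the LAN starts towards the outside is allowed.
    ipt -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -m conntrack --ctstate NEW -j ACCEPT
}

# Constructed sample of what the LOG rule writes to the kernel log; the
# addresses are invented for the example.
SAMPLE_LOG='Jun 15 14:57:17 fw kernel: SMTP-EGRESS-BLOCK: IN=eth1 OUT=eth0 SRC=192.0.2.57 DST=198.51.100.10 LEN=48 PROTO=TCP SPT=3344 DPT=25 SYN
Jun 15 14:57:18 fw kernel: SMTP-EGRESS-BLOCK: IN=eth1 OUT=eth0 SRC=192.0.2.57 DST=198.51.100.11 LEN=48 PROTO=TCP SPT=3345 DPT=25 SYN
Jun 15 14:57:20 fw kernel: SMTP-EGRESS-BLOCK: IN=eth1 OUT=eth0 SRC=192.0.2.88 DST=203.0.113.5 LEN=48 PROTO=TCP SPT=1100 DPT=25 SYN
Jun 15 14:58:01 fw kernel: OTHER-RULE: IN=eth1 OUT=eth0 SRC=192.0.2.9 DST=203.0.113.5 LEN=48 PROTO=TCP SPT=1101 DPT=80 SYN'

# Reads kernel log lines on stdin and lists the LAN hosts that hit the
# block rule, busiest first: "<count> <source address>" per line.
blocked_senders() {
    grep 'SMTP-EGRESS-BLOCK:' | sed 's/.*SRC=\([0-9.]*\).*/\1/' \
        | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

firewall_rules
echo '--- hosts hitting the egress block rule ---'
printf '%s\n' "$SAMPLE_LOG" | blocked_senders
```

Run as-is to review the printed rules; DRY_RUN=0 applies them. The summary at the end is the trace Olivier describes: with the sample log it lists 192.0.2.57 (two attempts) and 192.0.2.88, and on a real network those are the desktops sending mail on their own, which is where the infections are.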

Allan B. Colombo

2004-06-27, 10:11 am


"Brad Olin" <bwo@bwo1.com> wrote in message
news:h21uc0h5jupir9isaifvuooiv7tl5q94i8@4ax.com...
> On Tue, 15 Jun 2004 15:58:43 +0200, "rb" <me@u.com> wrote:
>
>
>
> This is starting to sound to me more like an email related
> question/problem. A good share of the viruses have the ability to spread
> themselves via email. Have you looked into this as a spam email issue?
>
> I could be wrong on this, but I don't think anybody would be taking the
> time to telnet to your box and manually dropping off emails with viruses.
> It seems more likely it's an actual virus that has SMTP support.
>
>
> Brad
> --
> "Where the spirit does not work with the hand, there is no art."
> Leonardo da Vinci
> Bradley W. Olin
> http://www.bwo1.com


There are a lot of stories about these viruses actually opening themselves
when they come in through e-mail. If I'm using an ASCII-based e-mail
client, do I still run the risk of incurring MyDoom or any other? Can they
actually open up by themselves? Sorry to ask this possibly quite simple
question, but if you don't know, you don't know.

Thanks,
Al Colombo, trade journalist
--
www.SecurityMission.com
* For security professionals
* Corporate and business end users
* Crime Prevention for homeowners
* Also corporate end users
* Security case studies
* Technology stories
* Interactive e-Community page
* Poll of the week
* Technology & science news
* Seven bulletin board (BBS) forums
* Member chat room
* Industry events (submit your own)
* New product announcements
* Registration is free
* Crime prevention section


Gandalf Parker

2004-06-27, 10:11 am

"Allan B. Colombo" <al.colombo@securitymission.com> wrote in
news:10dtmr8554gjkd5@corp.supernews.com:

>
> There are a lot of stories about these viruses actually opening
> themselves when they come in through e-mail. If I'm using an
> ASCII-based e-mail client, do I still run the risk of incurring MyDoom
> or any other? Can they actually open up by themselves? Sorry to ask
> this possibly quite simple question, but if you don't know, you don't
> know.


The stories are true I guess but wording them that way makes it almost a
SciFi horror-flick thing.

What they do is take advantage of "neat features" added for user
pleasure. Such as the ability to receive emails which are actually a mini
home-movie of the sender with sound and everything. To do that, the email
program (or browser or anything else) has to be set to automatically play
a ### file (insert whatever extension is the latest popular format) when
it gets it. Whether it's to automatically display a picture, play a sound
recording that's sent, run a script, whatever... someone will figure out a
way to get it to do a bad evil thing instead of a cutesy good thing. It's
the "automatic run" part that gives you a virus which will "open
themselves".

I use an ASCII mail client and I have no problems. I read my emails on a
Linux text-mode only server. If I get an image or something I DO want to
view then I save it to my public_html directory and use my browser. Or if
it's some html-heavy email that I'm sure came from a friend I might forward
it to my popmail account that I never give out so I can open it with a
more graphic-friendly mail program.

The arrangement is not perfect security but it does let me laugh at all
the really lame and obvious attempts that show up in my mailbox. It's
kind of fun (and instructive) to see in the text version of the emails
exactly how they misnamed a file or a web site address in order to try
and trick us.

Gandalf Parker
-- Everything I know of security I learned from my mother.
Such as: "Never accept things from people you don't know."

Bit Twister

2004-06-27, 10:48 am

On Sun, 27 Jun 2004 10:41:43 -0400, Allan B. Colombo wrote:
>
> There are a lot of stories about these viruses actually opening themselves
> when they come in through e-mail.


Yes, and they work on Microsoft Operating Systems. Not a problem on linux.

Bill Unruh

2004-06-28, 8:58 am

Bit Twister <BitTwister@localhost.localdomain> writes:

]On Sun, 27 Jun 2004 10:41:43 -0400, Allan B. Colombo wrote:
]>
]> There are a lot of stories about these viruses actually opening themselves
]> when they come in through e-mail.

]Yes, and they work on Microsoft Operating Systems. Not a problem on linux.

And they do not open themselves. They are opened by the operating system,
or the mailer program. An email cannot open itself. It is just a bunch of
bits. The mailer program must run the attachment (a very stupid thing to
do -- but see the resistance of consumers to switching it off).


Brad Olin

2004-06-28, 8:58 am

Date: Mon, 28 Jun 2004 01:18:45 GMT
Organization: RoadRunner - West
Xref: number1.nntp.dca.giganews.com comp.os.linux.security:72685 redhat.security.general:2132

On Sun, 27 Jun 2004 16:35:12 GMT, Bit Twister
<BitTwister@localhost.localdomain> wrote:

>Yes, and they work on Microsoft Operating Systems. Not a problem on linux.


Let me muddy the water a bit... There are Microsoft products that run
on Mac OS X, including an email client that can run attachments.
Mac OS X is a linux kernel (of sorts).

I'm not much of a Mac guy, but I have clients who are. Is the day
coming when there are Mac viri? Is that day here already?


Brad
--
"Where the spirit does not work with the hand, there is no art."
Leonardo da Vinci
Bradley W. Olin
http://www.bwo1.com

Bit Twister

2004-06-28, 8:59 am

On Mon, 28 Jun 2004 01:18:45 GMT, Brad Olin wrote:
> On Sun, 27 Jun 2004 16:35:12 GMT, Bit Twister
><BitTwister@localhost.localdomain> wrote:
>
>
> Let me muddy the water a bit... There are Microsoft products that run
> on Mac OS X, including an email client that can run attachments.
> Mac OS X is a linux kernel (of sorts).


NNnnooooo...

>
> I'm not much of a Mac guy, but I have clients who are. Is the day
> coming when there are Mac viri? Is that day here already?


Guess displaced Microsoft programmers whose jobs went to India and the
new China programming center are migrating from Redmond.

Tim Haynes

2004-06-28, 8:59 am

Brad Olin <bwo@bwo1.com> writes:

> On Sun, 27 Jun 2004 16:35:12 GMT, Bit Twister
> <BitTwister@localhost.localdomain> wrote:
>
>
> Let me muddy the water a bit... There are Microsoft products that run
> on Mac OS X, including an email client that can run attachments.
> Mac OS X is a linux kernel (of sorts).


Exactly what sort of a linux kernel is extracts of Mach/FreeBSD?

> I'm not much of a Mac guy, but I have clients who are. Is the day coming
> when there are Mac viri? Is that day here already?


Hopefully there will, one day, be Mac viruses, as an indication of
popularity as much as anything. There are already a couple of
proof-of-concept examples going around that have prompted a few scares; go
check an appropriate news source for the last month or so.

~Tim
--
09:30:51 up 18 days, 7:29, 0 users, load average: 0.27, 0.20, 0.10
piglet@stirfried.vegetable.org.uk |A big sky above me,
http://spodzone.org.uk/cesspit/ |West winds blow.

Brad Olin

2004-06-28, 9:14 am

On Mon, 28 Jun 2004 09:32:15 +0100, Tim Haynes
<usenet-20040628@stirfried.vegetable.org.uk> wrote:

>Brad Olin <bwo@bwo1.com> writes:
>
>
>Exactly what sort of a linux kernel is extracts of Mach/FreeBSD?
>


It's a Mac OS X Linux.

I honestly don't know what source they started with, but from that point
forward they rolled their own. At least that's the rumor. I would
guess that some things are almost untouched, and other areas are
complete replacements. I do know, with a root terminal shell opened,
you can run pretty much all the standard linux commands (ps, ifconfig,
netstat, route, ...) I would guess there are some commands that are
renamed or have diff options, but it sure felt like linux the few
minutes I had one day some months ago.


Brad
--
"Where the spirit does not work with the hand, there is no art."
Leonardo da Vinci
Bradley W. Olin
http://www.bwo1.com

Tim Haynes

2004-06-28, 7:33 pm

Brad Olin <bwo@bwo1.com> writes:

> On Mon, 28 Jun 2004 09:32:15 +0100, Tim Haynes
> <usenet-20040628@stirfried.vegetable.org.uk> wrote:
>
>
> It's a Mac OS X Linux.
>
> I honestly don't know what source they started with, but from that point
> forward they rolled their own. At least that's the rumor.


<http://www.google.com/search?q=maco...=UTF-8&oe=UTF-8>

The first few results are quite interesting.

> I would guess that some things are almost untouched, and other areas are
> complete replacements. I do know, with a root terminal shell opened, you
> can run pretty much all the standard linux commands (ps,


Note that the statuses in ps and top are different to what you get on
linux, and bear a surprising resemblance to freebsd.

> ifconfig, netstat, route,


Note that these are all the BSD variants as well:
| zsh, trough 4:14PM piglet/ % ifconfig
| lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
|         inet6 ::1 prefixlen 128
|         inet6 fe80::1 prefixlen 64 scopeid 0x1
|         inet 127.0.0.1 netmask 0xff000000
| gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
| stf0: flags=0<> mtu 1280

netstat uses . instead of : to delimit port numbers, and route requires a command
rather than defaulting to providing a dump of the routing table.

> ...) I would guess there are some commands that are renamed or have diff
> options, but it sure felt like linux the few minutes I had one day some
> months ago.


You should play with freebsd. You'll be more or less at home until you spot
the "little" differences. ;)

~Tim
--
No more sun, No more wind |piglet@stirfried.vegetable.org.uk
Only this strange feeling |http://spodzone.org.uk/
Living without moving |