Re: Disabling telnet on Linux iptables firewall



In comp.os.linux.security Moe Trin <ibuprofin@xxxxxxxxxxxxxxxxxxxxxx>:
> On Sat, 28 Oct 2006, in the Usenet newsgroup comp.os.linux.security, in article
> <pan.2006.10.28.19.55.19.780733@xxxxxxxxx>, C. J. Clegg wrote:

>> On my Fedora Core 2 server,

> Why are you using such an old release? FC2 was declared "unsupported"
> at downloads.fedoralegacy.org in April, and there have been no updates
> released since the end of March. FC6 was released this past week. Consider
> updating to that.

Full ack!

[..]

>> I would like to be able to limit all outgoing traffic to http, ssh, and
>> email, nothing else.

> Two choices - first is to get rid of the GUI, and write the firewall rules
> yourself. There is a large amount of documentation available, starting
> with the official HOWTOs, as well as Rusty Russell's "unofficial" howtos
> available from http://www.iptables.org/documentation/HOWTO/. Depending
> on your skill level, this may or may not be a viable option. Remember that
> the 'telnet' client takes a port number as an optional parameter, and thus
> can telnet _to_ any port number on the remote - whether or not there is a
> server there (won't connect if there isn't, but that doesn't stop the
> attempt).

Alternatively you can enter iptables rules manually and store them
with 'iptables-save' on RH and associated distributions so they are
restored on reboot. The OP should check the docs; I have never used this,
but wrote rules manually.

> The second choice is to either remove or disable the undesired clients.
> Disabling them is likely the better choice - use the 'which' command to
> find the binary, and then 'chmod 644' that:
>
> [compton ~]$ which telnet
> /usr/bin/telnet
> [compton ~]$ su -c '/bin/chmod 644 /usr/bin/telnet'

$ ll /usr/bin/telnet
-rw-r--r-- 1 root root 68064 Jun 14 2005 /usr/bin/telnet

$ /lib/ld-linux.so.2 /usr/bin/telnet localhost 22
Trying 127.0.0.1...
Connected to localhost.

Hopefully they are dumb enough? Changing perms to "750" might do
more, even if likely to not survive the next upgrade of the
package. Though it wouldn't prevent users from using something
else or their own client.

> In your list of allowed traffic, you don't mention 'ftp' but that is needed
> to keep your system up to date. Admittedly, this is going to be quite
> difficult for FC2, but you should be aware of your responsibility.

Upgrading would be a good idea, the OP might not ever have
installed a single patch?

--
Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
mail: echo zvpunry@xxxxxxxxxx | perl -pe 'y/a-z/n-za-m/'
#bofh excuse 278: The Dilithium Crystals need to be rotated.
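As an added example, not code from anyone in this thread: a POSIX shell script that emits an iptables-restore ruleset implementing the "write the firewall rules yourself" choice for the OP's goal (outgoing traffic limited to http, ssh and email), rather than chmod'ing client binaries, which as shown above does not stop execution through the loader. The port list (80, 22, 25, plus 21 because the reply notes ftp is needed for updates), the DNS rule, the loopback rule and the LOG line are my assumptions; the function names are hypothetical and the file location is the Red Hat/Fedora one.

```shell
#!/bin/sh
# Added example (not from the thread): build an iptables-restore ruleset
# for the OUTPUT chain so that only the listed destination ports can be
# reached from this host. Ports, DNS and logging are assumptions; adjust.

# Allowed outgoing TCP destination ports: http, ssh, smtp (the OP's list)
# and ftp control (21), which the reply says is needed for package updates.
ALLOWED_TCP="80 22 25 21"

gen_egress_rules() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT ACCEPT [0:0]'
    printf '%s\n' ':FORWARD ACCEPT [0:0]'
    # Default policy for the chain: anything not explicitly allowed is dropped.
    printf '%s\n' ':OUTPUT DROP [0:0]'
    # Loopback stays open, otherwise local services break.
    printf '%s\n' '-A OUTPUT -o lo -j ACCEPT'
    # Replies to connections we already allowed, and related ones
    # (e.g. FTP data channels when the ip_conntrack_ftp helper is loaded).
    printf '%s\n' '-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # Name resolution, without which the allowed services cannot be looked up.
    printf '%s\n' '-A OUTPUT -p udp --dport 53 -j ACCEPT'
    for port in $ALLOWED_TCP; do
        printf '%s\n' "-A OUTPUT -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    # Everything else (a telnet to port 23, for instance) is logged at a
    # limited rate and then dropped, so blocked attempts show up in syslog.
    printf '%s\n' '-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "egress-drop: "'
    printf '%s\n' '-A OUTPUT -j DROP'
    printf '%s\n' 'COMMIT'
}

# Number of -A rule lines emitted; a quick sanity check before loading.
count_rules() {
    gen_egress_rules | grep -c '^-A '
}

# Usage: gen_egress_rules > /etc/sysconfig/iptables
#        iptables-restore < /etc/sysconfig/iptables
```

Note that this blocks by destination port only: an outgoing connection to an allowed port still goes through whatever client the user runs, so it complements rather than replaces removing unwanted clients.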