Secure OS Software for Linux
Secure OS and rlogin/telnet

Christiane Coda
Occasional Contributor

Secure OS and rlogin/telnet

Hi,

I am trying to set up rlogin and telnet on a secure OS Linux server, but keep getting the following:

# telnet wb2nh007
Trying...
Connected to lnuxug01.
Escape character is '^]'.
Local flow control off
Connection closed by foreign host.

# rlogin lnuxug01
rcmd: Lost connection

I updated both the telnet and rlogin files under /etc/xinetd.d and changed "disable = yes" to "disable = no". I then restarted xinetd as follows:

# /etc/init.d/xinetd restart
Stopping xinetd: [ OK ]
Starting xinetd: [ OK ]

Neither telnet nor rlogin work. Can someone help? Has anyone run into that situation?

Thanks,

Chris Coda
3 REPLIES
Adiascar Cisneros
Occasional Visitor

Re: Secure OS and rlogin/telnet

You need to use ssh instead of telnet or rlogin.

I recommend you read chapter 2 of the administration manual:
http://docs.hp.com/linux/onlinedocs/internet/hp-tlx1.0_Admin_Guide.pdf

Also check the following document:
http://www.hp.com/security/products/linux/papers/ssh/hp-secure-linux-ssh.pdf

Adiascar.
Hal Rottenberg
Frequent Advisor

Re: Secure OS and rlogin/telnet

Chris,

This is by design. If you want to enable rlogin and telnet, you will also have to create network communication rules. You can add them either to an existing compartment, or to one or more new compartments. We recommend using multiple compartments wherever practical. There is no practical limit to the number of compartments and the more you divide things the more control you have over the system.

Xinetd is a special case since you have a daemon listening that then forks a new process. We have customized xinetd to accept a new "cname" parameter in the xinetd.d files. See /etc/xinetd.d/time as an example of this. Also see the Administration Guide page 7-4.

So, taking telnet as an example you would need to perform these steps:

1) Add a new telnet compartment "tlcompadd telnet"
2) Add file access rules if desired. (See Admin Guide)
3) Add a network communication rule for 23/TCP. You may also wish to add two rules for DNS, 53/UDP. One rule to the DNS server and one from the DNS server.
4) Configure Xinetd, being sure to add a cname="telnet" line.
5) Send SIGUSR2 to xinetd to force a reconfiguration.

Now, that all being said, we don't recommend you enable telnet and rlogin at all. We recommend that you use SSH for all remote administration. But, if you use xinetd as a wrapper and use some of its security measures, and put some secure linux file access controls in place, you can make telnet/rlogin fairly secure. Just know what you are doing.

Regards,

Hal
If at first you don't succeed, then skydiving isn't for you.
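A check for steps 4 and 5 of Hal's list, as an added example that is not from the thread, HP or the xinetd project: a POSIX sh script that reads an /etc/xinetd.d service file and reports whether the service is enabled and carries the HP-specific cname attribute that the compartment rules depend on. The file paths and the sample service files are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example: audit an xinetd.d service file for the two settings the
# thread says HP Secure OS needs before xinetd will start the service in a
# compartment: "disable = no" and a "cname" attribute. Assumed paths only.

# xinetd_attr FILE KEY -> prints the value of "KEY = value" in FILE, with
# comments stripped and surrounding quotes removed (so cname="telnet" and
# cname = telnet are both accepted). Last occurrence wins. Prints nothing
# when the key is absent.
xinetd_attr() {
    awk -v key="$2" '
        { sub(/#.*/, "") }                                  # drop comments
        index($0, "=") {
            k = $0; sub(/[[:space:]]*=.*/, "", k); sub(/^[[:space:]]*/, "", k)
            v = $0; sub(/^[^=]*=[[:space:]]*/, "", v); sub(/[[:space:]]*$/, "", v)
            gsub(/^"|"$/, "", v)                            # strip quotes
            if (k == key) found = v
        }
        END { if (found != "") print found }
    ' "$1"
}

# check_xinetd_service FILE -> prints a one-line verdict; returns 0 when the
# service is enabled and names a compartment, 1 otherwise.
check_xinetd_service() {
    f="$1"
    [ -r "$f" ] || { echo "$f: not readable"; return 1; }
    disable=$(xinetd_attr "$f" disable)
    cname=$(xinetd_attr "$f" cname)
    status=0
    [ "$disable" = "no" ] || {
        echo "$f: service is disabled (disable = ${disable:-unset})"; status=1; }
    [ -n "$cname" ] || {
        echo "$f: no cname attribute, so no compartment rules will apply"; status=1; }
    [ "$status" -eq 0 ] && echo "$f: enabled in compartment '$cname'"
    return "$status"
}

# Usage: ./check_xinetd.sh /etc/xinetd.d/telnet /etc/xinetd.d/rlogin
if [ $# -gt 0 ]; then
    rc=0
    for f in "$@"; do check_xinetd_service "$f" || rc=1; done
    exit "$rc"
fi
```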
Steven E. Protter
Exalted Contributor

Re: Secure OS and rlogin/telnet

You need to check whichever firewall HP used and make sure port 23 is open. Since it's based on Red Hat 7.1, it probably uses ipchains.

See file
/etc/sysconfig/ipchains

It's pretty easy to read and understand.

I'm sure you are aware that telnetd and rlogin are insecure, exploitable protocols.

Clear text passwords and all that.

You might want to forget rlogin and use ssh for secure telnet.

Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com