Operating System - HP-UX


Disable Telnet but Allow Telnet Out

Hi,

I have just installed SSH and disabled telnet. The client is now happy with the added security.
My client now wants to be able to ssh into the box and telnet to any machine outside our network. (This is a library system (Aleph) using the Z39.50 protocol.)

Is it possible to disable telnet in but allow telnet out?
8 REPLIES
Massimo Bianchi
Honored Contributor

Re: Disable Telnet but Allow Telnet Out

Hi,
To disable telnet in you can either disable it from the inet (/etc/inetd.conf) or use the sec to secure them (/var/adm/inetd.sec).

Telnet out is always enabled, unless you remove the executable, I think.

HTH,
Massimo
T G Manikandan
Honored Contributor

Re: Disable Telnet but Allow Telnet Out

check the man pages of inetd.sec

Sanjiv Sharma_1
Honored Contributor

Re: Disable Telnet but Allow Telnet Out

Hi Vinesh,

Yes. Massimo is correct. Telnet in can be disabled which you have done and telnet out should work.

Check the following for disabling telnet. See that you have followed the correct steps.
http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0x24fee822e739d711abdc0090277a778c,00.html

Thanks,
Everything is possible
RAC_1
Honored Contributor

Re: Disable Telnet but Allow Telnet Out

Once you disable telnet you won't be able to telnet into or telnet out from the box.

You can get around this as follows.

Run telnetd as some other service on some other port. (Files - inetd.conf and services)
Now restrict this service in inetd.sec. (So that incoming connections will not be possible, but you can use that port for outbound connections.)

Also you need to have required permissions on your firewall.
There is no substitute to HARDWORK
U.SivaKumar_2
Honored Contributor

Re: Disable Telnet but Allow Telnet Out

hi,

In your server,

# iptables -A INPUT -i eth0 -p tcp --dport telnet -j DROP
# iptables-save > /etc/sysconfig/iptables


eth0 is just an example; replace it with the exact interface of your server.

Now you will be able to ssh to the server. But users cannot telnet to this server. But users can telnet outside.

regards,
U.SivaKumar
Innovations are made when conventions are broken
Fred.Wu
Frequent Advisor

Re: Disable Telnet but Allow Telnet Out

Comment out telnet in /etc/inetd.conf and use
"inetd -c" to refresh.
fred
twang
Honored Contributor

Re: Disable Telnet but Allow Telnet Out

- You may disable telnet service via /etc/inetd.conf
- The telnet tool may be your usual practice, but you should prevent it from becoming your second nature. Start using ssh from today.
Steven Sim Kok Leong
Honored Contributor

Re: Disable Telnet but Allow Telnet Out

Hi,

The easiest way is to disable the telnet reference to port 23 in /etc/services. However, that doesn't prevent someone from explicitly specifying the port at the command line and telnetting out:

# telnet another.com 23

You can disable the telnet binaries but that doesn't prevent users from compiling their own. Users can rely on other tools like netcat etc.

The most effective way would be to perform filtering at either a network-based firewall or host-based firewall on outbound traffic.

There are of course still loopholes on this. Depending on which ports you allow for initiated outbound traffic, a malicious user can still run a telnetd daemon at a high port which you did not block on his system e.g.

# telnet another.com 65535

OR

# nc another.com 65535

Such residual risk is where your Corporate IT Security Policies come into play. If you have a policy that states that no clear-text data should be transmitted over the network, then all staff should adhere to it.

Hope this helps. Regards.

Steven Sim Kok Leong
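
A way to verify the inetd.conf change several replies describe, as an added example that is not part of any post in this thread: it lists every active inetd entry that starts telnetd, including one registered under a different service name and port. The sample files are constructed, and the service name "libterm" and port 2323 are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): list active inetd entries that start telnetd.
# Assumes the standard inetd.conf field order:
#   service  socket-type  protocol  wait  user  server-program  args...

# find_telnetd CONF [SERVICES]
# Prints "service port" for every uncommented entry whose server program is
# named telnetd, whatever the service is called. Port is "?" if not in SERVICES.
find_telnetd() {
    awk -v svc="${2:-/etc/services}" '
        BEGIN {
            # Map tcp service names (and aliases) to port numbers.
            while ((getline line < svc) > 0) {
                sub(/#.*/, "", line)
                n = split(line, f)
                if (n < 2 || f[2] !~ /\/tcp$/) continue
                sub(/\/tcp$/, "", f[2])
                for (i = 1; i <= n; i++) if (i != 2) port[f[i]] = f[2]
            }
        }
        { sub(/#.*/, "") }        # drop comments, so commented-out entries vanish
        NF < 6 { next }           # blank line or not a server entry
        {
            n = split($6, p, "/") # basename of the server program
            if (p[n] == "telnetd")
                print $1, (($1 in port) ? port[$1] : "?")
        }
    ' "$1"
}

# Constructed sample files: telnet is commented out, but telnetd is also
# registered under the hypothetical service name "libterm" on port 2323.
demo_dir=$(mktemp -d)
cat > "$demo_dir/inetd.conf" <<'EOF'
#telnet  stream tcp nowait root /usr/lbin/telnetd telnetd
ftp      stream tcp nowait root /usr/lbin/ftpd    ftpd -l
libterm  stream tcp nowait root /usr/lbin/telnetd telnetd
EOF
cat > "$demo_dir/services" <<'EOF'
telnet   23/tcp
ftp      21/tcp
libterm  2323/tcp    # constructed entry
EOF

find_telnetd "$demo_dir/inetd.conf" "$demo_dir/services"   # prints: libterm 2323
```

An empty result means no inetd entry starts telnetd. The check reads only the configuration file, so it says nothing about the outbound telnet client.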