Re: Telnet to open ports


Subject: Re: Telnet to open ports
From: Graham Leggett (minfrin@sharp.fm)
Date: Sat Sep 29 2001 - 13:49:26 MDT


Brian Watson wrote:

> You are mistaken in what I was asking. It is possible to telnet into
> almost any open service port, even with telnet and port 23 disabled.
> I was asking about how to disable telnet to other ports through
> tcpwrapper.

As a general rule, you should do this:

- If you don't need a service, switch it off, and uninstall that service
with rpm -e <package>. You can always add it back later if you need it.
If the service is not there, you don't need to secure it. Examples
include telnetd (use ssh), fingerd, ftpd (use ssh/scp), and a few
others.

- If you need something, but it has a limited scope, set up the service
so that it only binds to the IP addresses it needs. For example,
typically an LDAP server would only be bound to 127.0.0.1 (unless
your needs are different). Again, if a service is not listening on a
port, there is no need to secure it.

- If you need something, but it must be restricted to the local network,
then use tcpwrappers. They are a bit of a pain in the ass to set up
though, and not all applications support tcpwrappers, or support them
consistently.

- Use encrypted versions of services where available. Use SSH, SPOP3,
IMAPS, HTTPS, etc - you will be able to use client side certs to protect
your ports. No valid cert - no access to the port. Without client side
certs, you still have the benefit of no clear text passwords.

- Don't run known-insecure services. The BIND nameserver (for example)
is notorious for bugs - avoid installing such services if you can, or
choose software that is more reliable.

Regards,
Graham

-- 
-----------------------------------------
minfrin@sharp.fm        "There's a moon over Bourbon Street tonight..."


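The "bind only to the addresses it needs" point is easiest to verify by looking at the listening sockets rather than at each daemon's config. As an added example (not from the original message), the script below parses the columns of `ss -ltn` output and lists every listener that is bound to something other than a loopback address; the sample output embedded in it is constructed, not captured from a real host.

```python
"""Flag listening TCP sockets bound to anything other than loopback.

Added example; the sample `ss -ltn` output below is constructed.
"""
import ipaddress

SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     127.0.0.1:389        0.0.0.0:*
LISTEN  0       511     *:80                 *:*
LISTEN  0       128     [::1]:25             [::]:*
LISTEN  0       128     [::]:23              [::]:*
"""


def _is_loopback(addr):
    """True for 127.x / ::1; wildcards and unparsable names count as exposed."""
    addr = addr.strip("[]")
    if addr in ("*", ""):
        return False
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def exposed_listeners(ss_text):
    """Return sorted (port, local_address) pairs reachable from other hosts."""
    found = set()
    for line in ss_text.splitlines()[1:]:       # skip the header row
        cols = line.split()
        if len(cols) < 4 or cols[0] != "LISTEN":
            continue
        addr, port = cols[3].rsplit(":", 1)     # rsplit keeps IPv6 brackets intact
        if not _is_loopback(addr):
            found.add((int(port), addr))
    return sorted(found)


if __name__ == "__main__":
    for port, addr in exposed_listeners(SAMPLE_SS_OUTPUT):
        print(f"port {port} is exposed on {addr}")
```

In the constructed sample the LDAP port 389 is correctly loopback-only and does not appear, while 22, 23 and 80 do; on a real host, feed the function the output of `ss -ltn` and compare the list against the services you actually intend to offer.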


This archive was generated by hypermail 2a24 : Sat Sep 29 2001 - 12:59:16 MDT