Why you don't have telnet open to the world
Tue Dec 21 18:08:48 2004
Posted by Tony Lawrence
Search Keys: security|ssh
I had an email today from a reseller who I have helped with routers, VPNs etc. in the past. I usually set his clients up with internet ssh access restricted to specific accounts (see Security Paranoia - restricting ssh access), but apparently I had never explained WHY I do this, because his email went something like this (edited slightly to remove extraneous material):
I had someone show me a trick the other day...I was able to connect to his customer using ALPHACOM with a TELNET session!
I think the "!" is there because he probably thought telnet over the internet was impossible. My fault for not explaining this stuff better. He went on to say:
What he did is give me an IP address that I plugged in and bingo, I got a login. What I had to do was go to the advanced properties and give it a port number to use as well. This is because on his router he set it up so that port xyz forwarded to something like port 23 on the system.
Actually, it's "Bingo! You have a big security hole!".
The person who gave him this "trick" probably thought that by using a different port he had improved security. That's called "security through obscurity", and the only people it protects you from are the ones who probably couldn't hurt you anyway. Anyone else is going to scan the full port range, and the forwarded telnet service will answer with its login prompt on whatever port it finds it, so they will see your login almost as quickly as they would had you left it at port 23.
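The port-scanning point is easy to demonstrate. The script below is an added example, not part of the original post: it connects to each port, reads whatever the server volunteers first, and classifies it. A telnet server normally opens with option negotiation (an IAC byte, 0xFF, followed by DO/DONT/WILL/WONT and an option) or goes straight to a login prompt, while an SSH server sends an identification string starting "SSH-". Neither cares what port it is listening on, which is the whole point. The default host and port list are placeholders, and the banners used to exercise classify_banner() are constructed samples.

```python
import socket

# Telnet option-negotiation bytes (RFC 854): IAC, then WILL/WONT/DO/DONT, then an option.
IAC = 0xFF
TELNET_COMMANDS = {0xFB, 0xFC, 0xFD, 0xFE}  # WILL, WONT, DO, DONT


def classify_banner(data: bytes) -> str:
    """Classify the first bytes a server sends after the TCP connect.

    Returns "ssh", "telnet", "silent" (nothing sent, e.g. SMTP-like protocols
    that wait for us, or a service that needs input first) or "unknown".
    """
    if data.startswith(b"SSH-"):
        return "ssh"  # SSH identification string, e.g. "SSH-2.0-OpenSSH_3.9p1"
    if len(data) >= 3 and data[0] == IAC and data[1] in TELNET_COMMANDS:
        return "telnet"  # option negotiation: only telnet does this
    lowered = data.lower()
    if b"login:" in lowered or b"password:" in lowered:
        return "telnet"  # a bare login prompt with no negotiation is still a login
    if not data:
        return "silent"
    return "unknown"


def probe(host: str, port: int, timeout: float = 2.0) -> str:
    """Connect to host:port and classify whatever the server says first."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(256)
            except socket.timeout:
                data = b""  # server waits for us; treat as silent
    except OSError:
        return "closed"  # refused, unreachable, or filtered
    return classify_banner(data)


def scan(host: str, ports, timeout: float = 1.0) -> dict:
    """Probe every port in the list; the result does not depend on port numbers."""
    return {port: probe(host, port, timeout) for port in ports}


if __name__ == "__main__":
    import sys

    # Assumed defaults for a quick local run; pass a host and ports on the command line.
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    ports = [int(p) for p in sys.argv[2:]] or [22, 23, 2323, 10023]
    for port, kind in scan(host, ports).items():
        print(f"{host}:{port} -> {kind}")
```

A real scanner probes all 65535 ports and does it in parallel, but the classification step is the same: the service identifies itself the moment you connect, so the "secret" port buys nothing.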
So there we are: telnet open to the world. Unless the firewall has a rule that says "only connections from these addresses get forwarded" (and if you had that, why obfuscate the port?), anyone can try to log in, as any account, including root. Anyone can TRY to log in with ssh too, but as explained above, we only allow certain accounts to do that, and root isn't one of them. Telnet has no such restriction, so the attacker is free to hammer away, guessing root passwords for as long as he wants. And telnet carries the password in the clear, so even a legitimate login over that forwarded port hands it to anyone watching the path.
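Here is what the "restricted ssh access" the post refers to comes down to in sshd_config terms, as an added example that is not taken from the post or the linked article. The two configurations are constructed, the account names tony and reseller are placeholders, and the audit function follows sshd's rule that the first value given for a keyword wins. Match blocks are not handled: their settings are conditional, and the parser stops when it reaches one.

```python
import re

# Constructed example: a stock sshd_config with nothing restricted.
WEAK = """\
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
"""

# Constructed example: the restriction the post describes. Only the listed
# accounts may authenticate at all; root is not one of them.
HARDENED = """\
Port 22
Protocol 2
PermitRootLogin no
AllowUsers tony reseller
PasswordAuthentication yes
"""


def parse_sshd_config(text: str) -> dict:
    """Return {keyword_lowercase: value} using sshd's first-value-wins rule."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.lower().startswith("match"):
            break  # assumption: no Match blocks; anything after one is conditional
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        settings.setdefault(key, value)  # sshd keeps the first value it sees
    return settings


def audit(text: str) -> list:
    """List the ways this config leaves every account open to password guessing."""
    s = parse_sshd_config(text)
    findings = []
    # Old OpenSSH defaulted PermitRootLogin to "yes"; newer releases default to
    # "prohibit-password". Neither is "no", so a missing keyword is a finding.
    if s.get("permitrootlogin", "yes") != "no":
        findings.append("root may log in directly (PermitRootLogin is not 'no')")
    if "allowusers" not in s and "allowgroups" not in s:
        findings.append("no AllowUsers/AllowGroups: every account on the box is a valid target")
    elif "root" in s.get("allowusers", "").split():
        findings.append("root is listed in AllowUsers")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"{name}: {audit(cfg) or ['ok']}")
```

Note that AllowUsers is checked before any password is tried: an attacker guessing "root/password" against the hardened box is refused no matter what root's password is, which is why the post can shrug off the attempts listed below. Adding PasswordAuthentication no on top of this, so that only keys work, is a further step the post does not take.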
Well, not quite. That version of SCO implements a feature to lock out a tty after so many unsuccessful logins, usually set to 99, but it doesn't take a dictionary password attack very long to hit that number. So the pseudo tty gets locked out, and now nobody can log in: the failed attack has turned into a denial of service (see /Detective/ttylocked.html).
Of course, that assumes the dictionary attack failed, but dumb passwords are pretty common, and most people have no idea how many of these guys try and how long they keep trying. I see it in my server logs, and it is just incredible. Here's just a sample:
Failed logins from these:
   adm/password from 61.100.180.125: 2 Time(s)
   apache/password from 61.100.180.125: 1 Time(s)
   cyrus/password from 61.100.180.125: 1 Time(s)
   horde/password from 61.100.180.125: 1 Time(s)
   iceuser/password from 61.100.180.125: 1 Time(s)
   irc/password from 61.100.180.125: 2 Time(s)
   jane/password from 61.100.180.125: 1 Time(s)
   matt/password from 61.100.180.125: 1 Time(s)
   mysql/password from 61.100.180.125: 1 Time(s)
   nobody/password from 61.100.180.125: 1 Time(s)
   operator/password from 61.100.180.125: 1 Time(s)
   pamela/password from 61.100.180.125: 1 Time(s)
   patrick/password from 61.100.180.125: 2 Time(s)
   rolo/password from 61.100.180.125: 1 Time(s)
   root/password from 61.100.180.125: 11 Time(s)
   test/password from 61.100.180.125: 4 Time(s)
   www-data/password from 61.100.180.125: 1 Time(s)
   www/password from 61.100.180.125: 1 Time(s)
   wwwrun/password from 61.100.180.125: 1 Time(s)
Remember - I lock people out after 2 failed logins - so the ones with more than that waited quite a while and came back at me again and again! None of those accounts could log in anyway - they aren't in the ssh allowed-users list - but the attacker can't tell that, so he keeps on trying. Hour after hour, day after day.
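A summary in the same shape can be produced directly from sshd's log lines, and the allowed-users list can be applied to it so that guesses against accounts that could never log in stand out. The script below is an added example, not from the post or its log-reporting tool. The log lines are constructed for illustration (the source address is the one in the summary above; the PIDs, ports and times are made up), ALLOWED_USERS is an assumption standing in for the AllowUsers line in sshd_config, and sources_to_block() applies the post's two-failed-logins threshold. The pattern accepts both the older "illegal user" and the newer "invalid user" wording sshd has used for unknown accounts.

```python
import re
from collections import Counter

# Constructed sample of sshd syslog lines; not the post's actual logs.
SAMPLE_LOG = """\
Dec 21 03:14:07 host sshd[1221]: Failed password for illegal user adm from 61.100.180.125 port 40112 ssh2
Dec 21 03:14:09 host sshd[1223]: Failed password for root from 61.100.180.125 port 40113 ssh2
Dec 21 03:14:11 host sshd[1225]: Failed password for invalid user test from 61.100.180.125 port 40114 ssh2
Dec 21 03:14:13 host sshd[1227]: Failed password for root from 61.100.180.125 port 40115 ssh2
Dec 21 03:14:15 host sshd[1229]: Failed password for invalid user test from 61.100.180.125 port 40116 ssh2
Dec 21 03:14:17 host sshd[1231]: Failed password for tony from 61.100.180.125 port 40117 ssh2
Dec 21 03:14:19 host sshd[1233]: Accepted publickey for tony from 10.0.0.5 port 51002 ssh2
Dec 21 09:41:02 host sshd[1408]: Failed password for root from 61.100.180.125 port 40590 ssh2
Dec 21 11:02:44 host sshd[1590]: Failed password for invalid user mysql from 203.0.113.7 port 3301 ssh2
"""

# "invalid user" (newer sshd) or "illegal user" (older sshd) marks accounts that
# do not exist; for existing accounts the user name follows "for" directly.
FAILED = re.compile(
    r"Failed password for (?:(?:invalid|illegal) user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

# Assumption: the accounts named in sshd_config's AllowUsers line.
ALLOWED_USERS = {"tony"}


def parse_failures(text: str) -> Counter:
    """Count failed password attempts per (user, source address)."""
    counts = Counter()
    for line in text.splitlines():
        m = FAILED.search(line)
        if m:
            counts[(m["user"], m["ip"])] += 1
    return counts


def summarize(counts: Counter, allowed=ALLOWED_USERS) -> list:
    """Render the counts in the 'user/password from IP: N Time(s)' style."""
    lines = []
    for (user, ip), n in sorted(counts.items()):
        tag = "" if user in allowed else " [not in AllowUsers]"
        lines.append(f"{user}/password from {ip}: {n} Time(s){tag}")
    return lines


def sources_to_block(counts: Counter, threshold: int = 2) -> set:
    """Source addresses with at least `threshold` failures across all accounts."""
    per_ip = Counter()
    for (_, ip), n in counts.items():
        per_ip[ip] += n
    return {ip for ip, n in per_ip.items() if n >= threshold}


if __name__ == "__main__":
    counts = parse_failures(SAMPLE_LOG)
    print("Failed logins from these:")
    for line in summarize(counts):
        print("   " + line)
    print("Block:", ", ".join(sorted(sources_to_block(counts))))
```

The tag is the useful part: a failed attempt against an account that AllowUsers would have refused anyway is pure noise from the defender's side, but it is exactly the signal that the source address is running a dictionary attack and should be blocked at the firewall rather than left to keep trying.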
Don't do this.