Why you don't have telnet open to the world


Tue Dec 21 18:08:48 2004 Why you don't have telnet open to the world
Posted by Tony Lawrence
Search Keys: security|ssh

I had an email today from a reseller who I have helped with routers, VPNs etc. in the past. I usually set his clients up with internet ssh access restricted to specific accounts (see Security Paranoia - restricting ssh access), but apparently I had never explained WHY I do this, because his email went something like this (edited slightly to remove extraneous material):

I had someone show me a trick the other day...I was able to connect to his customer using ALPHACOM with a TELNET session!

I think the "!" is because he probably thought telnet over the internet was impossible. My fault for not explaining this stuff better. He went on to say:

What he did is give me an IP address that I plugged in and bingo, I got a login. What I had to do was go to the advanced properties and give it a port number to use as well. This is because on his router he set it up so that port xyz forwarded to something like port 23 on the system.

Actually, it's "Bingo! You have a big security hole!".

The person who gave him this "trick" probably thought that by using a different port he had improved security. That's called "security through obscurity" and the only people it protects you from are the ones that probably couldn't hurt you anyway. Anyone else is going to scan a full range of ports and they will see your login almost as quickly as they would had you left it at port 23.

So there we are, telnet open to the world. Unless the firewall has a rule that says "only folks from these addresses get forwarded" (and if you had that, why obfuscate the port?), anyone can try to log in. Anyone can TRY to log in with ssh, too, but as explained above, we only allow certain accounts to do that, and root isn't one of them. Here the attacker is free to hammer away, guessing root passwords for as long as he wants.

Well, not quite. That version of SCO implements a feature to lock out a tty after so many unsuccessful logins (usually set to 99), but it doesn't take all that long for a dictionary password attack to hit that number. So a pseudo tty gets locked out, and now nobody can log in (see /Detective/ttylocked.html).

Of course that assumes that the dictionary attack failed, but dumb passwords are pretty common, and most people have no idea how many of these guys try and how long they keep trying. I see it in my server logs, and it is just incredible. Here's just a sample:

Failed logins from these:
adm/password from 61.100.180.125: 2 Time(s)
apache/password from 61.100.180.125: 1 Time(s)
cyrus/password from 61.100.180.125: 1 Time(s)
horde/password from 61.100.180.125: 1 Time(s)
iceuser/password from 61.100.180.125: 1 Time(s)
irc/password from 61.100.180.125: 2 Time(s)
jane/password from 61.100.180.125: 1 Time(s)
matt/password from 61.100.180.125: 1 Time(s)
mysql/password from 61.100.180.125: 1 Time(s)
nobody/password from 61.100.180.125: 1 Time(s)
operator/password from 61.100.180.125: 1 Time(s)
pamela/password from 61.100.180.125: 1 Time(s)
patrick/password from 61.100.180.125: 2 Time(s)
rolo/password from 61.100.180.125: 1 Time(s)
root/password from 61.100.180.125: 11 Time(s)
test/password from 61.100.180.125: 4 Time(s)
www-data/password from 61.100.180.125: 1 Time(s)
www/password from 61.100.180.125: 1 Time(s)
wwwrun/password from 61.100.180.125: 1 Time(s)


Remember, I lock people out after 2 failed logins, so the ones with more than that waited quite a while and came back at me again and again! None of those accounts could log in anyway (they aren't in the ssh allowed users list), but they can't tell that, so they keep on trying. Hour after hour, day after day.
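
As an added illustration (not code from the original post), here is a small Python script that parses failed-login summary lines in the same "user/password from IP: N Time(s)" shape as the sample above, over constructed data, and picks out the sources that must have been locked out and come back (any account with more attempts than the assumed lockout threshold of 2), plus how many of the guesses were aimed at root and how many at accounts that were never in the allowed list anyway:

```python
import re
from collections import defaultdict

# Constructed sample in the same shape as the summary quoted in the post.
# Addresses and counts are made up for this example.
SAMPLE = """\
Failed logins from these:
   adm/password from 192.0.2.10: 2 Time(s)
   root/password from 192.0.2.10: 11 Time(s)
   test/password from 192.0.2.10: 4 Time(s)
   jane/password from 192.0.2.10: 1 Time(s)
   root/password from 198.51.100.7: 1 Time(s)
"""

# One summary line: "<user>/password from <ipv4>: <n> Time(s)"
LINE_RE = re.compile(
    r"^\s*(?P<user>[\w.-]+)/password from (?P<src>[\d.]+): (?P<n>\d+) Time\(s\)$"
)

def parse_summary(text):
    """Yield (user, src, count) for each failed-login line; the heading is skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["user"], m["src"], int(m["n"])

def returning_sources(text, lockout=2):
    """Sources that exceeded the per-account lockout on at least one account,
    i.e. they were locked out and came back; mapped to their total attempts."""
    totals = defaultdict(int)
    persistent = set()
    for user, src, n in parse_summary(text):
        totals[src] += n
        if n > lockout:
            persistent.add(src)
    return {src: totals[src] for src in sorted(persistent)}

def root_attempts(text):
    """Total guesses against root across all sources."""
    return sum(n for user, _src, n in parse_summary(text) if user == "root")

def wasted_attempts(text, allowed_users):
    """Guesses against accounts that are not in the ssh allowed-users list
    (hypothetical list passed in by the caller); these could never succeed."""
    return sum(n for user, _src, n in parse_summary(text) if user not in allowed_users)

if __name__ == "__main__":
    print(returning_sources(SAMPLE), root_attempts(SAMPLE), wasted_attempts(SAMPLE, {"jane"}))
```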

Don't do this.