Disabling telnet on Linux iptables firewall - Security


Thread: Disabling telnet on Linux iptables firewall

  1. Disabling telnet on Linux iptables firewall


    On my Fedora Core 2 server, I call up system-config-securitylevels (the
    GUI configuration tool for iptables) and I tell it to disallow telnet.

    That works ... no one can telnet in any longer. So far so good.

    But, isn't that supposed to disable telnet'ing out, as well?

    That doesn't seem to be working.

    (In general it seems the iptables configuration GUI is MIGHTY limited in
    the things that it can do, and yet the /etc/sysconfig/iptables file, that
    gets generated by system-config-securitylevels, has this big caveat at the
    top: "Firewall configuration written by system-config-securitylevel ...
    Manual customization of this file is not recommended".)

    I would like to be able to limit all outgoing traffic to http, ssh, and
    email, nothing else.


  2. Re: Disabling telnet on Linux iptables firewall

    C. J. Clegg wrote:


    > On my Fedora Core 2 server, I call up system-config-securitylevels (the
    > GUI configuration tool for iptables) and I tell it to disallow telnet.
    >
    > That works ... no one can telnet in any longer. So far so good.
    >
    > But, isn't that supposed to disable telnet'ing out, as well?
    >
    > That doesn't seem to be working.
    >
    > (In general it seems the iptables configuration GUI is MIGHTY limited in
    > the things that it can do, and yet the /etc/sysconfig/iptables file,
    > that gets generated by system-config-securitylevels, has this big caveat
    > at the top: "Firewall configuration written by
    > system-config-securitylevel ... Manual customization of this file is not
    > recommended".)
    >
    > I would like to be able to limit all outgoing traffic to http, ssh, and
    > email, nothing else.


    chkconfig gives the option to determine what gets started when your system
    starts. If you are trying to stop telnet into your machine, you should
    use this to prevent telnet from listening (starting), in addition to the
    firewall.

    To prevent outgoing telnet, disable (rename or remove) telnet on all your
    machines. That's a start, but doesn't prevent users or processes from
    installing or starting their own telnet clients. You can allow or deny
    service (incoming or outgoing) to or from any port with iptables (more
    below), but it is much more difficult if even possible to allow or deny
    any particular protocol (http, ssh, pop3, imap, etc.).

    Work out the iptables rules you think you need to allow or block whatever
    traffic to or from whatever ports you are interested in, and put them into
    a separate shell script with an

    "iptables -I ..."

    command in the script, which places these rules at the start of the
    rulesets in memory. Run this script manually at startup, or automatically
    after everything else has started, possibly from /etc/rc.d/rc.local.

    I do not believe there is any particular or easy specific way to allow or
    deny any particular protocol, in or out, using iptables alone. The rules
    have many options, but it has no way to examine or evaluate protocols used.

  3. Re: Disabling telnet on Linux iptables firewall

    On Sat, 28 Oct 2006, in the Usenet newsgroup comp.os.linux.security, in article
    , C. J. Clegg wrote:

    >On my Fedora Core 2 server,


    Why are you using such an old release? FC2 was declared "unsupported"
    at downloads.fedoralegacy.org in April, and there have been no updates
    released since the end of March. FC6 was released this past week. Consider
    updating to that.

    >I call up system-config-securitylevels (the GUI configuration tool for
    >iptables) and I tell it to disallow telnet.
    >
    >That works ... no one can telnet in any longer. So far so good.
    >
    >But, isn't that supposed to disable telnet'ing out, as well?


    No - that's a misunderstanding on your part.

    >(In general it seems the iptables configuration GUI is MIGHTY limited in
    >the things that it can do, and yet the /etc/sysconfig/iptables file, that
    >gets generated by system-config-securitylevels, has this big caveat at the
    >top: "Firewall configuration written by system-config-securitylevel ...
    >Manual customization of this file is not recommended".)


    This is normal for a GUI tool. You can easily do what the tool author
    thought you might want to do, and typically have much difficulty doing
    things the author didn't think you'd need, or didn't think of. This has
    always been the case. As for editing the actual configuration file, the
    precaution is because the tool doesn't know what your changes look like,
    and may accidentally delete them when you run the tool.

    >I would like to be able to limit all outgoing traffic to http, ssh, and
    >email, nothing else.


    Two choices - first is to get rid of the GUI, and write the firewall rules
    yourself. There is a large amount of documentation available, starting
    with the official HOWTOs, as well as Rusty Russell's "unofficial" howtos
    available from http://www.iptables.org/documentation/HOWTO/. Depending
    on your skill level, this may or may not be a viable option. Remember that
    the 'telnet' client takes a port number as an optional parameter, and thus
    can telnet _to_ any port number on the remote - whether or not there is a
    server there (won't connect if there isn't, but that doesn't stop the
    attempt).

    The second choice is to either remove or disable the undesired clients.
    Disabling them is likely the better choice - use the 'which' command to
    find the binary, and then 'chmod 644' that:

    [compton ~]$ which telnet
    /usr/bin/telnet
    [compton ~]$ su -c /bin/chmod 644 /usr/bin/telnet
    Password:
    [compton ~]$

    In your list of allowed traffic, you don't mention 'ftp' but that is needed
    to keep your system up to date. Admittedly, this is going to be quite
    difficult for FC2, but you should be aware of your responsibility.

    Old guy

  4. Re: Disabling telnet on Linux iptables firewall

    In comp.os.linux.security Moe Trin :
    > On Sat, 28 Oct 2006, in the Usenet newsgroup comp.os.linux.security, in article
    > , C. J. Clegg wrote:


    >>On my Fedora Core 2 server,


    > Why are you using such an old release? FC2 was declared "unsupported"
    > at downloads.fedoralegacy.org in April, and there have been no updates
    > released since the end of March. FC6 was released this past week. Consider
    > updating to that.


    Full ack!

    [..]

    >>I would like to be able to limit all outgoing traffic to http, ssh, and
    >>email, nothing else.


    > Two choices - first is to get rid of the GUI, and write the firewall rules
    > yourself. There is a large amount of documentation available, starting
    > with the official HOWTOs, as well as Rusty Russell's "unofficial" howtos
    > available from http://www.iptables.org/documentation/HOWTO/. Depending
    > on your skill level, this may or may not be a viable option. Remember that
    > the 'telnet' client takes a port number as an optional parameter, and thus
    > can telnet _to_ any port number on the remote - whether or not there is a
    > server there (won't connect if there isn't, but that doesn't stop the
    > attempt).


    Alternatively you can enter iptables rules manually and store them
    with 'iptables-save' on RH and associated to restore them on
    reboot. The OP should check the docs, I have never used this, but
    wrote rules manually.

    > The second choice is to either remove or disable the undesired clients.
    > Disabling them is likely the better choice - use the 'which' command to
    > find the binary, and then 'chmod 644' that:


    > [compton ~]$ which telnet
    > /usr/bin/telnet
    > [compton ~]$ su -c /bin/chmod 644 /usr/bin/telnet


    $ ll /usr/bin/telnet
    -rw-r--r-- 1 root root 68064 Jun 14 2005 /usr/bin/telnet

    $ /lib/ld-linux.so.2 /usr/bin/telnet localhost 22
    Trying 127.0.0.1...
    Connected to localhost.

    Hopefully they are dump enough? Changing perms to "750" might do
    more, even if likely to not survive the next upgrade of the
    package. Though it wouldn't prevent users from using something
    else or their own client.

    > In your list of allowed traffic, you don't mention 'ftp' but that is needed
    > to keep your system up to date. Admittedly, this is going to be quite
    > difficult for FC2, but you should be aware of your responsibility.


    Upgrading would be a good idea, the OP might not ever have
    installed a single patch?

    --
    Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
    mail: echo zvpunry@urvzvat.qr | perl -pe 'y/a-z/n-za-m/'
    #bofh excuse 278: The Dilithium Crystals need to be rotated.

  5. Re: Disabling telnet on Linux iptables firewall

    On Sun, 29 Oct 2006 10:57:15 -0600, Moe Trin wrote:

    > Why are you using such an old release?


    Good afternoon, Old Guy.

    On that particular machine I have no choice. If it were up to me I'd have
    upgraded to at least FC5 long ago.

    > The second choice is to either remove or disable the undesired clients.
    > Disabling them is likely the better choice


    Yes, I didn't think of that, that sounds like the best choice. As has
    been said here, though, it doesn't prevent people from installing their
    own clients and using them.

    > In your list of allowed traffic, you don't mention 'ftp' but that is needed
    > to keep your system up to date. Admittedly, this is going to be quite
    > difficult for FC2, but you should be aware of your responsibility.


    Thanks. I have no need to keep this machine up to date; as you say it's
    obsolete anyway.

    I am allowing sftp rather than ftp.

    Others here have also mentioned that firewalls filter ports and not
    protocols... yes, I'm aware of that and when I mentioned protocols I
    assumed they'd be on their default ports ... not always a valid assumption
    I know...


  6. Re: Disabling telnet on Linux iptables firewall

    C. J. Clegg wrote:
    > On Sun, 29 Oct 2006 10:57:15 -0600, Moe Trin wrote:
    >
    >
    >>Why are you using such an old release?

    >
    >
    > Good afternoon, Old Guy.
    >
    > On that particular machine I have no choice. If it were up to me I'd have
    > upgraded to at least FC5 long ago.
    >
    >
    >>The second choice is to either remove or disable the undesired clients.
    >>Disabling them is likely the better choice

    >
    >
    > Yes, I didn't think of that, that sounds like the best choice. As has
    > been said here, though, it doesn't prevent people from installing their
    > own clients and using them.
    >
    >
    >>In your list of allowed traffic, you don't mention 'ftp' but that is needed
    >>to keep your system up to date. Admittedly, this is going to be quite
    >>difficult for FC2, but you should be aware of your responsibility.

    >
    >
    > Thanks. I have no need to keep this machine up to date; as you say it's
    > obsolete anyway.
    >
    > I am allowing sftp rather than ftp.
    >
    > Others here have also mentioned that firewalls filter ports and not
    > protocols... yes, I'm aware of that and when I mentioned protocols I
    > assumed they'd be on their default ports ... not always a valid assumption
    > I know...



    In the original post you told that:

    - you're having a kernel with iptables,
    - you'd like to allow only http (TCP/80) ssh (TCP/22) and
    email (which: POP3, IMAP, SMTP or all?)

    If the server is used as a gateway, you need to add the rules
    into the FORWARD chain. If the server is the end-point of the
    connection, the rules belong to the OUTPUT chain to limit the
    outward services.

    You need to create rules:

    - chain policy REJECT or DENY
    - allow TCP/80 (HTTP),
    - allow TCP/22 (SSH),
    - allow the relevant email TCP ports.

    If your administrative tool does not allow these,
    dump the tool and command iptables directly.

    For instructions, get suitable HOWTOs from
    .

    --

    Tauno Voipio
    tauno voipio (at) iki fi
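The OUTPUT-chain ruleset Tauno Voipio outlines for the end-point (non-gateway) case, packaged as the stand-alone script the second reply suggests running from /etc/rc.d/rc.local. This is an added example, not code from anyone in the thread; the port numbers for "email" (SMTP, POP3, IMAP), the udp/53 DNS rule that the HTTP rule depends on in practice, and the /sbin/iptables path are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Restricts outbound traffic from this
# host to ssh, http and email, rejecting everything else (telnet included).
# Assumptions: "email" = SMTP/POP3/IMAP; DNS (udp/53) is allowed because
# http by hostname is useless without it; iptables lives in /sbin.
IPT="${IPT:-/sbin/iptables}"
ALLOWED_TCP_PORTS="22 80 25 110 143"   # ssh http smtp pop3 imap

apply_output_rules() {
    ipt="${1:-$IPT}"   # pass "echo" to print the commands instead of running them

    # Flush only OUTPUT so the GUI-generated INPUT rules are left alone.
    "$ipt" -F OUTPUT
    # A built-in chain's policy can only be ACCEPT or DROP; REJECT is a target,
    # so "reject everything else" is done with explicit rules at the end.
    "$ipt" -P OUTPUT DROP

    # Local daemons talk to each other over loopback; keep it open.
    "$ipt" -A OUTPUT -o lo -j ACCEPT
    # Packets of connections already accepted (e.g. replies on an inbound
    # SSH session) must be allowed out, or the box goes deaf to itself.
    "$ipt" -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$ipt" -A OUTPUT -p udp --dport 53 -j ACCEPT

    for port in $ALLOWED_TCP_PORTS; do
        "$ipt" -A OUTPUT -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done

    # Outbound telnet (tcp/23) or anything else gets an immediate refusal
    # rather than a hang, which makes the block easy to verify from a shell.
    "$ipt" -A OUTPUT -p tcp -j REJECT --reject-with tcp-reset
    "$ipt" -A OUTPUT -j REJECT --reject-with icmp-port-unreachable
}

case "${1:-}" in
    --apply) apply_output_rules ;;        # needs root; this is what rc.local runs
    *)       apply_output_rules echo ;;   # default: dry run, review the commands first
esac
```

Because the rules filter by port, not protocol, a client pointed at an allowed port still gets through, exactly as Moe Trin notes about `telnet host 22`.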

  7. Re: Disabling telnet on Linux iptables firewall


    Thanks to all who helped on this issue. Please see my last post to the
    "Questions on secure remote access to Fedora Core 2" for the end result.
    Basically it seems I have iptables more or less sort of figured out and
    what I have in place seems to be working.


  8. Re: Disabling telnet on Linux iptables firewall

    On Sun, 29 Oct 2006, in the Usenet newsgroup comp.os.linux.security, in article
    , Michael Heiming wrote:

    >Alternatively you can enter iptables rules manually and store them
    >with 'iptables-save' on RH and associated to restore them on
    >reboot. The OP should check the docs, I have never used this, but
    >wrote rules manually.


    Yeah, I've always created my own scripts for that. At least they work
    interchangeably across nearly all distributions rather than depending
    on a distribution specific tool, or some third party thing.

    >$ /lib/ld-linux.so.2 /usr/bin/telnet localhost 22
    >Trying 127.0.0.1...
    >Connected to localhost.
    >
    >Hopefully they are dump enough?


    [Assumed typ0 - dump == dumb]

    Actually, not all that many experienced users are aware of that trick.

    >Changing perms to "750" might do more, even if likely to not survive the
    >next upgrade of the package.


    The other problem might be some wonderful security enforcement problem
    that runs as a cron job to enforce "sane" permissions.

    >Though it wouldn't prevent users from using something else or their own
    >client.


    That's always the problem. Only the more paranoid mount /home -noexec,
    and this becomes a nightmare to set up in a chroot() setting.

    Old guy

  9. Re: Disabling telnet on Linux iptables firewall

    In comp.os.linux.security Moe Trin :
    > On Sun, 29 Oct 2006, in the Usenet newsgroup comp.os.linux.security, in article
    > , Michael Heiming wrote:


    [..]
    >>$ /lib/ld-linux.so.2 /usr/bin/telnet localhost 22

    [..]

    > Actually, not all that many experienced users are aware of that trick.


    >>Changing perms to "750" might do more, even if likely to not survive the
    >>next upgrade of the package.


    > The other problem might be some wonderful security enforcement problem
    > that runs as a cron job to enforce "sane" permissions.


    Yep, that is another problem on some distro/installations,
    needing adjustment to reflect changes.

    >>Though it wouldn't prevent users from using something else or their own
    >>client.


    > That's always the problem. Only the more paranoid mount /home -noexec,


    Which wouldn't prevent someone from the above trick.

    > and this becomes a nightmare to set up in a chroot() setting.


    ;-)

    --
    Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
    mail: echo zvpunry@urvzvat.qr | perl -pe 'y/a-z/n-za-m/'
    #bofh excuse 200: The monitor needs another box of pixels.
