
How to Disable Telnet on IPS?

Jonathan Grant
Level 1

To whom it may concern,

Good day, I hope your week is going well.  I recently discovered that my IPS sensors are listening for and accepting telnet traffic.  I looked at the configuration in the CLI, and it is disabled; however, when looking at the listening services via the Service account, I see that the sensor is indeed listening for telnet; please see below.

Does anyone know how to disable telnet?  Do I need to modify the \etc\inetd.conf file in the Service account and then reload inetd to take effect?  Thanks.

Telnet Disabled by default in the CLI:

sensor(config-hos-net)# show settings
   network-settings
   -----------------------------------------------
      host-ip: x.x.36.45/24,x.x.36.3 default: x.x.1.2/24,x.x.1.1
      host-name: sensor default: sensor
      telnet-option: disabled default: disabled

Sensor listening for telnet per netstat -na performed on the Linux partition:

-bash-2.05b$ netstat -na
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:7000            0.0.0.0:*               LISTEN
tcp        0      0 x.x.36.45:443           0.0.0.0:*               LISTEN
tcp        0     36 127.0.2.1:7000          127.0.1.1:1139          ESTABLISHED
tcp        0    268 x.x.36.45:22            x.x.251.209:12299       ESTABLISHED
udp        0      0 0.0.0.0:32768           0.0.0.0:*
udp        0      0 0.0.0.0:161             0.0.0.0:*
udp        0      0 127.0.2.1:123           0.0.0.0:*
udp        0      0 x.x.36.45:123           0.0.0.0:*
udp        0      0 127.0.0.1:123           0.0.0.0:*
udp        0      0 0.0.0.0:123             0.0.0.0:*

Jonathan

3 Replies

Jonathan Grant
Level 1

Ok, so here is what I figured out...

I commented out the telnet line in the inetd.conf file; however, I couldn't figure out how to reload the conf file.  I tried this command without success: "/etc/inetd reload".  I did reboot the sensor, which ultimately reloaded the inetd.conf file.  When the sensor came back online, telnet was disabled.

I have 250+ sensors, so if anyone knows how to reload the /etc/inetd.conf file without rebooting the sensor, please let me know.  I can then write a script to go out to all the sensors to disable telnet.  Thank you.

Jonathan

Dustin Ralich
Cisco Employee

Hi Jonathan.

I recently discovered that my IPS sensors are listening for and accepting telnet traffic.  I looked at the configuration in the CLI, and it is disabled; however, when looking at the listening services via the Service account, I see that the sensor is indeed listening for telnet; please see below.

When Telnet is Disabled (which is also the default on modern versions of the sensor software), the sensor's firewall configuration includes a rule for dropping Telnet traffic:

-bash-2.05b# iptables -L INPUT -nv
Chain INPUT (policy DROP 0 packets, 0 bytes)
target     prot opt in     out     source               destination
DROP       tcp  --  ma0_0  *       0.0.0.0/0            0.0.0.0/0           tcp dpt:23
ACCEPT     all  --  ma0_0  *       0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  ma0_0  *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED

If Telnet is Enabled, then that specific rule is removed (allowing incoming Telnet traffic to reach the daemon):

-bash-2.05b# iptables -L INPUT -nv
Chain INPUT (policy DROP 0 packets, 0 bytes)
target     prot opt in     out     source               destination
ACCEPT     all  --  ma0_0  *       0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  ma0_0  *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED

NOTE: In the above examples, the sensor's configured access-list contained a single entry (access-list 0.0.0.0/0); the above outputs will vary depending on the sensor's access-list configuration, but the behavior still applies.
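An added check, not part of this thread, that codifies the distinction drawn in the replies above: given a sensor's `netstat -na` and `iptables -L INPUT -nv` output, it reports whether port 23 has no listener, is listening but dropped by the firewall (the CLI-disabled case), or is actually exposed. The sample outputs are constructed from the listings posted in this thread, and the function names are my own.

```python
import re

# Constructed samples modelled on the netstat -na and iptables -L INPUT -nv
# output posted in this thread (addresses anonymised the same way).
NETSTAT_SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 x.x.36.45:443           0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:161             0.0.0.0:*
"""
IPTABLES_TELNET_DISABLED = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
target     prot opt in     out     source               destination
DROP       tcp  --  ma0_0  *       0.0.0.0/0            0.0.0.0/0           tcp dpt:23
ACCEPT     all  --  ma0_0  *       0.0.0.0/0            0.0.0.0/0
"""
IPTABLES_TELNET_ENABLED = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
target     prot opt in     out     source               destination
ACCEPT     all  --  ma0_0  *       0.0.0.0/0            0.0.0.0/0
"""

# A DROP rule for a TCP destination port, with or without the pkts/bytes
# counter columns that -v prints on most builds (the thread's paste omits them).
DROP_RULE = re.compile(r"\bDROP\s+tcp\b.*\bdpt:(\d+)")


def tcp_listeners(netstat_output):
    """Local TCP ports in LISTEN state, parsed from `netstat -na` output."""
    ports = set()
    for line in netstat_output.splitlines():
        f = line.split()
        if len(f) >= 6 and f[0] == "tcp" and f[5] == "LISTEN":
            ports.add(int(f[3].rsplit(":", 1)[1]))  # local address is host:port
    return ports


def dropped_tcp_ports(iptables_output):
    """TCP destination ports the INPUT chain drops, from `iptables -L INPUT -nv`."""
    return {int(m.group(1)) for m in map(DROP_RULE.search, iptables_output.splitlines()) if m}


def telnet_state(netstat_output, iptables_output, port=23):
    """'not-listening': inetd has no telnet listener (e.g. after editing inetd.conf);
    'listening-but-dropped': inetd listens but the firewall drops port 23 (CLI disabled);
    'exposed': inetd listens and no DROP rule covers the port."""
    if port not in tcp_listeners(netstat_output):
        return "not-listening"
    if port in dropped_tcp_ports(iptables_output):
        return "listening-but-dropped"
    return "exposed"
```

Run against the real outputs collected over SSH, the third state is the one worth alerting on; the second is what the thread shows a CLI-disabled sensor looks like.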

haivrajesh
Level 1

Check the Access list. This will help you.

Rajeswar.
