How to Disable Telnet on IPS?

Jonathan Grant
Level 1

To whom it may concern,

Good day, I hope your week is going well.  I recently discovered that my IPS sensors are listening for and accepting telnet traffic.  I looked at the configuration in the CLI, and it is disabled; however, when looking at the listening services via the Service account, I see that the sensor is indeed listening for telnet; please see below.

Does anyone know how to disable telnet?  Do I need to modify the \etc\inetd.conf file in the Service account and then reload inetd to take effect?  Thanks.

Telnet Disabled by default in the CLI:

sensor(config-hos-net)# show settings
   network-settings
   -----------------------------------------------
      host-ip: x.x.36.45/24,x.x.36.3 default: x.x.1.2/24,x.x.1.1
      host-name: sensor default: sensor
      telnet-option: disabled default: disabled

Sensor listening for telnet per netstat -na, performed on the Linux partition:

-bash-2.05b$ netstat -na
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:7000            0.0.0.0:*               LISTEN
tcp        0      0 x.x.36.45:443           0.0.0.0:*               LISTEN
tcp        0     36 127.0.2.1:7000          127.0.1.1:1139          ESTABLISHED
tcp        0    268 x.x.36.45:22            x.x.251.209:12299       ESTABLISHED
udp        0      0 0.0.0.0:32768           0.0.0.0:*
udp        0      0 0.0.0.0:161             0.0.0.0:*
udp        0      0 127.0.2.1:123           0.0.0.0:*
udp        0      0 x.x.36.45:123           0.0.0.0:*
udp        0      0 127.0.0.1:123           0.0.0.0:*
udp        0      0 0.0.0.0:123             0.0.0.0:*

Jonathan

3 Replies

Jonathan Grant
Level 1

Ok, so here is what I figured out...

I commented out the telnet line in the inetd.conf file; however, I couldn't figure out how to reload the conf file.  I tried this command without success: "/etc/inetd reload".  I did reboot the sensor, which ultimately reloaded the inetd.conf file.  When the sensor came back online, telnet was disabled.

I have 250+ sensors, so if anyone knows how to reload the /etc/inetd.conf file without rebooting the sensor, please let me know.  I can then write a script to go out to all the sensors to disable telnet.  Thank you.

Jonathan
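The procedure in the reply above (comment out the telnet line, then get inetd to re-read its configuration) as a script, added here and not part of the thread. It assumes the service account runs a classic inetd that reads /etc/inetd.conf and re-reads it on SIGHUP, which is standard inetd behaviour but should be confirmed on one sensor before rolling it out to 250. The sample inetd.conf in the test and the "--apply" switch are illustrative.

```shell
#!/bin/sh
# Added example (not from the original thread): disable the inetd telnet
# service and make inetd re-read its configuration without a reboot.
# Assumption: the sensor's service account runs a classic inetd that reads
# /etc/inetd.conf and reloads it on SIGHUP. Confirm on one sensor first.

# disable_inetd_telnet FILE
# Comment out every active "telnet" service line in FILE.
# Idempotent: lines that are already commented are left alone.
# Prints the number of lines it changed; returns 1 if the rewrite failed.
disable_inetd_telnet() {
    file="$1"
    tmp="$file.tmp.$$"
    # inetd.conf fields are whitespace-separated; match "telnet" only as the
    # leading service-name field so "telnets" or comment lines are skipped.
    changed=$(grep -c '^telnet[[:space:]]' "$file" || true)
    sed 's/^telnet\([[:space:]]\)/#telnet\1/' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    # write back through the existing inode so the file's mode bits survive
    cat "$tmp" > "$file" && rm -f "$tmp"
    echo "$changed"
}

# telnet_still_enabled FILE
# Returns 0 if an active telnet line remains in FILE, 1 otherwise.
# Use it as the post-change check rather than trusting the edit.
telnet_still_enabled() {
    grep -q '^telnet[[:space:]]' "$1"
}

# reload_inetd
# Send SIGHUP to the running inetd so it re-reads inetd.conf.
# Returns 1 (and touches nothing) if no inetd process is found.
reload_inetd() {
    pid=$(pidof inetd 2>/dev/null || ps -eo pid,comm | awk '$2 == "inetd" { print $1 }')
    [ -n "$pid" ] || { echo "inetd not running" >&2; return 1; }
    kill -HUP $pid
}

# Touch the live system only when explicitly asked, so the functions can be
# exercised against a copy of inetd.conf first.
if [ "$1" = "--apply" ]; then
    n=$(disable_inetd_telnet /etc/inetd.conf)
    echo "commented out $n telnet line(s)"
    reload_inetd
    # After the HUP, port 23 should be gone from the listener list; verify it.
    netstat -nat | grep -q ':23 .*LISTEN' && echo "WARNING: port 23 still listening" >&2
fi
```

Run it as "sh disable_telnet.sh --apply" from the service account on each sensor; without the switch it only defines the functions. The netstat check at the end is the point of the whole exercise: a script that edits the file but never confirms the listener went away is exactly how you end up with 250 sensors that still answer on port 23.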

Dustin Ralich
Cisco Employee

Hi Jonathan.

I recently discovered that my IPS sensors are listening for and accepting telnet traffic.  I looked at the configuration in the CLI, and it is disabled; however, when looking at the listening services via the Service account, I see that the sensor is indeed listening for telnet; please see below.

When Telnet is Disabled (which is also the default on modern versions of the sensor software), the sensor's firewall configuration includes a rule for dropping Telnet traffic:

-bash-2.05b# iptables -L INPUT -nv
Chain INPUT (policy DROP 0 packets, 0 bytes)
target     prot opt in     out     source               destination
DROP       tcp  --  ma0_0  *       0.0.0.0/0            0.0.0.0/0           tcp dpt:23
ACCEPT     all  --  ma0_0  *       0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  ma0_0  *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED

If Telnet is Enabled, then that specific rule is removed (allowing incoming Telnet traffic to reach the daemon):

-bash-2.05b# iptables -L INPUT -nv
Chain INPUT (policy DROP 0 packets, 0 bytes)
target     prot opt in     out     source               destination
ACCEPT     all  --  ma0_0  *       0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  ma0_0  *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED

NOTE: In the above examples, the sensor's configured access-list contained a single entry (access-list 0.0.0.0/0); the above outputs will vary depending on the sensor's access-list configuration, but the behavior still applies.
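An audit script for the situation the reply above describes, added here and not part of the thread: the daemon still listens on tcp/23, and what actually enforces "telnet-option: disabled" is the DROP rule for tcp dpt:23 in the INPUT chain. The script pairs the two views, reports the port as closed, filtered or open, and also checks rule order, since a DROP placed after a blanket ACCEPT on the same interface never sees the packet. Reading saved command output from files, the "--live" switch, and the shortened sample outputs (modelled on the pastes in this thread, with placeholder addresses) are assumptions so it runs offline; ma0_0 is the management interface name from the thread.

```shell
#!/bin/sh
# Added example (not from the original thread): audit a sensor's Telnet
# exposure by pairing what netstat shows (a listener on tcp/23) with what
# the iptables INPUT chain does about it (a DROP for tcp dpt:23 on the
# management interface, ma0_0 in this thread). Reading saved command output
# from files and the sample outputs below are assumptions for offline use.

# telnet_listening NETSTAT_FILE
# Returns 0 if "netstat -na" output in NETSTAT_FILE shows a TCP LISTEN socket
# on local port 23 (any address, tcp or tcp6).
telnet_listening() {
    awk '$1 ~ /^tcp/ && $4 ~ /:23$/ && $6 == "LISTEN" { found = 1 }
         END { exit !found }' "$1"
}

# telnet_dropped IPTABLES_FILE [IFACE]
# Returns 0 if "iptables -L INPUT -nv" output in IPTABLES_FILE has a
# "DROP tcp ... dpt:23" rule on IFACE (default ma0_0) that appears BEFORE any
# "ACCEPT all" rule on the same interface. Fields are matched by content, not
# by column, because -v prefixes pkts/bytes columns that pastes often trim.
telnet_dropped() {
    iface="${2:-ma0_0}"
    awk -v iface="$iface" '
        $0 ~ /(^|[ \t])DROP[ \t]+tcp[ \t]/ && $0 ~ ("[ \t]" iface "[ \t]") &&
            $0 ~ /dpt:23([ \t]|$)/ && !drop { drop = NR }
        $0 ~ /(^|[ \t])ACCEPT[ \t]+all[ \t]/ && $0 ~ ("[ \t]" iface "[ \t]") &&
            !accept { accept = NR }
        END { exit !(drop && (!accept || drop < accept)) }' "$1"
}

# telnet_exposure NETSTAT_FILE IPTABLES_FILE [IFACE]
# Prints one word: closed (nothing listens on 23), filtered (a listener exists
# but the firewall drops tcp/23 before accepting), or open (reachable).
telnet_exposure() {
    if ! telnet_listening "$1"; then
        echo closed
    elif telnet_dropped "$2" "$3"; then
        echo filtered
    else
        echo open
    fi
}

# Constructed samples, shortened from the thread's pastes with placeholder
# addresses, so the audit can be exercised without a sensor.
sample_netstat() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0    268 192.0.2.45:22           192.0.2.209:12299       ESTABLISHED
EOF
}
sample_iptables_telnet_disabled() {
cat <<'EOF'
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  ma0_0  *       0.0.0.0/0            0.0.0.0/0           tcp dpt:23
 1204 96320 ACCEPT     all  --  ma0_0  *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  ma0_0  *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
EOF
}
sample_iptables_telnet_enabled() {
cat <<'EOF'
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1204 96320 ACCEPT     all  --  ma0_0  *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  ma0_0  *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
EOF
}

# Run against the live sensor only when asked; exit 2 if Telnet is reachable.
if [ "$1" = "--live" ]; then
    netstat -na > /tmp/ns.$$ && iptables -L INPUT -nv > /tmp/ipt.$$
    result=$(telnet_exposure /tmp/ns.$$ /tmp/ipt.$$)
    rm -f /tmp/ns.$$ /tmp/ipt.$$
    echo "telnet: $result"
    [ "$result" != open ] || exit 2
fi
```

"filtered" is the expected answer on a sensor where the CLI says disabled; "open" means either the DROP rule is missing (telnet-option enabled) or it sits below an ACCEPT that matches first, and "closed" means the daemon itself is gone, which is what commenting out the inetd line achieves. Because the access-list changes the shape of the chain, check the result with a real connection attempt from outside the sensor as well.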

haivrajesh
Level 1

Check the access list. This will help you.

Rajeswar.
