08-17-2011 08:13 AM - edited 03-10-2019 05:27 AM
To whom it may concern,
Good day, I hope your week is going well. I recently discovered that my IPS sensors are listening for and accepting telnet traffic. I looked at the configuration in the CLI, and it is disabled; however, when looking at the listening services via the Service account, I see that the sensor is indeed listening for telnet; please see below.
Does anyone know how to disable telnet? Do I need to modify the \etc\inetd.conf file in the Service account and then reload inetd to take effect? Thanks.
Telnet Disabled by default in the CLI:
sensor(config-hos-net)# show settings
network-settings
-----------------------------------------------
host-ip: x.x.36.45/24,x.x.36.3 default: x.x.1.2/24,x.x.1.1
host-name: sensor default: sensor
telnet-option: disabled default: disabled
Telnet listening for telnet per netstat –na performed on the Linux partition:
-bash-2.05b$ netstat -na
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:23 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:7000 0.0.0.0:* LISTEN
tcp 0 0 x.x.36.45:443 0.0.0.0:* LISTEN
tcp 0 36 127.0.2.1:7000 127.0.1.1:1139 ESTABLISHED
tcp 0 268 x.x.36.45:22 x.x.251.209:12299 ESTABLISHED
udp 0 0 0.0.0.0:32768 0.0.0.0:*
udp 0 0 0.0.0.0:161 0.0.0.0:*
udp 0 0 127.0.2.1:123 0.0.0.0:*
udp 0 0 x.x.36.45:123 0.0.0.0:*
udp 0 0 127.0.0.1:123 0.0.0.0:*
udp 0 0 0.0.0.0:123 0.0.0.0:*
Jonathan
08-17-2011 08:43 AM
Ok, so here is what I figured out...
I commented out the telnet line in the inetd.conf file; however, I couldn't figure out how to reload the conf file. I tried this command without success: "/etc/inetd reload". I did reboot the sensor, which ultimately reloaded the inetd.conf file. When the sensor came back online, telnet was disabled.
I have 250+ sensors, so if anyone knows how to reload the /etc/inetd.conf file without rebooting the sensor, please let me know. I can then write a script to go out to all the sensors to disable telnet. Thank you.
Jonathan
08-17-2011 09:57 AM
Hi Jonathan.
> I recently discovered that my IPS sensors are listening for and accepting telnet traffic. I looked at the configuration in the CLI, and it is disabled; however, when looking at the listening services via the Service account, I see that the sensor is indeed listening for telnet; please see below.
When Telnet is Disabled (which is also the default on modern versions of the sensor software), the sensor's firewall configuration includes a rule for dropping Telnet traffic:
-bash-2.05b# iptables -L INPUT -nv
Chain INPUT (policy DROP 0 packets, 0 bytes)
target prot opt in out source destination
DROP tcp -- ma0_0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:23
ACCEPT all -- ma0_0 * 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- ma0_0 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
If Telnet is Enabled, then that specific rule is removed (allowing incoming Telnet traffic to reach the daemon):
-bash-2.05b# iptables -L INPUT -nv
Chain INPUT (policy DROP 0 packets, 0 bytes)
target prot opt in out source destination
ACCEPT all -- ma0_0 * 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- ma0_0 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
NOTE: In the above examples, the sensor's configured access-list contained a single entry (access-list 0.0.0.0/0); the above outputs will vary depending on the sensor's access-list configuration, but the behavior still applies.
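The point of the reply above is that a LISTEN socket in netstat does not by itself mean the port is reachable, because the INPUT chain decides first. The following is an added example, not part of the thread and not Cisco code: it reads saved `netstat -na` and `iptables -L INPUT -nv` output and reports which listening TCP ports a new connection can actually reach. The sample outputs are constructed on the model of the ones in this thread, and the function names are hypothetical.

```python
import re

# Constructed samples modelled on the outputs in this thread (addresses are placeholders).
NETSTAT = """\
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:23 0.0.0.0:* LISTEN
tcp 0 36 127.0.2.1:7000 127.0.1.1:1139 ESTABLISHED
"""
RULES_ENABLED = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
target prot opt in out source destination
ACCEPT all -- ma0_0 * 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- ma0_0 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
"""
TELNET_DROP = "DROP tcp -- ma0_0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:23\n"  # first rule when Telnet is disabled
RULES_DISABLED = RULES_ENABLED.replace("destination\n", "destination\n" + TELNET_DROP)

def listening_tcp_ports(netstat_text):
    """TCP ports in LISTEN state on a non-loopback address."""
    rows = map(str.split, netstat_text.splitlines())
    return {int(f[3].rpartition(":")[2]) for f in rows
            if len(f) >= 6 and f[0] == "tcp" and f[5] == "LISTEN" and not f[3].startswith("127.")}

def verdict(rules_text, port, proto="tcp"):
    """First-match INPUT verdict for a NEW connection to proto/port (interface column ignored)."""
    policy = re.search(r"\(policy (\w+)", rules_text)
    for f in map(str.split, rules_text.splitlines()):
        # Locate the target column; `-v` output has pkts/bytes columns in front of it.
        i = next((n for n, t in enumerate(f) if t in ("ACCEPT", "DROP", "REJECT")), None)
        if i is None or f[0] == "Chain" or len(f) < i + 7 or f[i + 1] not in (proto, "all"):
            continue
        extra = f[i + 7:]
        dpt = [t[4:] for t in extra if t.startswith("dpt:")]
        if dpt and dpt[0] != str(port):
            continue  # rule is for a different destination port
        if "state" in extra and "NEW" not in extra[extra.index("state") + 1].split(","):
            continue  # RELATED,ESTABLISHED never admits a new connection
        if f[i] != "ACCEPT" and f[i + 5] != "0.0.0.0/0":
            continue  # a DROP for only some sources does not close the port for all
        return f[i]
    return policy.group(1) if policy else "DROP"  # assumption: fail closed if no policy line

def exposed_ports(netstat_text, rules_text):
    """Listening TCP ports that new inbound connections can actually reach."""
    return sorted(p for p in listening_tcp_ports(netstat_text) if verdict(rules_text, p) == "ACCEPT")

if __name__ == "__main__":
    print("telnet disabled:", exposed_ports(NETSTAT, RULES_DISABLED))
    print("telnet enabled: ", exposed_ports(NETSTAT, RULES_ENABLED))
```

Run over output collected from each sensor, this separates sensors where port 23 is merely bound from those where the DROP rule is missing.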
08-19-2011 01:28 PM
Check the Access list. This will help you.
Rajeswar.