08-17-2011 08:13 AM - edited 03-10-2019 05:27 AM
To whom it may concern,
Good day, I hope your week is going well. I recently discovered that my IPS sensors are listening for and accepting telnet traffic. I looked at the configuration in the CLI, and it is disabled; however, when looking at the listening services via the Service account, I see that the sensor is indeed listening for telnet; please see below.
Does anyone know how to disable telnet? Do I need to modify the /etc/inetd.conf file in the Service account and then reload inetd to take effect? Thanks.
Telnet Disabled by default in the CLI:
sensor(config-hos-net)# show settings
network-settings
-----------------------------------------------
host-ip: x.x.36.45/24,x.x.36.3 default: x.x.1.2/24,x.x.1.1
host-name: sensor default: sensor
telnet-option: disabled default: disabled
Sensor listening for telnet per netstat -na performed on the Linux partition:
-bash-2.05b$ netstat -na
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:23 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:7000 0.0.0.0:* LISTEN
tcp 0 0 x.x.36.45:443 0.0.0.0:* LISTEN
tcp 0 36 127.0.2.1:7000 127.0.1.1:1139 ESTABLISHED
tcp 0 268 x.x.36.45:22 x.x.251.209:12299 ESTABLISHED
udp 0 0 0.0.0.0:32768 0.0.0.0:*
udp 0 0 0.0.0.0:161 0.0.0.0:*
udp 0 0 127.0.2.1:123 0.0.0.0:*
udp 0 0 x.x.36.45:123 0.0.0.0:*
udp 0 0 127.0.0.1:123 0.0.0.0:*
udp 0 0 0.0.0.0:123 0.0.0.0:*
Jonathan
08-17-2011 08:43 AM
Ok, so here is what I figured out...
I commented out the telnet line in the inetd.conf file; however, I couldn't figure out how to reload the conf file. I tried this command without success: "/etc/inetd reload". I did reboot the sensor, which ultimately reloaded the inetd.conf file. When the sensor came back online, telnet was disabled.
I have 250+ sensors, so if anyone knows how to reload the /etc/inetd.conf file without rebooting the sensor, please let me know. I can then write a script to go out to all the sensors to disable telnet. Thank you.
Jonathan
08-17-2011 09:57 AM
Hi Jonathan.
I recently discovered that my IPS sensors are listening for and accepting telnet traffic. I looked at the configuration in the CLI, and it is disabled; however, when looking at the listening services via the Service account, I see that the sensor is indeed listening for telnet; please see below.
When Telnet is Disabled (which is also the default on modern versions of the sensor software), the sensor's firewall configuration includes a rule for dropping Telnet traffic:
-bash-2.05b# iptables -L INPUT -nv
Chain INPUT (policy DROP 0 packets, 0 bytes)
target prot opt in out source destination
DROP tcp -- ma0_0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:23
ACCEPT all -- ma0_0 * 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- ma0_0 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
If Telnet is Enabled, then that specific rule is removed (allowing incoming Telnet traffic to reach the daemon):
-bash-2.05b# iptables -L INPUT -nv
Chain INPUT (policy DROP 0 packets, 0 bytes)
target prot opt in out source destination
ACCEPT all -- ma0_0 * 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- ma0_0 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
NOTE: In the above examples, the sensor's configured access-list contained a single entry (access-list 0.0.0.0/0); the above outputs will vary depending on the sensor's access-list configuration, but the behavior still applies.
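An added audit helper (not code from the thread or from Cisco) that applies the check described in this reply: it parses a sensor's `netstat -na` and `iptables -L INPUT -nv` output and reports whether telnet, although still listening, is actually dropped by the firewall. It assumes the management interface is ma0_0 as in the outputs above, and its sample inputs are constructed from those outputs; it also checks rule order, since a DROP placed after a broad ACCEPT would never fire.

```python
# Constructed samples, trimmed from the thread: with telnet-option disabled, inetd
# still LISTENs on tcp/23, but the INPUT chain drops tcp dpt:23 on ma0_0.
NETSTAT_SAMPLE = """\
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:23 0.0.0.0:* LISTEN
"""
IPTABLES_DISABLED = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
target prot opt in out source destination
DROP tcp -- ma0_0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:23
ACCEPT all -- ma0_0 * 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- ma0_0 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
"""
IPTABLES_ENABLED = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
ACCEPT all -- ma0_0 * 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- ma0_0 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
"""

def telnet_listening(netstat_out):
    """True if a tcp socket is in LISTEN state on port 23 (e.g. 0.0.0.0:23)."""
    for line in netstat_out.splitlines():
        f = line.split()
        if len(f) >= 6 and f[0].startswith("tcp") and f[3].endswith(":23") and f[5] == "LISTEN":
            return True
    return False

def _rule_covers_telnet(f):
    """Would this 'iptables -L -nv' rule match a new inbound TCP connection to port 23?"""
    if f[1] not in ("tcp", "all") or "state" in f:  # RELATED,ESTABLISHED never matches a new SYN
        return False
    dpts = [t for t in f if t.startswith("dpt:")]
    return not dpts or "dpt:23" in dpts

def telnet_dropped(iptables_out, iface="ma0_0"):
    """True if telnet is dropped on iface: the first matching rule decides, else the chain policy."""
    policy_drop = False
    for line in iptables_out.splitlines():
        f = line.split()
        if f and f[0] == "Chain":
            policy_drop = "(policy" in f and f[f.index("(policy") + 1] == "DROP"
        elif len(f) >= 7 and f[0] in ("DROP", "ACCEPT") and f[3] in (iface, "*") and _rule_covers_telnet(f):
            return f[0] == "DROP"
    return policy_drop

def audit(netstat_out, iptables_out, iface="ma0_0"):
    # One-line verdict per sensor, suitable for collecting across a fleet.
    if not telnet_listening(netstat_out):
        return "telnet not listening"
    if telnet_dropped(iptables_out, iface):
        return "telnet listening but blocked by iptables DROP"
    return "telnet REACHABLE: listening and no iptables DROP"
```

Feed it the two command outputs captured from each sensor's Service account and collect the verdicts; any "REACHABLE" line is a sensor where the firewall rule is missing or misordered.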
08-19-2011 01:28 PM
Check the access list. This will help you.
Rajeswar.