Quick HOWTO : Ch16 : Telnet, TFTP, and xinetd - Linux Home ...



xinetd – Sample Telnet Installation

Introduction

Many network-enabled Linux applications don't handle access restrictions or binding to a particular TCP port themselves; instead they offload that work to a program suite made just for this purpose, xinetd. xinetd listens on the port, applies its own access controls, and starts the application only when a connection arrives.

Managing xinetd Programs

The xinetd RPM is installed by default in Fedora Linux and uses /etc/xinetd.conf as its main configuration file. You usually don't have to edit this file, so day-to-day xinetd operation is frequently limited to starting and stopping xinetd-managed applications.

Controlling xinetd

The starting and stopping of the xinetd daemon is controlled by scripts in the /etc/init.d directory, and its behavior at boot time is controlled by chkconfig.

You can start/stop/restart xinetd after booting by using the following commands:

[root@bigboy tmp]# service xinetd start

[root@bigboy tmp]# service xinetd stop

[root@bigboy tmp]# service xinetd restart

To get xinetd configured to start at boot you can use the chkconfig command.

[root@bigboy tmp]# chkconfig xinetd on

Controlling xinetd-Managed Applications

Xinetd-managed applications all store their configuration files in the /etc/xinetd.d directory. Each configuration file has a disable statement that you can set to yes or no; this governs whether xinetd is allowed to start the application. Note that xinetd treats a service as enabled unless its file explicitly says disable = yes.

You don't have to edit these files by hand to activate or deactivate an application. The chkconfig command does it for you and also tells xinetd to reload its configuration, so the application is made available or withdrawn immediately. Here is an example of the activation and deactivation of the Samba SWAT web GUI management application.

[root@bigboy tmp]# chkconfig swat on

[root@bigboy tmp]# chkconfig swat off

Telnet

Telnet is a program that allows users to log into your server and get a command prompt just as if they were logged in at the VGA console. On Fedora Linux the Telnet server is disabled by default, and depending on the release it may not even be installed (see Installing The Telnet Server Software, below).

One of the disadvantages of Telnet is that everything is sent as clear text. This means that anyone who can see the traffic with a network analyzer can read your username and password, and the whole session, straight out of the packets. A more secure method for remote logins is Secure Shell (SSH), which encrypts the entire session, credentials included.

In spite of this, the older Telnet application remains in use. Many network devices don't have SSH clients, making telnet the only means of reaching other devices and servers from them. I'll show you how to limit your exposure to Telnet's insecurities later in this chapter.

Using The Telnet Client

The command to do remote logins via telnet from the command line is simple. You enter the word telnet and then the IP address or server name to which you want to connect.

Here is an example of someone logging into a remote server named smallfry from server bigboy. The user looks at the routing table and then logs out.

[root@bigboy tmp]# telnet 192.168.1.105

Trying 192.168.1.105...

Connected to 192.168.1.105.

Escape character is '^]'.

Linux 2.4.18-14 (smallfry.my-) (10:35 on Sunday, 05 January 2003)

Login: peter

Password:

Last login: Fri Nov 22 23:29:44 on ttyS0

You have new mail.

[peter@smallfry peter]$

[peter@smallfry peter]$ netstat -nr

Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
255.255.255.255 0.0.0.0         255.255.255.255 UH     40 0      0    wlan0
192.168.1.0     0.0.0.0         255.255.255.0   U      40 0      0    wlan0
127.0.0.0       0.0.0.0         255.0.0.0       U      40 0      0    lo
0.0.0.0         192.168.1.1     0.0.0.0         UG     40 0      0    wlan0

[peter@smallfry peter]$ exit

logout

Connection closed by foreign host.

[root@bigboy tmp]#

Installing The Telnet Server Software

Older versions of RedHat had the Telnet server installed by default. Fedora Linux doesn't, so you will have to install it yourself.

When searching for the file, remember that the Telnet server RPM's filename usually starts with the word telnet-server followed by a version number as in telnet-server-0.17-28.i386.rpm.

Setting Up A Telnet Server

To set up a Telnet server use the chkconfig command to activate Telnet.

[root@bigboy tmp]# chkconfig telnet on

You can check that the Telnet service is now available with netstat, which lists the TCP/UDP ports on which your server is listening. Note that the listening socket belongs to xinetd, not to the Telnet server itself: in.telnetd is only started when a connection arrives, so it won't appear in the process list until someone logs in. If the service isn't enabled, the command produces no output.

[root@bigboy tmp]# netstat -a | grep telnet

tcp 0 0 *:telnet *:* LISTEN

[root@bigboy tmp]#

You can also use the chkconfig --list command to verify that telnet will be started on the next reboot.

[root@bigboy tmp]# chkconfig --list | grep telnet

telnet: on

[root@bigboy tmp]#

Stopping A Telnet Server

Use the chkconfig command to deactivate telnet. This takes effect immediately and also keeps telnet disabled after the next reboot.

[root@bigboy tmp]# chkconfig telnet off

Basic Telnet Security

There are a number of things you can do to reduce the risk of running telnet, though none of them makes it safe on an untrusted network; the real fix is to replace it with SSH. At a minimum, ensure that telnet sessions run only over trusted internal networks or across VPNs, so that the cleartext credentials never cross a path where they can be captured. Some other options follow.

Let Telnet Listen On Another TCP Port

Letting telnet run on an alternate TCP port doesn't encrypt the traffic, but it makes the service less likely to be found by casual scans of the standard port. Remember that this isn't a foolproof strategy: a port scanner with service detection (nmap -sV, for example) identifies telnet and other applications on any port from their banners, and in.telnetd announces the operating system in its login banner to every host that connects, as the session below shows.

1) Edit your /etc/services file and add an entry for a new service. Call it stelnet. The name is only a label; the service is still ordinary cleartext telnet, just on another port.

# Local services

stelnet 7777/tcp # "secure" telnet

2) Copy the telnet configuration file called /etc/xinetd.d/telnet and call it /etc/xinetd.d/stelnet:

[root@bigboy tmp]# cp /etc/xinetd.d/telnet /etc/xinetd.d/stelnet

3) Edit the new /etc/xinetd.d/stelnet file. Make the new service stelnet and add a port statement for TCP port 7777.

# default: on
# description: The telnet server serves telnet sessions
# unencrypted username/password pairs for authentication.
service stelnet
{
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        log_on_failure  += USERID
        disable         = no
        port            = 7777
}

4) Use chkconfig to activate stelnet.

[root@bigboy tmp]# chkconfig stelnet on

5) Check to make sure your server is now listening on port 7777 with the netstat command.

[root@bigboy tmp]# netstat -an | grep 777

tcp 0 0 0.0.0.0:7777 0.0.0.0:* LISTEN

[root@bigboy tmp]#

You should now be able to log in to the new stelnet server on port 7777. This is done using the telnet command with the TCP port as the second argument.

[root@smallfry tmp]# telnet 192.168.1.100 7777

Trying 192.168.1.100...

Connected to 192.168.1.100.

Escape character is '^]'.

Fedora Core release 2 (Tettnang)

Kernel 2.6.8-1.521 on an i686

login:

Let Telnet Allow Connections From Trusted Addresses

You can restrict telnet access to individual remote hosts by using the only_from keyword in the telnet configuration file. only_from accepts individual IP addresses, as in the example, as well as networks in CIDR form such as 192.168.1.0/24 and hostnames; xinetd also provides a complementary no_access keyword for addresses to refuse. Keep in mind that this is a filter on the source address only; it doesn't authenticate the remote host, and it doesn't protect the cleartext session from anyone on the path. Here's how.

1) Add a list of trusted servers to the /etc/xinetd.d/telnet file separated by spaces:

# default: on
# description: The telnet server serves telnet sessions
# unencrypted username/password pairs for authentication.
service telnet
{
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        log_on_failure  += USERID
        disable         = no
        only_from       = 192.168.1.100 127.0.0.1 192.168.1.200
}

2) Make xinetd re-read the telnet configuration. Turning the service off and on with chkconfig does this; restarting xinetd with service xinetd restart, as shown earlier in this chapter, works too.

[root@bigboy tmp]# chkconfig telnet off

[root@bigboy tmp]# chkconfig telnet on

3) Test the telnet session. Hosts that are not on the trusted list get the message Connection closed by foreign host, because xinetd accepts the TCP connection, checks the source address against only_from, and drops the connection before in.telnetd is ever started. xinetd logs the refused attempt, so rejected connections are visible in the system log.

[root@smallfry tmp]# telnet 192.168.1.100

Trying 192.168.1.100...

Connected to 192.168.1.100.

Escape character is '^]'.

Connection closed by foreign host.

[root@smallfry tmp]#
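The three settings this chapter relies on (disable, port and only_from in the /etc/xinetd.d files) are easy to get wrong by hand, and the stelnet copy in particular starts life with no only_from line at all. The following script is an added example, not part of the original HOWTO: it audits a directory of xinetd service files and reports, per service, whether it is enabled, which port it uses, and whether only_from limits who may connect. The three service files it writes are constructed for the example and mirror the telnet, stelnet and swat files discussed above; the directory is a temporary one, and the function names xinetd_attr, xinetd_audit and xinetd_unrestricted are my own. Point xinetd_audit at /etc/xinetd.d to run it against a real server.

```shell
#!/bin/sh
# Added example (not from the original HOWTO): audit xinetd service files and
# report enabled services, their port, and any only_from restriction.
# The three service files below are constructed sample input, written to a
# temporary directory so the script runs stand-alone.

XINETD_SAMPLE_DIR="$(mktemp -d)"
trap 'rm -rf "$XINETD_SAMPLE_DIR"' EXIT

# telnet on its default port (looked up in /etc/services), restricted with only_from
cat > "$XINETD_SAMPLE_DIR/telnet" <<'EOF'
# default: on
service telnet
{
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        log_on_failure  += USERID
        disable         = no
        only_from       = 192.168.1.100 127.0.0.1 192.168.1.200
}
EOF

# the "stelnet" copy on TCP 7777: enabled, but open to any source address
cat > "$XINETD_SAMPLE_DIR/stelnet" <<'EOF'
service stelnet
{
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        disable         = no
        port            = 7777
}
EOF

# SWAT, left disabled
cat > "$XINETD_SAMPLE_DIR/swat" <<'EOF'
service swat
{
        port            = 901
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/swat
        disable         = yes
}
EOF

# xinetd_attr FILE ATTR: print the value of "ATTR = value" (or "ATTR += value")
# from one service file, ignoring comments; prints nothing if ATTR is absent.
xinetd_attr() {
    awk -v attr="$2" '
        { line = $0; sub(/#.*/, "", line) }
        line ~ ("^[ \t]*" attr "[ \t]*\\+?=") {
            sub("^[ \t]*" attr "[ \t]*\\+?=[ \t]*", "", line)
            sub(/[ \t]+$/, "", line)
            print line
            exit
        }' "$1"
}

# xinetd_audit DIR: one line per service file:
#   <service> <enabled|disabled> <port or "default"> <only_from list or "ANY">
# xinetd treats a service as enabled unless it carries "disable = yes"; a
# missing port means the port comes from the service name in /etc/services.
xinetd_audit() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        name=$(awk '$1 == "service" { print $2; exit }' "$f")
        [ -n "$name" ] || continue
        if [ "$(xinetd_attr "$f" disable)" = "yes" ]; then
            state=disabled
        else
            state=enabled
        fi
        port=$(xinetd_attr "$f" port)
        [ -n "$port" ] || port=default
        from=$(xinetd_attr "$f" only_from)
        [ -n "$from" ] || from=ANY
        printf '%s %s %s %s\n' "$name" "$state" "$port" "$from"
    done
}

# xinetd_unrestricted DIR: names of enabled services with no only_from line,
# i.e. services that accept connections from any address. Fix these first.
xinetd_unrestricted() {
    xinetd_audit "$1" | awk '$2 == "enabled" && $4 == "ANY" { print $1 }'
}

xinetd_audit "$XINETD_SAMPLE_DIR"
echo "enabled with no only_from restriction:"
xinetd_unrestricted "$XINETD_SAMPLE_DIR"
```

On the sample files the audit lists stelnet as enabled on 7777 with no restriction, telnet as enabled with its three trusted addresses, and swat as disabled; only stelnet is reported by xinetd_unrestricted. The parser is deliberately simple (one attribute per line, comments stripped) which matches the files chkconfig writes; it does not evaluate xinetd's defaults block in /etc/xinetd.conf, so a global only_from there is not taken into account.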
