On the other hand, one could use a packet analyzer to search for a specific payload on the dest IP addr src 25. If it matches the telnet signature, then it will trigger an alert to the firewall to block the offending src for a specified time.
Tools:
SNORT - network/host based intrusion detection (packet analyzer to match the signature) $ 0
SNORTSAM - plugin to pass the alert to a CHECKPOINT FW-1 firewall $ 0
FW-1 $shitload

As for any other FW software, I do not have an answer.

-----Original Message-----
From: Benjamin Scott [mailto:[EMAIL PROTECTED]]
Posted At: Tuesday, October 23, 2001 1:11 PM
Posted To: MS Exchange Mailing List
Conversation: Disabling telnet sessions to ports 25, 110...
Subject: RE: Disabling telnet sessions to ports 25, 110...

On Tue, 23 Oct 2001, Walden H. Leverich wrote:
> I know this wouldn't be easy, but what if you wrote a proxy server for
> port 25. That proxy server would look to see if it was receiving one
> character at a time (implying telnet) or one line at a time (implying
> another SMTP server).

Okay, let me try to kill this misconception once again. :-)

There is a protocol called "Telnet", described in RFC-845 and RFC-855. It describes a "network teletype".

There is also a program called "Telnet". It implements the protocol described in RFC-845 and RFC-855.

The program called "Telnet" has a second mode of operation. If you pass a TCP port number as the second argument, instead of opening a Telnet connection, it opens a raw TCP connection to the host specified by the first argument. This connection *IS NOT* the Telnet protocol. It is simply one end of a TCP stream. When operating in this mode, the program is indistinguishable from any other TCP program -- such as an SMTP client.

When one speaks of "telneting to port 25", they really mean, "using the 'Telnet' program to open a raw TCP connection to port 25". You cannot block this, any more than you can block just Outlook Express version 5.00.2615.200 from connecting to TCP port 25.

Sorry, folks. :-)

--
Ben Scott <[EMAIL PROTECTED]>
| The opinions expressed in this message are those of the author and do not |
| necessarily represent the views or policy of any other person, entity or  |
| organization.  All information is provided without warranty of any kind.  |

_________________________________________________________________
List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
Archives: http://www.swynk.com/sitesearch/search.asp
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin: [EMAIL PROTECTED]
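Added example, not part of the original messages: a small Python parser for Telnet protocol commands (IAC sequences), run over constructed byte streams, to show what a content signature on port 25 can and cannot see. The streams and host names are made up, and the hand-typed session is assumed to carry no option negotiation, as the quoted message describes for the program's raw TCP mode.

```python
# Added example. All byte streams below are constructed, not captured traffic.
IAC, SB, SE = 0xFF, 0xFA, 0xF0
NEGOTIATE = {0xFB: "WILL", 0xFC: "WONT", 0xFD: "DO", 0xFE: "DONT"}

def split_telnet(stream: bytes):
    """Split a client byte stream into (telnet_commands, application_data)."""
    commands, data = [], bytearray()
    i = 0
    while i < len(stream):
        if stream[i] != IAC:
            data.append(stream[i])
            i += 1
            continue
        if i + 1 >= len(stream):
            break                                  # capture ends inside a command
        cmd = stream[i + 1]
        if cmd == IAC:                             # IAC IAC is an escaped 0xFF data byte
            data.append(IAC)
            i += 2
        elif cmd in NEGOTIATE:                     # IAC WILL/WONT/DO/DONT <option>
            if i + 2 >= len(stream):
                break
            commands.append((NEGOTIATE[cmd], stream[i + 2]))
            i += 3
        elif cmd == SB:                            # IAC SB <option> ... IAC SE
            end = stream.find(bytes([IAC, SE]), i + 2)
            if end == -1:
                break
            commands.append(("SB", stream[i + 2]))
            i = end + 2
        else:                                      # two-byte command such as NOP or AYT
            commands.append(("CMD", cmd))
            i += 2
    return commands, bytes(data)

def has_telnet_signature(stream: bytes) -> bool:
    """True only if the stream contains Telnet protocol commands."""
    return bool(split_telnet(stream)[0])

# Telnet protocol client: WILL TERMINAL-TYPE (24), WILL NAWS (31), then data.
TELNET_PROTOCOL = b"\xff\xfb\x18\xff\xfb\x1f" + b"guest\r\n"
# An SMTP client talking to port 25.
SMTP_CLIENT = b"HELO mail.example.org\r\nMAIL FROM:<a@example.org>\r\nQUIT\r\n"
# Assumption: the same commands typed into the Telnet program in raw TCP mode.
TYPED_VIA_TELNET_PROGRAM = b"HELO mail.example.org\r\nMAIL FROM:<a@example.org>\r\nQUIT\r\n"

if __name__ == "__main__":
    for name in ("TELNET_PROTOCOL", "SMTP_CLIENT", "TYPED_VIA_TELNET_PROGRAM"):
        print(name, has_telnet_signature(globals()[name]))
```

Only the first stream contains anything a Telnet-protocol signature could match; the other two are byte-for-byte the same SMTP dialogue.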

