Hiya all,
Apologies for a slightly off-topic question - it does have to do with
security, though not (directly) firewalls.
I'm busily setting up a small network that will use non-routable IPs -
probably five boxes behind a gateway with a real IP. None of the
machines will be able to see the internet, ever - and the internet won't
be able to see any of them, either - at least not directly.
The problem I'm facing is how to allow telnet access THROUGH the
gateway to the internal machines, with the absolute MAXIMUM security
possible. What I've decided to do is lock down the gateway machine
ENTIRELY, no outgoing connections, and only incoming ssh connections
accepted. From there, the user's shell will be set to /usr/bin/telnet,
with the only possible connections being the machines on the internal
network. I've tested this VERY briefly - it works, and even displays
the motd; so users will know the names of the machines to telnet to.
Security is so incredibly crucial in this project - I can't express
it. Am I missing something large or small here? If someone were to
gain access to the gateway box (the only user to have a non-telnet shell
will be root, and then only from an attached dumb terminal) the project
would probably be compromised past saving. After the user is inside,
packet sniffing becomes less of an issue - but it should be as near to
impenetrable from the outside as possible.
The issue I have is that, while I use it daily, I really don't have
thorough knowledge of the 'telnet' program itself. There's a load of
things it can do! Am I risking anything doing this? Are there any
common exploits that allow someone at a "telnet>" prompt to read or
write files, etc? I'm not so worried about spawning a shell, as that
SHOULD be only spawning the user's default shell, which is
/usr/bin/telnet. :)
I'm not looking for source to exploits, nor "This is how you hack
it..." - if anyone knows of anything along these lines, I'm more looking
for "Users can write or read to a file using the <something> function;
disable it.".
Again, sincere apologies for the off-topic nature - the machine WILL be
a firewall, so it's not straying so far, and I didn't offer to sell
anyone a Merchant account... ;)
Cheers,
- Drew.
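For the setup Drew describes, here is an added example (not from the thread) of a restricted login shell that replaces a bare /usr/bin/telnet as the users' shell: it lets the user pick only an allow-listed internal host, hands telnet that host on its command line, and disables the escape character so the "telnet>" prompt, which offers local commands, is never reachable. Host names, addresses and the script name are hypothetical; the -E flag is assumed to be available on the gateway's telnet client.

```shell
#!/bin/sh
# telnet-gate: restricted login shell for the gateway box.  The only action a
# logged-in user can take is to open a telnet session to an allow-listed
# internal host; they never reach a shell or the "telnet>" command prompt.
# Constructed example; host names and addresses are hypothetical.

# Allow-list: name=address pairs for the internal machines (hypothetical).
ALLOWED_HOSTS="alpha=10.0.0.11 beta=10.0.0.12 gamma=10.0.0.13"

# Print the address for a host name that is on the allow-list, else return 1.
# Exact matching means option-like input ("-l root") or an arbitrary address
# typed by the user can never be handed to telnet.
allowed_host() {
    for entry in $ALLOWED_HOSTS; do
        if [ "${entry%%=*}" = "$1" ]; then
            printf '%s\n' "${entry#*=}"
            return 0
        fi
    done
    return 1
}

# Compose the client command line.  The host is given on the command line so
# telnet connects immediately instead of presenting its prompt, and -E (assumed
# to exist on the gateway's telnet client, as in netkit/BSD telnet) stops any
# character from acting as the escape that would drop the user to "telnet>".
telnet_cmd() {
    addr=$(allowed_host "$1") || return 1
    printf 'telnet -E %s\n' "$addr"
}

# Interactive session: show the menu, read one name, replace this process.
run_gateway() {
    echo "Internal hosts: $(printf '%s\n' $ALLOWED_HOSTS | sed 's/=.*//' | tr '\n' ' ')"
    printf 'Connect to: '
    IFS= read -r choice || exit 1
    addr=$(allowed_host "$choice") || { echo 'Unknown host.' >&2; exit 1; }
    exec telnet -E "$addr"       # no return: when telnet ends, the login ends
}

# sshd runs a login shell with argv[0] starting with "-" (e.g. "-telnet-gate");
# a remote command arrives as "telnet-gate -c cmd" and is refused outright.
case $0 in
    -*) run_gateway ;;
    *)  [ $# -eq 0 ] || { echo "$0: commands are not permitted" >&2; exit 1; } ;;
esac
```

Install it as the users' login shell in place of /usr/bin/telnet; because the host is never typed free-form and the escape character is off, the only state the user can reach is a connected session or a closed login.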