Use ssh (ssh2 homepage at http://www.ssh.fi) to replace telnet.
Download it from http://metalab.unc.edu/pub/packages/security/ssh
/Vince
> -----Original Message-----
> From: Drew Smith [SMTP:[EMAIL PROTECTED]]
> Sent: Tuesday, September 07, 1999 4:01 PM
> To: [EMAIL PROTECTED]
> Subject: OT: telnet question...
>
>
> Hiya all,
>
> Apologies for a slightly off-topic question - it does have to do with
> security, though not (directly) firewalls.
>
> I'm busily setting up a small network that will use non-routable IPs -
> probably five boxes behind a gateway with a real IP. None of the
> machines will be able to see the internet, ever - and the internet won't
> be able to see any of them, either - at least not directly.
>
> The problem I'm facing is how to allow telnet access THROUGH the
> gateway to the internal machines, with the absolute MAXIMUM security
> possible. What I've decided to do is lock down the gateway machine
> ENTIRELY, no outgoing connections, and only incoming ssh connections
> accepted. From there, the user's shell will be set to /usr/bin/telnet,
> with the only possible connections being the machines on the internal
> network. I've tested this VERY briefly - it works, and even displays
> the motd; so users will know the names of the machines to telnet to.
>
> Security is so incredibly crucial in this project - I can't express
> it. Am I missing something large or small here? If someone were to
> gain access to the gateway box (the only user to have a non-telnet shell
> will be root, and then only from an attached dumb terminal) the project
> would probably be compromised past saving. After the user is inside,
> packet sniffing becomes less of an issue - but it should be as near to
> impenetrable from the outside as possible.
>
> The issue I have is that, while I use it daily, I really don't have
> thorough knowledge of the 'telnet' program itself. There's a load of
> things it can do! Am I risking anything doing this? Are there any
> common exploits that allow someone at a "telnet>" prompt to read or
> write files, etc? I'm not so worried about spawning a shell, as that
> SHOULD be only spawning the user's default shell, which is
> /usr/bin/telnet. :)
>
> I'm not looking for source to exploits, nor "This is how you hack
> it..." - if anyone knows of anything along these lines, I'm more looking
> for "Users can write or read to a file using the <something> function;
> disable it.".
>
> Again, sincere apologies for the off-topic nature - the machine WILL be
> a firewall, so it's not straying so far, and I didn't offer to sell
> anyone a Merchant account... ;)
>
> Cheers,
> - Drew.
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]