-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Given that you can detect the telnet options, is there any way of
setting up a 'telnet-smtp' service in FW-1? Admittedly, not all
telnet connections to SMTP are intrusion attempts, but I can't think
of anyone I want to give telnet access to my mail server (apart from
myself). Nine out of ten telnet connections WILL be someone trying to
get information to prepare an attack. I'd like to block these
connections if possible, and I'm sure most admins would, if not be
able to report on them...


Kind Regards,

Craig Little  BSc, CPD, CPI, SCJP, CCSA, CCSE
Inter-Networking / Security Consultant

Shell Services International

Phone:          +64 4 462 4661
Fax:            +64 4 463 4060
Mobile: +64 21 37 5858
mailto:[EMAIL PROTECTED]
http://www.shellservices.com



- -----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 24 August 2000 2:42 p.m.
To: [EMAIL PROTECTED]
Subject: Re: SMTP servers




On 08/23/2000 at 22:47:01 ZE2, mouss <[EMAIL PROTECTED]> wrote:
> There is nothing that a firewall can use to distinguish a
> "normal" client from a guy who telnets to the
> port, for the simple reason that both are exactly the same thing.

There are at least two ways that an smtp server can suspect that a
connection has been made from a telnet client.  One has been mentioned by
others: the amount of data in each packet and the timing of the packets.

The other is even more obvious.  Most, if not all, telnet clients will
attempt to perform telnet option negotiation at the beginning of a
connection.  These tcp options will not be present in a normal mail
connection.  Here is a trace of the first packet where the client was using
the (crufty) W95 telnet command:

IP header breakdown:
        < SRC =        9.1.68.5 >  (trallt.almaden.ibm.com)
        < DST =       9.1.10.30 >  (k85b.almaden.ibm.com)
        ip_v=4, ip_hl=20, ip_tos=52, ip_len=64, ip_id=656, ip_off=0DF
        ip_ttl=125, ip_sum=9acf, ip_p = 6 (TCP)
TCP header breakdown:
        <source port=3762, destination port=25(smtp) >
        th_seq=27b65d1, th_ack=0
        th_off=11, flags<SYN>
        th_win=5840, th_sum=47f5, th_urp=0
                mss 1460
                nop
                wscale 0
                nop
                nop
                opt-8:00000000     0a000000 00000000   |........|
                eol
                nop
                nop
                opt-4:          mss 0 [len 0]

Everything after the "mss 1460" would not be present when using a normal
smtp client.  These are telnet options; the smtp server is going to
completely ignore these unless it is trying to detect that a telnet client
made the connection.

So there are ways to do it, but what's the point?  There's nothing wrong
with sending mail with telnet.  I do it fairly often.  I may be on a
machine that doesn't have a real mail client, I may want to see the smtp
messages that are being issued by the server, whatever.  This isn't an
"intrusion" attempt, although a firewall admin may have some interest in
making note of it.

Besides, we found that the originator of this thread was really just trying
to ensure that undesired mail relaying couldn't happen.  As he later
discovered, the use of telnet doesn't make this any more possible than it
is with a normal mail client.

Tony Rall


- -
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBOaP0dckKSVawnurJEQK3nwCg8ug/pQOBTLPUhRj/8ejmT9YHNS0An2GF
BTNeHsVqzQPwXc1+IWFvt0vL
=ajm4
-----END PGP SIGNATURE-----
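The two signals Tony describes can both be checked on the server (or on a proxy such as a firewall SMTP security server) by looking at what the client sends. Telnet option negotiation is carried in the client's data stream as RFC 854 IAC sequences: the byte 0xFF followed by WILL/WONT/DO/DONT and an option code, or an SB ... SE subnegotiation. An MTA's first bytes are an ASCII HELO/EHLO line and never contain 0xFF. The block below is an added example written for this page, not code from the thread or from FW-1: it strips and records any telnet negotiation from the opening bytes of a connection, classifies the stream, and applies the packet-size/timing heuristic from the first point. The sample streams and segment timings at the bottom are constructed for the example; the 0.8 ratios and the 50 ms gap are assumed thresholds, not measured values.

```python
"""Heuristics an SMTP server or proxy can apply to decide whether the peer
is an interactive telnet session rather than a mail transfer agent.

Added example, not code from the thread.  Two signals from the discussion:
  1. Telnet option negotiation: RFC 854 IAC sequences (0xFF followed by
     WILL/WONT/DO/DONT and an option byte, or SB ... SE) in the client's
     data stream.  Real SMTP clients send ASCII commands only.
  2. Interactive typing: many tiny segments with human-scale gaps between
     them, rather than one segment carrying "EHLO host\r\n".
The sample inputs at the bottom are constructed for this example.
"""
from __future__ import annotations

from dataclasses import dataclass

IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240
NEGOTIATION = {WILL: "WILL", WONT: "WONT", DO: "DO", DONT: "DONT"}
SMTP_VERBS = (b"HELO", b"EHLO", b"LHLO", b"STARTTLS", b"QUIT", b"NOOP", b"RSET")


@dataclass
class Verdict:
    negotiations: list[tuple[str, int]]   # e.g. ("DO", 1) means DO ECHO
    payload: bytes                        # stream with IAC sequences removed
    kind: str                             # "telnet", "smtp" or "unknown"


def strip_telnet(data: bytes) -> tuple[list[tuple[str, int]], bytes]:
    """Split a client byte stream into telnet negotiations and the rest."""
    negs: list[tuple[str, int]] = []
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if b != IAC:
            out.append(b)
            i += 1
            continue
        if i + 1 >= len(data):
            break                         # truncated IAC at end of buffer
        cmd = data[i + 1]
        if cmd == IAC:                    # IAC IAC is an escaped 0xFF data byte
            out.append(IAC)
            i += 2
        elif cmd in NEGOTIATION and i + 2 < len(data):
            negs.append((NEGOTIATION[cmd], data[i + 2]))
            i += 3
        elif cmd == SB:                   # subnegotiation: IAC SB opt ... IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            if end < 0:
                break                     # unterminated subnegotiation
            negs.append(("SB", data[i + 2]))
            i = end + 2
        else:
            i += 2                        # two-byte command (NOP, AYT, ...)
    return negs, bytes(out)


def classify(data: bytes) -> Verdict:
    """Label the opening bytes of a connection on port 25."""
    negs, payload = strip_telnet(data)
    if negs:
        kind = "telnet"
    elif payload.upper().startswith(SMTP_VERBS):
        kind = "smtp"
    else:
        kind = "unknown"
    return Verdict(negs, payload, kind)


def looks_interactive(segments: list[tuple[float, int]],
                      max_bytes: int = 2, min_gap: float = 0.05) -> bool:
    """Timing heuristic over (timestamp, payload_length) of client segments.
    A human typing sends one or two bytes per segment with tens of ms or
    more between them; an MTA sends whole lines in single segments.
    Thresholds are assumptions chosen for the example."""
    if len(segments) < 4:
        return False
    tiny = sum(1 for _, n in segments if 0 < n <= max_bytes)
    gaps = [b[0] - a[0] for a, b in zip(segments, segments[1:])]
    slow = sum(1 for g in gaps if g >= min_gap)
    return tiny >= 0.8 * len(segments) and slow >= 0.8 * len(gaps)


# Constructed samples: a telnet client negotiating ECHO, TERMINAL-TYPE and
# NAWS before the operator types HELO, versus an MTA's opening line.
TELNET_SAMPLE = bytes([IAC, DO, 1, IAC, WILL, 24, IAC, WILL, 31]) + b"HELO x\r\n"
MTA_SAMPLE = b"EHLO mail.example.net\r\n"
TYPED_SEGMENTS = [(0.00, 1), (0.21, 1), (0.40, 1), (0.65, 1), (0.90, 2)]
MTA_SEGMENTS = [(0.000, 23), (0.001, 30), (0.002, 25), (0.003, 6)]

if __name__ == "__main__":
    for sample in (TELNET_SAMPLE, MTA_SAMPLE):
        v = classify(sample)
        print(v.kind, v.negotiations, v.payload)
    print("typed:", looks_interactive(TYPED_SEGMENTS))
    print("mta:", looks_interactive(MTA_SEGMENTS))
```

A proxy that wants only to report, as Craig asks, can log the `negotiations` list and the source address and pass the cleaned `payload` through unchanged; one that wants to block can close the session once `kind` is "telnet". The IAC check is exact, while the timing heuristic is statistical and should only raise the log level, not drop a connection on its own.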
