Re: [OT] Detecting telnet?
On Jun 10, 2010, at 9:19 PM, Victor Duchovni wrote:

> On Thu, Jun 10, 2010 at 11:31:49PM +0200, Ralf Hildebrandt wrote:
>
>> I heard that there are firewalls/security appliances that supposedly can distinguish somebody using telnet from a machine speaking SMTP.
>>
>> I must admit, it sounds feasible (timing between keystrokes etc.), but little useful.
>>
>> Anyway. Is there such a thing? Does anybody use such a thing?
>
> Why do you want to discriminate against telnet 25? Administrators of sites that want to trouble-shoot connectivity issues with your server will use telnet 25 from time to time. There is no need to block this, it is by far the least likely source of any significant spam volume...

Certainly agree. If someone IS doing it ... they have a really good reason. And you would do WELL to make it reasonably easy for them.

I had to do it the other day to figure out what was going wrong with a certain hard to debug subsystem.

Aloha,
Michael.
-- 
Please have your Internet License http://kapu.net/~mjwise/ and Usenet Registration handy...
Re: [OT] Detecting telnet?
* Victor Duchovni victor.ducho...@morganstanley.com:

> > Anyway. Is there such a thing? Does anybody use such a thing?
>
> Why do you want to discriminate against telnet 25?

What do I know? I don't do this nonsense :) I'm just asking

> Administrators of sites that want to trouble-shoot connectivity issues with your server will use telnet 25 from time to time. There is no need to block this, it is by far the least likely source of any significant spam volume...

Indeed. There are faster methods.

-- 
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebra...@charite.de | http://www.charite.de
Re: [OT] Detecting telnet?
Ralf Hildebrandt wrote (on Fri, Jun 11, 2010 at 09:57:42AM +0200):

> > Administrators of sites that want to trouble-shoot connectivity issues with your server will use telnet 25 from time to time. There is no need to block this, it is by far the least likely source of any significant spam volume...
>
> Indeed. There are faster methods.

Kinda reminds me of the Donald Westlake story, which described a fine-arts painter who took to counterfeiting $20s; the Secret Service let him go with a slap on the wrist, they said, when they figured out it took him hours to produce each note. :-)

-- 
Nachman Yaakov Ziskind, FSPA, LLM aw...@ziskind.us
Attorney and Counselor-at-Law http://ziskind.us
Economic Group Pension Services http://egps.com
Actuaries and Employee Benefit Consultants
Re: [OT] Detecting telnet?
* N. Yaakov Ziskind aw...@ziskind.us:

> Kinda reminds me of the Donald Westlake story, which described a fine-arts painter who took to counterfeiting $20s; the Secret Service let him go with a slap on the wrist, they said, when they figured out it took him hours to produce each note. :-)

Exactly my point.

-- 
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebra...@charite.de | http://www.charite.de
Re: [OT] Detecting telnet?
I vaguely remember managing an email server around 1997 and there was a checkbox to disable telnet access. IIRC it was Imail on Windows NT 4, but that was a long time ago.

I do remember thinking it was odd that they could discriminate, but it seemed to work - though I'm not sure how or why.

-B

On Thu, Jun 10, 2010 at 2:31 PM, Ralf Hildebrandt ralf.hildebra...@charite.de wrote:

> I heard that there are firewalls/security appliances that supposedly can distinguish somebody using telnet from a machine speaking SMTP.
>
> I must admit, it sounds feasible (timing between keystrokes etc.), but little useful.
>
> Anyway. Is there such a thing? Does anybody use such a thing?
>
> -- 
> Ralf Hildebrandt
> Geschäftsbereich IT | Abteilung Netzwerk
> Charité - Universitätsmedizin Berlin
> Campus Benjamin Franklin
> Hindenburgdamm 30 | D-12203 Berlin
> Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
> ralf.hildebra...@charite.de | http://www.charite.de
Re: [OT] Detecting telnet?
On Thu, 10 Jun 2010 23:31:49 +0200, Ralf Hildebrandt ralf.hildebra...@charite.de wrote:

> [...]
> I must admit, it sounds feasible (timing between keystrokes etc.),

With respect to detection, is this relevant?
http://en.wikipedia.org/wiki/Telnet#Telnet_data

-- 
If you have an apple and I have an apple and we exchange these apples then you and I will still each have one apple. But if you have an idea and I have an idea and we exchange these ideas, then each of us will have two ideas. -- George Bernard Shaw

Do *not* use the following address, it's just a spam trap: aaro...@plowman.nl
Re: [OT] Detecting telnet?
On 06/10/2010 11:31 PM, Ralf Hildebrandt wrote:

> I heard that there are firewalls/security appliances that supposedly can distinguish somebody using telnet from a machine speaking SMTP.
>
> I must admit, it sounds feasible (timing between keystrokes etc.), but little useful.
>
> Anyway. Is there such a thing? Does anybody use such a thing?

There are IDSen (Intrusion Detection Systems) that can fingerprint the client on the actual TCP delays between actions, yes. They exist both in software (snort) and hardware (cisco et al).

However, then blocking the offender is step two - or combined into an IPS (Intrusion Prevention System) - and that's usually configurable. When in doubt, ask the network people at the site you suspect this of (presuming they are willing to help you, of course).

Using an IDS or similar sniffer to fingerprint OSen and client software of services is fun (if you're a network nerd :)), but it doesn't mean people take any action on the data. The risk of false positives is obvious, and I doubt many network-savvy people would implement this sort of thing willy-nilly - especially since telnet remains a very good SMTP debug tool!

J.
Re: [OT] Detecting telnet?
On 6/10/2010 5:31 PM, Ralf Hildebrandt wrote:

> I heard that there are firewalls/security appliances that supposedly can distinguish somebody using telnet from a machine speaking SMTP.
>
> I must admit, it sounds feasible (timing between keystrokes etc.), but little useful.
>
> Anyway. Is there such a thing? Does anybody use such a thing?

I use fail2ban which works for dovecot, postfix, ssh, telnet (non-windows), and anything that logs failed logins to a log file.
Re: [OT] Detecting telnet?
On Thu, Jun 10, 2010 at 6:31 PM, Ralf Hildebrandt ralf.hildebra...@charite.de wrote:

> I heard that there are firewalls/security appliances that supposedly can distinguish somebody using telnet from a machine speaking SMTP.
>
> I must admit, it sounds feasible (timing between keystrokes etc.), but little useful.

Why use telnet (e.g. raw tcp client) or block them if with a few lines of code in python/perl/shell you can do anything?

-- 
Reinaldo de Carvalho
http://korreio.sf.net
http://python-cyrus.sf.net

Don't try to adapt the software to the way you work, but rather yourself to the way the software works (myself)
Re: [OT] Detecting telnet?
+-- Ralf Hildebrandt wrote (Thu, 10-Jun-2010, 23:31 +0200):
|
| I heard that there are firewalls/security appliances that supposedly
| can distinguish somebody using telnet from a machine speaking SMTP.
|
| I must admit, it sounds feasible (timing between keystrokes etc.), but
| little useful.
|
| Anyway. Is there such a thing? Does anybody use such a thing?

ISTR someone doing (or speculating about) this with sendmail, perhaps 20 years ago, based on detecting telnet option negotiation. Never having used it, please forgive my fuzzy memory.

It would be easy to compile a line mode telnet client without option negotiation that would defeat those two particular techniques, though it likely would appear to be rather slow.

Best,
Chuck
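The two signals raised in this thread, timing between keystrokes and Telnet option negotiation, sketched as a passive classifier over the client-to-server payloads of one port-25 session. This is an added example, not code from any poster or from the products named above; the function names, the thresholds `tiny` and `human_gap`, and both sample sessions are constructed assumptions.

```python
from statistics import median

IAC = 0xFF  # Telnet "Interpret As Command" byte (RFC 854)
VERBS = {0xFB: "WILL", 0xFC: "WONT", 0xFD: "DO", 0xFE: "DONT"}

def find_negotiation(payload: bytes):
    """Return (verb, option) for every IAC WILL/WONT/DO/DONT in one payload."""
    found, i = [], 0
    while i + 2 < len(payload):
        if payload[i] == IAC and payload[i + 1] == IAC:
            i += 2  # escaped literal 0xFF, not a command
        elif payload[i] == IAC and payload[i + 1] in VERBS:
            found.append((VERBS[payload[i + 1]], payload[i + 2]))
            i += 3
        else:
            i += 1
    return found

def classify(segments, tiny=2, human_gap=0.05):
    """segments: [(arrival_seconds, client_payload)] in arrival order."""
    negotiation = [n for _, p in segments for n in find_negotiation(p)]
    tiny_ratio = sum(len(p) <= tiny for _, p in segments) / max(len(segments), 1)
    # Gaps inside an unfinished line: a client that writes whole lines has
    # none, a character-at-a-time typist has one per keystroke.
    gaps = [t2 - t1 for (t1, p1), (t2, _) in zip(segments, segments[1:])
            if not p1.endswith(b"\n")]
    med = median(gaps) if gaps else None
    char_mode = tiny_ratio >= 0.5 and med is not None and med >= human_gap
    return {"negotiation": negotiation, "tiny_ratio": tiny_ratio,
            "median_typed_gap": med,
            "interactive": bool(negotiation) or char_mode}

def typed(line: bytes, start: float, gap: float):
    """Constructed helper: one segment per keystroke, `gap` seconds apart."""
    return [(start + i * gap, line[i:i + 1]) for i in range(len(line))]

# Constructed sessions: a person at a telnet client, and a mail server.
HUMAN = [(0.0, bytes([IAC, 0xFD, 0x03, IAC, 0xFB, 0x18]))] \
        + typed(b"EHLO test\r\n", 1.0, 0.18)
MTA = [(0.00, b"EHLO mx.example.org\r\n"),
       (0.04, b"MAIL FROM:<a@example.org>\r\n"),
       (0.08, b"RCPT TO:<b@example.net>\r\n"),
       (0.12, b"DATA\r\n")]

if __name__ == "__main__":
    for name, session in (("human", HUMAN), ("mta", MTA)):
        print(name, classify(session))
```

A client that sends whole lines without negotiation produces neither signal, so a negative result here says nothing about whether a person is typing.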
Re: [OT] Detecting telnet?
On Thu, Jun 10, 2010 at 11:31:49PM +0200, Ralf Hildebrandt wrote:

> I heard that there are firewalls/security appliances that supposedly can distinguish somebody using telnet from a machine speaking SMTP.
>
> I must admit, it sounds feasible (timing between keystrokes etc.), but little useful.
>
> Anyway. Is there such a thing? Does anybody use such a thing?

Why do you want to discriminate against telnet 25? Administrators of sites that want to trouble-shoot connectivity issues with your server will use telnet 25 from time to time. There is no need to block this, it is by far the least likely source of any significant spam volume...

-- 
Viktor.