[techtalk] login restriction

Susannah D. Rosenberg indrani at mindspring.com
Fri Jul 7 17:10:21 EST 2000


Aaron Malone wrote:
> 
> On Fri, Jul 07, 2000 at 01:54:41PM -0400, Susannah D. Rosenberg wrote:
> > yeah, but it still leaves rlogind and telnetd flapping in the wind. can
> > you say "telnet to port 25", boys and girls?
> >
> > gaping security flaws are /bad/.
> 
> This has been discussed a bit already, but I think there's some deep
> misunderstanding going on.  You can delete telnetd and rlogind, and
> still be able to telnet to port 25.  Using a telnet client to connect
> to port 25 -- it has nothing to do with a telnet server (unless your
> system is configured very strangely). You're connecting to sendmail,
> exim, qmail-smtpd, or some other SMTP server.  telnetd isn't relevant
> in this case.

gar. feh. re-reading what i wrote:

yes, you're right. damn, i've been playing around with packet filtering
and IPSec too much lately. 

[what i have been doing in my Copious Free Time: trying to come up with
a way to re-architect an absurdly FUBARed LAN /and/ add security in a
way that will not disrupt its current functionality. i've been up
for... um... <glances at clock> a long time. you know you've drunk too
much caffeine when the phrase "no service udp-small-monkeys" makes some
bizarre sort of sense. mmmm... access-lists.]

> Now, telnetd should certainly be disabled, but if you don't want
> certain people logging in at all, do the shell trick as well.  It
> works fine for ssh as well.

yeah, but it's still a slightly dodgy way of doing it, imho. the
/etc/security/access.conf thing is probably a better way of doing it, or
putting people into a group that has restricted access.
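
An added example, not part of the thread above: a small Python model of how pam_access evaluates /etc/security/access.conf rules, written to make the group-based approach concrete. The behaviour it models is the documented one (first matching rule decides; a "+" grants and a "-" denies; if no rule matches, access is granted, so a policy needs a closing "- : ALL : ALL" to default-deny). It is a simplified reimplementation, not Linux-PAM's code: the GROUPS table, the user names and the sample policy are constructed, and the "(group)" spelling for a group-only token follows current Linux-PAM, which 2000-era versions did not have. Enabling the module on a real box means adding "account required pam_access.so" to the PAM config of each login service (login, sshd, and so on); the example does not touch that.

```python
"""Toy evaluator for /etc/security/access.conf (pam_access) semantics.

Simplified model written for this page; NOT Linux-PAM's implementation.
Rule format:   permission : users : origins
  permission   '+' grants access, '-' denies it
  users        login names, group names, "(group)", ALL, or "ALL EXCEPT a b"
  origins      tty names, hostnames, addresses, ".domain" suffixes,
               "10.0.0." address prefixes, LOCAL, ALL, or "ALL EXCEPT ..."
The first rule whose users field AND origins field both match decides.
If no rule matches, access is GRANTED, so a final '- : ALL : ALL' is needed
for a default-deny policy.
"""

# Constructed group database standing in for /etc/group (assumption).
GROUPS = {
    "wheel": {"root", "indrani"},
    "staff": {"indrani", "aaron"},
    "guests": {"fred"},
}

# Constructed policy: root only on the console, wheel from anywhere,
# staff from the console, the local domain or the office subnet, nobody else.
SAMPLE_ACCESS_CONF = """\
# root may log in on a local tty only; the deny line must come before
# the wheel line because the first matching rule wins
+ : root : LOCAL
- : root : ALL
+ : (wheel) : ALL
+ : staff : LOCAL .example.com 10.0.0.
- : ALL : ALL
"""


def _parse_list(field):
    """Split a users/origins field into ('any_of' | 'all_except', tokens)."""
    tokens = field.split()
    if len(tokens) >= 2 and tokens[0].upper() == "ALL" and tokens[1].upper() == "EXCEPT":
        return "all_except", tokens[2:]
    return "any_of", tokens


def _user_matches(token, user):
    """A bare name matches the login or a group it belongs to; (name) is group-only."""
    if token.upper() == "ALL":
        return True
    if token.startswith("(") and token.endswith(")"):
        return user in GROUPS.get(token[1:-1], set())
    return token == user or user in GROUPS.get(token, set())


def _origin_matches(token, origin):
    """Match a tty, hostname, address, domain suffix or address prefix."""
    if token.upper() == "ALL":
        return True
    if token.upper() == "LOCAL":            # a tty name, i.e. no dots in it
        return "." not in origin
    if token.startswith("."):               # ".example.com" domain suffix
        return origin.lower().endswith(token.lower())
    if token.endswith("."):                 # "10.0.0." network prefix
        return origin.startswith(token)
    return token.lower() == origin.lower()


def _field_matches(field, value, matcher):
    kind, tokens = _parse_list(field)
    hit = any(matcher(t, value) for t in tokens)
    return (not hit) if kind == "all_except" else hit


def parse_access_conf(text):
    """Return a list of (allow, users_field, origins_field) rules."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(":")]
        if len(parts) != 3 or parts[0] not in ("+", "-"):
            raise ValueError(f"access.conf line {lineno}: malformed rule {raw!r}")
        rules.append((parts[0] == "+", parts[1], parts[2]))
    return rules


def login_allowed(rules, user, origin):
    """Decide a login the way pam_access would: first matching rule wins."""
    for allow, users, origins in rules:
        if _field_matches(users, user, _user_matches) and \
           _field_matches(origins, origin, _origin_matches):
            return allow
    return True  # no rule matched: pam_access grants access


if __name__ == "__main__":
    rules = parse_access_conf(SAMPLE_ACCESS_CONF)
    for who, where in [("root", "tty1"), ("root", "203.0.113.9"),
                       ("aaron", "10.0.0.42"), ("aaron", "203.0.113.9"),
                       ("fred", "tty1")]:
        print(f"{who:8} from {where:16} -> {'allow' if login_allowed(rules, who, where) else 'deny'}")
```

The last check in the usage above is the one that matters for the "restricted group" idea: drop the closing "- : ALL : ALL" line and fred, who is in no listed group, is let in, because an unmatched login is allowed by default.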
