Why you don't have telnet open to the world


Tue Dec 21 18:08:48 2004 Why you don't have telnet open to the world
Posted by Tony Lawrence
Search Keys: security|ssh

I had an email today from a reseller who I have helped with routers, VPNs, etc. in the past. I usually set his clients up with internet ssh access restricted to specific accounts (see Security Paranoia - restricting ssh access), but apparently I had never explained WHY I do this, because his email went something like this (edited slightly to remove extraneous material):


I had someone show me a trick the other day...I was able to connect to his customer using ALPHACOM with a TELNET session!

I think the "!" is because he probably thought telnet over the internet was impossible. My fault for not explaining this stuff better. He went on to say:

What he did is give me an IP address that I plugged in and bingo, I got a login. What I had to do was go to the advanced properties and give it a port number to use as well. This is because on his router he set it up so that port xyz forwarded to something like port 23 on the system.

Actually, it's "Bingo! You have a big security hole!".

The person who gave him this "trick" probably thought that by using a different port he had improved security. That's called "security through obscurity" and the only people it protects you from are the ones that probably couldn't hurt you anyway. Anyone else is going to scan a full range of ports and they will see your login almost as quickly as they would had you left it at port 23.

So there we are, telnet open to the world. Unless the firewall has a rule that says "only folks from these addresses get forwarded" (and if you had that, why obfuscate the port?), anyone can try to log in. Anyone can TRY to log in with ssh, too, but as explained above, we only allow certain accounts to do that, and root isn't one of them. So the attacker is free to hammer away, guessing root passwords for as long as he wants.

Well, not quite. That version of SCO implements a feature to lock out a tty after so many unsuccessful logins - usually set to 99, but it doesn't take all that long for a dictionary password attack to hit that number. So, a pseudo tty gets locked out, and now nobody can log in (see /Detective/ttylocked.html).

Of course that assumes that the dictionary attack failed... but dumb passwords are pretty common, and most people have no idea how many of these guys try and how long they keep trying. I see it in my server logs, and it is just incredible. Here's just a sample:

Failed logins from these:
adm/password from 61.100.180.125: 2 Time(s)
apache/password from 61.100.180.125: 1 Time(s)
cyrus/password from 61.100.180.125: 1 Time(s)
horde/password from 61.100.180.125: 1 Time(s)
iceuser/password from 61.100.180.125: 1 Time(s)
irc/password from 61.100.180.125: 2 Time(s)
jane/password from 61.100.180.125: 1 Time(s)
matt/password from 61.100.180.125: 1 Time(s)
mysql/password from 61.100.180.125: 1 Time(s)
nobody/password from 61.100.180.125: 1 Time(s)
operator/password from 61.100.180.125: 1 Time(s)
pamela/password from 61.100.180.125: 1 Time(s)
patrick/password from 61.100.180.125: 2 Time(s)
rolo/password from 61.100.180.125: 1 Time(s)
root/password from 61.100.180.125: 11 Time(s)
test/password from 61.100.180.125: 4 Time(s)
www-data/password from 61.100.180.125: 1 Time(s)
www/password from 61.100.180.125: 1 Time(s)
wwwrun/password from 61.100.180.125: 1 Time(s)

Remember - I lock people out after 2 failed logins - so the ones with more than that waited quite a while and came back at me again and again! None of those accounts could log in anyway - they aren't in the ssh allowed users list - but they can't tell that, so they keep on trying. Hour after hour, day after day.
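The kind of check I would run over that logwatch-style "Failed logins" output, as an added example that is not code from the original post: it parses the lines, totals failures per source address, notes which guessed accounts are not in the ssh allowed-users list, and flags any source whose count exceeds the lockout threshold (which, as noted above, means it was locked out and came back). The allowed-users set and the threshold of 2 are assumptions for the example; the log lines are a constructed sample in the format quoted above.

```python
import re
from collections import defaultdict

# Constructed sample in the logwatch "Failed logins" format quoted in the post.
SAMPLE = """\
Failed logins from these:
adm/password from 61.100.180.125: 2 Time(s)
root/password from 61.100.180.125: 11 Time(s)
test/password from 61.100.180.125: 4 Time(s)
jane/password from 61.100.180.125: 1 Time(s)
tony/password from 192.0.2.10: 1 Time(s)
"""

# Hypothetical sshd AllowUsers list for this host (assumption, not from the post).
ALLOWED_USERS = {"tony", "jane"}

# The post's author locks a source out after 2 failed logins.
LOCKOUT_THRESHOLD = 2

LINE_RE = re.compile(
    r"^(?P<user>[^/\s]+)/(?P<method>\S+) from (?P<src>\S+): (?P<n>\d+) Time\(s\)$"
)


def parse_failed_logins(text):
    """Return (user, method, source, count) tuples; header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m["user"], m["method"], m["src"], int(m["n"])))
    return entries


def summarize(entries, allowed_users, lockout_threshold):
    """Aggregate per source: total failures, guessed accounts that are not allowed
    to use ssh at all, and whether any single count exceeds the lockout threshold
    (i.e. the lockout expired and the same source returned to keep guessing)."""
    per_src = defaultdict(lambda: {"total": 0, "not_allowed": set(), "persistent": False})
    for user, _method, src, n in entries:
        rec = per_src[src]
        rec["total"] += n
        if user not in allowed_users:
            rec["not_allowed"].add(user)
        if n > lockout_threshold:
            rec["persistent"] = True
    return dict(per_src)


if __name__ == "__main__":
    for src, rec in summarize(parse_failed_logins(SAMPLE), ALLOWED_USERS, LOCKOUT_THRESHOLD).items():
        flag = "PERSISTENT" if rec["persistent"] else "single pass"
        print(f"{src}: {rec['total']} failures, {flag}, bad accounts: {sorted(rec['not_allowed'])}")
```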

Don't do this.
