blocking telnet to selected IPs?

John M. Morris jmorris at dtx.net
Tue Jul 7 17:00:47 EDT 1998


On Tue, 7 Jul 1998, Dave Vose wrote:

> We have two platforms: UNIX running Solaris and PCs running NT. We've
> locked our machines down pretty tight and would like to kill telnet access
> to the campus mail server without buying filtering software like Kiosk,
> etc. 

If you have a router between your network and the undesirable host, just
drop a filter in denying access to the telnet (23) port on that specific
host.  This way, if that same machine is also running other services, a
webserver for example, they are still available.  This solution would
likely be a lot simpler than trying to install elaborate filtering
software on two radically different platforms.

And of course while you are in the router you might want to make sure all
of the other obvious things are plugged up.  Examples:

No packets can come IN bearing your IPs in the source field.
No packets can go OUT without bearing your IPs in the source field.
No outside connections to any of the following (specific exceptions on a
strict need basis) ports on any machine:
           tftp, portmap, netbios-ns, netbios-dgm, netbios-ssn, snmp,
           snmp-trap, exec, login, who, shell, printer or mount

This is not a real security-howto; there are already plenty of those.
I'm just trying to get people thinking of their routers as something more than
a black box that sits in a corner and is never touched.

Unfortunately the site I'm currently at is stuck with a router we don't
have control over, but that is about to change and I'm already drawing up
the filter list. 

John M.      http://www.dtx.net/~jmorris         This post is 100% M$ Free!
Geek code 3.0:GCS C+++ UL++++$ P+++ L+++ W+ N++ w-- Y+ 5+++ R tv- b++ e* r%
===========================================================================
The views expressed certainly don't reflect those of CCC Internet Services.
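As an added example (not from the original post or its author), the policy the reply describes, modelled as an ordered packet filter in Python so the rule order and the "other services on that host stay reachable" point can be checked against sample packets. The campus block 192.0.2.0/24, the mail server address 192.0.2.25 and the outside hosts are constructed values; the port numbers are the standard well-known ports for the services named.

```python
from ipaddress import ip_address, ip_network

# Constructed for the example: the campus block and the mail server address.
CAMPUS_NET = ip_network("192.0.2.0/24")
MAIL_SERVER = ip_address("192.0.2.25")

# The post's "no outside connections" list, as (protocol, well-known port).
# mount (mountd) is omitted: it has no fixed port and is located via portmap,
# so denying portmap (111) removes the way to find it.
BLOCKED_FROM_OUTSIDE = {
    ("udp", 69): "tftp", ("tcp", 111): "portmap", ("udp", 111): "portmap",
    ("udp", 137): "netbios-ns", ("udp", 138): "netbios-dgm",
    ("tcp", 139): "netbios-ssn", ("udp", 161): "snmp", ("udp", 162): "snmptrap",
    ("tcp", 512): "exec", ("tcp", 513): "login", ("udp", 513): "who",
    ("tcp", 514): "shell", ("tcp", 515): "printer",
}


def decide(direction, proto, src, dst, dport):
    """Return (action, reason) for one packet, applying the post's rules in order.

    direction is "in" (from the outside world) or "out" (to it); proto is
    "tcp" or "udp"; src/dst are address strings; dport is the destination port.
    """
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    # Anti-spoofing: inbound packets may not claim a campus source ...
    if direction == "in" and src_ip in CAMPUS_NET:
        return ("deny", "inbound packet spoofing a campus source")
    # ... and outbound packets must carry a campus source.
    if direction == "out" and src_ip not in CAMPUS_NET:
        return ("deny", "outbound packet with a non-campus source")
    # The specific request: no telnet to the mail server; its other services pass.
    if direction == "in" and proto == "tcp" and dst_ip == MAIL_SERVER and dport == 23:
        return ("deny", "telnet to mail server")
    # The general hygiene list, applied to every campus host.
    if direction == "in" and (proto, dport) in BLOCKED_FROM_OUTSIDE:
        return ("deny", f"{BLOCKED_FROM_OUTSIDE[(proto, dport)]} from outside")
    return ("permit", "no matching deny rule")


if __name__ == "__main__":
    # Constructed sample traffic; 198.51.100.7 stands in for an outside host.
    samples = [
        ("in", "tcp", "198.51.100.7", "192.0.2.25", 23),    # telnet to mail: deny
        ("in", "tcp", "198.51.100.7", "192.0.2.25", 80),    # web on same box: permit
        ("in", "udp", "192.0.2.9", "192.0.2.25", 53),       # spoofed source: deny
        ("out", "tcp", "203.0.113.4", "198.51.100.7", 25),  # wrong source: deny
        ("in", "udp", "198.51.100.7", "192.0.2.40", 137),   # netbios-ns: deny
    ]
    for pkt in samples:
        print(pkt, "->", decide(*pkt))
```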