blocking telnet on active port?

[Gangoolies]

Hi, is it possible to block telnet access to a port that is eg listening on port 80.
If a service is listening on a port will you always be able to telnet to it?

Thanks

 

[Lemon13]

block port 23 on the pc

M. Knorr

MCSE, MCTS, MCSA, CCNA

 

[Noway2]

Gangoolies, what exactly do you mean by block telnet access to a port that is listening on port 80? As Lemon13 points out, telnet is on port 23.

It sounds like you have someone who is getting around blocks by tunnelling through port 80 and you are trying to identify the service and block it?

 

[burtsbees]

I think the user means that since someone can telnet into something using any port, how would you block this?

C:\telnet 112.121.133.43 80

like that.



tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!

 

[Noway2]

Ah yes, I see what you mean. I forgot about that ability since I almost always SSH instead of telnet.

That is a good question, is it possible to identify the service and block it? Telnet is pretty raw in that it is close to providing a plain socket connection. That is why you can use it to retrieve web pages, test an SMTP, etc. I am not aware of it having any "HELO" signatures.

I suspect that the best approach is to make sure that what ever service is listening is properly secured.

Gangoolies, if it turns out the answer is no, is there a specific problem you are trying to solve that may have a more direct solution?

 

[Lemon13]

when you dont need telnet at all, disable it in services.



M. Knorr

MCSE, MCTS, MCSA, CCNA

 

[John Lewis]

There is some confusion here. I am almost certain the intent is to block access to a http server running on port 80 from a telnet client. Telnet can connect to any server that utilizes TCP on any port by simply specifying the desired port after the address. This can be quite useful for troubleshooting, as you can see the raw reply (or lack of connection) without the interpretation of the typical client.

The short answer is no, it is not possible to DIRECTLY block this type of connection. It is possible to block some types of traffic based upon the IP protocol being used. A common example is to block ping requests by refusing ICMP traffic. In this case, ICMP is the protocol used over IP. The IP header has a flag that indicates the traffic is ICMP and the type of ICMP request. Either or both of these can be examined by a firewall to determine what action should be taken, so it is a very simply matter to drop or refuse all ICMP traffic or just ping requests.

Telnet and HTTP both use TCP protocol over IP (as well as many other services). There is nothing in a telnet header that distinguishes it from a HTTP header or any other TCP traffic. You must either allow TCP traffic to a port or deny it. With this in mind, if you want to allow HTTP traffic on port 80, you must accept all TCP connections on that port.

Once the connection is made, there are some things in the actual data that would indicate that the connection is coming from a telnet client instead of a http client. Most notably, the initial data from a telnet client will be sent one character per packet, maybe two if you type really fast. In contrast, a traditional http client will sent complete http request in one or two packets starting with the third packet of the connection.

It would be fairly simple to detect the small packets with some firewalls and kill the connection. This is not really blocking the connection, as you would have to allow the initial connection to get at the subsequent data, but it would have the effect of disallowing connections from a telnet client. Another method would be to filter the first few packets and kill connections that do not have some of the key elements of a proper http request.

A better method would be to configure the http server to refuse connections from clients that do not provide a proper http header. It certainly is possible to send a reasonable header from telnet, but it would involve a bit of very accurate typing. Cumbersome at the very least. In this case, as with the other method the TCP connection is technically allowed, but nothing in the way of meaningful data is passed.

I don't really see much point in blocking this type of traffic. Telnet to a non-telnet server can be a useful diagnostic tool, not much use for anything else as the connection is closed after each exchange.

 

[burtsbees]

short answers...

"Hi, is it possible to block telnet access to a port that is eg listening on port 80."

No---telnet access exists on any port---you would have to block access to that specific port (acl).

"If a service is listening on a port will you always be able to telnet to it?"

Not necessarily "listening" on it, per se, but simply if the port is open and/or enabled, then yes---telnet ability always exists. To separate confusion...

Telnetting into a device on its native port (23) allows a remote console session.

Telnetting into a device by redirecting the port to a different port verifies layers 1-7 connectivity---telnet in general tests all 7 layers of the OSI model.

/


tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!

 

[elconomeno]

Depends all on the firewall that defends your server.

http://en.wikipedia.org/wiki/Firewall_(computer)

if it is packet filterering firewall => No you cannot block the traffic.

if it is application layer -firewall => yes you can block!

Sometimes application layer firewalls are called proxies. they check the sessions with the defined protocols.

without any firewall, your server receives any package on a specific port... with a lot of nasty things as a result

 

[Gangoolies]

thanks for the replies, mhkwood provided the answer I was looking for.