
I have telnet uninstalled and disabled and people can telnet on port 25


adamrau (Programmer, US), Dec 17, 2001
I did (rpm -e telnet) and telnet is disabled from xinetd. I'm using Red Hat 7.1 as my mail server. People can still telnet myhost.mydomain.com 25. How is it possible for my mail server to be able to open up a telnet session when telnet is not installed and disabled?

Thanks in advance
Adam
 
You may want to check /etc/services or NIS map to see what port ftp is bound to.

-Tony
 
telnet as a service listens on port 23 by default.
telnet clients can connect to any listening ports,
bound by server processes and access those services.

You have a listening smtp process on 25. If you want to deny people mail just filter it.

#!/bin/sh
# Interior (trusted) network; anything outside it is rejected on the SMTP port.
local="192.168.1.0/25"
mail="192.168.1.1"   # address of the mail host (placeholder, fill in your own)
# 2.4.x kernels (iptables): --dport needs -p tcp to be valid
iptables -A INPUT ! -s "$local" -p tcp --dport 25 -j REJECT
# 2.2.x kernels (ipchains)
ipchains -A input -s ! "$local" -d "$mail" 25 -p tcp -j REJECT

Good Luck.
 
Hi marsd,
I understand now. Can you tell me one thing. The code you entered above, what file does that belong in?
Thanks again
Adam
 
They don't: they are Linux packet filtering examples.
man ipchains (if uname -r produces -lt 2.4.x)
man iptables (if uname -r produces -gt 2.2.x)

If you filter external connects to your mail port you
won't be getting any mail.

Just compile your sendmail.cf with the RSH option.
man sendmail ; man sendmail.cf ; this is pretty safe.
 
Hi,

What I'd do is a variation of marsd's recommendation: do the packet filtering so that it rejects inbound to port 25 unless the origin port is also 25. In normal operation an SMTP server talks to another on this basis. However, a client connecting using telnet to port 25 of an SMTP server would have an origin port that was an unprivileged client port, i.e. > 1024. You will find they can also telnet to port 110 if you have a POP3 server.

Regards
 
It's also worth mentioning that telnetting to port 25 is not the same as telnetting to the Telnet service on port 23. In other words, the user who telnets to port 25 will still not be able to do any more than what a user with an email client can do. It is still just the mail service they are interacting with. If they can get a bash prompt by telnetting to port 25, then there is something very wrong.

The telnet client is just a generic networking utility, which can interact with any open port in TCP/IP. But that also means it is still limited by the service that is listening at that open port.

You can even telnet to your webserver at port 80, and as long as you issue GET or POST requests, with the right headers, you will see the HTML contents of the web pages scrolling past, and you can manually do everything a browser does automatically. It's kind of fun, actually, if you want to see the HTTP protocol from the inside.
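To make the point above concrete, here is an added example (not from this thread, and not code from any of the posters): a tiny constructed SMTP-like responder on a loopback port, plus a client that does exactly what "telnet host 25" does, namely open a plain TCP socket and type lines at it. The responder only understands a handful of SMTP verbs and answers "500" to everything else, so the raw-socket client can do nothing more than an email client could; the hostname, port and verb list are all constructed for the demo.

```python
import socket
import threading

# Constructed example: a minimal SMTP-like responder. It is not a real MTA; it only
# answers the verbs below and refuses anything else, which is why a raw TCP client
# (telnet) on port 25 gets nothing beyond what an email client gets.
KNOWN_VERBS = {"EHLO", "HELO", "MAIL", "RCPT", "DATA", "QUIT", "NOOP"}


def handle(conn):
    """Serve one connection: banner, then one reply per CRLF-terminated line."""
    conn.sendall(b"220 example.test ESMTP ready\r\n")
    buf = b""
    while True:
        chunk = conn.recv(1024)
        if not chunk:
            break
        buf += chunk
        while b"\r\n" in buf:
            line, buf = buf.split(b"\r\n", 1)
            verb = line.split(b" ", 1)[0].upper().decode("ascii", "replace")
            if verb == "QUIT":
                conn.sendall(b"221 bye\r\n")
                conn.close()
                return
            if verb in KNOWN_VERBS:
                conn.sendall(b"250 ok\r\n")
            else:
                # Anything that is not SMTP (a shell command, say) is simply refused:
                # the listening service, not the client tool, decides what is possible.
                conn.sendall(b"500 command not recognized\r\n")
    conn.close()


def start_server():
    """Listen on an ephemeral loopback port (no root needed) and serve in the background."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def loop():
        while True:
            try:
                c, _ = srv.accept()
            except OSError:      # listener closed by demo()
                return
            threading.Thread(target=handle, args=(c,), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return srv


def talk(port, lines):
    """Behave like 'telnet 127.0.0.1 <port>': send each line, collect each reply."""
    s = socket.create_connection(("127.0.0.1", port), timeout=5)
    f = s.makefile("rb")
    replies = [f.readline().decode().strip()]   # the 220 banner
    for line in lines:
        s.sendall(line.encode() + b"\r\n")
        replies.append(f.readline().decode().strip())
    s.close()
    return replies


def demo():
    """Run the exchange and return the list of server replies, banner first."""
    srv = start_server()
    port = srv.getsockname()[1]
    try:
        # A legitimate SMTP greeting, then a non-SMTP line, then a clean close.
        return talk(port, ["EHLO client.test", "ls -la /etc", "QUIT"])
    finally:
        srv.close()


if __name__ == "__main__":
    for reply in demo():
        print(reply)
```

The replies come back as 220, 250, 500, 221: the greeting is accepted, the non-SMTP line is rejected, and the session is closed by the protocol. Swap the responder for a real MTA and the same holds, which is why the only meaningful controls are on the listening service and the packet filter in front of it, not on whether a telnet binary is installed.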
 
Good idea IF, but... The server process listens on port 25, but the mta may send data from any high port. So it is hard to build an adequate PF against the smtp listener at port 25 without denying yourself service.
 
Hi,

True indeed! Didn't think that one through too much...

Regards
 
If you don't want any response to port 25, then disable sendmail. If you know the machines or their IP range that you want to have access to SMTP, then you can use the firewall(ipchains) to limit the response.
 
rpm -e telnet
rpm -e telnet-server

to remove telnet from your system. Use OpenSSH instead.

Anyone can telnet to port 25, but there is very little they can do if you are running the very *latest* sendmail daemon.
 