From owner-freebsd-isp Tue Sep 12 16:25:58 2000
Date: Tue, 12 Sep 2000 18:24:23 -0500 (CDT)
From: James Wyatt
To: "Forrest W. Christian"
Cc: Steve Kaczkowski, InvictaNet Customer Support, Freebsd-ISP
Subject: Re: Telnet restrictions

On Tue, 12 Sep 2000, Forrest W. Christian wrote:

> On Tue, 12 Sep 2000, Steve Kaczkowski wrote:
>
> > I'd check into both to see which would work better in your situation,
> > tcp_wrappers will do it for you, but you can get much more creative
> > with Ipfilter since it's a full firewalling package..
>
> The other non-quantifiable advantage is that ipfilter/ipfw (whichever)
> rejects the connection at a much lower level - logically, this would
> indicate that ipfilter/ipfw *might* be more secure....

Yes, but tcp_wrappers can let you give a custom reject message. I know identd
isn't much more secure, but tcp_wrappers can require identd support, limiting
you from fewer script kiddies. Rules can be easier to see and it works on
other OSes too.

For fun, your 'telnet failed' response could look almost like your telnetd
didn't wait after prompting for "login:". I've seen one machine from a junior
college just try time after time to get a prompt that would let them try
hacking in. Others seem to catch on more quickly...
(^_^)

With ipfw/ipfilter, you can prevent replying with a 'connection closed' and
cause all telnet attempts to take *much* longer to time out, delaying attacks.

While ipfw/ipfilter *might* be more secure, I doubt it would be measurably so.
The tcp_wrappers codebase is *very* mature and has been pretty frequently
looked at by folks who can spot crack-points. All three (ipfw, ipfilter, and
tcp_wrappers) are industrial strength.

I'm surprised that we haven't heard the usual stuff about ssh being so much
better than telnet that telnet should be shut off everywhere. - Jy@
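The two approaches the message compares, written out as an added example (this is editor-supplied code, not something posted in the thread). The functions only print configuration fragments for review; nothing is applied. Assumptions: the trusted network 192.0.2.0/24 (mask form 192.0.2.0/255.255.255.0 for tcp_wrappers) is a placeholder, the daemon name inetd hands to tcp_wrappers is "telnetd", and the syntax is that of FreeBSD ipfw and the tcp_wrappers extended-options (hosts_options) form of /etc/hosts.allow.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Generates the two
# telnet-restriction configurations the message contrasts. The trusted
# network passed in is a placeholder value.

# tcp_wrappers fragment for /etc/hosts.allow.
# A "user@host" client pattern makes tcp_wrappers perform an identd
# (RFC 1413) lookup; KNOWN@ means the lookup must succeed. Everyone else
# is answered by a "twist" that prints a custom reject message (%a expands
# to the client address) instead of a bare connection close.
hosts_allow_fragment() {
    trusted_net="$1"    # e.g. 192.0.2.0/255.255.255.0 (hosts.allow mask form)
    cat <<EOF
# telnet only from the trusted net, and only when identd answers
telnetd : KNOWN@${trusted_net} : allow
# all other sources: custom message, then the wrapper closes the connection
telnetd : ALL : twist /bin/echo "telnet is not offered from %a; use ssh"
# the "for fun" variant from the message: look like a telnetd that stopped
# waiting right after the prompt
# telnetd : ALL : twist /bin/echo "login: "
EOF
}

# ipfw rules that reject telnet below the application layer.
# "deny" drops the SYN silently, so the remote end waits out its own
# connect timeout (the slow failure the message describes);
# "reset" answers with a RST, i.e. the immediate "connection refused".
ipfw_telnet_rules() {
    trusted_net="$1"    # e.g. 192.0.2.0/24
    mode="$2"           # silent -> deny (slow timeout), rst -> reset (fast)
    case "$mode" in
        silent) action="deny" ;;
        rst)    action="reset" ;;
        *) echo "unknown mode: $mode (use silent or rst)" >&2; return 1 ;;
    esac
    cat <<EOF
ipfw add 1000 allow tcp from ${trusted_net} to me 23 in setup
ipfw add 1010 ${action} log tcp from any to me 23 in setup
EOF
}

# Usage: print both fragments for the placeholder network.
show_both() {
    echo "# --- /etc/hosts.allow ---"
    hosts_allow_fragment 192.0.2.0/255.255.255.0
    echo "# --- ipfw (silent drop) ---"
    ipfw_telnet_rules 192.0.2.0/24 silent
}
```

The ipfw "allow" rule precedes the "deny"/"reset" rule because ipfw stops at the first match; with "setup" both rules only see the initial SYN, so established sessions from the trusted net are unaffected by rule 1010.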