Date: Tue, 12 Sep 2000 18:24:23 -0500 (CDT)
From: James Wyatt <jwyatt@rwsystems.net>
To: "Forrest W. Christian" <forrestc@imach.com>
Cc: Steve Kaczkowski <steve@inc.net>, InvictaNet Customer Support <support@invictanet.co.uk>, Freebsd-ISP <freebsd-isp@FreeBSD.ORG>
Subject: Re: Telnet restrictions
Message-ID: <Pine.BSF.4.10.10009121809580.11534-100000@bsdie.rwsystems.net>
In-Reply-To: <Pine.BSF.4.21.0009121550280.26689-100000@workhorse.iMach.com>
On Tue, 12 Sep 2000, Forrest W. Christian wrote:

> On Tue, 12 Sep 2000, Steve Kaczkowski wrote:
>
> > I'd check into both to see which would work better in your situation,
> > tcp_wrappers will do it for you, but you can get much more creative
> > with Ipfilter since it's a full firewalling package..
>
> The other non-quantifiable advantage is that ipfilter/ipfw (whichever)
> rejects the connection at a much lower level - logically, this would
> indicate that ipfilter/ipfw *might* be more secure....

Yes, but tcp_wrappers can let you give a custom reject message. I know identd isn't much more secure, but tcp_wrappers can require identd support, limiting you from fewer script kiddies. Rules can be easier to see and it works on other OSes too.

For fun, your 'telnet failed' response could look almost like your telnetd didn't wait after prompting for "login:". I've seen one machine from a junior college just try time after time to get a prompt that would let them try hacking in. Others seem to catch on more quickly... (^_^)

With ipfw/ipfilter, you can prevent replying with a 'connection closed' and cause all telnet attempts to take *much* longer to time out, delaying attacks.

While ipfw/ipfilter *might* be more secure, I doubt it would be measurably so. The tcp_wrappers codebase is *very* mature and has been pretty frequently looked at by folks who can spot crack-points. All three (ipfw, ipfilter, and tcp_wrappers) are industrial strength.

I'm surprised that we haven't heard the usual stuff about ssh being so much better than telnet that telnet should be shut off everywhere.

- Jy@
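The two approaches the mail weighs, written out as an added example that is not part of the original thread: a tcp_wrappers ruleset that requires an identd answer and returns a custom message, next to an ipfw ruleset that silently drops the SYN so the remote side waits for its own connect timeout. The 192.0.2.0/24 network is a placeholder for your own address range.

```text
# /etc/hosts.allow (tcp_wrappers, consulted by inetd-spawned telnetd).
# First matching rule wins. 192.0.2.0/24 is a placeholder network.

# Admit the local network only when the client's identd answers;
# a client with no ident response does not match KNOWN@ and falls
# through to the catch-all rule below.
telnetd : KNOWN@192.0.2.0/255.255.255.0 : allow

# Everyone else gets a custom reject message instead of a login: prompt.
# %a expands to the client address; the connection is closed afterwards.
telnetd : ALL : twist /bin/echo "telnet from %a is refused; use ssh."


# /etc/ipfw.rules (loaded with: ipfw /etc/ipfw.rules)
# Kernel-level filtering: a rejected connection never reaches telnetd.

# Accept new telnet connections (SYN only) from the local network.
add 100 allow tcp from 192.0.2.0/24 to me 23 setup

# "deny" drops the SYN silently, so the remote client keeps
# retransmitting until its connect() times out: the slow failure
# described in the thread. To answer immediately instead, use
#   add 110 reset tcp from any to me 23
add 110 deny tcp from any to me 23
```

The hosts.allow rules only apply to daemons started through inetd with tcpd (or libwrap) in the path, whereas the ipfw rules apply to every telnet SYN the host receives.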