Telnet Crusade
Monday Jun 11, 2007
I still come across customers every once in a while who still use telnet. This is completely incomprehensible to me. The protocol is archaic and insecure: everything, including the password, crosses the wire in the clear. SSH is exponentially better. It is secure, you have all of the flexibility of tunnels, and at a base level it looks and feels like telnet. I guess some people just will never stop using it, just like some people won't stop smoking.
I feel that anyone who still uses telnet is just uneducated about it. Check out this link on why you should not use it.
If that is not enough to convince you, I quote a ZDNet blog:
Although patches have been shipped, security experts have one simple message to Solaris users: Turn off telnet and leave it off.
A good Sun blog on the issue can be found here. And if you still insist on running telnet, the patches are here.
Now I hope all of my naysaying, and threats of equating it to cancer, have convinced you it is time to kick the habit and move on from Telnet. It is really a lot less painful than you think. Simply log in as root and type the following:
#svcadm disable svc:/network/telnet:default
And for the record, Solaris 10 ships with it off, so we know you know the above command, because you turned it on.
Now the question becomes where to go from here. The answer is ssh. If you are running any flavor of Unix, Linux, or Mac OS, you can simply fire up a terminal and type ssh user@host. If you are running Windows, you will need to get an SSH client. My preference is PuTTY. Using one of these methods will establish a secure encrypted tunnel between your host and the remote one.
SSH is a very powerful tool. You can use it to securely move files from your workstation to a server:
#scp file user@server:/pathtowhereyouwantthefile
You can use it to move a file from the server to your workstation:
#scp user@server:/pathtothefile localpathtothefile
You can also use ssh for tunneling. Imagine opening one secure port between your workstation and a server, and tunneling other ports through the secure connection. From a network security standpoint, you only have to open up one port, 22 (ssh), on your firewall. Authenticated users can then tunnel through that port. My favorite use for this is to connect to Windows terminal servers using RDP:
#ssh -L 3389:<remote windows server>:3389 user@<ssh server>
Once this connection is open you can simply point your RDP client at localhost and connect to the server on the other network. Want to connect to more than one Windows server on the remote network? Set the local port to something else, e.g.:
#ssh -L 33389:<remote windows server 2>:3389 user@<ssh server>
Simply point your RDP client at localhost:33389 and you are looking at the second windows server.
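The two commands above each forward one local port to one Windows server. ssh accepts several -L options on a single command line, so one session through the jump host can carry all of them, as long as every local port is distinct. The script below, an added example that is not from the original post, generates that command line for a list of servers, assigning consecutive local ports from a base you choose and refusing bad port numbers. The host names and user are constructed placeholders; the ssh command is printed, not executed.

```shell
#!/bin/sh
# Added example, not from the original post. Builds one ssh command line that
# forwards a distinct local port to RDP (3389) on each remote Windows server,
# so several servers are reachable through the single SSH port on the firewall.
# Host names and the user below are constructed placeholders.

# Print the -L options for a list of remote hosts, assigning local ports
# starting at BASE and incrementing by one per host. Fails on bad input.
rdp_forward_args() {
    base=$1; shift
    case "$base" in
        ''|*[!0-9]*) echo "base port must be numeric" >&2; return 1 ;;
    esac
    [ "$base" -ge 1 ] && [ "$base" -le 65535 ] || { echo "port out of range" >&2; return 1; }
    port=$base
    out=""
    for host in "$@"; do
        [ "$port" -le 65535 ] || { echo "ran out of ports" >&2; return 1; }
        out="$out -L $port:$host:3389"
        port=$((port + 1))
    done
    printf '%s\n' "${out# }"
}

# Full command: ssh <-L options> user@jumphost. Printed, not executed.
rdp_tunnel_cmd() {
    user=$1; jump=$2; base=$3; shift 3
    args=$(rdp_forward_args "$base" "$@") || return 1
    printf 'ssh %s %s@%s\n' "$args" "$user" "$jump"
}

# Constructed example: local 3389 -> win1, local 3390 -> win2, both via jump.
rdp_tunnel_cmd admin jump.example.com 3389 win1.example.com win2.example.com
```

Point the RDP client at localhost:3389 for the first server and localhost:3390 for the second. Because the ports are generated in sequence, two servers can never be mapped to the same local port by mistake, which is the error that makes the second tunnel silently fail to bind.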
Now there is one caveat to Sun's configuration of ssh. Sun defaults to the root account not having ssh access. This is the most secure methodology. I recommend that you simply add another user account, ssh in as that account and su - or use sudo.
#useradd -d /export/home/<user> -m -s /bin/bash -c <user> <user>
Now a lot of my clients tell me the reason they don't use SSH is because they can't ssh in as root. Their systems are in labs, they don't want the hassle of adding a user, they could always telnet in as root.... So in an effort to compromise: it is much better to run SSH with root access than to use Telnet. Here are the details in order to allow root to ssh.
#vi /etc/ssh/sshd_config
Find the following line, normally line 132:
#PermitRootLogin no
Change the no to yes and restart network services:
#svcadm restart svc:/network/ssh
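Editing sshd_config by hand in vi works, but it is easy to leave a second PermitRootLogin line behind, and sshd takes the first active value it finds, so a later edit can be silently ignored. The script below, an added example that is not from the original post, reads the effective setting the way sshd does (first uncommented keyword wins) and rewrites every active occurrence in one pass, appending the line if the file has none. It runs against a constructed sample file, not Sun's real /etc/ssh/sshd_config; to apply it for real, point it at that path and then run the svcadm restart above. The value without-password is an OpenSSH option that permits root only with key authentication; whether your sshd supports it is something to check in its manual page before relying on it.

```shell
#!/bin/sh
# Added example, not from the original post: read and change PermitRootLogin
# in an sshd_config-style file, then verify the result. The config text used
# in demo_config is constructed, not the real Solaris file.

# Effective value as sshd sees it: the FIRST uncommented PermitRootLogin line
# wins (OpenSSH semantics). Prints "unset" if the keyword is absent.
get_permit_root_login() {
    awk 'tolower($1)=="permitrootlogin" && !found { val=$2; found=1 }
         END { print (found ? val : "unset") }' "$1"
}

# Rewrite every active PermitRootLogin line to the requested value, or append
# one if none exists. Only yes, no and without-password are accepted; the
# last of these is an OpenSSH value (key-only root login), see the lead-in.
set_permit_root_login() {
    file=$1; value=$2
    case "$value" in
        yes|no|without-password) ;;
        *) echo "bad PermitRootLogin value: $value" >&2; return 1 ;;
    esac
    awk -v v="$value" '
        tolower($1)=="permitrootlogin" { print "PermitRootLogin " v; seen=1; next }
        { print }
        END { if (!seen) print "PermitRootLogin " v }' "$file" > "$file.tmp" \
        && mv "$file.tmp" "$file"
}

# Demo on a constructed sample: the commented-out line must be ignored,
# the active "no" is what sshd would use, and after the change it reads yes.
demo_config() {
    f=$(mktemp) || return 1
    printf '%s\n' '# constructed sample sshd_config' 'Port 22' \
        '#PermitRootLogin yes' 'PermitRootLogin no' \
        'Subsystem sftp /usr/lib/ssh/sftp-server' > "$f"
    before=$(get_permit_root_login "$f")
    set_permit_root_login "$f" yes || { rm -f "$f"; return 1; }
    after=$(get_permit_root_login "$f")
    rm -f "$f"
    printf '%s %s\n' "$before" "$after"
}

demo_config
```

Run get_permit_root_login against the live file after the restart to confirm sshd picked up the change rather than an older duplicate line.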
So if telnet happens not to work after my next visit, just remember this post: like a good friend trying to help you kick the habit, I threw out your cigarettes.