2.13. Prohibiting Outgoing Telnet Connections
by Robert G. Byrnes, Richard E. Silverman, Daniel J. Barrett
Linux Security Cookbook
- Linux Security Cookbook
- Preface
- 1. System Snapshots with Tripwire
- 1.1. Setting Up Tripwire
- 1.2. Displaying the Policy and Configuration
- 1.3. Modifying the Policy and Configuration
- 1.4. Basic Integrity Checking
- 1.5. Read-Only Integrity Checking
- 1.6. Remote Integrity Checking
- 1.7. Ultra-Paranoid Integrity Checking
- 1.8. Expensive, Ultra-Paranoid Security Checking
- 1.9. Automated Integrity Checking
- 1.10. Printing the Latest Tripwire Report
- 1.11. Updating the Database
- 1.12. Adding Files to the Database
- 1.13. Excluding Files from the Database
- 1.14. Checking Windows VFAT Filesystems
- 1.15. Verifying RPM-Installed Files
- 1.16. Integrity Checking with rsync
- 1.17. Integrity Checking Manually
- 2. Firewalls with iptables and ipchains
- 2.1. Enabling Source Address Verification
- 2.2. Blocking Spoofed Addresses
- 2.3. Blocking All Network Traffic
- 2.4. Blocking Incoming Traffic
- 2.5. Blocking Outgoing Traffic
- 2.6. Blocking Incoming Service Requests
- 2.7. Blocking Access from a Remote Host
- 2.8. Blocking Access to a Remote Host
- 2.9. Blocking Outgoing Access to All Web Servers on a Network
- 2.10. Blocking Remote Access, but Permitting Local
- 2.11. Controlling Access by MAC Address
- 2.12. Permitting SSH Access Only
- 2.13. Prohibiting Outgoing Telnet Connections
- 2.14. Protecting a Dedicated Server
- 2.15. Preventing pings
- 2.16. Listing Your Firewall Rules
- 2.17. Deleting Firewall Rules
- 2.18. Inserting Firewall Rules
- 2.19. Saving a Firewall Configuration
- 2.20. Loading a Firewall Configuration
- 2.21. Testing a Firewall Configuration
- 2.22. Building Complex Rule Trees
- 2.23. Logging Simplified
- 3. Network Access Control
- 3.1. Listing Your Network Interfaces
- 3.2. Starting and Stopping the Network Interface
- 3.3. Enabling/Disabling a Service (xinetd)
- 3.4. Enabling/Disabling a Service (inetd)
- 3.5. Adding a New Service (xinetd)
- 3.6. Adding a New Service (inetd)
- 3.7. Restricting Access by Remote Users
- 3.8. Restricting Access by Remote Hosts (xinetd)
- 3.9. Restricting Access by Remote Hosts (xinetd with libwrap)
- 3.10. Restricting Access by Remote Hosts (xinetd with tcpd)
- 3.11. Restricting Access by Remote Hosts (inetd)
- 3.12. Restricting Access by Time of Day
- 3.13. Restricting Access to an SSH Server by Host
- 3.14. Restricting Access to an SSH Server by Account
- 3.15. Restricting Services to Specific Filesystem Directories
- 3.16. Preventing Denial of Service Attacks
- 3.17. Redirecting to Another Socket
- 3.18. Logging Access to Your Services
- 3.19. Prohibiting root Logins on Terminal Devices
- 4. Authentication Techniques and Infrastructures
- 4.1. Creating a PAM-Aware Application
- 4.2. Enforcing Password Strength with PAM
- 4.3. Creating Access Control Lists with PAM
- 4.4. Validating an SSL Certificate
- 4.5. Decoding an SSL Certificate
- 4.6. Installing a New SSL Certificate
- 4.7. Generating an SSL Certificate Signing Request (CSR)
- 4.8. Creating a Self-Signed SSL Certificate
- 4.9. Setting Up a Certifying Authority
- 4.10. Converting SSL Certificates from DER to PEM
- 4.11. Getting Started with Kerberos
- 4.12. Adding Users to a Kerberos Realm
- 4.13. Adding Hosts to a Kerberos Realm
- 4.14. Using Kerberos with SSH
- 4.15. Using Kerberos with Telnet
- 4.16. Securing IMAP with Kerberos
- 4.17. Using Kerberos with PAM for System-Wide Authentication
- 5. Authorization Controls
- 5.1. Running a root Login Shell
- 5.2. Running X Programs as root
- 5.3. Running Commands as Another User via sudo
- 5.4. Bypassing Password Authentication in sudo
- 5.5. Forcing Password Authentication in sudo
- 5.6. Authorizing per Host in sudo
- 5.7. Granting Privileges to a Group via sudo
- 5.8. Running Any Program in a Directory via sudo
- 5.9. Prohibiting Command Arguments with sudo
- 5.10. Sharing Files Using Groups
- 5.11. Permitting Read-Only Access to a Shared File via sudo
- 5.12. Authorizing Password Changes via sudo
- 5.13. Starting/Stopping Daemons via sudo
- 5.14. Restricting root’s Abilities via sudo
- 5.15. Killing Processes via sudo
- 5.16. Listing sudo Invocations
- 5.17. Logging sudo Remotely
- 5.18. Sharing root Privileges via SSH
- 5.19. Running root Commands via SSH
- 5.20. Sharing root Privileges via Kerberos su
- 6. Protecting Outgoing Network Connections
- 6.1. Logging into a Remote Host
- 6.2. Invoking Remote Programs
- 6.3. Copying Files Remotely
- 6.4. Authenticating by Public Key (OpenSSH)
- 6.5. Authenticating by Public Key (OpenSSH Client, SSH2 Server, OpenSSH Key)
- 6.6. Authenticating by Public Key (OpenSSH Client, SSH2 Server, SSH2 Key)
- 6.7. Authenticating by Public Key (SSH2 Client, OpenSSH Server)
- 6.8. Authenticating by Trusted Host
- 6.9. Authenticating Without a Password (Interactively)
- 6.10. Authenticating in cron Jobs
- 6.11. Terminating an SSH Agent on Logout
- 6.12. Tailoring SSH per Host
- 6.13. Changing SSH Client Defaults
- 6.14. Tunneling Another TCP Session Through SSH
- 6.15. Keeping Track of Passwords
- 7. Protecting Files
- 7.1. Using File Permissions
- 7.2. Securing a Shared Directory
- 7.3. Prohibiting Directory Listings
- 7.4. Encrypting Files with a Password
- 7.5. Decrypting Files
- 7.6. Setting Up GnuPG for Public-Key Encryption
- 7.7. Listing Your Keyring
- 7.8. Setting a Default Key
- 7.9. Sharing Public Keys
- 7.10. Adding Keys to Your Keyring
- 7.11. Encrypting Files for Others
- 7.12. Signing a Text File
- 7.13. Signing and Encrypting Files
- 7.14. Creating a Detached Signature File
- 7.15. Checking a Signature
- 7.16. Printing Public Keys
- 7.17. Backing Up a Private Key
- 7.18. Encrypting Directories
- 7.19. Adding Your Key to a Keyserver
- 7.20. Uploading New Signatures to a Keyserver
- 7.21. Obtaining Keys from a Keyserver
- 7.22. Revoking a Key
- 7.23. Maintaining Encrypted Files with Emacs
- 7.24. Maintaining Encrypted Files with vim
- 7.25. Encrypting Backups
- 7.26. Using PGP Keys with GnuPG
- 8. Protecting Email
- 8.1. Encrypted Mail with Emacs
- 8.2. Encrypted Mail with vim
- 8.3. Encrypted Mail with Pine
- 8.4. Encrypted Mail with Mozilla
- 8.5. Encrypted Mail with Evolution
- 8.6. Encrypted Mail with mutt
- 8.7. Encrypted Mail with elm
- 8.8. Encrypted Mail with MH
- 8.9. Running a POP/IMAP Mail Server with SSL
- 8.10. Testing an SSL Mail Connection
- 8.11. Securing POP/IMAP with SSL and Pine
- 8.12. Securing POP/IMAP with SSL and mutt
- 8.13. Securing POP/IMAP with SSL and Evolution
- 8.14. Securing POP/IMAP with stunnel and SSL
- 8.15. Securing POP/IMAP with SSH
- 8.16. Securing POP/IMAP with SSH and Pine
- 8.17. Receiving Mail Without a Visible Server
- 8.18. Using an SMTP Server from Arbitrary Clients
- 9. Testing and Monitoring
- 9.1. Testing Login Passwords (John the Ripper)
- 9.2. Testing Login Passwords (CrackLib)
- 9.3. Finding Accounts with No Password
- 9.4. Finding Superuser Accounts
- 9.5. Checking for Suspicious Account Use
- 9.6. Checking for Suspicious Account Use, Multiple Systems
- 9.7. Testing Your Search Path
- 9.8. Searching Filesystems Effectively
- 9.9. Finding setuid (or setgid) Programs
- 9.10. Securing Device Special Files
- 9.11. Finding Writable Files
- 9.12. Looking for Rootkits
- 9.13. Testing for Open Ports
- 9.14. Examining Local Network Activities
- 9.15. Tracing Processes
- 9.16. Observing Network Traffic
- 9.17. Observing Network Traffic (GUI)
- 9.18. Searching for Strings in Network Traffic
- 9.19. Detecting Insecure Network Protocols
- 9.20. Getting Started with Snort
- 9.21. Packet Sniffing with Snort
- 9.22. Detecting Intrusions with Snort
- 9.23. Decoding Snort Alert Messages
- 9.24. Logging with Snort
- 9.25. Partitioning Snort Logs Into Separate Files
- 9.26. Upgrading and Tuning Snort’s Ruleset
- 9.27. Directing System Messages to Log Files (syslog)
- 9.28. Testing a syslog Configuration
- 9.29. Logging Remotely
- 9.30. Rotating Log Files
- 9.31. Sending Messages to the System Logger
- 9.32. Writing Log Entries via Shell Scripts
- 9.33. Writing Log Entries via Perl
- 9.34. Writing Log Entries via C
- 9.35. Combining Log Files
- 9.36. Summarizing Your Logs with logwatch
- 9.37. Defining a logwatch Filter
- 9.38. Monitoring All Executed Commands
- 9.39. Displaying All Executed Commands
- 9.40. Parsing the Process Accounting Log
- 9.41. Recovering from a Hack
- 9.42. Filing an Incident Report
- Index
- About the Authors
- Colophon
- Copyright
To block all outgoing Telnet connections:
# iptables -A OUTPUT -p tcp --dport telnet -j REJECT
For ipchains:
# ipchains -A output -p tcp --dport telnet -j REJECT
To block all outgoing Telnet connections except to yourself from yourself:
For iptables:
# iptables -A OUTPUT -p tcp -o lo --dport telnet -j ACCEPT # iptables -A OUTPUT -p tcp --dport telnet -j REJECT
For ipchains:
# ipchains -A output -p tcp -i lo --dport telnet -j ACCEPT # ipchains -A output -p tcp --dport telnet -j REJECT
Telnet is notoriously insecure in its most common form, which transmits your login name and password in plaintext over the network. This recipe is a sneaky way to encourage your users to find a more secure alternative, such as ssh. (Unless your users are running Telnet in a secure fashion with Kerberos authentication. [Recipe 4.15])
-
No Comment
..................Content has been hidden....................
You can't read the all page of ebook, please click here login for view all page.