Securing the VOS Telnet Daemon
Noah Davids
Stratus Customer Assistance Center
May 23, 2012
Securing the VOS Telnet Daemon
• Background – why is the Telnet daemon still needed
• Restricting connections with TCP Wrappers
• Selective listening with -local_ip
• Using SSH tunnels
• Using IPSec
• What not to do
Background – why is the Telnet daemon still needed
• Running telnetd is required for
  • RSN
    • Incoming slave
  • Remote printing
    • Outgoing slave
  • If you don't use telnetd for your own connections you can remove the telnet line from the telnetservice file
  • If you don't use telnetd for your own connections and you don't want RSN support you can remove both the telnet and rsn_incoming lines from the telnetservice file
  • If you don't use telnetd for your own connections, don't want RSN support and don't do remote printing, then you can stop running telnetd
Restricting connections with TCP Wrappers
• Start telnetd with the -tcpwrapper_check and -numeric arguments set to yes.
• Set up the hosts.allow and hosts.deny files in >system>stcp
• Format is
  • >system>stcp>command_library>telnetd.pm : IP-ADDR1 IP-ADDR2 IP-ADDR3 IP-ADDR4/MASK
  • See http://stratadoc.stratus.com/vos/17.1.0/r419-10/wwhelp/wwhimpl/js/html/wwhelp.htm?context=r419-10&file=ch5r419-10l.html for alternative formats
Restricting connections with TCP Wrappers
• Addresses in the hosts.allow file are allowed to complete the login process
• Addresses in the hosts.deny file are disconnected
• Addresses in neither file are allowed to complete the login process
  • This line in the hosts.deny file will prevent any logins except those in the hosts.allow file
    • >system>stcp>command_library>telnetd.pm : ALL
• Changes in the hosts.allow and hosts.deny files take place immediately; there is no need to restart telnetd
• Changes will not affect connections already logged in
Restricting connections with TCP Wrappers
• Users that are denied will get connected and then disconnected
  • What they see will depend on their telnet client
  • Scanning programs will note that something is listening on the port since a TCP connection completes before the disconnect
• The >system>stcp>logs>tcpddeny file will list all denied connections
  • 12-04-25 15:42:11 mst telnetd: refused connect from myworkstation.stratus.com
  • Note the double "d" in the tcpddeny name
• The >system>stcp>logs>tcpdallow file will list all allowed connections
  • 12-04-25 15:08:58 mst telnetd: connect from yourworkstation.stratus.com
Restricting connections with TCP Wrappers
• The hosts.allow and hosts.deny files apply to all ports that telnetd is listening on
  • You cannot have a separate set for one port and a different set for another
Restricting connections with TCP Wrappers
• The default telnetservice file listens for both the telnet service (port 23) and the rsn_incoming service (port 85)
    telnet window_term "keepalive nodelay " "Default login service" 1
    + 1 tli_log.m15
    rsn_incoming window_term "keepalive nodelay " "" 0 1 rsn_in.m15
• Removing the telnet service will prevent connections to port 23, but connections to port 85 must be allowed for the RSN to work
    rsn_incoming window_term "keepalive nodelay " "" 0 1 rsn_in.m15
• Outgoing slave connections are not listed
Restricting connections with TCP Wrappers
• Setting the hosts.deny file to prevent all telnet connections and the hosts.allow file to allow only the RSN server will prevent anyone except the RSN server from maintaining a telnet connection
    %phx_vos#m15_mas>system.17.0>stcp>hosts.allow
    >system>stcp>command_library>telnetd.pm : 10.10.1.200
    %phx_vos#m15_mas>system.17.0>stcp>hosts.deny
    >system>stcp>command_library>telnetd.pm : ALL
• Scanners will still see that something is listening on port 85
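As an added example (not part of the deck and not Stratus code), the following Python models the hosts.allow / hosts.deny decision the preceding slides describe and parses the tcpdallow / tcpddeny log lines shown on slide 6, so an administrator can check what a given client address would get before touching the live files. The daemon name, the ": ADDR ADDR ADDR/MASK" line format, the ALL keyword and the log line layout are taken from the slides; the evaluation order (hosts.allow consulted first, then hosts.deny, then allow by default) is an assumption of this model that matches the slides' description and the "deny ALL, allow the RSN server" configuration, and the linked StrataDOC page remains authoritative for the real daemon.

```python
"""Added example: model of the TCP Wrappers decision for telnetd
(-tcpwrapper_check yes) plus a parser for tcpdallow / tcpddeny lines.
Not the VOS implementation; evaluation order is an assumption (see lead-in)."""
import ipaddress
import re

DAEMON = ">system>stcp>command_library>telnetd.pm"


def parse_hosts_file(text):
    """Parse 'daemon : addr addr addr/MASK' lines into {daemon: [networks]}.
    'ALL' becomes the whole IPv4 space; '#' comments and blank lines are skipped."""
    rules = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        daemon, addrs = (part.strip() for part in line.split(":", 1))
        nets = rules.setdefault(daemon, [])
        for token in addrs.split():
            if token.upper() == "ALL":
                nets.append(ipaddress.ip_network("0.0.0.0/0"))
            else:
                # strict=False accepts a host address with a mask, e.g. 10.10.1.7/24
                nets.append(ipaddress.ip_network(token, strict=False))
    return rules


def _listed(rules, daemon, addr):
    return any(addr in net for net in rules.get(daemon, []))


def telnetd_decision(allow_text, deny_text, client_ip, daemon=DAEMON):
    """Return 'allow' or 'deny' for one connecting client address.
    Assumed order: hosts.allow first, then hosts.deny, otherwise allow."""
    addr = ipaddress.ip_address(client_ip)
    if _listed(parse_hosts_file(allow_text), daemon, addr):
        return "allow"
    if _listed(parse_hosts_file(deny_text), daemon, addr):
        return "deny"
    return "allow"  # in neither file: the slides say the login completes


# tcpdallow / tcpddeny lines, as shown on the slide:
#   12-04-25 15:42:11 mst telnetd: refused connect from myworkstation.stratus.com
LOG_RE = re.compile(
    r"^(?P<date>\d\d-\d\d-\d\d) (?P<time>\d\d:\d\d:\d\d) (?P<tz>\S+) "
    r"(?P<daemon>\S+): (?P<verdict>refused connect|connect) from (?P<host>\S+)$"
)


def parse_tcpd_log(text):
    """Return (verdict, host) tuples; verdict is 'refused' or 'allowed'."""
    out = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            verdict = "refused" if m["verdict"].startswith("refused") else "allowed"
            out.append((verdict, m["host"]))
    return out


# Constructed sample files mirroring the slides' "RSN server only" setup.
SAMPLE_ALLOW = f"{DAEMON} : 10.10.1.200\n"
SAMPLE_DENY = f"{DAEMON} : ALL\n"
SAMPLE_LOG = (
    "12-04-25 15:42:11 mst telnetd: refused connect from myworkstation.stratus.com\n"
    "12-04-25 15:08:58 mst telnetd: connect from yourworkstation.stratus.com\n"
)

if __name__ == "__main__":
    for ip in ("10.10.1.200", "10.10.1.7", "192.0.2.9"):
        print(ip, telnetd_decision(SAMPLE_ALLOW, SAMPLE_DENY, ip))
    print(parse_tcpd_log(SAMPLE_LOG))
```

With the sample files only 10.10.1.200 is allowed; with an empty hosts.deny every address is allowed, which is the "addresses in neither file" case from slide 5, so the deny ALL line is what actually closes the door.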
Selective listening with -local_ip
• Tells telnetd to only listen on a specific interface for the indicated port
• The following line tells telnetd to only listen on the maintenance network interface for connections to the rsn_incoming service (port 85)
    rsn_incoming window_term "keepalive nodelay " "RSN Incoming Service"
    + 0 1 rsn_in.m17 "-local_ip 10.10.1.1"
    netstat -numeric -all_sockets
    . . . . .
    tcp 0 0 10.10.1.1:85 *:* LISTEN
    . . . . .
• Scans from networks other than the maintenance network will not see anything listening on port 85
Selective listening with -local_ip
• Of course any host on the 10.10.1.0/24 subnet can make a connection on port 85, not just the RSN server
  • They will not be able to do anything except make the connection because the RSN software has its own protections
  • You can use the hosts.allow and hosts.deny files to lock it down to just the RSN server
Selective listening with -local_ip
• If forwarding is enabled it is possible that a host on another local network could also make the connection by using the module to route between a public network and the maintenance network
  • Unless you have a really good reason to have forwarding enabled (it is on by default) you should turn it off
    IP_forwarding
    ipForwarding ON
    ready 14:36:38
    IP_forwarding off
    ipForwarding OFF
  • Need to run the command twice (see stcp-3055) for it to take effect
Using SSH tunnels
• When using an SSH tunnel you configure telnetd to listen only on localhost (127.0.0.1)
    telnet window_term "keepalive nodelay" "SSH Tunnel Connections" 1
    + 1 tli_login.m17 "-local_ip 127.0.0.1"
    netstat -numeric -all_sockets
    . . . . .
    tcp 0 0 127.0.0.1:23 *:* LISTEN
    . . . . .
• Scanners will not see anything listening on port 23 but they will detect sshd on port 22
Using SSH tunnels
• How users set up the SSH tunnel will depend on their SSH client
• What happens is
  1. The SSH client on the client host makes a connection to the SSH server on the module (link A in the next slide)
  2. The SSH client on the client host starts listening on the port specified (12345) during setup on the client host
  3. The client's telnet client makes a connection to localhost port 12345 (link B in the next slide)
  4. The SSH client sends this connection request to the SSH server on the module, which makes a connection to the port specified (23) during setup on the client system (link C)
• The connections between the telnet client and SSH on the client system and between SSHD and telnetd on the module are unencrypted but never leave the local host
• Communication between hosts is encrypted by SSH
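As an added example (not part of the deck and not Stratus code), the Python below shows the plumbing of the four steps above and of the "-local_ip 127.0.0.1" listener on the previous slide: a stand-in service bound to loopback only, a stand-in for the SSH client's local listener on the client host (the slide's port 12345) that relays each accepted connection to the service, and a client that talks only to localhost. Everything here runs on one machine in the clear over loopback, so it demonstrates what listens where and how the request is handed along, not the encryption that real SSH applies on link A; with OpenSSH the equivalent client-side setup is "ssh -L 12345:127.0.0.1:23 user@module". Port numbers are chosen by the OS (port 0) rather than 23 and 12345 so the example runs without privileges.

```python
"""Added example: loopback-only service plus a local port forwarder playing
the SSH client's listener role. Toy relay, no encryption; not VOS or OpenSSH code."""
import socket
import threading

LOOPBACK = "127.0.0.1"


def start_service(bind_ip=LOOPBACK):
    """Stand-in for 'telnetd -local_ip 127.0.0.1': answers one request per
    connection with 'VOS> ' + the bytes received. Returns (ip, port) it listens on,
    which is what the netstat line on the slide shows."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((bind_ip, 0))  # port 0: let the OS pick a free port (23 on the slide)
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                data = conn.recv(4096)
                conn.sendall(b"VOS> " + data)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()


def _pump(src, dst):
    """Copy bytes src -> dst until src closes, then close dst's write side."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def start_forwarder(target, bind_ip=LOOPBACK):
    """Stand-in for the SSH client's local listener (port 12345 on the slide).
    Each accepted connection is relayed to 'target'; in the real setup SSHD on the
    module would make that connection to telnetd. Returns (ip, port) it listens on."""
    lst = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lst.bind((bind_ip, 0))
    lst.listen(5)

    def accept_loop():
        while True:
            client, _ = lst.accept()
            upstream = socket.create_connection(target)
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return lst.getsockname()


def client_roundtrip(forwarder_addr, line):
    """The telnet client's view: it only ever connects to localhost:<forwarder port>."""
    with socket.create_connection(forwarder_addr, timeout=5) as c:
        c.sendall(line)
        c.shutdown(socket.SHUT_WR)
        reply = b""
        while True:
            chunk = c.recv(4096)
            if not chunk:
                break
            reply += chunk
    return reply


def demo():
    """Wire service -> forwarder -> client; return the two bound IPs and the reply."""
    service = start_service()
    forwarder = start_forwarder(service)
    return service[0], forwarder[0], client_roundtrip(forwarder, b"login noah\r\n")


if __name__ == "__main__":
    print(demo())
```

Both listeners report 127.0.0.1 from getsockname(), which is the property the slide's netstat output is checking for: nothing on another interface can reach either socket, and only the SSH connection on port 22 is visible from outside.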
Using SSH tunnels
[Diagram: on the client host, the telnet client connects over link B to the SSH client listening on port 12345; the SSH client connects over link A to SSHD on port 22 on the module; SSHD connects over link C to Telnetd on port 23]
Using SSH tunnels
• To set up the RSN server to connect to the system using SSH tunnels instead of telnet
  • Change the telnetservice file so that the rsn_incoming service specifies the local_ip address of 127.0.0.1
    rsn_incoming window_term "keepalive nodelay " "RSN Incoming Service"
    + 0 1 rsn_in.m17 "-local_ip 127.0.0.1"
    tcp 0 0 127.0.0.1:85 *:* LISTEN
  • Specify an ssh_uid in the update_rsnip_site command
    • Since the SSH client is being run automagically by the RSN server it cannot prompt for a password, so you must also set up SSH public key authentication for the specified user on both the RSN server and the module
  • Public key setup is left as an exercise for the reader or a possible future talk
Using SSH tunnels
• Scanners will not detect anything listening on port 85 but they will detect port 22
• When using tunnels you do not have to worry about illicit connections made via forwarding
• HOWEVER, my comment still stands: unless you have a very good reason to allow forwarding it should be turned off.
Using IPSec
• IPSec is separately shipped software
  • It also costs extra
  • Talk to your account team
• Typically used to encrypt all communication between two hosts
  • very Very VERY hard to set up
• Can be used to just block communication from unwanted hosts
  • Much easier to set up
  • Scanners will not see anything unless the scan is made from one of the "wanted" hosts
Using IPSec
• ipsec.conf file
  • Allow 164.152.77.50 and 164.152.77.107 to use telnet; everyone else will have their packets dropped
    {saddr 164.152.77.50 ulp tcp dport 23 dir in} bypass {}
    {saddr 164.152.77.107 ulp tcp dport 23 dir in} bypass {}
    {saddr 0.0.0.0/0 ulp tcp dport 23 dir in} drop {}
• Load the policies with the command
    ipsec_policy_admin add -file ipsec.conf
• Usually a good idea to flush previous rules, and I also like to list the rules
    ipsec_policy_admin flush
    ipsec_policy_admin add -file ipsec.conf
    ipsec_policy_admin list
Using IPSec
• The "No properties defined" messages are because the rules do not have any properties, just bypass and drop
  • The load_ipsec.cm contains the 3 previous commands
    load_ipsec
    SetProperties: No properties defined
    SetProperties: No properties defined
    SetProperties: No properties defined
    ipsecconf: System IPSEC policy configured.
    spd[0]
    spd index = 1
    saddr = 164.152.77.50
    daddr end = 255.255.255.255
    dport = telnet
    ulp = tcp
    action = bypass
    direction = in
    mode = dontcare
    spd[2]
    spd index = 2
    saddr = 164.152.77.107
    daddr end = 255.255.255.255
    dport = telnet
    ulp = tcp
    action = bypass
    direction = in
    mode = dontcare
    spd[4]
    spd index = 3
    saddr end = 255.255.255.255
    daddr end = 255.255.255.255
    dport = telnet
    ulp = tcp
    action = drop
    direction = in
    mode = dontcare
    ipsecconf: 3 SP configured.
    ready 15:23:50
Using IPSec
• The policies
    {saddr 10.10.1.200 ulp tcp dport 85 dir in} bypass {}
    {saddr 0.0.0.0/0 ulp tcp dport 85 dir in} drop {}
  will allow only the RSN server (10.10.1.200) to connect to port 85
• Note that even though keys are not being exchanged it is still necessary to run the iked command once so that the system is configured to use the IPSec policies.
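As an added example (not part of the deck and not Stratus code), the Python below parses the ipsec.conf selector lines used on the IPSec slides (both the port 23 set and the port 85 set above) and evaluates an inbound TCP packet against them, so the rule order can be checked offline before running ipsec_policy_admin. The selector keywords (saddr, ulp, dport, dir) and the bypass/drop actions are those on the slides; first-match evaluation, "no matching rule means no policy applies", and the shadowing check are assumptions of this model rather than a description of how VOS processes the file.

```python
"""Added example: parser and first-match evaluator for the ipsec.conf lines on
the slides. Model only; first-match semantics are an assumption, not VOS behaviour."""
import ipaddress
import re

# {saddr 164.152.77.50 ulp tcp dport 23 dir in} bypass {}
RULE_RE = re.compile(r"^\{(?P<sel>[^}]*)\}\s*(?P<action>bypass|drop)\s*\{\s*\}$")


def parse_policy(text):
    """Turn selector/action lines into a list of rule dicts, in file order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparsable policy line: {line!r}")
        tokens = m["sel"].split()
        if len(tokens) % 2:
            raise ValueError(f"selector needs key/value pairs: {line!r}")
        sel = dict(zip(tokens[0::2], tokens[1::2]))
        rules.append({
            # a bare address such as 164.152.77.50 becomes a /32 network
            "saddr": ipaddress.ip_network(sel.get("saddr", "0.0.0.0/0"), strict=False),
            "ulp": sel.get("ulp"),
            "dport": int(sel["dport"]) if "dport" in sel else None,
            "dir": sel.get("dir", "in"),
            "action": m["action"],
        })
    return rules


def evaluate(rules, saddr, ulp, dport, direction="in"):
    """First matching rule decides; None means no rule covers this packet."""
    addr = ipaddress.ip_address(saddr)
    for r in rules:
        if addr not in r["saddr"]:
            continue
        if r["ulp"] is not None and r["ulp"] != ulp:
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        if r["dir"] != direction:
            continue
        return r["action"]
    return None


def shadowed_rules(rules):
    """Indexes of rules that can never match under first-match evaluation because
    an earlier rule with the same ulp/dport/dir already covers their whole source
    range, e.g. a 'drop 0.0.0.0/0' line placed above the bypass lines."""
    out = []
    for i, r in enumerate(rules):
        for e in rules[:i]:
            same = (e["ulp"], e["dport"], e["dir"]) == (r["ulp"], r["dport"], r["dir"])
            if same and r["saddr"].subnet_of(e["saddr"]):
                out.append(i)
                break
    return out


# Constructed from the slides' two policy sets (telnet on 23, RSN on 85).
SAMPLE_CONF = """
{saddr 164.152.77.50 ulp tcp dport 23 dir in} bypass {}
{saddr 164.152.77.107 ulp tcp dport 23 dir in} bypass {}
{saddr 0.0.0.0/0 ulp tcp dport 23 dir in} drop {}
{saddr 10.10.1.200 ulp tcp dport 85 dir in} bypass {}
{saddr 0.0.0.0/0 ulp tcp dport 85 dir in} drop {}
"""

if __name__ == "__main__":
    rules = parse_policy(SAMPLE_CONF)
    for ip, port in (("164.152.77.50", 23), ("198.51.100.9", 23),
                     ("10.10.1.200", 85), ("10.10.1.7", 85)):
        print(ip, port, evaluate(rules, ip, "tcp", port))
    print("shadowed:", shadowed_rules(rules))
```

The shadowing check is the useful part: if the drop-everything line is listed before the bypass lines, the evaluator reports the bypass rules as unreachable and the wanted hosts get dropped too, which is the kind of mistake worth catching before the flush/add/list sequence on the earlier slide.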
What not to do
• Do not remove (or change) the telnet service definition from the >system>stcp>services file
  • It will prevent the telnet client from working
    • Unless you also specify port 23
      • telnet 1.2.3.4 23
  • It will prevent maintenance and diagnostic tools that use the telnet client to connect to the ftScalable disk array from working
Summary
Do scanners see an open port?
• TCP Wrappers: Yes
• -local_ip: Yes (but only on the selected interface)
• SSH Tunnels: No
  • Requires client to connect to localhost
  • Will require key setup to skip password prompt
• IPSec: No
  • Requires separately shipped and priced software
• Don't remove telnet from the services file
Questions?
a = b
a^2 = a*b
a^2 - b^2 = a*b - b^2
(a+b)(a-b) = b(a-b)
(a+b) = b
a+a = a
2a = a
2 = 1
Thank You!