Disabling Telnet Port 23 Access [Solved]

ColinM

New desktop, dual boot Win98se and Mdk 10.1 oe, two hard drives connected on the same cable, Win drive is master.

 

External Serial Aztech 56kbs modem, Agnitum firewall on Win98seOS, and Guarddog on Linux: both activated and correctly setup.

 

I've just installed both OS with default settings on a clean new computer and they work fine.

(I installed Agnitum Outpost Firewall free version too.)

 

After connecting to the internet using dial-up I went to one of those online security checkers called 'Shields Up', and ran the test.

 

Everything is OK, except it failed the ping test by responding to a ping request, and more alarmingly told me my Port 23 Telnet is open.

 

This occurs using both the Win OS and Mdk: same result. Telnet is open. Though no evidence it is active.

 

Is this anything to be concerned about?

 

I use the desktop for internet access and uploading files to my website by ftp.

 

I suspect it's wise to shut down the Telnet 23 port, but how do I go about doing that?

 

I've checked in the Mdk MCC and there's no Telnet process listed anywhere.

It's configured as a desktop workstation, no Samba, or Lan etc.

 

 

Something odd which may/not be relevant.

In the Guarddog Protocol area it lists all the protocols available. (I've only allowed/checked the DNS, ftp, http, and https boxes) But at the bottom of the tree list is a '?User defined' entity.

 

I noticed a similar entity in the Windows system devices listings too. Can't get any info about it, and it looks suspicious. I use an external serial modem and the internal winmodem is disabled. This may be a red herring, but I mention it in case it is important.

 

Ta!

 

PS. I tried enabling Shorewall first, and with that too, Shields Up detected port 23 telnet open, that is why I disabled Shorewall and tried Guarddog: same result.

Edited by ColinM

Open a console, log in as root and type: netstat -pant. That will show all open ports and applications listening. And have a look in MCC, system, services to check what is running.

Thanks Devries, you've helped me greatly in recent weeks.

This site is invaluable.

 

I ran the netstat -pant command, first with my modem switched off...

 

Result not connected with internet:

 

[root@localhost colin]# netstat -pant
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN      3117/X
tcp        0      0 :::6000                 :::*                    LISTEN      3117/X
[root@localhost colin]#

 

Then I switched the modem on, and dialed up a connection: (Same readout)

 

[root@localhost colin]# netstat -pant
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN      3117/X
tcp        0      0 :::6000                 :::*                    LISTEN      3117/X
[root@localhost colin]#

 

Then I visited this website (MdkUsers) using the Firefox browser: (I've edited out the IPs)

 

[root@localhost colin]# netstat -pant
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN      3117/X
tcp        0      0 (my dialup IP):1029       (mozilla's IP):80      ESTABLISHED 4572/firefox-bin
tcp        0      0 (my dialup IP):1035       (MdkUser's Site host IP):80       ESTABLISHED 4572/firefox-bin
tcp        0      0 (my dialup IP):1030       (my RSS feed IP):80           ESTABLISHED 4572/firefox-bin
tcp        0      0 (my dialup IP):1031       (Another News Rss feed IP):80       ESTABLISHED 4572/firefox-bin
tcp        0      0 :::6000                 :::*                    LISTEN      3117/X
[root@localhost colin]#

 

All this looks OK (so far) to my untrained eye.

 

Here's the other data you requested:

 

MCC>System>Services Running:

 

alsa

atd

bluetooth (I don't need this I could turn it off)

crond

dm

fam (ticked: start when requested)

harddrake

iptables stopped: but ticked On boot (I'm using Guarddog, is this OK)

keytable

keyheader

messagebus

netfs

network

numlock

partmon

shorewall stopped (Not ticked)

sound

syslog

udev

xfs

xinetd

 

Yet when I go to the 'Shields Up' test, it says Port 23 is open Telnet and I'm very vulnerable.

 

(Previously, when I only had the single HD using Linux, I got the all clear at Shields Up.

So it is likely something to do with how the Win98se is reinstalled on the master HD)

 

I get the same result from 'Shields Up' whichever OS I use, so perhaps the 'Telnet vulnerability' is at the motherboard, modem, or ISP level?

 

Is my port 23 really open and vulnerable to remote Telnet access?

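The comparison being done by hand in this thread (what netstat shows listening locally versus what an external scanner reports) as an added Python example; this is not code from the thread. The sample netstat output is constructed to resemble the one above: the addresses are documentation ranges and the cupsd line is an assumption added to show a loopback-only bind.

```python
# Constructed sample modelled on the netstat -pant output above; the addresses are
# documentation ranges and the cupsd line is an assumption added to show a loopback bind.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN      3117/X
tcp        0      0 :::6000                 :::*                    LISTEN      3117/X
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      2201/cupsd
tcp        0      0 192.0.2.10:1029         203.0.113.8:80          ESTABLISHED 4572/firefox-bin
"""

WILDCARD = {"0.0.0.0", "::", "*"}   # bound on every interface, reachable over the dial-up link
LOOPBACK = {"127.0.0.1", "::1"}     # only reachable from the machine itself

def parse_listeners(text):
    """Return {port: (bind_address, 'PID/program')} for each socket in LISTEN state."""
    listeners = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] not in ("tcp", "tcp6"):
            continue                      # header lines and udp rows are skipped
        local, state = fields[3], fields[5]
        if state != "LISTEN":
            continue                      # ESTABLISHED rows are outbound client sockets
        addr, _, port = local.rpartition(":")   # rpartition keeps IPv6 ':::6000' intact
        program = fields[6] if len(fields) > 6 else "-"
        listeners[int(port)] = (addr, program)
    return listeners

def exposure(addr):
    if addr in WILDCARD:
        return "all interfaces"
    if addr in LOOPBACK:
        return "loopback only"
    return "one interface"

def compare_with_scanner(text, scanner_open_ports):
    """For each port an external scan reported open, say whether this host explains it."""
    listeners = parse_listeners(text)
    verdict = {}
    for port in scanner_open_ports:
        if port in listeners:
            addr, program = listeners[port]
            verdict[port] = f"listening locally: {program} on {exposure(addr)}"
        else:
            verdict[port] = "nothing listening locally: answered upstream (ISP proxy, modem) or scan hit another host"
    return verdict

if __name__ == "__main__":
    print(compare_with_scanner(SAMPLE_NETSTAT, [23, 6000]))   # 23 as reported by the external scan
```

Run it against the real output of `netstat -pant` to see whether a port the scanner calls open has any local process behind it at all.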

While you scratch your heads along with me, here's an update.

 

I logged off Linux, and logged in using my Win HD, then tested at Shields Up again, on the Win OS.

 

I got the all clear today! All ports closed or stealthed. It replied to a ping test, so failed overall, but at least the Telnet port is closed on the Win OS.

 

Perhaps this is because I fiddled around in the Win>System>Devices and deleted the ?Unknown Device (I think it was a U-Storage USB device)

Now when I restart Win, the PnP notices two devices and asks me to select the driver. I cancelled this request. Next time I'll select the driver so it PnPs, then re-test at Shields Up to see if that has anything to do with opening my Port 23.

 

I'll re-test the Mdk OS at Shield's Up again later on.

 

Your advice and comments appreciated.

 

Colin


Telnetd runs under xinetd; once you turn xinetd off, telnetd will be killed too. Or you can edit the file /etc/xinetd.d/telnet from this:

service telnet
{
       flags           = REUSE
       socket_type     = stream
       wait            = no
       user            = root
       server          = /usr/sbin/in.telnetd
       log_on_failure  += USERID
       disable         = no
}

to this

service telnet
{
       flags           = REUSE
       socket_type     = stream
       wait            = no
       user            = root
       server          = /usr/sbin/in.telnetd
       log_on_failure  += USERID
       disable         = yes
}

 

Then restart xinetd,

# service xinetd restart

so you can still have xinetd running while telnetd stopped.

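An added Python example (not idud's code and not part of Mandrake) that checks xinetd service files the way the edit above does, with the caveat that xinetd treats a missing `disable` attribute as `disable = no`: it parses a stanza, reports whether xinetd would start the service, rewrites the stanza to `disable = yes`, and lists the enabled services across a set of files. The telnet stanza is a copy of the one above; the rsync variant in the test is constructed.

```python
import re

# Copy of the /etc/xinetd.d/telnet stanza shown in the reply above (constructed file contents).
TELNET_STANZA = """\
service telnet
{
       flags           = REUSE
       socket_type     = stream
       wait            = no
       user            = root
       server          = /usr/sbin/in.telnetd
       log_on_failure  += USERID
       disable         = no
}
"""

# attribute lines: name, operator (=, +=, -=), value; the operator is matched but not applied
ATTR_RE = re.compile(r"^\s*(\w+)\s*(\+=|-=|=)\s*(.*?)\s*$")
SERVICE_RE = re.compile(r"^\s*service\s+(\S+)")

def parse_stanza(text):
    """Return (service_name, {attribute: value}) for one xinetd.d service file."""
    name, attrs = None, {}
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            name = m.group(1)
            continue
        m = ATTR_RE.match(line)
        if m:
            attrs[m.group(1)] = m.group(3)
    return name, attrs

def is_enabled(text):
    """xinetd starts a service unless 'disable = yes' is present; no line at all means enabled."""
    _, attrs = parse_stanza(text)
    return attrs.get("disable", "no").strip().lower() != "yes"

def disable_stanza(text):
    """Return the stanza with 'disable = yes', inserting the line before '}' if it was absent."""
    if re.search(r"^\s*disable\s*=", text, re.M):
        return re.sub(r"^(\s*disable\s*=\s*)\S+", r"\1yes", text, flags=re.M)
    return text.replace("\n}", "\n       disable         = yes\n}", 1)

def enabled_services(files):
    """files: {filename: contents} as read from /etc/xinetd.d. Names xinetd would start."""
    return sorted(parse_stanza(t)[0] for t in files.values() if is_enabled(t))
```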

Heya,

 

it would also be good to disable the listening of the X server. This way you don't have anything listening, it seems. If that's true you could maybe even not run the firewall :). Of course it is better to run it. It's an extra layer of security, also for outgoing connections if they're filtered. Of course, you can argue that the firewall could contain bugs ...

 

Anyway, I'm not a Mandrake user myself anymore, but I believe you can disable the listening of the X server in the security part of the Mandrake Control Center. However, if that doesn't work you can have a look at the following thread:

 

http://mandrakeusers.org/index.php?showtopic=23650&hl=

 

Michel


You know, I just have a thought.

 

Maybe the problem is not in your machine, but your ISP's machine. You see, some ISPs have automatic web proxying (I know one ISP in my country does). Since Shields Up is web based, it may scan your ISP's proxy server instead of your own computer. After a few days, maybe the ISP found the vulnerability and then fixed it.

 

Anyway, as far as I know, Windows 98 SE doesn't have a telnet server. I mean, have you tried telnetting into a Windows 98 SE machine through port 23? (like telnet 127.0.0.1). If it doesn't work, then you shouldn't be worried.


Fascinating and very helpful replies! Thank you all.

 

I've not changed anything since my last post, just tested at 'Shields Up' and Telnet Port 23 is now closed!? I got the all clear except I failed the ping test. (My computer responded to a ping.)

 

From this I gather that the previously open Port 23 was something to do with the 'Unknown Device' I detected and deleted on the Win98se OS. It must've been at the motherboard or modem level to influence the Mdk system too. It'll be interesting to retest after I PnP that, and retest the Mdk OS at Shields Up.

 

Thank you Devries: I ran those commands you gave whilst connected to this board:

The result looks OK to me:

 

[root@localhost colin]# netstat -panu
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
[root@localhost colin]# ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.2 0.4 1408 480 ? S 02:06 0:01 init [5]
root 2 0.0 0.0 0 0 ? S 02:06 0:00 [migration/0]
root 3 0.0 0.0 0 0 ? SN 02:06 0:00 [ksoftirqd/0]
root 4 0.0 0.0 0 0 ? S< 02:06 0:00 [events/0]
root 5 0.0 0.0 0 0 ? S< 02:06 0:00 [khelper]
root 6 0.0 0.0 0 0 ? S< 02:06 0:00 [kblockd/0]
root 32 0.0 0.0 0 0 ? S 02:06 0:00 [kapmd]
root 34 0.0 0.0 0 0 ? S 02:06 0:00 [pdflush]
root 35 0.0 0.0 0 0 ? S 02:06 0:00 [pdflush]
root 37 0.0 0.0 0 0 ? S< 02:06 0:00 [aio/0]
root 36 0.0 0.0 0 0 ? S 02:06 0:00 [kswapd0]
root 147 0.0 0.0 0 0 ? S 02:06 0:00 [kseriod]
root 275 0.0 0.0 0 0 ? S 02:06 0:00 [kjournald]
root 410 0.0 0.2 1388 284 ? S<s 02:06 0:00 udevd
root 807 0.0 0.0 0 0 ? S 02:06 0:00 [khubd]
root 1050 0.0 0.0 0 0 ? S 02:06 0:00 [kjournald]
root 2529 0.0 0.3 1420 420 ? Ss 02:06 0:00 /sbin/ifplugd -w
root 2553 0.0 0.4 1460 544 ? Ss 02:06 0:00 syslogd -m 0
root 2561 0.0 0.3 2120 416 ? Ss 02:06 0:00 klogd -2
xfs 2913 0.0 1.2 5288 1328 ? Ss 02:06 0:00 xfs -port -1 -dae
72 2938 0.0 0.5 2052 552 ? Ss 02:06 0:00 dbus-daemon-1 --s
root 3023 0.0 0.4 2436 492 ? S 02:06 0:00 /usr/bin/mdkkdm -
daemon 3026 0.0 0.3 1524 432 ? Ss 02:06 0:00 /usr/sbin/atd
root 3033 2.6 8.3 35876 9064 ? S 02:06 0:14 /etc/X11/X -defer
root 3080 0.0 1.0 3356 1112 ? S 02:06 0:00 -:0
root 3085 0.0 0.5 1988 564 ? Ss 02:06 0:00 xinetd -stayalive
root 3394 0.0 0.4 1448 532 ? Ss 02:06 0:00 crond
root 3496 0.0 0.3 1396 400 tty1 Ss+ 02:06 0:00 /sbin/mingetty tt
root 3497 0.0 0.3 1396 400 tty2 Ss+ 02:06 0:00 /sbin/mingetty tt
root 3498 0.0 0.3 1396 400 tty3 Ss+ 02:06 0:00 /sbin/mingetty tt
root 3499 0.0 0.3 1396 400 tty4 Ss+ 02:06 0:00 /sbin/mingetty tt
root 3500 0.0 0.3 1396 400 tty5 Ss+ 02:06 0:00 /sbin/mingetty tt
root 3501 0.0 0.3 1396 400 tty6 Ss+ 02:06 0:00 /sbin/mingetty tt
colin 3956 0.0 0.8 2860 948 ? S 02:06 0:00 /bin/sh /usr/bin/
colin 4008 0.0 2.2 11108 2472 ? S 02:06 0:00 /usr/bin/bluez-pi
colin 4029 0.5 6.6 27620 7236 ? S 02:06 0:02 /usr/bin/perl /us
colin 4053 0.0 3.2 14756 3552 ? S 02:06 0:00 magicdev
colin 4057 0.0 0.5 2432 576 ? S 02:06 0:00 dbus-launch --sh-
colin 4062 0.0 0.5 2052 552 ? Ss 02:06 0:00 dbus-daemon-1 --f
colin 4079 0.0 0.5 2636 604 ? Ss 02:06 0:00 s2u --daemon=yes
colin 4085 0.0 1.4 3808 1600 ? S 02:06 0:00 /usr/lib/gconfd-2
colin 4086 0.0 5.8 22288 6364 ? Ss 02:06 0:00 kdeinit: Running.
colin 4089 0.0 5.9 22148 6536 ? S 02:06 0:00 kdeinit: dcopserv
colin 4091 0.0 6.9 23860 7588 ? S 02:06 0:00 kdeinit: klaunche
colin 4097 0.2 7.7 25108 8452 ? S 02:07 0:01 kdeinit: kded
colin 4109 0.1 2.3 10836 2540 ? S 02:07 0:00 /usr/bin/artsd -F
colin 4111 0.0 8.0 30376 8780 ? S 02:07 0:00 kdeinit: knotify
colin 4112 0.0 0.2 1400 260 ? S 02:07 0:00 kwrapper ksmserve
colin 4114 0.0 7.2 23772 7932 ? S 02:07 0:00 kdeinit: ksmserve
colin 4118 0.1 8.9 25032 9792 ? S 02:07 0:00 kdeinit: kwin -se
colin 4120 0.3 12.0 31996 13108 ? S 02:07 0:01 kdeinit: kdesktop
colin 4122 0.5 10.9 27976 11900 ? S 02:07 0:02 kdeinit: kicker
colin 4123 0.0 6.1 23400 6736 ? S 02:07 0:00 kdeinit: kio_file
colin 4135 0.0 7.5 24168 8272 ? S 02:07 0:00 kdeinit: khotkeys
colin 4137 0.0 7.7 24300 8496 ? S 02:07 0:00 kdeinit: kwrited
colin 4138 0.1 7.7 23596 8484 ? S 02:07 0:00 kwikdisk -session
colin 4140 0.1 9.9 27620 10816 ? S 02:07 0:00 korgac --miniicon
colin 4156 0.2 9.5 24064 10392 ? S 02:07 0:01 kppp -icon kppp.p
root 4157 0.0 4.9 21948 5416 ? Ss 02:07 0:00 kppp -icon kppp.p
root 4268 0.0 0.6 2364 708 ttyS0 Ss+ 02:09 0:00 pppd 57600 -detac
colin 4297 0.0 0.6 2360 720 ? S 02:09 0:00 /bin/sh /home/col
colin 4310 0.0 0.8 2908 960 ? S 02:09 0:00 /bin/sh /home/col
colin 4315 3.4 20.5 89192 22432 ? Sl 02:09 0:12 /home/colin/firef
colin 4336 1.9 27.5 129660 29968 ? Sl 02:09 0:06 kaffeine
colin 4525 1.9 12.2 26828 13320 ? S 02:14 0:00 kdeinit: konsole
colin 4529 0.0 1.6 3056 1808 pts/1 Ss 02:14 0:00 /bin/bash
root 4564 0.0 0.9 2340 1052 pts/1 S 02:14 0:00 su
root 4570 0.1 1.4 2544 1548 pts/1 S 02:15 0:00 bash
root 4623 0.0 0.6 2248 736 pts/1 R+ 02:15 0:00 ps aux

 

idud: Thank you!

Looks like your suggestion is very wise to follow, but do I need xinetd for anything else? What would I lose by turning it off altogether?

ibodo eh? :)

 

Michael: That sounds a good suggestion too. But I'll proceed one step at a time, and reboot between switching things off.

 

DragonMage: That is highly likely. I'm in S.E. Asia on dialup, and the national ISP is dodgy by default. I do get different IPs assigned at various times.

 

I've never tried Telnet, it's a closed book to me. But I can see the point you are making.

 

Colin

Edited by ColinM

idud: I just had a look in my xinetd.d folder using Nautilus and could not see any file called: /etc/xinetd.d/telnet

 

It only has two files: fam and rsync and neither mentions telnet inside.

 

I looked both with xinetd started, and then stopped via the MCC.

Is it a hidden file in Nautilus?

I'm using Mdk 10.1 OE

 

Colin

Edited by ColinM

/etc/xinetd.d/telnet is a normal file, and it comes from package telnetd. So if the file doesn't exist, it means that you don't have any telnet-run-from-xinetd service running on port 23. (I feel strange now)

 

How about the output from this command:

$ nmap -P0 localhost



I looked for any files named telnet* using the find facility and drew a blank.

So I don't appear to have any telnet files on my installation. Perhaps Telnet has been dropped from Mdk 10.1 OE. From what I read it should be extinct anyway, or reserved for those bods who still use newsgroups...

 

Anyway, I tried again today at 'Shields Up' and got the all clear on Win OS and Mdk OS.

I also tried the hackerwatch.org/probe and passed that too. (Telnet port closed) Port 80 http was open, which I think has to be open if you want to surf the web.

 

Here's the result of running the command you suggested:

 

[root@localhost colin]# $ nmap -P0 localhost
bash: $: command not found
[root@localhost colin]# nmap -P0 localhost

Starting nmap 3.55 ( http://www.insecure.org/nmap/ ) at 2005-04-27 02:56 BST
Interesting ports on localhost (127.0.0.1):
(The 1659 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
6000/tcp open  X11

Nmap run completed -- 1 IP address (1 host up) scanned in 0.970 seconds
[root@localhost colin]#

 

What does that tell you? I checked 127.0.0.1: it is iana.org.

 

I appreciate your help.

 

Colin

PS. Devries; I'll get that ntp clock synchronized! I wondered why I had to manually reset it so often...
