Securing the VOS Telnet Daemon

Securing the VOS Telnet Daemon 

Noah Davids 

Stratus Customer Assistance Center 

May 23, 2012

Securing the VOS Telnet Daemon 

� Background – Why is the Telnet daemon still needed 

� Restricting connections with TCP Wrappers 

� Selective listening with –local_ip 

� Using SSH tunnels 

� Using IPSec 

� What not to do 

2

Background – why is the Telnet 

daemon still needed 

� Running telnetd is required for 

• RSN 

� Incoming slave 

• Remote printing 

� Outgoing slave 

• If you don’t use telnetd for your own connections you can 

remove the telnet line from the telnetservice file 

• If you don’t use telnetd for your own connections and you 

don’t want RSN support you can remove both the telnet and 

rsn_incoming lines from the telnetservice file 

• If you don’t use telnetd for your own connections and don’t 

want RSN support and don’t do remote printing then you can 

stop running telnetd 

3

Restricting connections with TCP 

Wrappers 

� Start telnet with the –tcpwrapper_check and – 

numeric arguments set to yes. 

� Set up the hosts.allow and hosts.deny files in 

>system>stcp 

� Format is 

• >system>stcp>command_library>telnetd.pm : IP-ADDR1 IP- 

ADDR2 IP-ADDR3 IP-ADDR4/MASK 

• See http://stratadoc.stratus.com/vos/17.1.0/r419- 

10/wwhelp/wwhimpl/js/html/wwhelp.htm?context=r419- 

10&file=ch5r419-10l.html for alternative formats 

4


Wrappers 

� Addresses in the hosts.allow file are allowed to 

complete the login process 

� Addresses in the hosts.deny file are disconnected 

� Addresses in neither file are allowed to complete the 

login process 

• This line in the hosts.deny will prevent any logins except those 

in the hosts.allow file 

� >system>stcp>command_library>telnetd.pm : ALL 

� Changes in the hosts.allow and hosts.deny file take 

place immediately – no need to restart telnetd 

� Changes will not effect connections already logged in 

5


Wrappers 

� Users that are denied will get connected and then 

disconnected 

• What they see will depend on their telnet client 

• Scanning programs will note that something is listening on the 

port since a TCP connection completes before the disconnect 

� >system>stcp>logs>tcpddeny file will list all denied 

connections 

• 12-04-25 15:42:11 mst telnetd: refused connect from myworkstation.stratus.com 

� Note the double “d” in the tcpddeny name 

� >system>stcp>logs>tcpdallow file will list all allowed 

connections 

• 12-04-25 15:08:58 mst telnetd: connect from yourworkstation.stratus.com 

6


Wrappers 

� The hosts.allow and deny files are for all ports that 

telnetd is listening for 

• You cannot have a separate set for 1 port and a different set 

for another 

7


Wrappers 

� The default telnetservice file listens for both the 

telnet service (port 23) and the rsn_incoming service 

(port 85) 

telnet window_term "keepalive nodelay " "Default login service" 1 

+ 1 tli_log.m15 

rsn_incoming window_term "keepalive nodelay " "" 0 1 rsn_in.m15 

� Removing the telnet service will prevent connections 

to port 23 but connections to port 85 must be 

allowed for the RSN to work 

rsn_incoming window_term "keepalive nodelay " "" 0 1 rsn_in.m15 

� Outgoing slave connections are not listed 

8


Wrappers 

� Setting the hosts.deny file to prevent all telnet 

connections and the hosts.allow file to allow only the 

RSN server will prevent anyone except the RSN 

server from maintaining a telnet connection 

%phx_vos#m15_mas>system.17.0>stcp>hosts.allow 

>system>stcp>command_library>telnetd.pm : 10.10.1.200 

%phx_vos#m15_mas>system.17.0>stcp>hosts.deny 

>system>stcp>command_library>telnetd.pm : ALL 

� Scanners will still see that something is listening on 

port 85 

9

Selective listening with –local_ip 

� Tells telnetd to only listen on a specific interface for 

the indicated port 

� The following line tells telnetd to only listen on the 

maintenance network interface for connections to the 

rsn_incoming service (port 85) 

rsn_incoming window_term "keepalive nodelay " "RSN Incoming Service" 

+ 0 1 rsn_in.m17 "-local_ip 10.10.1.1“ 

netstat –numeric –all_sockets 

. . . . . 

tcp 0 0 10.10.1.1:85 *:* LISTEN 

. . . . . 

� Scans from networks other than the maintenance 

network will not see anything listening on port 85 

10


� Of course any host on the 10.10.1.0/24 subnet can 

make a connection on port 85 not just the RSN server 

• They will not be able to do anything except make the 

connection because the RSN software has its own protections 

• You can use the hosts.allow and hosts.deny files to lock it 

down to just the RSN server 

11


� If forwarding is enabled it is possible that a host on another 

local network could also make the connection by using the 

module to route between a public network and the maintenance 

network 

• Unless you have a really good reason to have forwarding enabled (its 

is on by default) you should turn it off 

IP_forwarding 

ipForwarding ON 

ready 14:36:38 

IP_forwarding off 

ipForwarding OFF 

• Need to run the command twice (see stcp-3055) for it to take 

effect 

12

Using SSH tunnels 

� When using an SSH tunnel you configure telnetd to 

listen only to localhost (127.0.0.1) 

telnet window_term "keepalive nodelay" "SSH Tunnel Connections" 1 

+ 1 tli_login.m17 "-local_ip 127.0.0.1“ 

netstat –numeric –all_sockets 

. . . . . 

tcp 0 0 127.0.0.1:23 *:* LISTEN 

. . . . . 

� Scanners will not see anything listening on port 23 

but they will detect sshd on port 22 

13


� How users set up the SSH tunnel will depend on their SSH client 

� What happens is 

1. SSH client on the client host makes a connection to the SSH server 

on the module (link A in next slide) 

2. The SSH client on the client host starts listening on the port 

specified (12345) during setup on the client host 

3. The client’s telnet client makes a connection to localhost port 12345 

(link B in next slide) 

4. The SSH client sends this connection request to the SSH server on 

the module which makes a connection to the port specified (23) 

during setup on the client system (link C) 

� The connections between the telnet client and SSH on the client 

system and between SSHD and telnetd on the module are 

unencrypted but never leave the local host 

� Communication between hosts is encrypted by SSH 

14


C 

Telnetd 

Port 23 

SSHD 

Port 22 

A 

SSH 

Port 

12345 

B 

Client 

15


� To set up the RSN server to connect to the system 

using SSH tunnels instead of telnet 

• Change the telnetservice file so that the rsn_incoming service 

specifies the local_ip address of 127.0.0.1 

rsn_incoming window_term "keepalive nodelay " "RSN Incoming Service" 

+ 0 1 rsn_in.m17 "-local_ip 127.0.0.1“ 

tcp 0 0 127.0.0.1:85 *:* LISTEN 

• Specify an ssh_uid in the update_rsnip_site command 

� Since the SSH client is being run automagically by the RSN server it 

cannot prompt for a password and so you must also set up SSH 

public key authentication for the specified user on both the RSN 

Server and the module 

• Public Key setup is left as an exercise for the reader or a possible future 

talk 

16


� Scanners will not detect anything listening on port 85 

but they will detect port 22 

� When using tunnels you do not have to worry about 

illicit connections made via forwarding 

� HOWEVER, my comment still stands, unless you have 

a very good reason to allow forwarding it should be 

turned off. 

17

Using IPSec 

� IPSec is separately shipped software 

• It also costs extra 

• Talk to your account team 

� Typically used to encrypt all communication between 

two hosts 

• very Very VERY hard to set up 

� Can be used to just block communication from 

unwanted hosts 

• Much easier to set up 

• Scanners will not see anything unless the scan is made from 

one of the “wanted” hosts 

18

Using IPSec 

� ipsec.conf file 

• Allow 164.152.77.50 and 164.152.77.107 to use telnet 

everyone else will have their packets dropped 

{saddr 164.152.77.50 ulp tcp dport 23 dir in} bypass {} 


{saddr 0.0.0.0/0 ulp tcp dport 23 dir in} drop {} 

� Load the policies with the command 

ipsec_policy_admin add -file ipsec.conf 

� Usually a good idea to flush previous rules and I also 

like to list the rules 

ipsec_policy_admin flush 

ipsec_policy_admin add -file ipsec.conf 

ipsec_policy_admin list 

19

Using IPSec 

� The “No properties defined” messages are because 

the rules do not have any properties, just bypass and 

drop 

• The load_ipsec.cm contains the 3 previous commands 

load_ipsec 

SetProperties: No properties defined 



ipsecconf: System IPSEC policy configured. 

spd[0] 

spd index = 1 

saddr = 164.152.77.50 

daddr end = 255.255.255.255 

dport = telnet 

ulp = tcp 

action = bypass 

direction = in 

mode = dontcare 

20

Using IPSec 

spd[2] 

spd index = 2 

saddr = 164.152.77.107 

daddr end = 255.255.255.255 


ulp = tcp 

action = bypass 



spd[4] 

spd index = 3 

saddr end = 255.255.255.255 

daddr end = 255.255.255.255 


ulp = tcp 

action = drop 



ipsecconf: 3 SP configured. 

ready 15:23:50 

21

Using IPSec 

� The policies 


{saddr 0.0.0.0/0 ulp tcp dport 85 dir in} drop {} 

Will allow only the RSN server (10.10.1.200) to 

connect to port 85 

� Note that even though keys are not being exchanged 

it is still necessary to run the iked command once so 

that the system is configured to use the IPSec 

policies. 

22

What not to do 

� Do not remove (or change) the telnet service 

definition from the >system>stcp>services file 

• It will prevent the telnet client from working 

� Unless you also specify port 23 

• telnet 1.2.3.4 23 

• It will prevent maintenance and diagnostic tools that use the 

telnet client to connect to the ftScalable disk array from 

working 

23

Summary 

Scanners see an open port 

� TCP Wrappers Yes 

� -local_ip Yes (but only on selected interface) 

� SSH Tunnels No 

• Requires client to connect to localhost 

• Will require key setup to skip password prompt 

� IPSec No 

• Requires separately shipped and priced software 

� Don’t remove telnet from the services file 

24

Questions? 

a = b 

a^2 = a*b 

a^2-b^2 = a*b-b^2 

(a+b)(a-b) = b(a-b) 

(a+b) = b 

a+a = a 

2a = a 

2 = 1 

25

Thank You! 

26

Securing the VOS Telnet Daemon

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?