From owner-freebsd-isp  Thu Jan 17 10:49:40 2002
Delivered-To: freebsd-isp@freebsd.org
Received: from lily.ezo.net (lily.ezo.net [206.102.130.13])
	by hub.freebsd.org (Postfix) with ESMTP id 566B437B41D
	for <freebsd-isp@FreeBSD.ORG>; Thu, 17 Jan 2002 10:49:37 -0800 (PST)
Received: from openwebmail (newpeony.ezo.net [206.102.130.9])
	by lily.ezo.net (8.11.6/8.11.6) with ESMTP id g0HInAV01755;
	Thu, 17 Jan 2002 13:49:10 -0500 (EST)
	(envelope-from jflowers@cantoncommerce.com)
Date: Thu, 17 Jan 2002 13:49:10 -0500 (EST)
Message-Id: <200201171849.g0HInAV01755@lily.ezo.net>
From: "Jim Flowers" <jflowers@cantoncommerce.com>
To: Andrew Houghton <aah@acm.org>, freebsd-isp@FreeBSD.ORG
Subject: Re: How to secure telnet?
In-Reply-To: <DFEBLBPNIMCBCMIBDEOACELFEAAA.aah@acm.org>
References: <DFEBLBPNIMCBCMIBDEOACELFEAAA.aah@acm.org>
X-Mailer: Open WebMail 1.53 20020107
X-OriginatingIP: 66.19.185.154 (jflowers)
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-isp.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-isp>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-isp>
X-Loop: FreeBSD.org

set up a sacrificial host and allow only telnet through your firewall to it.  
Allow only ssh -2 from it to your server that has the shell accounts and 
firewall out access from it to any of your other machines.  Optionally 
include a portsentry scanner and keep an eye on the logs.
   
> I have a server for shell accounts, and up to now the only way people have
> been able to access it is via SSH.  One of the users is leaving for a
> year-long, round-the-world jaunt.
> 
> SSH is pretty much out of the question for him -- if he can find an internet
> cafe in some of the places he's going, he won't be able to install new
> software, it would probably take years just to download a client over a 56K
> link, etc. etc.
> 
> I'd like to support him by making telnet available to him.  Any thoughts on
> the best/most secure way to do this?
> 
> - a.
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-isp" in the body of the message


--
Jim Flowers<jflowers@ezo.net>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message