From owner-freebsd-security  Thu Mar 14 10:58:45 2002
Delivered-To: freebsd-security@freebsd.org
Received: from web11308.mail.yahoo.com (web11308.mail.yahoo.com [216.136.131.211])
	by hub.freebsd.org (Postfix) with SMTP id 6D21637B400
	for <freebsd-security@freebsd.org>; Thu, 14 Mar 2002 10:58:39 -0800 (PST)
Message-ID: <20020314185839.8844.qmail@web11308.mail.yahoo.com>
Received: from [205.175.225.24] by web11308.mail.yahoo.com via HTTP; Thu, 14 Mar 2002 10:58:39 PST
Date: Thu, 14 Mar 2002 10:58:39 -0800 (PST)
From: Dean Phillips <deanphillips@yahoo.com>
Subject: Re: telnet / ipfw question
To: FreeBSD Security <freebsd-security@freebsd.org>
Cc: "N. J. Cash" <ncash@pei.eastlink.ca>
In-Reply-To: <003501c1cb81$2e12faa0$e8cede18@xeno>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

No, it does not look safe.

All of your traffic (including any passwords) can be
sniffed any time you use telnet.

Limiting the IP address helps but is vulnerable to IP
spoofing.  IP spoofing can be used to hijack your
connection or even log in.

I highly recommend ssh as a much better alternative. 
Clients are available for most common operating
systems.

Regards,
Dean M. Phillips

--- "N. J. Cash" <ncash@pei.eastlink.ca> wrote:
> I have telnet enabled on my system running
> 4.5-stable and have it hidden
> behind very strick ipfw rules so that the only IP
> that has access to the box
> on port 23 is my home static IP, everything else is
> denied by the firewall.
> I'm well aware of the risks of having telnet open
> and how insecure it can be
> so, i'm just looking for some input here if this
> sounds like a safe way to
> have the daemon running on a system. Would there
> still be security risks
> involved
> that i'm not aware about running it this way?
> 
> Here's basically what's going on in ipfw for port
> 23.
> 
> ipfw add 1400 allow log tcp from x.x.myip.x.x to any
> 23
> ipfw add 09000 deny log ip from any to any
> 
> 
> Look safe ?
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of
> the message


__________________________________________________
Do You Yahoo!?
Yahoo! Sports - live college hoops coverage
http://sports.yahoo.com/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message