Discussion:
echo-like replacement for telnetd
henry nelson
2002-09-18 01:55:50 UTC
Now that I have ssh working, I thought I would just shut down port 23
entirely. There is one machine, however, that I used to run a public
service on. I'd like to continue to issue a message about the status
of that service, which was available by telnet. Presently people
login, get a message telling them what's going on, and then are kicked
off. Ideally, rather than offer a login at all, just a message would
be transmitted to their telnet client.

Is there any _secure_ tool available that would work like that? TIA
--
henry nelson
Jeremy C. Reed
2002-09-18 02:25:08 UTC
Post by henry nelson
off. Ideally, rather than offer a login at all, just a message would
be transmitted to their telnet client.
Very easy with inetd.

Instead of having inetd start the telnetd, just have it run your own
script that outputs that message.

(Or you could use tcp wrappers to output a message or run a command
instead.)

You can use the tcp wrappers to make it more secure (like only allow your
customer's IPs to access it).

Jeremy C. Reed
http://www.reedmedia.net/
Andy R
2002-09-18 17:04:44 UTC
Post by henry nelson
Now that I have ssh working, I thought I would just shut down port 23
entirely. There is one machine, however, that I used to run a public
service on. I'd like to continue to issue a message about the status
of that service, which was available by telnet. Presently people
login, get a message telling them what's going on, and then are kicked
off. Ideally, rather than offer a login at all, just a message would
be transmitted to their telnet client.
Is there any _secure_ tool available that would work like that? TIA
I had a FreeBSD machine I had to do something similar
with, so I just tried compiling a C program that was a
bunch of printf's, changed the line in inetd to point
to this program instead of the real telnetd, and it
works fine. Prints out information, then exits.
Windows telnet clients don't display it right though,
it wraps. Real telnet clients work fine.

Maybe someone can tell me if this is secure?

Andy

Giorgos Keramidas
2002-09-18 21:35:37 UTC
I had a FreeBSD machine I had to do something similar with, so I
just tried compiling a C program that was a bunch of printf's,
changed the line in inetd to point to this program instead of the
real telnetd, and it works fine. Prints out information, then exits.
Windows telnet clients don't display it right though, it wraps. Real
telnet clients work fine.
Maybe someone can tell me if this is secure?
No. At least, not without seeing the source.

But you went and put yourself into a lot of trouble to reimplement
something that is already there, as a feature. Try adding the
following to your hosts.allow file:

telnet : 127.0.0.1 : allow
telnet : ALL \
: severity auth.info \
: twist /bin/echo "You are not welcome to use %d from %h."

The libwrap support of inetd(8) will take care of the rest :-)

- Giorgos
Andy R
2002-09-18 22:58:24 UTC
Post by Andy R
I had a FreeBSD machine I had to do something similar with, so I
just tried compiling a C program that was a bunch of printf's,
changed the line in inetd to point to this program instead of the
real telnetd, and it works fine. Prints out information, then exits.
Windows telnet clients don't display it right though, it wraps. Real
telnet clients work fine.
Maybe someone can tell me if this is secure?
Post by Giorgos Keramidas
No. At least, not without seeing the source.
But you went and put yourself into a lot of trouble to reimplement
something that is already there, as a feature. Try adding the
telnet : 127.0.0.1 : allow
telnet : ALL \
: severity auth.info \
: twist /bin/echo "You are not welcome to use %d from %h."
The libwrap support of inetd(8) will take care of the rest :-)
You learn something new every day... I had searched
high and low for information like this but never found
it. I finally decided to just make a program of all
printf's (don't see how it could be a security
exposure) and just pointed the telnet line in inetd at
it. Wish I knew how to find out what you just told me
above back then. This stuff isn't always easy... (It
isn't even sometimes easy for me!)

Andy

Chuck Yerkes
2002-09-19 01:49:39 UTC
change /etc/inetd.conf:

telnet stream tcp nowait root /usr/bin/printf printf "telnet is disabled\n"
or
telnet stream tcp nowait root /bin/cat cat /etc/notelnet.txt
or
telnet stream tcp nowait root /bin/echo echo "telnet is bad, okay"
Post by Andy R
You learn something new every day... I had searched
high and low for information like this but never found
it. I finally decided to just make a program of all
printf's (don't see how it could be a security
exposure) and just pointed the telnet line in inetd at
it. Wish I knew how to find out what you just told me
above back then. This stuff isn't always easy... (It
isn't even sometimes easy for me!)
Experience is what we call it. It's why I charge more than I
did 10 years ago. If I can do it in 20 minutes what New Kid does
in 1 day, then I'm cheaper than he is. Better, if I can TEACH
him this stuff and it takes 30 minutes, then everyone wins.
And I really don't want to handle setting up printcaps and tape
drives anymore.
Post by Andy R
I had a FreeBSD machine I had to do something similar with, so I
just tried compiling a C program that was a bunch of printf's,
changed the line in inetd to point to this program instead of the
real telnetd, and it works fine. Prints out information, then exits.
Windows telnet clients don't display it right though, it wraps. Real
telnet clients work fine.
Maybe someone can tell me if this is secure?
Post by Giorgos Keramidas
No. At least, not without seeing the source.
But you went and put yourself into a lot of trouble to reimplement
something that is already there, as a feature. Try adding the
telnet : 127.0.0.1 : allow
telnet : ALL \
: severity auth.info \
: twist /bin/echo "You are not welcome to use %d from %h."
The libwrap support of inetd(8) will take care of the rest :-)
henry nelson
2002-09-19 02:33:09 UTC
Post by Giorgos Keramidas
telnet : 127.0.0.1 : allow
telnet : ALL \
: severity auth.info \
: twist /bin/echo "You are not welcome to use %d from %h."
The libwrap support of inetd(8) will take care of the rest :-)
I wasn't able to get enough information from inetd(8) or hosts_access(5)
to show me what you've done so that I can create something to meet my own
needs. Specifically, what will %d or %h insert, and how would I enter a
short paragraph (3-4 lines)?

[For the time being I have inetd run a /bin/sh script to echo 3 lines of
information. The script is behind tcp wrappers. To overcome the "stair
casing" effect that I think Andy was referring to, I echo some control
codes, e.g., '^[[2J^[[3;4f', which positions the cursor. It seems to be
okay on the telnet clients I've tried.]

Anyway, thanks everyone.

henry nelson
Eric Fox
2002-09-19 03:40:41 UTC
Post by henry nelson
Post by Giorgos Keramidas
telnet : 127.0.0.1 : allow
telnet : ALL \
: severity auth.info \
: twist /bin/echo "You are not welcome to use %d from %h."
The libwrap support of inetd(8) will take care of the rest :-)
I wasn't able to get enough information from inetd(8) or hosts_access(5)
to show me what you've done so that I can create something to meet my own
needs. Specifically, what will %d or %h insert, and how would I enter a
short paragraph (3-4 lines)?
[For the time being I have inetd run a /bin/sh script to echo 3 lines of
information. The script is behind tcp wrappers. To overcome the "stair
casing" effect that I think Andy was referring to, I echo some control
codes, e.g., '^[[2J^[[3;4f', which positions the cursor. It seems to be
okay on the telnet clients I've tried.]
Anyway, thanks everyone.
henry nelson
The man pages hosts_access(5) and hosts_options(5) should have
everything you need to know ... for example, the 'banner' directive can
be used for exactly what you're wanting to do.
--
/\---/\ Eric J Fox
/ o o \ http://fox.phoenix.az.us
\.\ /./ ---------------------------
\@/ "Of course it runs NetBSD."
.
Jeremy C. Reed
2002-09-19 17:03:22 UTC
Post by henry nelson
I wasn't able to get enough information from inetd(8) or hosts_access(5)
to show me what you've done so that I can create something to meet my own
needs. Specifically, what will %d or %h insert, and how would I enter a
Look in hosts_access(5) again and search for "expansions":

%d The daemon process name (argv[0] value).

%h (%H)
The client (server) host name or address, if the
host name is unavailable.

Jeremy C. Reed
http://bsd.reedmedia.net/
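
An added example, not part of any post in this thread: a /bin/sh notice script of the kind henry describes, which ends each line with CR LF (the telnet NVT line ending) rather than relying on cursor-positioning codes, and filters the %h value before echoing it back. The install path, message text and function names are assumptions.

```sh
#!/bin/sh
# Added example: status notice for a retired telnet service, started by
# inetd or by a tcp wrappers "twist" option. It never reads client input.
# Hypothetical install path: /usr/local/libexec/telnet-notice
#
# inetd.conf entry (the script needs no privileges, so not root):
#   telnet stream tcp nowait nobody /usr/local/libexec/telnet-notice telnet-notice
# hosts.allow alternative (libwrap expands %h to the client host):
#   telnet : ALL : twist /usr/local/libexec/telnet-notice %h

# Keep only characters that are safe to echo back to a terminal, so an
# odd host string cannot carry escape sequences into the reply.
sanitize_host() {
    printf '%s' "$1" | LC_ALL=C tr -cd 'A-Za-z0-9.:_-' | cut -c1-64
}

# End every line with CR LF, the line ending of telnet's NVT. A bare LF
# moves down without returning to column 0: the "staircase".
to_nvt() {
    LC_ALL=C tr -d '\r' | awk '{ printf "%s\r\n", $0 }'
}

# Print the notice. $1 is the optional client host (constructed text).
notice() {
    host=$(sanitize_host "${1:-}")
    {
        echo "The public service on this host has been retired."
        echo "Interactive logins are available over ssh only."
        if [ -n "$host" ]; then
            echo "Connection from $host has been logged."
        fi
        echo "Closing connection."
    } | to_nvt
}

notice "${1:-}"
```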
