I can only log in to the telnet server from the local machine, can you check my configuration?


I'm using ArchLinux on this machine, using xinetd for the config.

/etc/xinetd.d/telnet

# service header and braces restored around the pasted attributes (xinetd requires them)
service telnet
{
        flags                   = REUSE
        socket_type             = stream
        wait                    = no
        user                    = root
        server                  = /usr/bin/telnetd
        log_on_failure          += USERID
        disable                 = no
}

This is a successful login from the same computer: telnet 192.168.1.2 (or localhost)

Apr 15 15:36:22 geo xinetd[4363]: START: telnet pid=4369 from=192.168.1.2
Apr 15 15:36:31 geo login[4370]: pam_unix(remote:session): session opened for user root by .telnet(uid=0)
Apr 15 15:36:31 geo login[4370]: ROOT LOGIN ON pts/3 FROM localhost.localdomain
Apr 15 15:36:35 geo login[4370]: pam_unix(remote:session): session closed for user root

This is an unsuccessful telnet from another computer. I don't understand why remote IPs also show up in the log (the second one, and many other foreign IPs, each time I start the telnet server on line 2)

Apr 15 15:42:19 geo xinetd[4363]: START: telnet pid=4382 from=192.168.1.5
Apr 15 15:42:27 geo xinetd[4363]: START: telnet pid=4386 from=114.26.76.231

user1861388

Posted 2018-04-15T12:49:09.130

Reputation: 75

Answers


Using Telnet in 2018, despite it being highly recommended not to do so; the ArchLinux Wiki on Telnet:

Telnet is the traditional protocol for making remote console connections over TCP. Telnet is not secure and is mainly used to connect to legacy equipment nowadays. Telnet traffic is easily sniffed for passwords and connections should never be made over any untrusted network including the Internet unless encrypted with SSH or tunneled through a VPN. For a secure alternative see SSH.

Seeing those foreign IP addresses in your logs seems normal: those are connection attempts you get simply by opening Telnet port 23 on the open Internet. There are bots tirelessly scanning this port. It's possible to test this, for example, by using sudo nc -l -p 23 -v -v on any public IP: within seconds or a couple of minutes you'll get a connection:

listening on [any] 23 ...
198.51.100.10: inverse host lookup failed: Unknown host
connect to [192.0.2.100] from (UNKNOWN) [198.51.100.10] 60061
Login:
tech
Password:
tech
s sent 17, rcvd 12

While Telnet is abandoned on servers, many routers, switches and IoT devices still utilize it. It's horrible that at the same time they are the devices that are the easiest to start using without doing any actual configuration, including leaving the default passwords. This is exactly why there are still those scans going on. If you're more interested in the subject, GitHub is full of Telnet honeypot projects.

You have seen enough. Now, the fixed configuration you need:

/etc/xinetd.d/telnet

        disable                 = yes

Esa Jokinen

Posted 2018-04-15T12:49:09.130

Reputation: 615
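To see how much of the "from=" traffic in the xinetd log is actually foreign scanning rather than LAN use, here is an added example (not from the question, the answer, or xinetd itself) that parses START lines in the format shown above and reports the public source addresses; the log lines are constructed, and "private" is assumed to mean loopback plus RFC 1918 ranges.

```shell
#!/bin/sh
# Constructed sample log in the xinetd START format seen in the question.
SAMPLE_LOG='Apr 15 15:36:22 geo xinetd[4363]: START: telnet pid=4369 from=192.168.1.2
Apr 15 15:42:19 geo xinetd[4363]: START: telnet pid=4382 from=192.168.1.5
Apr 15 15:42:27 geo xinetd[4363]: START: telnet pid=4386 from=114.26.76.231
Apr 15 15:43:01 geo xinetd[4363]: START: telnet pid=4390 from=198.51.100.10
Apr 15 15:43:09 geo xinetd[4363]: START: telnet pid=4394 from=114.26.76.231
Apr 15 15:44:00 geo xinetd[4363]: START: ftp pid=4398 from=203.0.113.7'

# is_private IP: succeed if IP is loopback or an RFC 1918 address.
is_private() {
    case "$1" in
        10.*|127.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# foreign_telnet_sources: read an xinetd log on stdin and print
# "count ip" for every non-private source of a telnet START event,
# most frequent first. Other services (e.g. ftp) are ignored.
foreign_telnet_sources() {
    awk '/xinetd\[[0-9]+\]: START: telnet /{ sub(/.*from=/, ""); print $1 }' |
    while IFS= read -r ip; do
        is_private "$ip" || printf '%s\n' "$ip"
    done | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# foreign_telnet_count: total telnet sessions spawned for non-private sources.
foreign_telnet_count() {
    foreign_telnet_sources | awk '{ n += $1 } END { print n + 0 }'
}

# Run against the constructed sample; on a real host you would pipe in
# journalctl -u xinetd or /var/log/messages instead.
printf '%s\n' "$SAMPLE_LOG" | foreign_telnet_sources
```

Any non-empty output while the service is enabled is exactly the scanning traffic the answer describes, and the count gives a quick measure of it before you set disable = yes.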