[NTLUG:Discuss] Strange iptables problem on CentOS 4.4

[. Daniel]

>Telnet needs to *die* - it's 100% obsolete.  ssh isn't perfect but it's
>heck of a lot better than nothing.
>
>Telnet was designed for use inside a little private network within
>one building maybe.  It's a lot older than the Internet and there is
>a strong case to be made for deleting it along with every copy of it's
>source code that we can find!
>
>With telnet, your data (including your password) goes across to the
>other computer in plaintext.  So anyone with any moderate amount of
>skill and/or interest can find out what your password is on the remote
>machine.  Once they know that, they can also telnet in, pretend to be
>you and do an awful lot of damage.  This damage might include installing
>their own software onto that machine to use it as a base for launching
>Spam, DDOS attacks and all manner of other horrors USING YOUR ACCOUNT.

Okay you're just stating more of the same as everyone else but you're 
leaving out the details like "how."  Yes, telnet is a plain-text protocol.  
But who listens and how?  We know what people do when they get in.  So the 
question remains, how do they listen?  They got a router out there 
compromised?  What are we talking about here?


>Not only is this dangerous for you - but it's also exceedingly
>antisocial because it gives the bad guys more computers to launch
>their attacks from.
>
>So it's not just about you - it's about being a good netizen.

Still need to know how.

>ssh encrypts everything.  There may have been a time when this was
>a significant burden in terms of CPU time - but these days the CPU
>is so much faster than the network that it really doesn't matter
>much except (perhaps) in the most demanding situations.
>
>So - get used to it.  ssh and tools like scp are the way things
>should be done...as the barest minimum.

It's not a concern over anything in terms of difficulty.  After all, I can 
ssh in and use the root account with much more ease.  But at the beginning, 
when the 'secure' connection is being negotiated, there's enough evidence 
both ways that, in theory, anyone who can be listening can also piece 
together the bits associated with the sessons being monitored.  In fact, 
one could go so far as to assume they are expecting to do as much since ssh 
is more commonly used than telnet.  Now if ssh involved the use of a key 
that was never transmitted during the negotiation part of the connection, I 
could be down with it being "secure."  But so far, just as in the case of 
https or even secure digital media, it's just in the name as being secure.

> > But fundamentally, I have to wonder about perceptions.  Is it better to 
use
> > something you don't fully understand simply because other people do?  
Or is
> > it better to understand what you're doing?  I have always subscribed to 
the
> > latter as the former never made much sense to me.  Been like that since 
I
> > was a little boy though, so maybe it's just me.
>
>When the consequences only affect you - then it's your call - but when
>it affects us all, you owe it to the community to use at least a
>minimally secure tool.
>
>ssh/scp are really easy to use and most (if not all) Linux/UNIX systems
>have it installed.  It shouldn't take you 20 minutes to learn all you
>need to know about them.  They aren't secure enough for military-grade
>secrets - but for what you are likely to use it for, they are pretty
>secure.

Ultimately, telnet is about as secure as http.  The protocols are rather 
similar in nature.  The same goes for SMTP and quite a few other protocols 
used on the net.  Telnet is rarely used as far as I can tell, so it may 
even be [recklessly] easy to assume that since it's rare by comparison, 
'They' aren't even looking.  We don't hear people going on a tirade over 
non-secure SMTP nor HTTP and yet that's how a majority of traffic flows..

I get that the protocol is largely deprecated by many.  (And yet routers 
and many devices like switches still use that means.)  All I ask for is 
why..  How is it exploited in ways that other protocols cannot be 
exploited?  Why is telnet singled out in this case?

_________________________________________________________________
ミュージカル『ゴールデンメッセ劇場のテーマ』きらびやかなシーンに心が躍る！ 
http://goldenmesse.jp/