[NTLUG:Discuss] Strange iptables problem on CentOS 4.4
Kenneth Loafman
kenneth at loafman.com
Mon Feb 19 06:33:42 CST 2007
Daniel wrote:
> Okay you're just stating more of the same as everyone else but you're
> leaving out the details like "how." Yes, telnet is a plain-text protocol.
> But who listens and how? We know what people do when they get in. So the
> question remains, how do they listen? They got a router out there
> compromised? What are we talking about here?
When I was on cable, I learned I could turn the box into promiscuous
mode and listen in on the entire cable segment. Lots of free passwords
if I wanted them. Telnet is the same way.
> Still need to know how.
How is unimportant... you can look it up on the web if you're persistent
and stubborn enough.
> It's not a concern over anything in terms of difficulty. After all, I can
> ssh in and use the root account with much more ease. But at the beginning,
> when the 'secure' connection is being negotiated, there's enough evidence
> both ways that, in theory, anyone who can be listening can also piece
> together the bits associated with the sessions being monitored. In fact,
> one could go so far as to assume they are expecting to do as much since ssh
> is more commonly used than telnet. Now if ssh involved the use of a key
> that was never transmitted during the negotiation part of the connection, I
> could be down with it being "secure." But so far, just as in the case of
> https or even secure digital media, it's just in the name as being secure.
What you describe is a Man-in-the-Middle attack, where an adversary can
see both sides of the conversation. Any protocol is susceptible to MITM
attacks. What SSH does is provide you with a secure connection before
it uses your key or password to log in to the session.
> Ultimately, telnet is about as secure as http. The protocols are rather
> similar in nature. The same goes for SMTP and quite a few other protocols
> used on the net. Telnet is rarely used as far as I can tell, so it may
> even be [recklessly] easy to assume that since it's rare by comparison,
> 'They' aren't even looking. We don't hear people going on a tirade over
> non-secure SMTP nor HTTP and yet that's how a majority of traffic flows..
HTTP and SMTP are both insecure protocols. That's the reason we have
HTTPS and encrypted mail.
> I get that the protocol is largely deprecated by many. (And yet routers
> and many devices like switches still use that means.) All I ask for is
> why.. How is it exploited in ways that other protocols cannot be
> exploited? Why is telnet singled out in this case?
Routers and switches rarely are left such that an external attacker can
access them from an outside IP address. Telnet may be OK internally,
but even at that, most of the harm comes from inside. Having SSH is not
a panacea for security, it's just a layer of armor in the battle.
As to how telnet can be attacked itself, that would depend on the
implementation of telnet. The bottom line though, is that with SSH, you
do not reveal your name or your password when you log in. With telnet
and HTTP, you do. What could an attacker do with that info?
BTW, it is a bad idea to allow root to login directly to SSH, especially
to an internet facing machine. Best practice is to log in to a normal
user account, then su to root, if allowed.
...Ken
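Ken's closing advice, that sshd should not accept direct root logins, as an added example that is not part of the original thread: a POSIX shell check that reads the effective `PermitRootLogin` value from an `sshd_config` the way sshd resolves it (the first uncommented occurrence of a keyword wins, and an absent keyword means the default, which is `yes`) and reports whether the file still allows root to log in straight over the network. The two configuration files are constructed samples written to temporary files, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes POSIX sh, awk and grep.

# Print the effective PermitRootLogin value for an sshd_config file.
# sshd honours the first occurrence of a keyword, so the first uncommented
# match is taken; a commented-out line ("#PermitRootLogin no") does not count.
# If the keyword is absent, the default "yes" applies.
effective_permit_root_login() {
    awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$1" \
        | grep . || echo yes
}

# Return 0 when direct root login is disabled, 1 otherwise.
# Note that "without-password" still allows root in with a key, so only an
# explicit "no" counts as disabled here.
root_login_disabled() {
    [ "$(effective_permit_root_login "$1")" = "no" ]
}

# Constructed sample configs: a weak one (commented-out "no" followed by an
# explicit "yes"), a hardened one, and one that omits the keyword entirely.
weak_cfg=$(mktemp)
hard_cfg=$(mktemp)
absent_cfg=$(mktemp)
trap 'rm -f "$weak_cfg" "$hard_cfg" "$absent_cfg"' EXIT

cat > "$weak_cfg" <<'EOF'
# sshd_config (constructed sample): root may still log in directly
Port 22
#PermitRootLogin no
PermitRootLogin yes
PasswordAuthentication yes
EOF

cat > "$hard_cfg" <<'EOF'
# sshd_config (constructed sample): log in as a normal user, then su
Port 22
PermitRootLogin no
PasswordAuthentication yes
EOF

cat > "$absent_cfg" <<'EOF'
# sshd_config (constructed sample): keyword missing, so the default applies
Port 22
PasswordAuthentication yes
EOF

# Report each file the way an audit script would.
for f in "$weak_cfg" "$hard_cfg" "$absent_cfg"; do
    if root_login_disabled "$f"; then
        echo "$f: PermitRootLogin=$(effective_permit_root_login "$f") (ok)"
    else
        echo "$f: PermitRootLogin=$(effective_permit_root_login "$f") (direct root login allowed)"
    fi
done
```

The check deliberately treats a missing keyword as `yes`, since that is what an untouched default configuration of the era meant, and it ignores commented lines so that a leftover `#PermitRootLogin no` does not give a false sense of safety.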