Have an interesting requirement. Have a network system with Internet
connection. Blocking all connection attempts to any address except for
the FTP server. (Protocol Filtering Router)
One of the requirements is the ability for users to telnet to their
workstations (Sun and SCO) from the Internet. This is currently allowed
by telneting to the FTP server, then telneting out from there.
This is relatively secure, as the number of accounts on that system is
strictly limited. Once there, you need to know an IP address to get out.
After giving users a shell and various and sundry attempts to limit that
shell, I have actually found it more secure to put telnet into their
home directory, and execute it as a shell instead. Without an underlying
shell, no shell functions can be performed, and the connection is dropped
when they log out of the remote system.
user:ashdfkja:1000:1000:Remote Access User:/home/user/telnet
1 - Any user can use
> open xxx.xxx.xxx.xxx 25
.. and telnet to the sendmail port on the Sun boxes. The security
here is performed at the Router and Firewall system, trying to leave the
inner system alone. (Yah, I know that a single break and the whole system
is compromised but this is how it's being done...)
-- Therefore, I'd like to find a way to kill that ability, and/or
replace telnet with something more limited.
2 - Is there anything else left open for attack?
BTW: The Router allows ICMP and DNS (port 53) data through. It allows
port 21,23,25 to go to the firewall (FTP,Telnet,SMTP) but disallows
all other protocols under 1024, blocks the standard NFS and NIS ports,
as well as X-Window ports.