Re: Remote telnet through firewall failing

From: FyRE (FyRE_at_toktik.d.co.uk.invalid)
Date: 12/23/04


Date: Wed, 22 Dec 2004 23:35:03 +0000

On Wed, 22 Dec 2004 11:35:41 -0500, John <ibis.john@rogers.com> wrote:

[...]

>I wish I could do this. I have Linux devices available on the LAN on which
>I am building this server, but there will be none on the end user LAN. The
>telnet problem required a solution, partly because the only device on the
>ultimate destination site which will be externally accessible will be the
>SCO system, but mainly due to the nature of the client software involved.
>
>I once was able to do what you described when there was a FreeBSD NAT server
>present, but the site owner took it out to put in a hardware firewall
>(ignoring my advice and overriding my security concerns) and this option
>was lost. Even when I did use this method, because of the nature of
>some of the client software involved which had very specific emulation and
>connection requirements, this method would not serve 100% of the time and
>direct telnet was still required for at least three of the users.

This is slightly puzzling. For one thing, the ssh tunnel will have no
impact on the emulation used, and for another, it would look like a
direct telnet connection (from the ssh server on the remote LAN) to
the SCOG box. Nevertheless, if the company you're working for cannot
spring for a few bucks for a linux/BSD box, or even source an old
obsolete PC to save you sending sensitive information across the
internet in plain text, then they deserve to have some 11 year old
playing with their network. Hopefully you explained how ridiculous it
is to force you to use an insecure means of connecting to them? By the
way, if it's a new hardware firewall, doesn't it have VPN capabilities?

>Had you bothered to read the OP of this thread you would have seen that I
>deliberately asked contributors not to suggest the use of SSH. There was a
>reason for this: the fact that it had been previously tried and found to be
>an incomplete solution, incidentally by people more competent and
>knowledgeable than I, and would not usefully contribute anything to solving
>the problem under discussion.

Unless your SCOG box is using telnet in some new and interesting way,
which would require extensive changes to the source code and
recompilation, then I doubt the tunnel was the problem. I personally
carry out a lot of remote admin using tunnels with a variety of
protocols, on a variety of hardware, and have had no problems with
telnet whatsoever. VPN can get a bit hairy with multiple subnets on
each side though ;-)

>Incidentally, I do avoid telnet as root, and admin does not require the
>special purpose client emulation, so your assumption is quite wrong. The
>admin is being done here on this LAN so that little, if any, will ever be
>required once the install is completed.

Using telnet over the net is ALWAYS a bad idea, unless you have no
problem with any random stranger accessing the same systems you are
using it for, with the same access rights as you are using. Try
running ethereal on your machine next time you use it, and watch all
your keystrokes go across the network. Now imagine those same
keystrokes moving, unconcealed through systems you don't control, and
your client doesn't control before they hit their destination.

Doesn't inspire confidence, does it?
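As an added illustration of the point FyRE makes about running ethereal on the link (this is example code written for this page, not anything from the thread or from SCO), the script below does what a passive observer on an untrusted hop can do with a telnet session: it strips the RFC 854 option negotiation from each TCP segment and reads the remaining bytes. It then applies the check a network monitor would use to flag cleartext authentication: whenever the server's text ends in a prompt such as `login:` or `Password:`, the client's next line is the answer to that prompt, sent unencrypted. The session bytes, the user name and the password are all constructed, and the report masks the values. Function and variable names are the example's own.

```python
# Telnet cleartext audit. Added example, not from the thread; the session
# bytes below are constructed, not a real capture.

IAC, SE, SB, WILL, WONT, DO, DONT = 255, 240, 250, 251, 252, 253, 254


def strip_telnet_negotiation(data: bytes):
    """Remove IAC option negotiation (RFC 854) from one segment.

    Returns (cleartext_bytes, number_of_negotiation_commands)."""
    out = bytearray()
    cmds = 0
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if b != IAC:
            out.append(b)
            i += 1
        elif i + 1 < n and data[i + 1] == IAC:
            out.append(IAC)           # IAC IAC escapes a literal 0xFF data byte
            i += 2
        elif i + 1 >= n:
            break                     # truncated command at end of segment
        else:
            cmd = data[i + 1]
            cmds += 1
            if cmd in (WILL, WONT, DO, DONT):
                i += 3                # IAC <cmd> <option>
            elif cmd == SB:
                end = data.find(bytes([IAC, SE]), i + 2)
                i = n if end < 0 else end + 2   # skip subnegotiation to IAC SE
            else:
                i += 2                # two-byte command (NOP, AYT, ...)
    return bytes(out), cmds


# Constructed session, in order, as the segments would appear on the wire.
# Server: DO TERMINAL-TYPE (24), DO TERMINAL-SPEED (32), WILL ECHO (1), then the prompt.
# Client: WONT 24, WONT 32, DO ECHO, then the typed login name.
# The server taking over ECHO stops the password being echoed on the user's
# screen, but the client still transmits it in the clear.
CONSTRUCTED_SESSION = [
    ("server", b"\xff\xfd\x18\xff\xfd\x20\xff\xfb\x01login: "),
    ("client", b"\xff\xfc\x18\xff\xfc\x20\xff\xfd\x01john\r\n"),
    ("server", b"Password: "),
    ("client", b"s3cret\r\n"),
]


def audit_session(session):
    """Pair each server prompt ending in ':' with the client's next line.

    Reports which fields crossed the network unencrypted; values are masked."""
    report = {"negotiation_commands": 0, "cleartext_fields": []}
    pending_prompt = None
    for direction, chunk in session:
        text, cmds = strip_telnet_negotiation(chunk)
        report["negotiation_commands"] += cmds
        decoded = text.decode("ascii", "replace")
        if direction == "server":
            last = decoded.rstrip().rsplit(None, 1)[-1] if decoded.strip() else ""
            pending_prompt = last.rstrip(":").lower() if last.endswith(":") else None
        elif pending_prompt is not None:
            line = decoded.split("\r\n", 1)[0]
            masked = line[:1] + "*" * (len(line) - 1)
            report["cleartext_fields"].append((pending_prompt, masked))
            pending_prompt = None
    report["exposes_credentials"] = any(
        field in ("login", "password") for field, _ in report["cleartext_fields"]
    )
    return report


if __name__ == "__main__":
    print(audit_session(CONSTRUCTED_SESSION))
```

The same segments sent through an ssh port forward (`ssh -L localport:sco-box:23 user@ssh-server`, then `telnet localhost localport`) would leave the internet-facing hops carrying only the ssh channel, so an observer there gets no cleartext to strip; the telnet bytes, negotiation included, appear unchanged only on the remote LAN between the ssh server and the SCO box, which is why the tunnel does not affect terminal emulation.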


