From: Jerrale Gayle on 10 Jun 2010 17:34

On 6/10/2010 5:31 PM, Ralf Hildebrandt wrote:
> I heard that there are firewalls/security appliances that supposedly
> can distinguish "somebody using telnet" from "a machine speaking SMTP".
>
> I must admit, it sounds feasible (timing between keystrokes etc.), but
> little useful.
>
> Anyway. Is there such a thing? Does anybody use such a thing?
>

I use fail2ban which works for dovecot, postfix, ssh, telnet (non-windows), and anything that logs failed logins to a log file.
From: Jeroen Geilman on 10 Jun 2010 17:40

On 06/10/2010 11:31 PM, Ralf Hildebrandt wrote:
> I heard that there are firewalls/security appliances that supposedly
> can distinguish "somebody using telnet" from "a machine speaking SMTP".
>
> I must admit, it sounds feasible (timing between keystrokes etc.), but
> little useful.
>
> Anyway. Is there such a thing? Does anybody use such a thing?
>

There are IDSen (Intrusion Detection Systems) that can fingerprint the client on the actual TCP delays between actions, yes. They exist both in software (snort) and hardware (cisco et al).

However, then blocking the offender is step two - or combined into an IPS (Intrusion Prevention System) - and that's usually configurable.

When in doubt, ask the network people at the site you suspect this of (presuming they are willing to help you, of course).

Using an IDS or similar sniffer to fingerprint OSen and client software of services is fun (if you're a network nerd :)), but it doesn't mean people take any action on the data. The risk of false positives is obvious, and I doubt many network-savvy people would implement this sort of thing willy-nilly - especially since telnet remains a very good SMTP debug tool!

J.
From: Reinaldo de Carvalho on 10 Jun 2010 19:43

On Thu, Jun 10, 2010 at 6:31 PM, Ralf Hildebrandt <Ralf.Hildebrandt(a)charite.de> wrote:
> I heard that there are firewalls/security appliances that supposedly
> can distinguish "somebody using telnet" from "a machine speaking SMTP".
>
> I must admit, it sounds feasible (timing between keystrokes etc.), but
> little useful.
>

Why use telnet (e.g. raw tcp client) or block them if with a few lines of code in python/perl/shell you can do anything.

--
Reinaldo de Carvalho
http://korreio.sf.net
http://python-cyrus.sf.net

"Don't try to adapt the software to the way you work, but rather yourself to the way the software works" (myself)
From: Charles Seeger on 10 Jun 2010 22:49

+------ Ralf Hildebrandt wrote (Thu, 10-Jun-2010, 23:31 +0200):
|
| I heard that there are firewalls/security appliances that supposedly
| can distinguish "somebody using telnet" from "a machine speaking SMTP".
|
| I must admit, it sounds feasible (timing between keystrokes etc.), but
| little useful.
|
| Anyway. Is there such a thing? Does anybody use such a thing?

ISTR someone doing (or speculating about) this with sendmail, perhaps 20 years ago, based on detecting telnet option negotiation. Never having used it, please forgive my fuzzy memory.

It would be easy to compile a line mode telnet client without option negotiation that would defeat those two particular techniques, though it likely would appear to be rather slow.

Best,
Chuck
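The two heuristics the thread describes, Jeroen's timing between client actions and Chuck's telnet option negotiation check, as an added Python example; this is not code from the thread or from any IDS product, and the two sample sessions are constructed, not captured traffic.

```python
import re
import statistics

# Telnet option negotiation is IAC (0xFF) followed by WILL/WONT/DO/DONT
# (0xFB-0xFE) and an option byte. An MTA never sends these on port 25.
IAC_NEGOTIATION = re.compile(rb"\xff[\xfb-\xfe].", re.DOTALL)

def has_telnet_negotiation(first_bytes: bytes) -> bool:
    """True if the client's opening bytes contain telnet option negotiation."""
    return IAC_NEGOTIATION.search(first_bytes) is not None

def command_gaps(events):
    """events: [(seconds_since_connect, client_command), ...] in time order.
    Returns the delay between consecutive client commands."""
    times = [t for t, _ in events]
    return [later - earlier for earlier, later in zip(times, times[1:])]

def classify_session(first_bytes, events, interactive_gap=1.0):
    """Heuristic only: a human typing SMTP by hand leaves seconds between
    commands; an MTA sends the next command within milliseconds of the reply.
    Returns ('interactive' | 'automated', [reasons]). A slow MTA on a
    high-latency link can still be misclassified, which is the false-positive
    risk the thread warns about."""
    reasons = []
    if has_telnet_negotiation(first_bytes):
        reasons.append("telnet option negotiation seen")
    gaps = command_gaps(events)
    if gaps:
        median = statistics.median(gaps)
        if median >= interactive_gap:
            reasons.append(f"median inter-command gap {median:.2f}s")
    return ("interactive" if reasons else "automated"), reasons

# Constructed sample sessions (not captured traffic).
# A telnet client that negotiated DO SUPPRESS-GO-AHEAD / WILL TERMINAL-TYPE
# before the operator typed EHLO, then sent commands seconds apart.
HUMAN_FIRST_BYTES = b"\xff\xfd\x03\xff\xfb\x18EHLO laptop.example\r\n"
HUMAN_EVENTS = [(0.0, "EHLO laptop.example"), (4.2, "MAIL FROM:<a@example.org>"),
                (6.9, "RCPT TO:<b@example.net>"), (11.9, "DATA")]
# An MTA: plain SMTP from the first byte, commands milliseconds apart.
BOT_FIRST_BYTES = b"EHLO mx.example.org\r\n"
BOT_EVENTS = [(0.000, "EHLO mx.example.org"), (0.012, "MAIL FROM:<a@example.org>"),
              (0.020, "RCPT TO:<b@example.net>"), (0.031, "DATA")]

if __name__ == "__main__":
    print(classify_session(HUMAN_FIRST_BYTES, HUMAN_EVENTS))
    print(classify_session(BOT_FIRST_BYTES, BOT_EVENTS))
```

As Chuck notes, a line-mode client built without option negotiation passes the first check, and the timing check alone is what produces the false positives Jeroen mentions.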
From: Victor Duchovni on 11 Jun 2010 00:19
On Thu, Jun 10, 2010 at 11:31:49PM +0200, Ralf Hildebrandt wrote:
> I heard that there are firewalls/security appliances that supposedly
> can distinguish "somebody using telnet" from "a machine speaking SMTP".
>
> I must admit, it sounds feasible (timing between keystrokes etc.), but
> little useful.
>
> Anyway. Is there such a thing? Does anybody use such a thing?

Why do you want to discriminate against "telnet 25"? Administrators of sites that want to trouble-shoot connectivity issues with your server will use "telnet 25" from time to time. There is no need to block this, it is by far the least likely source of any significant spam volume...

--
Viktor.