The Telnet and rlogin Usage Report
The telnet and rlogin usage report (tn-gw-summ.sh) combines the activity of the telnet and rlogin services through the firewall. This report identifies the following:
The following report provides a sample execution of tn-gw-summ.sh:
Top 100 telnet gateway clients (total: 43)
Connects Host/Address         Input  Output  Total
-------- ------------         -----  ------  -----
      17 stargazer.unilabs.or   924     177   1101
      16 pc.unilabs.org/204.1 97325    1243  98568
       3 stargazer.unilabs.or   274       6    280
       3 mailhost.unilabs.org 26771     717  27488
       2 unknown/204.191.3.14 27271     710  27981
       1 unknown/206.116.65.4 10493     701  11194
       1 pc.unilabs.org/206.1     0       0      0

Top 100 telnet gateway clients in terms of traffic
Connects Host/Address         Input  Output  Total
-------- ------------         -----  ------  -----
      16 pc.unilabs.org/204.1 97325    1243  98568
       3 mailhost.unilabs.org 26771     717  27488
       2 unknown/204.191.3.14 27271     710  27981
       1 unknown/206.116.65.4 10493     701  11194
      17 stargazer.unilabs.or   924     177   1101
       3 stargazer.unilabs.or   274       6    280
       1 pc.unilabs.org/206.1     0       0      0

Top 100 Denied telnet gateway clients (total: 20)
Connects Host/Address
-------- ------------
      14 stargazer.unilabs.or
       2 stargazer.unilabs.or
       2 204.191.3.150/pc.uni
       1 unknown/204.191.3.14
       1 mail.fonorola.net/19
This report provides details on who is connecting through the firewall, how much traffic is being generated, and who is being denied. You can see, for example, that stargazer.unilabs.org is in both the connections and denied lists. This may indicate that at one point the site was denied, and then later authorized to use the telnet or rlogin gateways.
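A small parser for the report layout shown above, written here as an added example (it is not part of the chapter or of the Toolkit's scripts). It reads a constructed report excerpt, collects the connected and denied lists while skipping the "in terms of traffic" list (which repeats the first list in another order), and returns the labels that appear in both, the case the text points out for stargazer.unilabs.org.

```python
import re

# Constructed excerpt in the format tn-gw-summ.sh prints; the numbers are made up.
SAMPLE_REPORT = """\
Top 100 telnet gateway clients (total: 43)
Connects Host/Address         Input  Output  Total
-------- ------------         -----  ------  -----
      17 stargazer.unilabs.or   924     177   1101
      16 pc.unilabs.org/204.1 97325    1243  98568
       3 stargazer.unilabs.or   274       6    280
       2 unknown/204.191.3.14 27271     710  27981

Top 100 telnet gateway clients in terms of traffic
Connects Host/Address         Input  Output  Total
-------- ------------         -----  ------  -----
      16 pc.unilabs.org/204.1 97325    1243  98568

Top 100 Denied telnet gateway clients (total: 20)
Connects Host/Address
-------- ------------
      14 stargazer.unilabs.or
       1 mail.fonorola.net/19
"""

HEADER_RE = re.compile(r"^Top \d+ (Denied )?telnet gateway clients")

def parse_report(text):
    """Return (allowed, denied) dicts of host label -> connect count; the
    'in terms of traffic' list repeats the first list, so it is skipped."""
    allowed, denied = {}, {}
    target = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            target = None if "in terms of traffic" in line else (denied if m.group(1) else allowed)
            continue
        fields = line.split()
        if target is None or not fields or fields[0] in ("Connects", "--------"):
            continue
        connects, host = int(fields[0]), fields[1]
        target[host] = target.get(host, 0) + connects  # names are cut at 20 chars, so a label may repeat
    return allowed, denied

def both_allowed_and_denied(text):
    """Labels in both lists: the denied-then-authorized pattern the chapter notes."""
    allowed, denied = parse_report(text)
    return sorted(h for h in allowed if h in denied)
```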
Help with the TIS Toolkit is easy to find. Discussions on general Internet security-related topics can be found in the Usenet newsgroups:
alt.2600
alt.security
comp.security
You can also find help by joining the mailing list concerned with a general discussion of firewalls and security technology:
firewalls@greatcircle.com
To subscribe to the mailing list, send a message to:
majordomo@greatcircle.com
with the text
subscribe firewalls
in the body of the message.
To reach users familiar with the TIS Toolkit applications and their configuration, contact this mailing list:
fwtk-users-request@tis.com
In addition, the TIS Toolkit includes a large amount of documentation on firewalls. If you plan to make significant use of the Toolkit, you should join the TIS discussion lists first. Before you commit to an operating system and hardware platform, ask questions on this mailing list; many of the list's readers have probably had similar questions and experiences.
This section lists a sample netperm-table file. To help you understand this file better, it includes a large number of comments. In addition, a wide variety of options are included so that you can see how the examples used in the chapter would appear when configuring the TIS Toolkit.
#
# Sample netperm configuration table
#
# Change YOURNET to be your network IP address
# Change YOURADDRESS to be the IP address of a specific host
#
# Example netacl rules:
# ---------------------
# if the next 2 lines are uncommented, people can get a login prompt
# on the firewall machine through the telnet proxy
# This is okay, but means that anyone who is authorized to connect to the
# firewall box through the proxy can get a login prompt on the firewall.
# In most circumstances, it is best to provide tight controls on who can log in
# directly to the firewall.
#netacl-telnetd: permit-hosts 127.0.0.1 -exec /usr/libexec/telnetd
#netacl-telnetd: permit-hosts YOURADDRESS -exec /usr/libexec/telnetd
#
# This rule says that only telnet sessions through netacl from these two hosts
# will be accepted.
netacl-telnetd: permit-hosts 206.116.65.2 206.116.65.3 -exec /usr/libexec/telnetd
#
# if the next line is uncommented, the telnet proxy is available
#netacl-telnetd: permit-hosts * -exec /usr/local/etc/tn-gw
#
# if the next 2 lines are uncommented, people can get a login prompt
# on the firewall machine through the rlogin proxy
#netacl-rlogind: permit-hosts 127.0.0.1 -exec /usr/libexec/rlogind -a
#netacl-rlogind: permit-hosts YOURADDRESS 198.6.73.2 -exec /usr/libexec/rlogind -a
#
# if the next line is uncommented, the rlogin proxy is available to any host
#netacl-rlogind: permit-hosts * -exec /usr/local/etc/rlogin-gw
#
# The next line allows FTP sessions from the specified network(s) to the
# firewall system itself.
netacl-ftpd: permit-hosts 206.116.65.* -exec /usr/libexec/ftpd -A -l
#
# Uncommenting the next line will turn off FTP and print a message to that
# effect whenever someone attempts to access the FTP port.
# netacl-ftpd: permit-hosts 206.116.65.147 -exec /bin/cat /usr/local/etc/noftp.txt
#
# to enable finger service uncomment these 2 lines
#netacl-fingerd: permit-hosts YOURNET.* -exec /usr/libexec/fingerd
#netacl-fingerd: permit-hosts * -exec /bin/cat /usr/local/etc/finger.txt
#
# Example smap rules:
# -------------------
# These rules control the operation of the SMAP and SMAPD applications.
smap: userid 6
smap: directory /var/spool/smap
smap: timeout 3600
#
# Change this to increase/decrease the maximum message size that will be
# permitted.
smap: maxbytes 10000
smap: maxrecip 20
#
# This configuration section is for the SMAPD application
#
smapd: executable /usr/local/etc/smapd
smapd: sendmail /usr/sbin/sendmail
smapd: userid 6
smapd: directory /var/spool/smap
smapd: baddir /var/spool/smap/bad
smapd: wakeup 900
#
# Example ftp gateway rules:
# --------------------------
# These rules control the operation of the FTP proxy
#
# Use the following lines to configure the denial, welcome and help messages
# for the proxy.
ftp-gw: denial-msg /usr/local/etc/ftp-deny.txt
ftp-gw: welcome-msg /usr/local/etc/ftp-welcome.txt
ftp-gw: help-msg /usr/local/etc/ftp-help.txt
#
# Use the following lines to use the authentication server
ftp-gw: authserver localhost 7777
#
# set the timeout
ftp-gw: timeout 3600
# uncomment the following line if you want internal users to be
# able to do FTP with the internet
# ftp-gw: permit-hosts 206.116.65.*
#
# the following line logs all get and put requests, and authorizes put
# requests.
ftp-gw: permit-hosts 206.116.65.* -log { retr stor } -auth { stor }
# uncomment the following line if you want external users to be
# able to do FTP with the internal network using authentication
#ftp-gw: permit-hosts * -authall -log { retr stor }
#
# Example telnet gateway rules:
# -----------------------------
tn-gw: denial-msg /usr/local/etc/tn-deny.txt
tn-gw: welcome-msg /usr/local/etc/tn-welcome.txt
tn-gw: help-msg /usr/local/etc/tn-help.txt
tn-gw: timeout 3600
tn-gw: prompt Enter Command>
#
# the following line permits a telnet only to hosts in the .fonorola.net
# domain. All other requests are denied.
#tn-gw: permit-hosts 206.116.65.* -dest *.fonorola.net -dest !* -passok -xok
tn-gw: permit-hosts 206.116.65.* -passok -xok
# tn-gw: deny-hosts * -dest 206.116.65.150
# if this line is uncommented incoming traffic is permitted WITH
# authentication required
# tn-gw: permit-hosts * -auth
# Example rlogin gateway rules:
# -----------------------------
#rlogin-gw: permit-hosts YOURNET.* -passok -xok
rlogin-gw: denial-msg /usr/local/etc/rlogin-deny.txt
rlogin-gw: welcome-msg /usr/local/etc/rlogin-welcome.txt
rlogin-gw: denydest-msg /usr/local/etc/rlogin-dest.txt
#rlogin-gw: help-msg /usr/local/etc/rlogin-help.txt
rlogin-gw: timeout 3600
rlogin-gw: prompt Enter Command<
rlogin-gw: permit-hosts 206.116.65.* -dest *.fonorola.net -dest !* -passok -xok
rlogin-gw: deny-hosts * -dest 206.116.65.150
# if this line is uncommented incoming traffic is permitted WITH
# authentication required
#rlogin-gw: permit-hosts * -auth -xok
# Example auth server and client rules
# ------------------------------------
authsrv: hosts 127.0.0.1
authsrv: database /usr/local/etc/fw-authdb
authsrv: badsleep 1200
authsrv: nobogus true
authsrv: permit-hosts localhost
# clients using the auth server
*: authserver 127.0.0.1 7777
# X-forwarder rules
tn-gw, rlogin-gw: xforwarder /usr/local/etc/x-gw
#
# Plug-gw
# ----------
# The following rules provide examples on using plug-gw to access other
# services, such as POP mail and NNTP.
#
# Uncomment the next line to allow NNTP connections to be routed to an
# external news server for news reading.
#
# plug-gw: port 119 YOURNET.* -plug-to NEWS_SERVER_IP
#
# Uncomment the next line to allow POP mail connections from the private
# network to an external POP mail host.
#
# plug-gw: port 110 YOURNET.* -plug-to POP_MAIL_HOST_IP
#
# HTTP-GW
# --------
# This section provides some examples for the http-gw proxy
# http-gw: userid www
# http-gw: directory /usr/local/secure/www
http-gw: timeout 1800
http-gw: default-httpd www.fonorola.net
http-gw: default-gopher gopher.fonorola.net
http-gw: permit-hosts 206.116.65.*
# http-gw: deny-hosts 206.116.65.2
http-gw: deny-hosts unknown
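An added example (not part of the chapter or of the Toolkit itself) that reads rules written in the netperm-table format above and flags the two permit-hosts patterns the table's own comments warn about: a proxy opened to "*" without -auth or -authall, and a netacl rule that execs a real service such as telnetd for "*". The fragment it checks is constructed, and the test that a proxy's program name ends in "-gw" is a heuristic assumption, not a rule of the Toolkit.

```python
import re

# Constructed netperm-table fragment in the chapter's format (not the chapter's full table).
SAMPLE_NETPERM = """\
# telnet proxy rules
tn-gw: timeout 3600
tn-gw: permit-hosts 206.116.65.* -passok -xok
# tn-gw: permit-hosts * -auth
tn-gw: permit-hosts * -passok
rlogin-gw: permit-hosts 206.116.65.* -dest *.fonorola.net -dest !* -passok -xok
rlogin-gw: permit-hosts * -auth -xok
netacl-telnetd: permit-hosts * -exec /usr/libexec/telnetd
netacl-ftpd: permit-hosts 206.116.65.* -exec /usr/libexec/ftpd -A -l
*: authserver 127.0.0.1 7777
tn-gw, rlogin-gw: xforwarder /usr/local/etc/x-gw
"""

RULE_RE = re.compile(r"^\s*([^#:]+):\s*(\S+)\s*(.*)$")

def parse_netperm(text):
    """Return (application, attribute, value tokens) for every active rule.
    'app1, app2:' applies a rule to each listed application, '*:' to all."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.split("#", 1)[0])   # '#' starts a comment
        if m:
            for app in m.group(1).split(","):
                rules.append((app.strip(), m.group(2), m.group(3).split()))
    return rules

def audit_netperm(text):
    """Flag a *-gw proxy open to '*' without -auth/-authall (any Internet host
    may use the gateway unauthenticated) and a netacl rule that execs a
    non-proxy program for '*' (everyone reaching the firewall gets that service)."""
    findings = []
    for app, attr, vals in parse_netperm(text):
        first_opt = next((i for i, v in enumerate(vals) if v.startswith("-")), len(vals))
        hosts, options = vals[:first_opt], vals[first_opt:]   # host patterns precede options
        if attr != "permit-hosts" or "*" not in hosts:
            continue
        if app.endswith("-gw") and not {"-auth", "-authall"} & set(options):
            findings.append(f"{app}: permit-hosts * without authentication")
        if app.startswith("netacl-") and "-exec" in options:
            prog = options[options.index("-exec") + 1]
            if not prog.endswith("-gw"):   # heuristic: the Toolkit's proxies are named *-gw
                findings.append(f"{app}: any host may reach {prog} on the firewall")
    return findings
```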