Documents to read:
Manuals of telnetd(8),telnet(1),issue.net(5),tcpd(8)
and hosts_access(5).
Square brackets are used to separate keywords, such as filenames,
programs names etc etc from lines of text. They have no other meaning.
A TELNET server, with minimal configuration, is to be used in this
experiment.
Create a directory named [telnet], in your home directory.
$ cd <-- puts you in your [home] directory
$ mkdir telnet
$ cd telnet
Installations are to be carried out from this directory. Binary
packages are to be installed. It is also possible to compile from
source code. Such source code may be down-loaded from Internet.
This experiment is to be carried out in Debian Linux platform. Some
Debian specific commands such as [dpkg], [dselect] etc etc have to be
used for software installation and removal. Other distributions have
similar commands of their own. Redhat Linux used [rpm] command.
The following command lists the softwares installed in your host.
$ dpkg -l
The output may be examined one screen at time
$ dpkg -l | more
If the name of the software is known partially it may be checked
$ dpkg -l | grep pyth
Find out the [telnet] related softwares installed in your host
$ dpkg -l | grep telnet
Typical output might be:
ii telnet 0.17-18woody2 The telnet client.
ii telnetd 0.17-18woody2 The telnet server.
The above lines indicate that [telnet] client and [telnet] servers are
installed in your host.
The status of the installed software can be checked.
Check the status of [telnet] client program. Output is not shown.
$ dpkg --status telnet
Check the status of [ telnetd ]. This is the server program. Output is
not shown.
$ dpkg --status telnetd
Test [telnetd] and [telnet] programs in your host
$ telnet 127.0.0.1
You may login in any user account if password is known.
As this experiment is on installation, the installed packages are to
be removed and then reinstalled.
Note: Installation and removal of software needs [root] privilege.
Remove the TELNET client program [telnet]
# dpkg -r telnet
Now the following command should fail
$ telnet 127.0.0.1
Check the [telnet] related installed packages.
$ dpkg -l | grep telnet
Output might be:
rc telnet 0.17-18woody2 The telnet client.
ii telnetd 0.17-18woody2 The telnet server.
The [ telnet ] program was removed but its configuration file was not
removed. Remove the configuration file.
# dpkg --purge telnet
Check the [telnet] related installed packages.
$ dpkg -l | grep telnet
Output might be:
ii telnetd 0.17-18woody2 The telnet server.
Check the status of [telnet] client program. Output is not shown.
$ dpkg --status telnet
Remove TELNET server program with its configuration file/files.
# dpkg --purge telnetd
Check the [telnet] related installed packages.
$ dpkg -l | grep telnet
Copy [ telnet ] and [ telnetd ] binary packages in your [ telnet ]
directory. You may use NFS or FTP for copying.
The package names might be
telnet_0.17-18woody2_i386.deb
and telnetd_0.17-18woody2_i386.deb
Note: The files are also available in first CD of a set of seven CDs.
These CDs are kept in the laboratory.
Install the TELNET client program
# dpkg -i telnet_0.17-18woody2_i386.deb
Check status of [telnet]
$ dpkg --status telnet
At present the TELNET client program is installed. Next command should
fail, as there is no TELNET server running on this host
$ telnet 127.0.0.1
However the client program can be used to access TELNET server running
on other host. Replace 192.16.5.251 with a suitable address.
$ telnet 192.16.5.251
Install the TELNET server program
# dpkg -i telnetd_0.17-18woody2_i386.deb
Check status of [telnetd]
$ dpkg --status telnetd
Find out where the executable(binary) of [telnetd] is installed
$ whereis -b in.telnetd
Location of [in.telnetd] -->
Briefly read manual of the TELNET server
$ man 8 telnetd
From the manual we find that the file [/etc/issue.net] is a text file
which contains a message or system identification to be printed before
the login prompt of a [telnet] session.
To know about the syntax of the file [ /etc/issue.net ], its manual is
consulted.
$ man 5 issue.net
A new [ issue.net ] is to be prepared, to provide the following to a
[telnet] client:
Welcome message
System node name (FQDN)
Current time and date
Name of the operating system and OS release name
Machine (hardware) type
Before modification, the original file is saved with a distinctive
extension for later identification.
$ cp /etc/issue.net ./issue.net-$USER-$( /bin/date +%H-%M )
Note the name of the saved file
$ ls -l | grep issue
Name of saved file-->
Edit [/etc/issue.net]
# nano /etc/issue.net
The file should contain the following text. Replace Sumit with your
name.
-------- /etc/issue.net --------
Welcome to Sumit's TELNET server
Terminal -----> %t
Server name --> %h
Date & time --> %d
OS -----------> %s %r
Hardware -----> %m
--------------------------------
Save the file.
Request two of your friends to [telnet] to your host. 192.169.5.146 is
assumed to be your IP address.
friend1 $ telnet 192.169.5.146
friend2 $ telnet 192.169.5.146
They should get the above information.
A server program may be kept running on a host. Such servers are
called stand-alone servers. Frequently used servers, such as [ named ]
( name server ), [ exim ] ( mail server ) run as stand-alone servers.
Less frequently used servers such as [ date ], [ echo ] etc etc do not
run always. A master server called [inetd] runs always. When a request
for a less frequently used server such as [date] comes, [inetd] starts
the [ date ] server. Usually [ telnetd ] is started by [inetd].
Note: [ date ], [ echo ] are two of the trivial services provided
internally by [ inetd ].
Note: [ xinetd ] is another master server with more functionality than
[ inetd ].
Examine file [ /etc/inetd.conf ] to find out if [ telnetd ] is started
by [inetd].
$ less /etc/inetd.conf
Was there any entry for [telnet] service ( Y / N )
A typical entry for [telnet] service is shown
telnet stream tcp nowait telnetd.telnetd /usr/sbin/tcpd /usr/sbin/in.telnetd
Note: The entry must be on a SINGLE line. A comment ( hash ) before a
service name, disables the service.
The [telnetd] is to be disabled using file [ /etc/inetd.conf ]
Edit file [ /etc/inetd.conf ]
# nano /etc/inetd.conf
Put a hash ( # ) mark before [telnet] service name and save the file.
Try to [telnet] to localhost.
$ telnet 127.0.0.1
This should succeed in spite of the hash before the service name. The
[inetd] process is not yet aware of the modifications made by you. If
SIGHUP signal is delivered to [ inetd ] process, its signal handler
makes arrangement to re-read its configuration file. [/etc/inetd.conf]
is the configuration file of [inetd] process.
Find out PID of [inetd] daemon process
$ ps ax | grep inetd
PID-of-inetd-->
Send SIGHUP signal to [ inetd ] daemon, to re-read [ /etc/inetd.conf ]
# kill -SIGHUP pid-of-inetd
Try to [telnet] to localhost. Now it should fail
$ telnet 127.0.0.1
Describe the steps to enable TELNET service.
Again examine the following line from [ /etc/inetd.conf ] file.
telnet stream tcp nowait telnetd.telnetd /usr/sbin/tcpd /usr/sbin/in.telnetd
The field [ /usr/sbin/tcpd ] indicates that access to [telnet] service
is controlled by [tcpd].
Access control to your host with [tcpd]:
[tcpd] program can be used to
control access to some of the services offered by your host, with two
files:
[ /etc/hosts.allow ] and [ /etc/hosts.deny ]
For access control to be effective, [tcpd] must be called first to get
the service. Check file [ /etc/inetd.conf ] to find out the services
controlled by [tcpd]. You may read manual of [tcpd(8)].
The access control software consults [/etc/hosts.allow] first and then
[/etc/hosts.deny]. The search stops at the first match. If no match is
found in either of the files, access is granted. To know about access
control rules you may read manual [hosts_access(5)].
Note: If extended access control rules are used, it is possible to use
a single access control file such as [/etc/hosts.allow].
You may read manual of hosts_options(5).
Case-1: Access is open:
The two files [/etc/hosts.allow] and
[/etc/hosts.deny] may be absent or may be present without any
rule.
OR
If the line:
ALL : ALL
is entered in [/etc/hosts.allow]. File [/etc/hosts.deny] would
not be consulted in this case, as file [ /etc/hosts.allow ] is
checked first.
Case-2: Access is mostly open and access is denied on specific cases.
File [/etc/hosts.allow] may be absent or empty of rules. File
[/etc/hosts.deny] blocks access specifically.
Example:
Edit the file [/etc/hosts.deny]
# nano /etc/hosts.deny
Add the following line in that file
in.telnetd : sumit@127.0.0.1
Save the file.
The above line deny access to user [sumit] to [telnet]
service from host 127.0.0.1 ( localhost ).
Login as [sumit] and [telnet] to localhost
sumit $ telnet 127.0.0.1
Was it successful ? ( y / N )
Login as [you] and [telnet] to localhost
you $ telnet 127.0.0.1
Was it successful ? ( Y / n )
Case-3: Access is mostly closed and access is granted on specific
cases.
Note: Paranoid System Administrators might use this scheme
The file [/etc/hosts.deny] contains a single line
ALL : ALL
This line denies access to all. As [ /etc/hosts.allow ] is
checked first, specific cases are granted access in that file.
Example:
Edit the file [/etc/hosts.deny] and add a single line
All : ALL
Save the file.
Edit [/etc/hosts.allow] and keep it blank.
Try to [telnet] to localhost as [sumit], [you],[guest]
or any other user
Were these successful ? ( y / N )
Edit [/etc/hosts.allow] and add the following line in
that file
in.telnetd : sumit@127.0.0.1
Save the file.
Try to [telnet] to localhost as [sumit]
sumit $ telnet 127.0.0.1
Was it successful ? ( Y / n )
Try to [telnet] to localhost as [you], [guest] or any
user other than [sumit]
Were these successful ? ( y / N )
Assignment-1:
Configure your host as a mostly closed system using
[tcpd] and allow:
a. [telnet] access from 172.16.2.0 network.
b. Access to all services from localhost (127.0.0.1)
Enter suitable entries in the two files
------- /etc/hosts.allow ---------
----------------------------------
--- /etc/hosts.deny ---
ALL : ALL
-----------------------
The following steps were followed to install TELNET server
1. The binary package of [telnetd] was installed
# dpkg -i telnetd_0.17-18woody2_i386.deb
2. The file [/etc/issue.net] was modified to provide some information
to the [telnet] clients.
3.
(a) Hash before [ telnet ] service line in [ /etc/inetd ] file was
removed.
(b) PID of [inetd] super-server was determined.
(c) SIGHUP signal was sent to [inetd] daemon process.
4. Mostly closed [tcpd] access control was imposed.
(a) ALL : ALL was entered in [/etc/hosts.allow] file.
(b) The file [/etc/hosts.allow] was modified as under
--------------------------------------
in.telnetd : 172.16.2.0/255.255.0.0
ALL : 127.0.0.0/255.0.0.0
--------------------------------------
IMPORTANT: At the end of this laboratory class, allow [tcpd] access to
all services on your host, from all. Enter a single line
ALL : ALL
in the file [/etc/hosts.allow].
------------------
