Internet Security Professional Reference:How to Build a Firewall


The Telnet and rlogin Usage Report

The telnet and rlogin usage report (tn-gw-summ.sh) combines the activity of the telnet and rlogin services through the firewall into a single summary. This report identifies the following:

  The number of connections
  The connecting host
  Characters input to the firewall for transmission to the public network
  Characters received by the firewall for the private network
  Denied connections

The following report provides a sample execution of tn-gw-summ.sh:

Top 100 telnet gateway clients (total: 43)
Connects      Host/Address             Input    Output     Total
--------      ------------             -----    ------     -----
    17        stargazer.unilabs.or       924       177      1101
    16        pc.unilabs.org/204.1     97325      1243     98568
     3        stargazer.unilabs.or       274         6       280
     3        mailhost.unilabs.org     26771       717     27488
     2        unknown/204.191.3.14     27271       710     27981
     1        unknown/206.116.65.4     10493       701     11194
     1        pc.unilabs.org/206.1         0         0         0

Top 100 telnet gateway clients in terms of traffic
Connects      Host/Address             Input    Output     Total
--------      ------------             -----    ------     -----
    16        pc.unilabs.org/204.1     97325      1243     98568
     3        mailhost.unilabs.org     26771       717     27488
     2        unknown/204.191.3.14     27271       710     27981
     1        unknown/206.116.65.4     10493       701     11194
    17        stargazer.unilabs.or       924       177      1101
     3        stargazer.unilabs.or       274         6       280
     1        pc.unilabs.org/206.1         0         0         0

Top 100 Denied telnet gateway clients (total: 20)
Connects      Host/Address
--------      ------------
    14        stargazer.unilabs.or
     2        stargazer.unilabs.or
     2        204.191.3.150/pc.uni
     1        unknown/204.191.3.14
     1        mail.fonorola.net/19

This report shows who is connecting through the firewall, how much traffic each client generates, and who is being denied. You can see, for example, that stargazer.unilabs.org appears in both the connections list and the denied list. This may indicate that the site was denied at one point and later authorized to use the telnet or rlogin gateways.
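As an added example (not the toolkit's own tn-gw-summ.sh), the following Python builds the Connects, Input, Output and Total columns shown above from tn-gw syslog lines and ranks clients both by connection count and by traffic, as the two tables do. The log line shape, the host=/in=/out= field names and the sample lines are constructed assumptions, not fwtk documentation.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (not from a real firewall) in the shape this
# example assumes tn-gw writes; the host=/in=/out= field names are assumptions.
SAMPLE_LOG = """\
Mar  3 09:12:01 fw tn-gw[211]: permit host=pc.unilabs.org/204.191.3.147 use of gateway
Mar  3 09:14:40 fw tn-gw[211]: exit host=pc.unilabs.org/204.191.3.147 dest=shell.example.net in=97325 out=1243 duration=159
Mar  3 09:20:05 fw tn-gw[230]: permit host=stargazer.unilabs.org/204.191.3.150 use of gateway
Mar  3 09:21:00 fw tn-gw[230]: exit host=stargazer.unilabs.org/204.191.3.150 dest=shell.example.net in=924 out=177 duration=55
Mar  3 09:25:00 fw tn-gw[238]: permit host=stargazer.unilabs.org/204.191.3.150 use of gateway
Mar  3 09:25:30 fw tn-gw[238]: exit host=stargazer.unilabs.org/204.191.3.150 dest=shell.example.net in=274 out=6 duration=30
Mar  3 09:30:17 fw tn-gw[245]: deny host=unknown/204.191.3.14 use of gateway
Mar  3 09:31:02 fw tn-gw[246]: deny host=unknown/204.191.3.14 use of gateway
"""
EVENT = re.compile(r"tn-gw\[\d+\]: (permit|deny|exit) host=(\S+)(.*)")
BYTES = re.compile(r"\bin=(\d+) out=(\d+)")

def summarize(log_text):
    """Return ({host: [connects, input, output]}, {host: denied_count})."""
    clients = defaultdict(lambda: [0, 0, 0])
    denied = defaultdict(int)
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue  # some other daemon's syslog line
        event, host, rest = m.groups()
        if event == "deny":
            denied[host] += 1
        elif event == "permit":
            clients[host][0] += 1
        else:  # exit: add this session's byte counts to the host's totals
            b = BYTES.search(rest)
            if b:
                clients[host][1] += int(b.group(1))
                clients[host][2] += int(b.group(2))
    return dict(clients), dict(denied)

def ranked(clients, key):
    """Rows (connects, host, input, output, total) by connects or by total traffic."""
    rows = [(c, h, i, o, i + o) for h, (c, i, o) in clients.items()]
    return sorted(rows, key=lambda r: r[0 if key == "connects" else 4], reverse=True)

def render(rows, top=100):
    """Lay rows out like tn-gw-summ.sh: host cut to 20 chars, counts right-aligned."""
    lines = ["Connects      Host/Address             Input    Output     Total"]
    for c, h, i, o, t in rows[:top]:
        lines.append(f"{c:>8}        {h[:20]:<20} {i:>9} {o:>9} {t:>9}")
    return "\n".join(lines)
```

Running `render(ranked(*summarize(SAMPLE_LOG)[:1], "traffic"))` reproduces the second table's ordering; a host denied in one session and permitted in another appears in both outputs, which is the situation the paragraph above describes.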

Where to Go for Help

Help with the TIS Toolkit is easy to find. Discussions on general Internet security-related topics can be found in the Usenet newsgroups:

alt.2600

alt.security

comp.security

You can also find help by joining the mailing list concerned with a general discussion of firewalls and security technology:

firewalls@greatcircle.com

To subscribe to the mailing list, send a message to:

majordomo@greatcircle.com

with the text

subscribe firewalls

in the body of the message.

To reach users familiar with the TIS Toolkit applications and their configuration, contact this mailing list:

fwtk-users-request@tis.com

In addition, the TIS Toolkit includes a large amount of documentation on firewalls. If you plan to make significant use of the Toolkit, join the TIS discussion lists first. Before you commit to an operating system and hardware platform, ask questions on the list; many of its readers have probably had similar questions and experiences.

Sample netperm-table File

This section lists a sample netperm-table file. The file is heavily commented to help you understand it, and a wide variety of options are included so that you can see how the examples used in this chapter appear in a TIS Toolkit configuration.

#
# Sample netperm configuration table
#
# Change YOURNET to be your network IP address
# Change YOURADDRESS to be the IP address of a specific host
#
# Example netacl rules:
# ---------------------
# if the next 2 lines are uncommented, people can get a login prompt
# on the firewall machine through the telnet proxy
# This is okay, but means that anyone who is authorized to connect to the
# firewall box through the proxy can get a login prompt on the firewall.
# In most circumstances, it is best to provide tight controls on who can log in
# directly to the firewall.
#netacl-telnetd: permit-hosts 127.0.0.1 -exec /usr/libexec/telnetd
#netacl-telnetd: permit-hosts YOURADDRESS -exec /usr/libexec/telnetd
#
# This rule says that only telnet sessions through netacl from these two hosts
# will be accepted.
netacl-telnetd: permit-hosts 206.116.65.2 206.116.65.3 -exec /usr/libexec/telnetd
#
# if the next line is uncommented, the telnet proxy is available
#netacl-telnetd: permit-hosts * -exec /usr/local/etc/tn-gw
#
# if the next 2 lines are uncommented, people can get a login prompt
# on the firewall machine through the rlogin proxy
#netacl-rlogind: permit-hosts 127.0.0.1 -exec /usr/libexec/rlogind -a
#netacl-rlogind: permit-hosts YOURADDRESS 198.6.73.2 -exec /usr/libexec/rlogind -a
#
# if the next line is uncommented, the rlogin proxy is available to any host
#netacl-rlogind: permit-hosts * -exec /usr/local/etc/rlogin-gw
#
# The next line allows FTP sessions from the specified network(s) to the
# firewall system itself.
netacl-ftpd: permit-hosts 206.116.65.* -exec /usr/libexec/ftpd -A -l
#
# Uncommenting the next line will turn off FTP and print a message to that
# effect whenever someone attempts to access the FTP port.
# netacl-ftpd: permit-hosts 206.116.65.147 -exec /bin/cat /usr/local/etc/noftp.txt
#
# to enable finger service uncomment these 2 lines
#netacl-fingerd: permit-hosts YOURNET.* -exec /usr/libexec/fingerd
#netacl-fingerd: permit-hosts * -exec /bin/cat /usr/local/etc/finger.txt
#
# Example smap rules:
# -------------------
# These rules control the operation of the SMAP and SMAPD applications.
smap:        userid 6
smap:        directory /var/spool/smap
smap:        timeout 3600
#
# Change this to increase/decrease the maximum message size that will be
# permitted.
smap:        maxbytes     10000
smap:        maxrecip    20
#
# This configuration section is for the SMAPD application
#
smapd:        executable /usr/local/etc/smapd
smapd:        sendmail /usr/sbin/sendmail
smapd:        userid 6
smapd:        directory /var/spool/smap
smapd:        baddir /var/spool/smap/bad
smapd:        wakeup 900
#
# Example ftp gateway rules:
# --------------------------
# These rules control the operation of the FTP proxy
#
# Use the following lines to configure the denial, welcome and help messages
# for the proxy.
ftp-gw:    denial-msg    /usr/local/etc/ftp-deny.txt
ftp-gw:    welcome-msg    /usr/local/etc/ftp-welcome.txt
ftp-gw:    help-msg    /usr/local/etc/ftp-help.txt
#
# Use the following lines to use the authentication server
ftp-gw:    authserver    localhost     7777
#
# set the timeout
ftp-gw:        timeout 3600
# uncomment the following line if you want internal users to be
# able to do FTP with the internet
# ftp-gw:        permit-hosts 206.116.65.*
#
# the following line logs all get and put requests, and authorizes put
# requests.
ftp-gw:    permit-hosts    206.116.65.*    -log { retr stor } -auth { stor }
# uncomment the following line if you want external users to be
# able to do FTP with the internal network using authentication
#ftp-gw:        permit-hosts * -authall -log { retr stor }
#
# Example telnet gateway rules:
# -----------------------------
tn-gw:        denial-msg    /usr/local/etc/tn-deny.txt
tn-gw:        welcome-msg    /usr/local/etc/tn-welcome.txt
tn-gw:        help-msg    /usr/local/etc/tn-help.txt
tn-gw:        timeout 3600
tn-gw:        prompt "Enter Command>"
#
# the following line permits a telnet only to hosts in the .fonorola.net
# domain.  All other requests are denied.
#tn-gw:        permit-hosts 206.116.65.* -dest *.fonorola.net -dest !* -passok -xok
tn-gw:        permit-hosts 206.116.65.* -passok -xok
# tn-gw:        deny-hosts * -dest 206.116.65.150
# if this line is uncommented incoming traffic is permitted WITH
# authentication required
# tn-gw:        permit-hosts * -auth

# Example rlogin gateway rules:
# -----------------------------
#rlogin-gw:    permit-hosts YOURNET.* -passok -xok
rlogin-gw:    denial-msg    /usr/local/etc/rlogin-deny.txt
rlogin-gw:    welcome-msg    /usr/local/etc/rlogin-welcome.txt
rlogin-gw:    denydest-msg    /usr/local/etc/rlogin-dest.txt
#rlogin-gw:    help-msg    /usr/local/etc/rlogin-help.txt
rlogin-gw:    timeout 3600
rlogin-gw:    prompt "Enter Command<"
rlogin-gw:    permit-hosts 206.116.65.* -dest *.fonorola.net -dest !* -passok -xok
rlogin-gw:    deny-hosts * -dest 206.116.65.150
# if this line is uncommented incoming traffic is permitted WITH
# authentication required
#rlogin-gw:    permit-hosts * -auth -xok

# Example auth server and client rules
# ------------------------------------
authsrv:    hosts 127.0.0.1
authsrv:    database /usr/local/etc/fw-authdb
authsrv:    badsleep 1200
authsrv:    nobogus true
authsrv:    permit-hosts localhost
# clients using the auth server
*:        authserver 127.0.0.1 7777

# X-forwarder rules
tn-gw, rlogin-gw:    xforwarder /usr/local/etc/x-gw
#
# Plug-gw
# ----------
# The following rules provide examples on using plug-gw to access other
# services, such as POP mail and NNTP.
#
# Uncomment the next line to allow NNTP connections to be routed to an
# external news server for news reading.
#
# plug-gw:    port 119 YOURNET.* -plug-to NEWS_SERVER_IP
#
# Uncomment the next line to allow POP mail connections from the private
# network to an external POP mail host.
#
# plug-gw:    port 110 YOURNET.* -plug-to POP_MAIL_HOST_IP
#
# HTTP-GW
# --------
# This section provides some examples for the http-gw proxy
#
http-gw:    userid www
# http-gw:    directory /usr/local/secure/www
http-gw:    timeout 1800
http-gw:    default-httpd www.fonorola.net
http-gw:    default-gopher gopher.fonorola.net
http-gw:    permit-hosts 206.116.65.*
# http-gw:    deny-hosts 206.116.65.2
http-gw:    deny-hosts unknown
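To show how the permit-hosts, deny-hosts and -dest lines in this table are read, here is an added example in Python (not the toolkit's own parser) that evaluates a source host and destination against the rlogin-gw rules from the file above. First match on the source pattern, a leading "!" as a negated -dest pattern, and deny when nothing matches are assumptions of this simplified model, not a description of the fwtk source.

```python
import re

# Constructed excerpt of the rlogin-gw rules from the sample netperm-table above.
RULES_TEXT = """
rlogin-gw:    timeout 3600
rlogin-gw:    permit-hosts 206.116.65.* -dest *.fonorola.net -dest !* -passok -xok
rlogin-gw:    deny-hosts * -dest 206.116.65.150
"""
RULE = re.compile(r"([\w*,\s-]+):\s+(permit-hosts|deny-hosts)\s+(.*)")

def parse_rules(text, app):
    """Return [(verb, host_patterns, dest_patterns)] for one application, in file order."""
    rules = []
    for line in text.splitlines():
        m = RULE.match(line.split("#", 1)[0].strip())   # drop comments, skip non-rules
        if not m or app not in [a.strip() for a in m.group(1).split(",")]:
            continue
        verb, args = m.group(2), m.group(3).split()
        hosts, dests, i = [], [], 0
        while i < len(args) and not args[i].startswith("-"):
            hosts.append(args[i])          # source patterns come before any option
            i += 1
        while i < len(args):
            if args[i] == "-dest" and i + 1 < len(args):
                dests.append(args[i + 1])
                i += 2
            else:
                i += 1                     # -passok, -xok, -auth: irrelevant to matching
        rules.append((verb, hosts, dests))
    return rules

def wildcard(pattern, value):
    """Shell-style '*' wildcard over a hostname or dotted address."""
    return re.fullmatch(re.escape(pattern).replace(r"\*", ".*"), value) is not None

def decide(rules, source, dest):
    """Model: first rule whose source pattern matches decides; a '!' dest pattern denies."""
    for verb, hosts, dests in rules:
        if not any(wildcard(p, source) for p in hosts):
            continue
        if verb == "deny-hosts":
            if not dests or any(wildcard(p, dest) for p in dests):
                return "deny"
            continue                       # deny-hosts limited to other destinations
        for pat in dests:                  # permit-hosts: walk the -dest list in order
            if wildcard(pat.lstrip("!"), dest):
                return "deny" if pat.startswith("!") else "permit"
        return "permit" if not dests else "deny"
    return "deny"                          # nothing matched: the proxy refuses by default
```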