Dave McGuire <mcguire at neurotica.com> writes:
On 11/27/2013 12:13 PM, Brian Schenkenberger, VAXman- wrote:
The Telnet protocol itself makes no promises about the presence OR
absence of encryption, and it has a very flexible do/don't/will/won't
option negotiation protocol. Kerberos-enabled telnet, in particular,
allows for automatic authentication and/or stream encryption, with
either enabled or disabled on an invocation-by-invocation basis.
Kerberos-enabled telnet doesn't work unless the target is setup to and
willing to provide for it. I have no knowledge of how Sampsa has his
configured but from the initial discussion, I'd doubt that Kerberos is
involved.
As do I. I was merely nit-picking that "telnet" does not exclusively
mean "cleartext". Given that it was an open and outward-facing service,
I'd certainly HOPE it was Kerberized telnet! ;)
Sampsa already explain that it is not.
I do have telnet enabled but only for specific captive accounts. These
accounts -- such as the VTTEST account -- run an application that can't
be escaped from to tinker with anything on the system. For the general
cases, though, I only permit 'ssh' for external access and that runs on
an alternate port too. Port scanning ssh on a VMS system can consume a
over-generous amount of CPU resources. I also limit, becasue of this,
how many 'ssh' session can be created at any one time. For me, this is
a pretty low number as I should be the only party accessing my systems.
--
VAXman- A Bored Certified VMS Kernel Mode Hacker VAXman(at)TMESIS(dot)ORG
Well I speak to machines with the voice of humanity.
On 11/27/2013 12:13 PM, Brian Schenkenberger, VAXman- wrote:
The Telnet protocol itself makes no promises about the presence OR
absence of encryption, and it has a very flexible do/don't/will/won't
option negotiation protocol. Kerberos-enabled telnet, in particular,
allows for automatic authentication and/or stream encryption, with
either enabled or disabled on an invocation-by-invocation basis.
Kerberos-enabled telnet doesn't work unless the target is setup to and
willing to provide for it. I have no knowledge of how Sampsa has his
configured but from the initial discussion, I'd doubt that Kerberos is
involved.
As do I. I was merely nit-picking that "telnet" does not exclusively
mean "cleartext". Given that it was an open and outward-facing service,
I'd certainly HOPE it was Kerberized telnet! ;)
-Dave
--
Dave McGuire, AK4HZ
New Kensington, PA
Dave McGuire <mcguire at neurotica.com> writes:
On 11/27/2013 11:26 AM, Ian McLaughlin wrote:
Encrypted telent? I am intrigued...
The Telnet protocol itself isn't encrypted - passwords are in
cleartext. Running telnet inside an SSH tunnel is different...
Why would you when you've already got a secure communications channel
established?
I routinely use port forwarding through an ssh tunnel and, in most of
the cases, this is essentially telnet on an alternate port (eg. SMTP,
POP) but there are other protocols (eg. SQL) which are not so telnet
like in their implementation which can benefit from ssh tunneling.
The Telnet protocol itself makes no promises about the presence OR
absence of encryption, and it has a very flexible do/don't/will/won't
option negotiation protocol. Kerberos-enabled telnet, in particular,
allows for automatic authentication and/or stream encryption, with
either enabled or disabled on an invocation-by-invocation basis.
Kerberos-enabled telnet doesn't work unless the target is setup to and
willing to provide for it. I have no knowledge of how Sampsa has his
configured but from the initial discussion, I'd doubt that Kerberos is
involved.
This is far from new. I have been using it for over twenty years.
It's certainly not new. ;)
--
VAXman- A Bored Certified VMS Kernel Mode Hacker VAXman(at)TMESIS(dot)ORG
Well I speak to machines with the voice of humanity.
Roughly, what would be the power consumption of a 4000-500?
On Wed, Nov 27, 2013 at 7:32 AM, Cory Smelosky <b4 at gewt.net> wrote:
On Wed, 27 Nov 2013, Mark Wickens wrote:
DS10L with 1 HDD is 176 watts.
That's less than my ES40...quad-proc with 2 HDD and it hits 800W. ;)
--
Cory Smelosky
http://gewt.net Personal stuff
http://gimme-sympathy.org Projects
On 11/27/2013 11:26 AM, Ian McLaughlin wrote:
Encrypted telent? I am intrigued...
The Telnet protocol itself isn't encrypted - passwords are in
cleartext. Running telnet inside an SSH tunnel is different...
The Telnet protocol itself makes no promises about the presence OR
absence of encryption, and it has a very flexible do/don't/will/won't
option negotiation protocol. Kerberos-enabled telnet, in particular,
allows for automatic authentication and/or stream encryption, with
either enabled or disabled on an invocation-by-invocation basis.
This is far from new. I have been using it for over twenty years.
-Dave
--
Dave McGuire, AK4HZ
New Kensington, PA
Encrypted telent? I am intrigued...
The Telnet protocol itself isn't encrypted - passwords are in cleartext. Running telnet inside an SSH tunnel is different...
Ian
On Nov 27, 2013, at 8:22 AM, Dave McGuire <mcguire at neurotica.com> wrote:
On 11/26/2013 05:56 PM, Brian Schenkenberger, VAXman- wrote:
Stupid! Disable TELNET for anything but your local net. You do NOT want
plain text sent over the internet!
Telnet does not imply a lack of encryption. I regularly use encrypted
telnet, as do many others.
-Dave
--
Dave McGuire, AK4HZ
New Kensington, PA
---
Filter service subscribers can train this email as spam or not-spam here: http://my.email-as.net/spamham/cgi-bin/learn.pl?messageid=2BD711B6578011E38…
On 11/26/2013 05:56 PM, Brian Schenkenberger, VAXman- wrote:
Stupid! Disable TELNET for anything but your local net. You do NOT want
plain text sent over the internet!
Telnet does not imply a lack of encryption. I regularly use encrypted
telnet, as do many others.
-Dave
--
Dave McGuire, AK4HZ
New Kensington, PA
On Wed, 27 Nov 2013, Mark Wickens wrote:
DS10L with 1 HDD is 176 watts.
That's less than my ES40...quad-proc with 2 HDD and it hits 800W. ;)
--
Cory Smelosky
http://gewt.net Personal stuff
http://gimme-sympathy.org Projects
On Wed, Nov 27, 2013 at 3:13 AM, Mark Wickens <mark at wickensonline.co.uk> wrote:
DS10L with 1 HDD is 176 watts.
IIRC - the supply was rated at 450W peak.
On 27 Nov 2013, at 02:01, Sampsa Laine <sampsa at mac.com> wrote:
On 26 Nov 2013, at 23:08, Hans Vlems <hvlems at zonnet.nl> wrote:
No, I get telnet attempts from it, es and nl domains lately. I put a text in sys$announce that tells the, error, user that the system is privately owned, alle access attempts are logged and monitored and that unauthorized access is not allowed. The attempts are now down to a couple every 24 hours and no longer every 5 minutes.
Just got an SSH bruteforce attempt from Korea, decided to have a look at the chap's machine:
nmap -p1-65535 -T5 -sV -oAhax0r -P0 14.63.222.153
The "attack" stopped pretty quickly after that lol.
Mainland China based IP attacked me this morning, stopped after 27 seconds of my nmap scan.
The scanners don't like to be scanned it seems :)
Might write an automatic ArcSight rule to trigger these..
sampsa
