Don Parris wrote:
I've just read an article about using ssh/telnet. The article suggested setting a Linux box in front of a mainframe, thus allowing users to telnet to the mainframe _after_ securely connecting to the Linux box via ssh. The Linux Security Admin Guide also suggests not installing (or deleting) services you know you won't be using to prevent attackers from using them to access your system. So, other than using a Linux box as a front door for a mainframe telnet session, is there any valid reason to even install telnet, rlogin, etc.?
Based on the SAG, I could eliminate telnet, etc., as I cannot think of any reason to use those services in my LAN (which has no mainframe). SUSE installs these services by default (at least as of 8.0), so I'm thinking about removing them, unless someone can offer good reasons to retain them. My LAN consists of 6 SUSE 8.0 boxes and currently has no connection to the outside world (though that may come at a later date). I want to be sure I thoroughly understand security issues and that I am implementing the best practices for my LAN _before_ I think about connecting it to the outside world. Thanks in advance for your input.
There is an important distinction between "installed" and "running". SuSE installs telnet in case you want to use it, but at least as of SuSE 9.0 (and probably much earlier), it's not actually turned on by default. Modern unix systems have really moved away from the "don't install unless you absolutely need it" to an "install everything, but firewall off all the ports you don't need". This allows far more uniformity in your install base. Rather than having to back up entire systems, you can just keep copies of /etc, /usr/local, and /home. You can also keep a spare machine on hand that, with only unpacking a tarball, can take the place of any other system. Another important practice is security patches. It sounds like your systems haven't had net access, and therefore haven't had any security updates in years. This is a far more dangerous situation than any service like telnet sitting on your hard drive.
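An added example, not from either poster, that turns the "installed" versus "running" distinction into a check: it reports listening TCP ports outside an allowlist (reading `ss -ltn` or `netstat -ltn` output) and reads an xinetd service file to see whether a service such as telnet is actually enabled. It assumes the standard output layout of those two tools and that telnet is started through xinetd (`/etc/xinetd.d/telnet`), as on SuSE of that era; the sample data inside is constructed.

```shell
#!/bin/sh
# Example audit helpers (added here, not from the thread).
# "Installed" is not "running": what matters is which ports are open.

# audit_listeners: read `ss -ltn` or `netstat -ltn` output on stdin and print
# every listening TCP port that is not in the space-separated allowlist $1.
audit_listeners() {
    allowed=" $1 "
    # ss rows start with LISTEN, netstat rows with tcp/tcp6; column 4 is the
    # local address:port (e.g. 0.0.0.0:23 or [::]:22). Headers are skipped.
    awk '$1 == "LISTEN" || $1 ~ /^tcp/ { print $4 }' | sed 's/.*://' |
    sort -un | while read -r port; do
        case "$allowed" in
            *" $port "*) ;;        # expected service, say nothing
            *) echo "$port" ;;     # unexpected listener: firewall or disable it
        esac
    done
}

# xinetd_enabled: read an /etc/xinetd.d/<service> file on stdin and print
# "enabled" or "disabled" from its `disable = yes|no` line (absent = enabled).
xinetd_enabled() {
    awk 'BEGIN { d = "no" }
         /^[[:space:]]*disable[[:space:]]*=/ { d = $NF }
         END { if (tolower(d) == "yes") print "disabled"; else print "enabled" }'
}

# Constructed sample: sshd on 22 is wanted; telnet (23) and rlogin (513) are not.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    0.0.0.0:23         0.0.0.0:*
LISTEN 0      5      127.0.0.1:513      0.0.0.0:*'

# Run against the constructed sample; pass --live to audit the real host
# (uses ss if present, netstat otherwise).
if [ "${1:-}" = "--live" ]; then
    if command -v ss >/dev/null 2>&1; then ss -ltn; else netstat -ltn; fi |
        audit_listeners "22"
    [ -r /etc/xinetd.d/telnet ] && xinetd_enabled < /etc/xinetd.d/telnet
else
    printf '%s\n' "$SAMPLE_SS" | audit_listeners "22"
fi
```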