'we should all be uncomfortable with the extent to which luck..'

Christopher A. Woodfield rekoil at semihuman.com
Thu Jul 26 03:43:33 UTC 2001


Extremely easy solution - block telnet to your routers at your edge, 
except from bastion hosts that are logically as close to your 
routers as possible (say, one per POP). ssh into the bastion host, then 
telnet to the Criscos from there.

This is extremely easy to implement assuming you dedicate network blocks 
to network equipment in each of your sites. 

Speaking of, out of curiosity (this is from a DSL line downstream from 
above.net)...

rekoil at electro:~$ telnet iad1-core1.atlas.icix.net
Trying 165.117.1.121...
Connected to iad1-core1-l0.atlas.icix.net.
Escape character is '^]'.

Intermedia Business Internet     (iad1-core1.atlas.digex.net)
Unauthorized Access is Prohibited
 
Three routers of various powers for the internal works
Seven for customers in nearby towns
Nine for frame relay customers and all their quirks
One for the Mae-East deep underground
In the land of Datanet where the fiber lies.
One router to route them all, One router to find them,
One router to peer with them all and with BGP bind them
In the land of MFS Datanet where the fiber lies.
 


User Access Verification

Password: 
telnet> quit
Connection closed.

Any other "major" ISPs still allowing telnet access to their cores from 
untrusted hosts?

-C

On Wed, Jul 25, 2001 at 08:57:45PM -0400, Marshall Eubanks wrote:
> 
> >
> >
> >>> > How many of us here run anything less than SSH and even allow telnetd to
> >>> > live on any of our hosts?
> 
> Hey, we have had to do without SSH in more than one CISCO IOS build in the last
> 6 months in 12.1 / 12.2. 
> 
> This always made me feel very nervous.
> 
> Regards
> Marshall Eubanks
> 
> >>> 
> >>> Here? Probably not all that many. 
> >>
> >>[bill's password slide from the Scottsdale NANOG]
> >>suggests that many (most?) of the NANOG attendees are shipping passwords
> >>around in the clear (not necessarily all telnet, but indicative of a
> >>mindset).
> >
> >The system with that data on it is off right now, but my recollection was
> >that the top three offenders were (in no particular order)
> >
> >- cleartext POP
> >- cleartext IMAP
> >- http:// (mostly people reading their email via Exchange).
> >
> >Note that the final slide that I put up at the end of the meeting (with
> >something like 150 passwords on it) had one of my passwords too
> >(my Vindigo password, if anyone wants to change what cities I have
> >configured =), so even people who are aware of the issues sometimes
> >still send cleartext passwords.
> >
> >  Bill
> >
> 
> Marshall Eubanks
> 
> tme at 21rst-century.com

-- 
---------------------------
Christopher A. Woodfield		rekoil at semihuman.com

PGP Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xB887618B
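One way to implement the edge filter Christopher describes, as an added example that is not from the original post or from any vendor: a Cisco IOS extended ACL on the edge interface that lets only the POP's bastion host reach the dedicated network-equipment block on TCP/23, with an access-class on the vty lines as a second layer. The addresses (192.0.2.10 for the bastion, 203.0.113.0/24 for the router block) are constructed documentation-range values, and the interface name is an assumption.

```cisco
! Edge filter: telnet to the network-equipment block is allowed only from
! the POP's bastion host. Everything else (customer traffic) passes through.
ip access-list extended EDGE-IN
 remark Bastion host (one per POP, constructed example address)
 permit tcp host 192.0.2.10 203.0.113.0 0.0.0.255 eq 23
 remark Drop and log all other telnet aimed at the router block
 deny   tcp any 203.0.113.0 0.0.0.255 eq 23 log
 remark Transit and customer traffic is not affected by this filter
 permit ip any any
!
! Assumed edge interface name; apply inbound on every external-facing link
interface Serial0/0
 description Edge link to upstream / peer
 ip access-group EDGE-IN in
!
! Second layer on each router: the vty lines themselves only accept the
! bastion, so a gap in an edge ACL does not by itself expose the login.
access-list 10 remark Bastion hosts only (constructed example address)
access-list 10 permit 192.0.2.10
access-list 10 deny   any log
!
line vty 0 4
 access-class 10 in
 transport input telnet
```

Filtering by destination block only works if network gear really lives in its own dedicated prefixes, which is the assumption the post makes; the logged denies give you a cheap view of who is still probing for telnet on the cores.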


