>Shutting down telnetd is a good idea. This was considered. Unfortunately,
>we do not have a dedicated mailhost. Instead we have three main machines
>(one VAX and two suns) that must remain open to telnet (port 23). The key
>would be able to shut down telnet to 25 and allow telnet to 23. (This is
>sounding like a key firewall question to me. If it is possible, please tell
>me!)
You can't shut off `telnet' access to port 25 without shutting off ALL
access to port 25. Other than the bit of telnet that negotiates terminal
options and a few other random bits, telnet is a simple character stream
protocol - many TCP/IP protocols are built on a character stream connection.
A firewall *can* be used to limit what hosts can deliver mail to your mail
hub - you can disallow student workstations, for example - but that means
that you've just moved the problem around; a prankster will simply use
one of the systems that are approved for mail access to deliver the mail.
If you try the next obvious approach - building a telnet client on those
systems that doesn't support specification of a port number - they'll just
build their own telnet client from source.
Moral of the story: you can't fix a people problem with technology. You
can only fix problems like this by making a policy decision - if you catch
people doing this they lose computer access, for example - then publicizing
the policy. Enforce it a few times and the fun is gone.
-Rick