Re: disabling telnet and rlogin

[Steve Lewis <SALewis@lbl.gov>]

Title: Re: disabling telnet and rlogin

At 10:18 AM -0600 2000/02/22, Andrew Johnson wrote:

> "Porter, Rodney" wrote:
> >
> > Following up on your security talk at APS, I was wondering if
> there is a
> > standard way to disable telnet and
> rlogin.  If not could one be made?

You can inspect the INCLUDE_CONFIGURATION_5_2 macro, which is just

a bunch of #defines, and pick what you want, leaving out telnet and

rlogin.  Just move the onces you do want from the grouping after

#ifdef FALSE to just above it.

By the way, I leave them in, because they are useful to me; further,

I assume VxWorks is extremeley vulnerable, so to get some real security,

I:

 - put my IOCs on a hidden subnet, for example, using IP masquerading

   on one of my dual-homed servers.  This really hides them from the

   Internet (and is good practice for your console Unix/NT machines as well--

   they can still see "out".);

 - do not give the IOCs a DEFAULT route; at most, give them single-host

   routes to special hosts not on the hidden subnet.  They will not reply

   to any packet not on their own LAN (which would not occur if using

   the IP masquerading technique, of course).  You can still access them

   by using ssh once to your above server; then rlogin or via you serial

   port acess method;

 - change the default password and login supplied by WRS.  Do this by

   looking further down in configAll.h;

 - finally, VxWorks is pretty obscure; I still forget to put quotes

   around the arguments to cd and ls.

_____________________________________________________________________
Stephen A. Lewis                        | SALewis@LBL.gov
Mail Stop 71-259                        | http://www.lbl.gov/~salewis
Lawrence Berkeley National Laboratory   | Tel: +1.510.486.7702
Berkeley, CA 94720    USA               | FAX: +1.510.486.4544