Precautions for remotely logging on to a Linux host using Telnet

Source: Internet
Author: User

Logging on remotely to manage a server is the most routine task a server administrator performs. In a Windows environment, administrators are often used to doing this over Telnet. On Linux, however, Telnet is not available out of the box: because the Telnet protocol has well-known security weaknesses, Linux ships with the ssh remote logon protocol in its place. Some administrators nevertheless prefer Telnet, and a stock Windows client supports only Telnet, not ssh, so managing a Linux host over ssh from Windows means downloading an ssh client first. To meet that requirement, this article covers the points to watch when enabling Telnet on a Linux host.

1. Start the telnet protocol manually.

By default, Red Hat Linux does not enable the Telnet service, and other distributions impose similar restrictions. The reason is that Telnet carries a serious security risk: the user name, password and every command are transmitted in plain text, so an attacker who can observe the traffic can easily capture sensitive information such as accounts and passwords. For the security of the Linux server, we recommend using ssh rather than Telnet. If Telnet must be used, the service first has to be enabled on the Linux server. To do so, edit the telnet service file with a text editor such as vi. The file is /etc/xinetd.d/telnet, and it contains the record disable = yes; change this record to disable = no. Note that the value is case sensitive: it must be "no" in lower case, not "NO".

The change does not take effect immediately, though. The administrator either restarts the system or, to avoid a reboot, runs /etc/init.d/xinetd reload to force xinetd to re-read its configuration; once the command completes, the telnet service is available. For the server's sake I stress once more that this service should not be started lightly, and when it is enabled it should be disabled again as soon as it is no longer needed. Alternatively, apply other protections on the network, such as an IPSec security policy, to encrypt the data in transit; such measures also reduce the risk introduced by using Telnet.
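The following shell script is an added example, not code from the original article: it reads the disable flag from an xinetd service file in the layout of /etc/xinetd.d/telnet, reports whether the service is enabled, and rewrites the flag with a backup. It assumes the usual "key = value" xinetd syntax and works on a constructed copy of the file, so the real service file is never touched.

```shell
#!/bin/sh
# Added example, not part of the original article: inspect and safely change the
# "disable" flag in an xinetd service file such as /etc/xinetd.d/telnet.
# Assumption: the service file follows the usual "key = value" xinetd layout.

# Print the current value of "disable" (yes/no) from an xinetd service file.
xinetd_disable_value() {
    sed -n 's/^[[:space:]]*disable[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" | tail -n 1
}

# Succeed only when the service is enabled, i.e. the file says exactly "disable = no".
# The comparison is case sensitive, matching the article's note that "no" must be lower case.
xinetd_service_enabled() {
    [ "$(xinetd_disable_value "$1")" = "no" ]
}

# Rewrite the flag to yes or no, keeping a backup copy first. The value is validated
# before it reaches sed, so only the two accepted words can be written.
xinetd_set_disable() {
    file=$1; value=$2
    case "$value" in
        yes|no) ;;
        *) echo "disable must be yes or no" >&2; return 1 ;;
    esac
    cp -p "$file" "$file.bak"
    sed "s/^\([[:space:]]*disable[[:space:]]*=[[:space:]]*\)[A-Za-z]*/\1$value/" "$file" > "$file.tmp" \
        && mv "$file.tmp" "$file"
    # On a real host, run "/etc/init.d/xinetd reload" afterwards so xinetd re-reads the file.
}

# Constructed sample in the format of /etc/xinetd.d/telnet; the real file is not touched.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# default: off
service telnet
{
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        log_on_failure  += USERID
        disable         = yes
}
EOF

# Audit view: a host where this reports "enabled" is exposing plain-text logons.
if xinetd_service_enabled "$SAMPLE"; then
    echo "telnet: enabled (plain-text logons possible)"
else
    echo "telnet: disabled"
fi
```

Run the same check function over every file in /etc/xinetd.d to find services a host still has switched on.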

2. Allow Remote logon using Telnet for the root account.

Even when the Telnet service is enabled, the administrator still cannot log on remotely over Telnet as root by default, because Red Hat Linux does not allow the root account to use Telnet for remote login. Most administrative tasks require the privileged user root, so once the Telnet service is enabled, root must also be permitted to log on remotely to perform maintenance.

This design is not really an obstacle for the administrator, but there are particular considerations behind it. When root logs on over Telnet, the privileged user's password crosses the network in the clear. The root account holds the highest privileges on the Linux server, so if that password is disclosed an attacker can do anything with the machine. For that reason the Linux designers imposed this restriction out of necessity.

To allow the root account to remotely log on to the operating system, follow these steps.

The file /etc/securetty limits the terminals from which the root account may log on. It lists not only the local terminals but also the remote ones. In Linux, remote terminals are named pts, and the number after the slash (pts/0, pts/1, ...) identifies an individual terminal, so the entries also cap how many users may be logged on remotely at the same time; to allow several simultaneous remote logons, several pts terminals must be listed. A user does not get a fixed terminal: each new session is assigned the next free one, so if three users are already logged on remotely, the administrator's session is assigned a later terminal, for example pts/4. To let root log on remotely over Telnet, add these terminals to the file. Note that if many users log on remotely, you must add several remote terminals, such as pts/0 and pts/1; otherwise, once other users have logged on first, the administrator can no longer log on remotely. Two or three remote terminals are usually enough, but the administrator should decide the number from the enterprise's actual situation: where there are many administrators, or several people need to log on to the Linux server at once for remote collaboration, a few more remote terminals must be enabled. After these terminals are added to the file, the administrator can log on remotely as root. Note that no such setting is required for ssh: because ssh encrypts everything it transmits, the system allows root to log on remotely over it by default.

If the administrator finds this cumbersome, there is a simpler method: delete or rename the file. With the file gone, the operating system cannot find the relevant settings, and root is then allowed to log on from every available terminal. Convenient as this is, it leaves a large security hole, so I suggest adding the relevant records to the configuration file above if root is to log on remotely over Telnet. The configuration is not very troublesome, and changes to this file take effect immediately; no restart or command is needed to force them. The administrator should also be reminded to back up the configuration file before modifying it: even the most seasoned hand slips up occasionally. Configuration files in Linux are like the Registry in Microsoft operating systems: back them up before changing them. This precaution is still indispensable even for Linux system management experts.
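The following shell script is an added example, not code from the original article: it counts the pts/N entries in a securetty-style file, reports whether remote root logon is blocked (treating a missing file as "every terminal allowed", the situation the deletion shortcut creates), and adds a chosen number of pts terminals idempotently after taking a backup. It assumes one terminal name per line as in /etc/securetty and works on a constructed sample file.

```shell
#!/bin/sh
# Added example, not part of the original article: audit and extend the list of
# terminals in a securetty-style file. Assumption: one terminal name per line, as in
# /etc/securetty; the sample below is constructed so the real file is never modified.

# Count the remote (pts/N) entries from which root may log on. A missing file means
# root may use every terminal, which is reported as "unrestricted".
securetty_pts_count() {
    if [ ! -f "$1" ]; then
        echo unrestricted
        return 0
    fi
    grep -c '^pts/[0-9][0-9]*[[:space:]]*$' "$1" || true
}

# Succeed when the file blocks remote root logon over Telnet: it exists and lists no pts/N.
securetty_root_remote_blocked() {
    [ -f "$1" ] && [ "$(securetty_pts_count "$1")" = "0" ]
}

# Add pts/0 .. pts/(N-1) once each, after saving a backup, so rerunning never duplicates lines.
securetty_allow_pts() {
    file=$1; n=$2
    cp -p "$file" "$file.bak"
    i=0
    while [ "$i" -lt "$n" ]; do
        grep -qx "pts/$i" "$file" || echo "pts/$i" >> "$file"
        i=$((i + 1))
    done
}

# Constructed sample: local consoles only, so root cannot log on remotely yet.
SECURETTY_SAMPLE=$(mktemp)
printf '%s\n' console tty1 tty2 tty3 tty4 > "$SECURETTY_SAMPLE"

if securetty_root_remote_blocked "$SECURETTY_SAMPLE"; then
    echo "root remote logon: blocked"
fi
securetty_allow_pts "$SECURETTY_SAMPLE" 3      # the two or three terminals the article suggests
echo "pts entries now: $(securetty_pts_count "$SECURETTY_SAMPLE")"
```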

3. Set up the ssh protocol to replace the Telnet protocol.

Functionally, Telnet can do the job as well. Using ssh on Linux has two advantages, however. First, ssh is more secure than Telnet: with ssh, the account, password, commands and so on are encrypted in transit, so an attacker cannot read them, whereas Telnet sends them in plain text, so an attacker can easily pick out what he needs, above all the account and password, as preparation for the next attack. Second, by default Linux supports only ssh and not Telnet, so remote logon over Telnet requires the additional settings described above, while ssh avoids that trouble.

If the Linux server is managed from a Windows client, however, ssh presents an obstacle: Windows clients do not support ssh. Administrators who manage Linux from Windows (and many do) must therefore download a small tool such as putty so that ssh can be used from the Windows client. Downloading a tool from the Internet is a nuisance, but it is worth it for the security gained. For this reason the author once more recommends that administrators use ssh rather than Telnet to log on to and maintain the Linux operating system.
