On Fri, 26 May 2000, John Horne wrote:
> Exactly, so how do I *force* (i.e. convince it is a 'good thing') our
> users to use ssh without actually deleting the telnet command? Telnet is
> still used for simple testing - e.g. "We can't send any mail"; the admin
> simply initially uses 'telnet <host> 25' to see what happens. Hence telnet as
> a command is still required, and if it is there then the users are probably
> going to use 'telnet host' rather than 'ssh host'. They *may* get used to
> using ssh, but as always there will be some who don't or take a long time in
> converting.
Disable telnetd on the destination machine. Under most unix-like OSes, this
can be done by commenting out the line in /etc/inetd.conf that looks like
telnet stream tcp nowait root /usr/libexec/telnetd telnetd
(though actually only the first column needs to be an exact match).
This way, the telnet command works fine, but it has nothing to connect to
on the machine(s) you need to secure.
You can also do this with TCP/IP packet filtering. The firewalls of our
DMZ are going to be blocking telnet (port 23) to the DMZ and inner area,
but only blocking ssh (port 22) to the inner area sometime in the near
future.
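As an added example (not from this thread, and not anyone's production script), a small POSIX shell script that applies the inetd.conf change described in the reply above: it comments out every entry whose first column is "telnet", matching only on that column as the reply notes, and reports how many active telnet entries remain. The file path and the sample configuration are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: disable the telnet service in an inetd.conf-style file by
# commenting out every line whose first column is "telnet". The file name
# and contents below are constructed; on a real host the file is /etc/inetd.conf
# and inetd must be sent SIGHUP afterwards to reread it.

# Comment out active telnet entries in the file given as $1 (idempotent:
# lines that are already commented start with "#telnet" and do not match).
disable_telnet_inetd() {
    conf="$1"
    tmp="${conf}.tmp.$$"
    # Only the first field has to match; the rest of the line is irrelevant.
    awk '$1 == "telnet" { print "#" $0; next } { print }' "$conf" > "$tmp" \
        && cat "$tmp" > "$conf"   # cat keeps the original file's permissions
    rm -f "$tmp"
}

# Print the number of still-active telnet entries in $1 (0 means disabled).
active_telnet_entries() {
    awk '$1 == "telnet" { n++ } END { print n + 0 }' "$1"
}

# Write a constructed inetd.conf sample to $1: one active telnet entry,
# one already-commented telnet entry, and two unrelated services.
sample_inetd_conf() {
    cat > "$1" <<'EOF'
# inetd.conf (constructed sample)
ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
telnet  stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
#telnet stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
finger  stream  tcp     nowait  nobody  /usr/libexec/fingerd    fingerd
EOF
}
```

Run it against a copy first; once the change is made on the real file, a "kill -HUP" of the inetd process makes it take effect without rebooting.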