[Snort-sigs] Signature Definition #717, 12 of 20
Esler, Joel Contractor
EslerJ at ...785...
Mon Jun 9 06:58:31 EDT 2003
Rule: -- TELNET not on console
Sid: -- 717
Summary: -- This string detects a failed attempted root login response from
a telnet server on your network.
Impact: -- This is normal Telnet activity. Root logins should only be
allowed to login on the console, however, telnet uses cleartext usernames
and passwords, anyone sniffing traffic in the middle can receive this
traffic and possibly compromise your network.
Detailed Information: -- Telnet uses cleartext usernames and passwords,
this should be disallowed and SSH should be used instead. This signature
detects a failed root login through telnet.
Affected Systems: -- Any that have the telnet server installed
Attack Scenarios: -- Slim to Dangerous
Ease of Attack: -- Easy if installed
False Positives: -- Unknown
False Negatives: -- Unknown
Corrective Action: -- Find and disable unauthorized Telnet Servers, secure
authorized Telnet Servers by removing anonymous logins and require
username/password authentication. If possible remove Telnet altogether and
install SSH, then secure it with your perimeter routers by IP.
Contributors: -- Joel Esler
More information about the Snort-sigs