Re: (PM) Locking up telnet connections

Jake Messinger (jake@ams.com)
Sat, 6 Feb 1999 00:15:38 -0600 (CST)

On Fri, 5 Feb 1999 michael@blueneptune.com wrote:

> (perl -e 'print "A" x 10000' ; sleep 10) | telnet pm3-hostname
>
> 2) That network connection will lock up.

> (When the "reset n###" command is given, the state shown by
> "show netcon" will change to "TIME WAIT". After a few minutes,
> the connection will be dropped.)

Yes, this is rather normal, and I've seen similar occur on other types of
hardware.

> 2) No special privileges are required to get to the unit to do this,
> other than a clear network route to the unit. Obviously, an appropriate
> firewall/filter setting should keep most or even all potential hackers
> away from the unit, but it is far too common for such filters to not
> exist. In such a case, ComOS should be more robust than it currently is.
> As it stands now, a user with access to the telnet port can lock out the
> admin from telnet sessions with four "hit-and-run" connections.

Do what we do. Put in a filter that allows telnet ONLY from some other
local host or a local subnet. So you have to telnet to the local host
successfully FIRST, then telnet to the PMs. Same with pmconsole, er, I
mean pmvision.

> 2) Be better about detecting that the other end of a telnet session has
> gone away, and reset the connection when this happens. Possibly use

You walk a fine line here: what if the session is just badly lagged? If
you set it to hang up too quickly, you could cut off legitimate sessions.

I think the best way is to put in the filter to deny telnet from anything
but your local machines or subnet. That's how ComOS overcomes it. Another
way: change your telnet port on the PortMaster to something NOT so
obvious, like 34567. Of course, obscurity is no substitute for security.

~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~
Jake Messinger, VP. ph:713-772-6690 Lucent Dealer
AMS, Inc. fx:713-774-3498 Medical Billing
8300 Bissonnet #400 jake@ams.com , ICQ# 4403734 Internet Services
Houston, Texas 77074 www.ams.com/~jake and Hardware

Adjunct Professor University of Houston, CBA jake@uh.edu
~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~

INVENTOR OF the _.,-*~''~*-,._ SQUIGGLES (c) 1978

-
To unsubscribe, email 'majordomo@livingston.com' with
'unsubscribe portmaster-users' in the body of the message.
Searchable list archive: <URL:http://www.livingston.com/Tech/archive/>
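The two defences Jake describes (a source filter so only the local subnet can reach telnet, and an idle-timeout that walks the "fine line" between reaping dead sessions and cutting off a lagged admin), as an added example that is not part of the original post and not ComOS or PortMaster code. It is a small Python listener on loopback that models a fixed pool of telnet slots. Everything beyond the thread is an assumption and labelled as such in the code: four slots (taken from the report's "four hit-and-run connections"), a 60-second idle limit, 10.0.0.0/8 as the management subnet, and loopback standing in for the unit. It also goes one step past the report: the attackers here never close their TCP connection at all, which is the case an orderly FIN would not solve, whereas the report's `sleep 10` pipe does eventually close.

```python
import select
import socket
import time


class TelnetGuard:
    """Toy stand-in for a fixed pool of telnet "netcon" slots, with the two
    defences from the thread bolted on: a source-address filter and an
    idle-timeout reaper. Assumed values (not from the original post): four
    slots, a 60 s idle limit, and loopback (127.0.0.0/8) as the trusted net."""

    def __init__(self, max_sessions=4, idle_timeout=60.0,
                 allowed_prefixes=("127.",), clock=time.monotonic):
        self.max_sessions = max_sessions
        self.idle_timeout = idle_timeout
        self.allowed_prefixes = allowed_prefixes
        self.clock = clock                    # injectable, so the demo is deterministic
        self.sessions = {}                    # connected socket -> last activity time
        self.refused = 0                      # filtered or pool-full connections
        self.reaped = 0                       # sessions dropped for idleness
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.bind(("127.0.0.1", 0))  # port 0: OS picks a free port; a real unit uses 23
        self.listener.listen(16)
        self.listener.setblocking(False)

    @property
    def port(self):
        return self.listener.getsockname()[1]

    def poll(self, wait=0.2):
        """Service the listener and every session until nothing is pending."""
        while True:
            readable, _, _ = select.select([self.listener, *self.sessions], [], [], wait)
            if not readable:
                return
            wait = 0                          # drain what is already queued, then stop
            now = self.clock()
            for s in readable:
                self._accept(now) if s is self.listener else self._service(s, now)

    def _accept(self, now):
        conn, (addr, _) = self.listener.accept()
        # A real packet filter drops the SYN before any slot is touched; a
        # userland listener can only refuse after accept(), which is close enough here.
        if not addr.startswith(self.allowed_prefixes) or len(self.sessions) >= self.max_sessions:
            self.refused += 1
            conn.close()
            return
        conn.setblocking(False)
        conn.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)  # OS-level dead-peer probes
        self.sessions[conn] = now

    def _service(self, s, now):
        try:
            data = s.recv(4096)
        except OSError:
            data = b""
        if data:
            self.sessions[s] = now            # any byte from the peer counts as activity
        else:
            self._drop(s)                     # orderly FIN or RST: slot freed immediately

    def reap(self):
        """Drop sessions idle longer than idle_timeout. This is the fine line:
        too short and a merely lagged session is cut off along with the dead ones."""
        now = self.clock()
        for s, last in list(self.sessions.items()):
            if now - last > self.idle_timeout:
                self._drop(s)
                self.reaped += 1

    def _drop(self, s):
        self.sessions.pop(s, None)
        s.close()

    def close(self):
        for s in list(self.sessions):
            self._drop(s)
        self.listener.close()


def _login(guard):
    """Connect once; report whether the guard gave the connection a slot."""
    before = len(guard.sessions)
    c = socket.create_connection(("127.0.0.1", guard.port))
    guard.poll()
    return len(guard.sessions) > before, c


def hit_and_run_demo(idle_timeout=60.0):
    """Fill every slot with clients that send the report's 10000 bytes and then
    go silent without closing. One of them is merely lagged and speaks again
    at t=30 s; the admin tries to log in before and after the reaper runs."""
    clock = [0.0]
    guard = TelnetGuard(idle_timeout=idle_timeout, clock=lambda: clock[0])
    attackers = [socket.create_connection(("127.0.0.1", guard.port))
                 for _ in range(guard.max_sessions)]
    for a in attackers:
        a.sendall(b"A" * 10000)               # constructed payload, same as the report
    guard.poll()
    admin_before, c1 = _login(guard)          # pool full: refused
    clock[0] = 30.0
    attackers[0].sendall(b"\r\n")             # the lagged-but-alive session
    guard.poll()
    clock[0] = 70.0                           # silent peers are now 70 s idle
    guard.reap()
    admin_after, c2 = _login(guard)
    result = {"admin_before_reap": admin_before, "admin_after_reap": admin_after,
              "reaped": guard.reaped, "sessions_after": len(guard.sessions),
              "refused": guard.refused}
    for s in attackers + [c1, c2]:
        s.close()
    guard.close()
    return result


def filter_demo():
    """Assumed management subnet 10.0.0.0/8: a loopback client never gets a slot."""
    guard = TelnetGuard(allowed_prefixes=("10.",))
    c = socket.create_connection(("127.0.0.1", guard.port))
    guard.poll()
    outcome = (guard.refused, len(guard.sessions))
    c.close()
    guard.close()
    return outcome


if __name__ == "__main__":
    print(hit_and_run_demo())
    print(filter_demo())
```

Run it with the default 60-second limit and the three dead peers are reaped while the lagged one survives, so the admin gets a slot on the second try; run `hit_and_run_demo(idle_timeout=10.0)` and the lagged session is cut off too, which is exactly the trade-off Jake warns about. `SO_KEEPALIVE` is set on every admitted socket so the OS probes silent peers on its own, but the default probe interval on most stacks is two hours, so the explicit reaper still does the real work.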