XGS - V19.0.2 - WAN Side Telnet (23) Open!

Hi Guys, hi Sophos ....

Why is Telnet on Port 23 on WAN open?

  • This tcpdump: Did you do it on port 23? 

    Try: tcpdump -ni any port 23 

    __________________________________________________________________________________________________________________

  • Yes.

    tcpdump -i Port2 port 23

    and this is from the log...

    Update:

    we are under heavy attack.

    The DNAT rule does not match. What service is answering here?

  • Hi Toni,

    thanks for your answer.

    @sys appliance_access enable: Yes, I know. This will insert an any-any-any iptables rule in first place.

    XGS2100_RL01_SFOS 19.0.2 MR-2-Build472# iptables -L -n -v --line-numbers
    Chain INPUT (policy DROP 0 packets, 0 bytes)
    num pkts bytes target prot opt in out source destination optimization
    1 105K 5441K ALLOW_ALL all -- * * 0.0.0.0/0 0.0.0.0/0 skip_ip_match <<<<
    2 181K 9832K HA_TRAFFIC all -- * * 0.0.0.0/0 0.0.0.0/0 skip_ip_match
    3 25227 1735K LOGIN_SECURITY all -- * * 0.0.0.0/0 0.0.0.0/0 skip_ip_match
    4 25132 1729K ADMIN_SERVICES_ALLOW all -- * * 0.0.0.0/0 0.0.0.0/0 skip_ip_match RULEID match --fwruleid 0
    :
    :

    Chain ALLOW_ALL (1 references)
    num pkts bytes target prot opt in out source destination optimization
    1 105K 5454K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 skip_ip_match <<<<

    But this is not the problem and the initial reason for my posting.

    The reason is the non-documented open telnet port.

    In the GUI under Device access there is also no service related to telnet.

    On the other hand, if somebody has forgotten that "sys appliance_access enable" is set, there is currently no hint about this dangerous setting.

    Up to now we, as customers, have no efficient way to check such settings. A "show running-config" would be fine, as requested many times by us customers.

    Why do we want this? It's simple: we do not service only one or two firewalls in a static, well-documented environment. If we take over a system (customer), we have to check all these settings command by command. This is inefficient. And not every show command starts with show.

    In my case, the nearest Sophos firewall is more than 300 km away, in another country.
    So in most cases I have to set up the firewall clusters remotely.

    This customer already has a working firewall environment. For some reason in the setup process, the XG had two default gateways.
    One on the LAN, and one via DHCP on the WAN side (with an internal IP).

    If you try to access the XG GUI via a VPN which terminates on the existing system, you will find some performance issues since V19.0. You will also find that the login page is not loaded correctly.
    The command - sys appliance_access enable - makes the performance in this situation better.


    Guenter
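The iptables listing in the post above is exactly the kind of thing the "show running-config" request is about: the emergency any-any-any ACCEPT is visible only if you know to look for it. The script below is an added example (it is not Sophos tooling and not part of the original post) that parses an `iptables -L -n -v --line-numbers` dump and reports every unconditional ACCEPT reachable from the INPUT chain, which is the footprint `sys appliance_access enable` leaves. Assumptions: the two dumps are constructed samples modelled on the post's output, the `skip_ip_match` column and the `<<<<` marker are treated as annotations rather than match extensions, and the `Port1`/`192.168.10.0/24`/`dpt:4444` values in the second chain are invented sample data.

```python
"""Audit an `iptables -L -n -v --line-numbers` dump for an unconditional
ACCEPT reachable from INPUT (the ALLOW_ALL chain that SFOS inserts when
`sys appliance_access enable` is set).  Added example, not Sophos code."""
import re
import sys
from dataclasses import dataclass, field

# Constructed sample modelled on the post's dump: emergency access ON.
DUMP_APPLIANCE_ACCESS_ON = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination optimization
1 105K 5441K ALLOW_ALL all -- * * 0.0.0.0/0 0.0.0.0/0 skip_ip_match <<<<
2 181K 9832K HA_TRAFFIC all -- * * 0.0.0.0/0 0.0.0.0/0 skip_ip_match
3 25227 1735K LOGIN_SECURITY all -- * * 0.0.0.0/0 0.0.0.0/0 skip_ip_match
4 25132 1729K ADMIN_SERVICES_ALLOW all -- * * 0.0.0.0/0 0.0.0.0/0 skip_ip_match RULEID match --fwruleid 0
:
:

Chain ALLOW_ALL (1 references)
num pkts bytes target prot opt in out source destination optimization
1 105K 5454K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 skip_ip_match <<<<

Chain ADMIN_SERVICES_ALLOW (1 references)
num pkts bytes target prot opt in out source destination optimization
1 120 7200 ACCEPT tcp -- Port1 * 192.168.10.0/24 0.0.0.0/0 tcp dpt:4444
"""

# Constructed sample of the same box with the emergency chain absent (OFF).
DUMP_APPLIANCE_ACCESS_OFF = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination optimization
1 181K 9832K HA_TRAFFIC all -- * * 0.0.0.0/0 0.0.0.0/0 skip_ip_match
2 25227 1735K LOGIN_SECURITY all -- * * 0.0.0.0/0 0.0.0.0/0 skip_ip_match
3 25132 1729K ADMIN_SERVICES_ALLOW all -- * * 0.0.0.0/0 0.0.0.0/0 skip_ip_match RULEID match --fwruleid 0

Chain ADMIN_SERVICES_ALLOW (1 references)
num pkts bytes target prot opt in out source destination optimization
1 120 7200 ACCEPT tcp -- Port1 * 192.168.10.0/24 0.0.0.0/0 tcp dpt:4444
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(")
# Assumption: these tokens are SFOS display annotations, not match extensions.
ANNOTATIONS = {"skip_ip_match", "<<<<"}


@dataclass
class Rule:
    num: int
    target: str
    prot: str
    in_if: str
    out_if: str
    src: str
    dst: str
    matches: list[str] = field(default_factory=list)

    def is_unconditional(self) -> bool:
        """True when the rule matches every packet: any proto/iface/src/dst, no extensions."""
        return (self.prot == "all" and self.in_if == "*" and self.out_if == "*"
                and self.src == "0.0.0.0/0" and self.dst == "0.0.0.0/0"
                and not self.matches)


def parse_dump(text: str) -> dict[str, list[Rule]]:
    """Map chain name -> ordered rules from `iptables -L -n -v --line-numbers` output."""
    chains: dict[str, list[Rule]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        # Columns: num pkts bytes target prot opt in out source destination [extra...]
        parts = line.split(None, 10)
        if current is None or len(parts) < 10 or not parts[0].isdigit():
            continue  # header row, blank line, or the ':' truncation marker
        extra = parts[10].split() if len(parts) == 11 else []
        matches = [tok for tok in extra if tok not in ANNOTATIONS]
        chains[current].append(Rule(int(parts[0]), parts[3], parts[4], parts[6],
                                    parts[7], parts[8], parts[9], matches))
    return chains


def find_unconditional_accepts(chains, chain="INPUT", _seen=None):
    """Return (chain, rule_num) for each ACCEPT-everything rule reached from `chain`
    through unconditional jumps.  An unconditional DROP/REJECT ends the walk, since
    nothing after it in that chain is reachable.  Chains missing from the dump
    (truncated output) are skipped rather than guessed at."""
    seen = _seen if _seen is not None else set()
    if chain in seen:
        return []
    seen.add(chain)
    hits = []
    for rule in chains.get(chain, []):
        if not rule.is_unconditional():
            continue
        if rule.target == "ACCEPT":
            hits.append((chain, rule.num))
        elif rule.target in ("DROP", "REJECT"):
            break
        elif rule.target in chains:
            hits.extend(find_unconditional_accepts(chains, rule.target, seen))
    return hits


def audit(text: str) -> list[str]:
    """Human-readable findings for one dump (empty list means nothing found)."""
    return [f"INPUT reaches unconditional ACCEPT at {chain} rule {num}: "
            f"appliance access / emergency rule is likely enabled"
            for chain, num in find_unconditional_accepts(parse_dump(text))]


if __name__ == "__main__":
    # Pipe a real dump in, or run with no input to audit the constructed samples.
    dumps = [sys.stdin.read()] if not sys.stdin.isatty() else \
        [DUMP_APPLIANCE_ACCESS_ON, DUMP_APPLIANCE_ACCESS_OFF]
    for dump in dumps:
        print("\n".join(audit(dump)) or "no unconditional ACCEPT reachable from INPUT")
```

Against the first sample the walk follows INPUT rule 1 into ALLOW_ALL and flags its ACCEPT; the ADMIN_SERVICES_ALLOW jump is ignored because its `RULEID match --fwruleid 0` extension makes it conditional. The second sample reports nothing. Running the same check after every remote setup, with the dump copied from the advanced shell, is a cheap way to catch a forgotten emergency setting until the product shows a banner for it.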

  • Hi,

    why don't you set up a CM account? You can then add your supported firewalls and manage them remotely without direct connections.

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Not every customer accepts connecting a firewall to a cloud system. Some written policies forbid such things.

  • I still would suggest you use CM of those customers that do allow remote access. CM is way more secure than leaving the XG external interface open to attack by opening ports to allow remote access.

    I would hope that the customers that don't allow access from cloud based devices do not have the XG support ports open but use a VPN to an internal server which can access the XG internal interface?

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Hello,

    Thank you for your answer.

    There is no point in discussing basic decisions of the customer here. That is not the topic here.
    The customer specifies the environment and how to deal with it. We all have to abide by that. It does not matter what is "subjectively" better or more elegant.

    The customer has strict guidelines that he has to follow and that we have to follow as well.

    One requirement is to have all running IP services documented.
    This is for prevention and assessment of possible IT security risks.

    And 7 days ago it was just discovered that the XG firewall has a telnet service running that is not documented anywhere. Allegedly a legacy issue.

    For the documentation of the same it doesn't matter at all whether this service is "normally" sealed off. The only thing that is relevant here is whether such a service exists or not.

    The knowledge about this would have required a different procedure for the setup.


    As you can see, there are also very restrictive customers and environments.

    By the way: The customer is not very pleased.


    Guenter

  • I would assume you have or will be performing an audit on the XG to determine when the change was made? Maybe even why?
    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • First of all, I would agree with adjusting the product and documentation to explain this outcome.

    But nevertheless this approach, to actively set up an emergency option on the CLI and "forget to turn it off(?)", seems to be a security breach in itself.

    So the questions should be: who enabled this setting, and why was it enabled in the first place?

    We are going to document this service in the docs soon and might pick up changes for the product later.

    __________________________________________________________________________________________________________________

  • I too recommend adding a banner, etc. to remind a sysadmin that they had changed that setting.  I guess in this case they changed it and forgot...

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Sophos Platinum Partner

    --------------------------------------

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.
