PicLan-IP Inbound TELNET Configuration
In order to use PicLan-IP for inbound TELNET connections, you must configure
your system to accept these connections. The following prerequisites
apply:
-
Inbound TELNET services are currently only available with Native PicLan-IP
releases. This currently includes:
-
AP/Pro
-
Mentor PRO
-
Sequoia PRO
-
You must have an inbound TELNET license for your copy of PicLan-IP.
Configuring Inbound TELNET Ports
The first step in configuring inbound TELNET services is deciding which
Pick ports you are going to assign as inbound TELNET ports. In general,
inbound TELNET ports have the same restrictions as inbound PicLan IPX ports
and are configured cooperatively with inbound PicLan IPX ports.
To configure inbound TELNET ports, follow this procedure:
-
First, configure the ports as PicLan IPX inbound ports using the PicLan
PL-CONFIGURE function.
-
Your list of PicLan IPX inbound ports initially includes both IPX and TELNET
ports. After PicLan-IP is initialized, the ports that you specify
as inbound TELNET ports will no longer be available as inbound PicLan IPX
ports.
-
You can have both PicLan IPX and PicLan-IP inbound TELNET ports allocated
concurrently, but they cannot share the same port numbers.
-
In the PLIP.CTRL CONFIG item add a line for each inbound TELNET port as:
TELNET PORT=250
If you have multiple ports to configure, enter them on separate lines as
in:
TELNET PORT=250
TELNET PORT=251
TELNET PORT=252
TELNET PORT=253
or as a single entry:
TELNET PORT=250-253
TELNET PORT=250,252-255
Make sure that you only specify ports that are actually configured with
PicLan as PicLan ports.
-
If you specify a port that has not been initialized as a PicLan port, the
system may crash.
Configuring Inbound TELNET Listen Rules
After you have setup one or more ports as inbound TELNET ports, you must
setup inbound TELNET listen "rules". These rules tell the PicLan-IP
server threads about what TCP/IP addresses and ports it should listen for
inbound TELNET connections, and if a connection is received, what action
is to be taken.
The listen "rules" are configured in the PLIP.CTRL CONFIG item and take
on the format:
TELNET LISTEN=*:23 207.215.231.10 255.255.255.255 250-251 00:20:00 3 LOGOFF=YES
You can specify multiple listen rules. When processing inbound TELNET
connections, the rules table is scanned from the beginning and the first
rule that matches the connection is used to control the connection.
In this example, a TELNET listen is posted on the first configured
IP address and TCP port 23 (the default for TELNET). Connections
from address 207.215.231.10 (with a sub-net mask of 255.255.255.255) will
result in a connection to Pick port 250 or 251. If the connection
is idle for more than 20 minutes, it will automatically be disconnected.
The user can use <ctrl>C (decimal ASCII 3, the break_char field) as a
break key. Finally, if the connection is disconnected (either by the user
or because of a timeout), the port will be logged off.
The complete format of a TELNET LISTEN rule is divided into a number
of fields separated by spaces.
TELNET LISTEN=ip_addr:tcp_port remote_addr remote_net_mask pick_ports timeout break_char options
ip_addr:tcp_port - The IP address and TCP port number that is opened
for incoming connections. It is acceptable to have more than one
rule for a single IP address and TCP port combination. You can use
the * character to specify the first configured IP address.
remote_addr remote_net_mask - These parameters specify whether
this rule will apply for a particular connection. If the actual remote
IP address "ANDed" with the remote_net_mask equals the remote_addr, then
this rule is processed. If the actual remote IP address "ANDed" with
the remote_net_mask does not equal the remote_addr, then this rule is skipped
and the next rule is examined for a match. More information on IP
address matching is included later in this document.
pick_ports - This is a list of Pick ports that are to be used
for this connection. You can specify either a single port, or multiple
ports as a combination of single ports or port ranges. In either
case, the list will be processed in order until an available port is found.
If no ports are available, then the user will receive an error message
and the connection will be terminated.
timeout - This is the amount of time (in hh:mm:ss format) that
an inactive connection will be maintained. An inactive connection
is defined as one that has no inbound or outbound traffic. If you
specify 00:00:00, then the connection will not time out. The maximum
timeout length is 8 hours.
break_char - This is the decimal ASCII value of a control character
that will break the Pick port. The inbound TELNET services in PicLan-IP
will respond to the TELNET "interrupt" command, but this control allows
you to set a break key for use with TELNET terminal emulators that do not
generate an interrupt command. If you specify 0, then a break character
will not be set.
options - Options are used to specify how the ports will be logged
on and off when a connection is established or broken. The available
options are:
LOGON=account{,password} or
LOGON=user,password,md,password (for AP)
LOGOFF=YES
BANNER-SUPPRESS
RECONNECT
LOGON - Log the allocated Pick port on to the specified account (or, for
AP, the specified user and master dictionary) when the connection is
established.
LOGOFF=YES - Log the Pick port off when the connection is broken, whether
by the user or by a timeout.
BANNER-SUPPRESS - Suppress the connection banner that displays
the connected port and other parameters. This is useful for use with
TELNET terminal servers.
RECONNECT - Normally, if a port is currently in use, another
connection will be refused for that port. If you specify the RECONNECT
option, then the new connection will take precedence. This is designed
for use with TELNET terminal servers. You should only specify the
RECONNECT option for TELNET LISTEN lines that specify a single Pick port.
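The port and listen-rule syntax above is easy to get subtly wrong (a port that PL-CONFIGURE never set up, a timeout over 8 hours, RECONNECT on a multi-port rule), and the manual warns that a bad port can crash the system. The following Python is an added example, not PicLan-IP code: it parses the TELNET PORT= and TELNET LISTEN= lines of a CONFIG item and applies the checks stated in this section. The sample CONFIG text and the set of PicLan ports are constructed for illustration; the assumptions that everything after the sixth field is an option, and that a rule's pick_ports must be declared with TELNET PORT=, are mine.

```python
"""Parse and sanity-check the TELNET PORT= and TELNET LISTEN= lines of a
PLIP.CTRL CONFIG item.  Added example, not PicLan-IP code: the checks encode
the rules stated in the manual (ports must be configured PicLan ports, timeout
at most 8 hours, RECONNECT only with a single Pick port)."""
import re

MAX_TIMEOUT_SECS = 8 * 3600
KNOWN_OPTIONS = ("LOGON", "LOGOFF", "BANNER-SUPPRESS", "RECONNECT")


def parse_port_spec(spec):
    """Expand '250', '250-253' or '250,252-255' into a sorted list of ports."""
    ports = set()
    for piece in spec.split(","):
        piece = piece.strip()
        if "-" in piece:
            lo, hi = (int(x) for x in piece.split("-", 1))
            if lo > hi:
                raise ValueError("bad port range %r" % piece)
            ports.update(range(lo, hi + 1))
        elif piece:
            ports.add(int(piece))
        else:
            raise ValueError("empty entry in port list %r" % spec)
    return sorted(ports)


def parse_timeout(text):
    """hh:mm:ss -> seconds.  00:00:00 means 'never time out'; max is 8 hours."""
    m = re.fullmatch(r"(\d{1,2}):(\d{2}):(\d{2})", text)
    if not m:
        raise ValueError("timeout must be hh:mm:ss, got %r" % text)
    h, mi, s = (int(x) for x in m.groups())
    if mi > 59 or s > 59:
        raise ValueError("bad minutes/seconds in %r" % text)
    secs = h * 3600 + mi * 60 + s
    if secs > MAX_TIMEOUT_SECS:
        raise ValueError("timeout %r exceeds the 8 hour maximum" % text)
    return secs


def parse_listen_rule(line):
    """TELNET LISTEN=ip_addr:tcp_port remote_addr remote_net_mask pick_ports
    timeout break_char options...  Everything after the sixth field is treated
    as an option (assumption)."""
    fields = line.split("=", 1)[1].split()
    if len(fields) < 6:
        raise ValueError("listen rule needs at least 6 fields: %r" % line)
    listen, remote_addr, remote_mask, ports, timeout, break_char = fields[:6]
    ip_addr, tcp_port = listen.rsplit(":", 1)   # '*' = first configured address
    options = {}
    for opt in fields[6:]:
        name, _, value = opt.partition("=")
        if name not in KNOWN_OPTIONS:
            raise ValueError("unknown option %r in %r" % (opt, line))
        options[name] = value
    pick_ports = parse_port_spec(ports)
    if "RECONNECT" in options and len(pick_ports) != 1:
        raise ValueError("RECONNECT requires a single Pick port: %r" % line)
    return {"ip_addr": ip_addr, "tcp_port": int(tcp_port),
            "remote_addr": remote_addr, "remote_mask": remote_mask,
            "pick_ports": pick_ports, "timeout_secs": parse_timeout(timeout),
            "break_char": int(break_char),   # 0 = no break key
            "options": options}


def parse_config(text, piclan_ports):
    """Return (telnet_ports, rules).  Every TELNET PORT= entry must be a
    configured PicLan port (the manual says the system may crash otherwise) and
    every rule's pick_ports must be declared TELNET ports (assumption)."""
    telnet_ports, rules = set(), []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("TELNET PORT="):
            for p in parse_port_spec(line.split("=", 1)[1]):
                if p not in piclan_ports:
                    raise ValueError("port %d is not a configured PicLan port" % p)
                telnet_ports.add(p)
        elif line.startswith("TELNET LISTEN="):
            rules.append(parse_listen_rule(line))
    for rule in rules:
        missing = [p for p in rule["pick_ports"] if p not in telnet_ports]
        if missing:
            raise ValueError("listen rule names undeclared TELNET ports %r" % missing)
    return sorted(telnet_ports), rules


# Constructed sample CONFIG item and PicLan port set (not from a real system).
SAMPLE_CONFIG = """\
TELNET PORT=250-253
TELNET PORT=255
TELNET LISTEN=*:23 207.215.231.10 255.255.255.255 250-251 00:20:00 3 LOGOFF=YES
TELNET LISTEN=*:23 192.168.1.0 255.255.255.0 252,253 01:00:00 0 LOGOFF=YES BANNER-SUPPRESS
TELNET LISTEN=*:8023 0.0.0.0 0.0.0.0 255 00:05:00 3 RECONNECT LOGOFF=YES
"""
SAMPLE_PICLAN_PORTS = set(range(240, 260))   # assumed result of PL-CONFIGURE
```

Running parse_config(SAMPLE_CONFIG, SAMPLE_PICLAN_PORTS) accepts the sample; changing the second line to TELNET PORT=300, or adding RECONNECT to the first rule, raises a ValueError naming the offending line, which is the point of checking the item before PicLan-IP initializes with it.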
IP Address Matching Rules
When a user connects to PicLan-IP inbound TELNET services, the connection
has a remote address. This is the IP address that the user
running a TELNET terminal emulator has assigned to his computer system
(it can also be the IP address of a sockets proxy server, Network Address
Translation [NAT] server, or TELNET terminal server). PicLan-IP uses
this address to decide which Pick port (if any) to make a TELNET connection
with.
In understanding whether a particular remote address matches
the TELNET LISTEN rule's remote_addr remote_net_mask pair, you
need to understand how IP addresses and network sub-net masks are manipulated.
IP Address Math
IP addresses are actually four byte binary numbers that range from 0 to
4294967295 (00000000 to FFFFFFFF in hex). As a shorthand, these addresses
are usually expressed as a series of four decimal numbers separated by
periods (or dots). This allows for IP addresses from 0.0.0.0 to 255.255.255.255.
Because of how IP addresses are assigned and how IP network traffic
is routed, an IP address is usually considered as a network address
and a local address. The network address is the left-part
of the IP address and the local address is the right-part of the IP address.
It is the sub-net mask that defines the division between the network address
and the local address.
Class A, B, and C sub-nets
Originally, there were three types of sub-nets (based on the number of
addresses within each type). There are class A, class B, and class
C.
Class A - A class A network uses one byte to specify the network
address and three bytes to specify the local address. Class A networks
can have at most 16777216 IP addresses.
Class B - A class B network uses two bytes to specify the network
address and two bytes to specify the local address. Class B networks
can have at most 65536 IP addresses.
Class C - A class C network uses three bytes to specify the network
address and one byte to specify the local address. Class C networks
can have at most 256 IP addresses.
The manner that a network address is specified is through the use of
the sub-net mask. This is a number that is formatted in the same
manner as an IP address. By using the sub-net mask, a computer system
can determine which part of an IP address is the network address and which
part is the local address. Because a class A network uses the left
byte of the IP address as the network address and the right three bytes
as the local address, the sub-net mask is 255.0.0.0. Class B networks
have sub-net masks of 255.255.0.0 and class C networks have sub-net masks
of 255.255.255.0.
How sub-net masks are evaluated
Sub-net masks are used to determine the network address from a supplied
IP address. This is done by performing a bit-wise and operation
between the IP address and the sub-net mask. For a class A network,
the 255.0.0.0 sub-net mask indicates that 255 is to be anded with
the left byte of the IP address and 0 is to be anded with the right
three bytes of the IP address to form a network address. 255 is a
binary number with 8 bits set to 1, so 255 anded with any number
will equal that number. 0 is a binary number with 8 bits set to 0,
so 0 anded with any number will always equal zero. This means
that a class A IP address 24.18.32.7 has a network address of 24.0.0.0
(the result of anding 24.18.32.7 with 255.0.0.0).
Similarly, class B networks use a sub-net mask of 255.255.0.0 and class
C networks use a sub-net mask of 255.255.255.0.
Other sub-net types
Because the internet is rapidly running out of addresses, network sizes
have been created that lie between and below the size of the existing class
A, B, and C networks originally envisioned. Instead of considering
the number of bytes in the network address, these new schemes specify the
number of bits in the network address. This means that a class A
network is also called a /8 network. A class B network is
a /16 and a class C is a /24 network. The advantage
of this is that if only 6 host addresses are needed, you can use a /29
network (8 addresses, of which 6 are usable by hosts), which has a sub-net
mask of 255.255.255.248.
How PicLan-IP evaluates network addresses
The PicLan-IP TELNET server works by taking the inbound IP address and
anding it with the remote_net_mask. If the result equals
the remote_addr then the specified rule will be used. If the
result does not match, then the next rule will be evaluated.
Inbound TELNET Address Examples
Allow all users
If you wish to allow all users, you would specify a remote_addr
of 0.0.0.0 and a remote_net_mask of 0.0.0.0. When anded
with 0.0.0.0, any IP address will always match with 0.0.0.0. This
configuration will allow any users to connect with the TELNET server.
Allow only a single user
If you wish to only allow a single IP address, you would specify a remote_addr
that matches the user's IP address and a remote_net_mask of 255.255.255.255.
By specifying a network mask of 255.255.255.255, all bits in the IP address
are evaluated for a match. This configuration is used to allow only
a specific IP address to connect.
Allowing a sub-net
You can specify other sub-net masks to allow any user on a particular network
to access the Pick host over telnet. You could use this to allow
connections from local PCs, but exclude connections from the internet.
Handling dynamic IP addresses
If you have users that dial into an ISP (Internet Service Provider), they
will probably get what is called a dynamic IP address. This means
that the IP address that they are assigned may change each time they connect
with their ISP. In this case, it is impossible to limit connections
to a single IP address because that address will change every time the
user connects with their ISP. You should realize that the IP address
that they are assigned will always be a part of an IP sub-net, so you can
limit access to the sub-net.
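The address math in the preceding sections, carried through in code, as an added example that is not PicLan-IP's implementation. It converts dotted addresses and /prefix lengths to 32-bit values, performs the AND-and-compare that decides whether a rule applies, scans a rule table first-match as the server does, and checks for two configuration mistakes the manual's description implies: a rule whose remote_addr has bits set outside its mask (which can never match), and an allow-all rule placed above more specific rules (which shadows them). The listen ip_addr:tcp_port field is left out so the address logic stands alone; the rule tables and addresses are constructed for illustration.

```python
"""IP address matching as PicLan-IP applies it to TELNET LISTEN rules:
(remote_ip AND remote_net_mask) == remote_addr, scanning rules from the top and
using the first match.  Added example, not PicLan-IP code."""


def ip_to_int(dotted):
    """'24.18.32.7' -> 0x18122007"""
    parts = dotted.split(".")
    if len(parts) != 4:
        raise ValueError("not a dotted quad: %r" % dotted)
    value = 0
    for part in parts:
        octet = int(part)
        if not 0 <= octet <= 255:
            raise ValueError("octet out of range in %r" % dotted)
        value = (value << 8) | octet
    return value


def int_to_ip(value):
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask(bits):
    """/bits -> dotted mask: 8 -> 255.0.0.0, 29 -> 255.255.255.248"""
    if not 0 <= bits <= 32:
        raise ValueError("prefix length must be 0..32")
    return int_to_ip((0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF)


def network_address(ip, mask):
    """The bitwise AND the manual describes: 24.18.32.7 & 255.0.0.0 -> 24.0.0.0"""
    return int_to_ip(ip_to_int(ip) & ip_to_int(mask))


def rule_matches(remote_ip, remote_addr, remote_mask):
    return (ip_to_int(remote_ip) & ip_to_int(remote_mask)) == ip_to_int(remote_addr)


def rule_can_match(remote_addr, remote_mask):
    """A rule whose remote_addr has bits set outside remote_mask can never match,
    because the AND clears those bits in every remote IP.  192.168.1.77 with
    mask 255.255.255.0 is such a typo; 192.168.1.0 was meant."""
    return (ip_to_int(remote_addr) & ~ip_to_int(remote_mask) & 0xFFFFFFFF) == 0


def select_rule(remote_ip, rules):
    """rules: list of (remote_addr, remote_mask, pick_ports).  First match wins;
    None means no rule matched and the connection would be refused."""
    for remote_addr, remote_mask, pick_ports in rules:
        if rule_matches(remote_ip, remote_addr, remote_mask):
            return (remote_addr, remote_mask, pick_ports)
    return None


def shadowed_rules(rules):
    """Indexes of rules that can never be reached because an earlier rule
    matches every address the later rule would match."""
    shadowed = []
    for i, (addr, mask, _) in enumerate(rules):
        for earlier_addr, earlier_mask, _ in rules[:i]:
            m_early, m_late = ip_to_int(earlier_mask), ip_to_int(mask)
            # earlier rule covers the later one if its mask is a subset of the
            # later mask and both agree on the bits the earlier mask examines
            if (m_early & m_late) == m_early and \
                    (ip_to_int(addr) & m_early) == ip_to_int(earlier_addr):
                shadowed.append(i)
                break
    return shadowed


# Constructed rule tables (addresses and ports are made up for illustration).
# Specific rules first, the allow-all rule last:
RULES_GOOD = [
    ("207.215.231.10", "255.255.255.255", "250-251"),  # one fixed host
    ("207.215.231.0", "255.255.255.0", "252-253"),     # dial-up users on an ISP's /24
    ("0.0.0.0", "0.0.0.0", "254"),                     # everyone else
]
# Same rules with the allow-all rule first: it matches every address, so the
# two more specific rules below it are never consulted.
RULES_SHADOWED = [RULES_GOOD[2], RULES_GOOD[0], RULES_GOOD[1]]
```

With RULES_GOOD, 207.215.231.10 lands on ports 250-251, a dial-up user at 207.215.231.45 on 252-253 and anyone else on 254; with RULES_SHADOWED every caller, including the fixed host, gets port 254. shadowed_rules(RULES_SHADOWED) reports both later rules, which is the check worth running whenever an allow-all or wide sub-net rule sits near the top of the table.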
Implementing Inbound TELNET Security
This discussion is primarily intended for users who are connecting their
systems to the Internet. Security on local networks is considerably
easier.
The PicLan-IP TELNET server allows you to control who makes connections,
and to which ports, based on the remote user's IP address. If you
are concerned about security, you should consider the following steps:
-
Only allow connections to specific IP address (or IP sub-nets) and not
to the whole internet in general.
-
Do not "advertise" that you have an open TELNET server.
-
Consider not giving the TELNET server a DNS name.
-
Consider posting TELNET listens on non-standard TCP port numbers instead
of using the TELNET default of 23.
-
Try using port numbers in the 8000-16000 range.
-
You may want to periodically change the port number that is used.
-
Always use the LOGOFF=YES option.
-
Establish an effective system password policy on all accounts.
-
Consider placing TELNET users in accounts that are tightly controlled.
-
Use SYS0 privilege to prevent debugger usage.
-
Include an 'R' in attribute 9 to re-run the logon proc if the user breaks
and ends.
None of the techniques are fool-proof, but used intelligently, they can
limit your exposure.
Also, you should keep in mind that TELNET is an "in the clear", non-encrypted
protocol. Anyone with packet-sniffing equipment and access to the network
path (a shared LAN segment, a compromised router, or an ISP's equipment) can
watch everything that a user types, including the account names and passwords
entered at logon.
Configuring TELNET Option Strings
The PicLan-IP TELNET server runs using minimal TELNET option strings. These
option strings are encoded in hex in the PLIP.CTRL CONFIG item under the
label:
TELNET OPT STR=
This string of characters will be sent to TELNET clients upon connection
to set up elements such as echo, line mode, and other required options.
You should consult RFC 854 (and the individual option RFCs it references,
such as RFC 857 for echo and RFC 858 for suppress go ahead) for more
information.
If you have difficulty with specific TELNET client applications, setting
up additional option strings can help. If you are unfamiliar with
TELNET operation and programming, you can contact Modular Software technical
support for additional help.
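The option strings this section refers to are RFC 854 IAC sequences. The following Python is an added example, not PicLan-IP code: it encodes and decodes such strings and shows the reply a compliant client sends, which is what you compare against a packet capture when a particular client misbehaves. It assumes the TELNET OPT STR= value is the raw byte sequence written as hex digit pairs; confirm that against PicLan-IP's own documentation before pasting output into PLIP.CTRL. The server option set it builds (WILL ECHO, WILL SUPPRESS-GO-AHEAD, DO SUPPRESS-GO-AHEAD) is the usual request for character-at-a-time operation with server-side echo, not PicLan-IP's actual default.

```python
"""Encode and decode TELNET option negotiation strings (RFC 854 IAC sequences).
Added example, not PicLan-IP code.  Assumes the TELNET OPT STR= value is the
byte sequence written as hex digit pairs."""

# RFC 854 command codes
SE, NOP, DM, BRK, IP, AO, AYT, EC, EL, GA, SB = range(240, 251)
WILL, WONT, DO, DONT, IAC = 251, 252, 253, 254, 255
COMMAND_NAMES = {SE: "SE", NOP: "NOP", DM: "DM", BRK: "BRK", IP: "IP", AO: "AO",
                 AYT: "AYT", EC: "EC", EL: "EL", GA: "GA", SB: "SB",
                 WILL: "WILL", WONT: "WONT", DO: "DO", DONT: "DONT"}
# Option codes from the option RFCs (856, 857, 858, 1091, 1073, 1184)
BINARY, ECHO, SUPPRESS_GO_AHEAD, TERMINAL_TYPE, NAWS, LINEMODE = 0, 1, 3, 24, 31, 34
OPTION_NAMES = {BINARY: "BINARY", ECHO: "ECHO", SUPPRESS_GO_AHEAD: "SUPPRESS-GO-AHEAD",
                TERMINAL_TYPE: "TERMINAL-TYPE", NAWS: "NAWS", LINEMODE: "LINEMODE"}


def encode_option_string(negotiations):
    """[(WILL, ECHO), ...] -> 'FFFB01...'"""
    out = bytearray()
    for verb, option in negotiations:
        if verb not in (WILL, WONT, DO, DONT):
            raise ValueError("not a negotiation verb: %r" % verb)
        out += bytes((IAC, verb, option))
    return out.hex().upper()


def decode_option_string(hexstr):
    """'FFFB01FFFB03' -> [('WILL', 1), ('WILL', 3)].
    Yields (command, option_code) for negotiations, ('SB', payload_hex) for
    subnegotiations, (command, None) for bare commands and ('DATA', byte) for
    bytes outside any IAC sequence.  IAC IAC inside an SB payload is left
    escaped, which is enough for display purposes."""
    data = bytes.fromhex(hexstr)
    events, i = [], 0
    while i < len(data):
        if data[i] != IAC:
            events.append(("DATA", data[i]))
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("IAC at end of string with no command")
        cmd = data[i + 1]
        if cmd == IAC:                      # escaped literal 0xFF data byte
            events.append(("DATA", IAC))
            i += 2
        elif cmd in (WILL, WONT, DO, DONT):
            if i + 2 >= len(data):
                raise ValueError("negotiation missing its option byte")
            events.append((COMMAND_NAMES[cmd], data[i + 2]))
            i += 3
        elif cmd == SB:
            end = data.find(bytes((IAC, SE)), i + 2)
            if end < 0:
                raise ValueError("subnegotiation without IAC SE")
            events.append(("SB", data[i + 2:end].hex().upper()))
            i = end + 2
        else:
            events.append((COMMAND_NAMES.get(cmd, "CMD-%d" % cmd), None))
            i += 2
    return events


def describe(hexstr):
    """Human-readable listing, one line per event, e.g. 'IAC WILL ECHO'."""
    lines = []
    for kind, arg in decode_option_string(hexstr):
        if kind in ("WILL", "WONT", "DO", "DONT"):
            lines.append("IAC %s %s" % (kind, OPTION_NAMES.get(arg, "option %d" % arg)))
        elif kind == "SB":
            lines.append("IAC SB %s IAC SE" % arg)
        elif kind == "DATA":
            lines.append("data byte 0x%02X" % arg)
        else:
            lines.append("IAC %s" % kind)
    return lines


def accept_all_reply(hexstr):
    """The answer a client that agrees to every request sends back (RFC 854):
    WILL x -> DO x, DO x -> WILL x.  A client that answers DONT ECHO instead
    obliges the server to stop echoing; if it also does not echo locally, the
    user sees nothing typed.  Comparing a capture against this output is how
    such client-specific option trouble is located."""
    reply = bytearray()
    for kind, option in decode_option_string(hexstr):
        verb = {"WILL": DO, "DO": WILL}.get(kind)
        if verb is not None:
            reply += bytes((IAC, verb, option))
    return reply.hex().upper()


# Constructed example: a server asking for character-at-a-time operation with
# server-side echo (typical of full-screen hosts; not PicLan-IP's actual default).
SERVER_OPT_STR = encode_option_string([(WILL, ECHO), (WILL, SUPPRESS_GO_AHEAD),
                                       (DO, SUPPRESS_GO_AHEAD)])
```

describe(SERVER_OPT_STR) reads "IAC WILL ECHO", "IAC WILL SUPPRESS-GO-AHEAD", "IAC DO SUPPRESS-GO-AHEAD", and accept_all_reply(SERVER_OPT_STR) gives the matching client answer FFFD01FFFD03FFFB03; a client whose capture differs from that is the one that needs an adjusted option string.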
© Copyright 1996-1998 Modular Software Corporation. All rights Reserved.