Disable telnet Service

An XCCDF Rule

Description

Make sure that the activation of the telnet service on system boot is disabled. The telnet socket can be disabled with the following command:

$ sudo systemctl mask --now telnet.socket

Warning

If the system relies on xinetd to manage telnet sessions, ensure the telnet service is disabled with the following line in its xinetd configuration file: disable = yes. Note that the xinetd file for telnet is not created automatically, so it might have a different name.
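An added audit helper, not part of the SSG rule content: because the xinetd file for telnet can have any name, it scans every file in a directory for a `service telnet` stanza and lists the files where that stanza has no active `disable = yes`. The function names and the default directory `/etc/xinetd.d` are assumptions.

```shell
#!/bin/sh
# Added example (not SSG content). Function names and the default
# directory /etc/xinetd.d are assumptions.

# Print every file in DIR holding a "service telnet" stanza without an
# active (uncommented) "disable = yes". Returns 0 if none, 1 otherwise.
audit_xinetd_telnet() {
    dir=${1:-/etc/xinetd.d}
    found=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if awk '
            /^[ \t]*#/ { next }    # commented lines do not count
            /^[ \t]*service[ \t]+telnet[ \t]*[{]?[ \t]*$/ { in_svc = 1; disabled = 0; next }
            in_svc && /^[ \t]*disable[ \t]*=[ \t]*yes[ \t]*$/ { disabled = 1 }
            in_svc && /^[ \t]*[}]/ { if (!disabled) bad = 1; in_svc = 0 }
            END { if (in_svc && !disabled) bad = 1; exit (bad ? 0 : 1) }
        ' "$f"; then
            echo "$f"
            found=1
        fi
    done
    return "$found"
}

# True only when systemd reports telnet.socket as masked.
telnet_socket_masked() {
    [ "$(systemctl is-enabled telnet.socket 2>/dev/null)" = masked ]
}
```

Run `audit_xinetd_telnet` with no argument on an xinetd host; any path it prints still has telnet enabled under that file name.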

Rationale

The telnet protocol uses unencrypted network communication, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network. The telnet protocol is also subject to man-in-the-middle attacks.

ID
xccdf_org.ssgproject.content_rule_service_telnet_disabled
Severity
High
Remediation - OS Build Blueprint


[customizations.services]
disabled = ["telnet"]

Remediation - Ansible

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - NIST-800-171-3.1.13
  - NIST-800-171-3.4.7

Remediation - Shell Script

# Remediation is applicable only in certain platforms:
# skipped inside containers and when telnet-server is not installed
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q telnet-server; then

    SYSTEMCTL_EXEC='/usr/bin/systemctl'
    # Stop the running service, then keep it from starting at boot
    "$SYSTEMCTL_EXEC" stop 'telnet.service'
    "$SYSTEMCTL_EXEC" disable 'telnet.service'

fi

Remediation - Puppet

include disable_telnet

class disable_telnet {
  service {'telnet':
    enable => false,
    ensure => 'stopped',
  }
}